In this write-up, I will explain what MEV is and show a few examples. Then I will propose a few ideas on how we could go about mitigating one form of MEV, namely sandwich attacks. In the process, we'll talk about relayers like Flashbots, and how sandwich attacks can already be avoided today.

If you are already knowledgeable on MEV: First, and while I'm by no means an expert, rest assured that this is not a super naive take on MEV. As the refrain goes, we want to "minimize what MEV we can, democratize the extraction of what MEV is left". The ideas presented here definitely fall into the "minimize what we can" category. I'm also not entirely sure we should pursue them, and these are not new ideas, but I think they're presented in a way that is conducive to conversation. Feel free to skip to the section titled "Preventing Sandwich Attacks at the Protocol Level".

What is MEV

MEV stands for "miner extractable/extracted value", though there is a proposal to reinterpret it as "maximum extractable value".

There is extractable value each time a risk-less opportunity arises on the blockchain. I'll give a more detailed rundown of the different kinds of MEV later, but here is a brief description of two of the main kinds. The first is loan liquidation, where you buy the collateral of a loan that is approaching its collateralization threshold, at a discount. The second is arbitrage, where you buy something somewhere and sell it at a higher price somewhere else.

The extractable value may or may not end up being extracted. "MEV" is often used for both extractable and extracted value, though people talk about the extracted value more often. The "miner" in MEV comes from the fact that if a miner could detect all forms of MEV, he could extract them himself in the block that he mines, since he is the one that chooses which transactions make it into the block, as well as their ordering.

In practice, miners only capture part of the extracted MEV. Third parties known as "searchers" search for MEV, and attempt to extract it.

Not all forms of MEV rely on transaction ordering, but some do (notably sandwich attacks, see below). Transaction ordering is nevertheless a big concern for searchers: if multiple searchers attempt to extract MEV, only the first one whose transaction is executed will succeed. This leads searchers to run a sort of auction for the right to extract MEV, with the proceeds going to the miner. This is a mutually beneficial arrangement: miners do not have to learn how to find MEV, and searchers still get paid. Because there is competition, searchers are incentivized to find new forms of MEV, or to extract more efficiently so they can pay the miner more. All of this is profitable for the miner.

(Note that after the Ethereum 2.0 merge, block proposers will be in exactly the same position as miners today.)

Historically, MEV was mostly extracted one transaction at a time. Miners include the transactions that pay them the most (highest gas price) first in a block. This is known as a "priority gas auction" or PGA. As we'll see below, it was also interesting to run straight after a given transaction (seen in the mempool), which meant trying to craft a transaction whose gas cost is lower than, but as close as possible to, that of the transaction to backrun.

All of this changed with the introduction of Flashbots, as well as other direct channels through which searchers could communicate with miners (we'll call those "relayers"). Through these channels, the searchers send "bundles" of transactions (including their own transaction and potentially transactions they gleaned from the mempool) that should be included atomically, and in the specified order. Additionally, this allows signaling to the miner that he will receive a tip (sent by one of the transactions in the bundle) if the bundle is successfully included. Another important detail is that the miner is supposed to keep the received bundles entirely private.
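The difference between the two ordering regimes described above can be seen in a toy block builder. This is an added example, not code from the original write-up or from Flashbots; the transaction names, gas prices, tips and the rule that competing bundles are ranked by tip are all simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str
    gas_price: int  # gwei (constructed value)
    label: str

def build_block_pga(mempool):
    """Priority gas auction: highest gas price first; ties keep arrival order."""
    return sorted(mempool, key=lambda tx: -tx.gas_price)

def build_block_with_bundles(mempool, bundles):
    """Model assumption: bundles are ranked by miner tip and placed whole, in the
    searcher's order; a bundle that reuses an already-placed tx is dropped whole."""
    block, used = [], set()
    for _tip, txs in sorted(bundles, key=lambda b: -b[0]):
        if any(tx in used for tx in txs):
            continue
        block.extend(txs)
        used.update(txs)
    block.extend(tx for tx in build_block_pga(mempool) if tx not in used)
    return block

def lands_right_after(block, target, follower):
    """True if `follower` is executed immediately after `target`."""
    if target not in block or follower not in block:
        return False
    return block.index(follower) == block.index(target) + 1

# Constructed sample data (hypothetical senders and prices).
ORACLE = Tx("oracle", 100, "price update")
USER = Tx("user", 120, "transfer")
LIQ_A = Tx("searcher_a", 99, "liquidation A")
LIQ_B = Tx("searcher_b", 99, "liquidation B")

# PGA: both searchers bid just under the oracle update; B reached the miner first.
PGA_BLOCK = build_block_pga([ORACLE, USER, LIQ_B, LIQ_A])

# Bundles: liquidation txs are private; each searcher bundles the public oracle tx.
BUNDLE_BLOCK = build_block_with_bundles(
    [ORACLE, USER],
    [(2, (ORACLE, LIQ_B)), (3, (ORACLE, LIQ_A))],  # (tip, ordered txs)
)

if __name__ == "__main__":
    print([tx.label for tx in PGA_BLOCK])
    print([tx.label for tx in BUNDLE_BLOCK])
```

Under the gas-price ordering, searcher A's position depends on arrival order among equal bids, while in the bundle model the position is guaranteed and the competition moves entirely to the tip paid to the miner.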

MEV Taxonomy

Roughly speaking, we can distinguish four kinds of MEV:

1. Frontrunning

Frontrunning, or racing for opportunities. Typically these are loan liquidations, which can be quite profitable.

These opportunities arise from a change in the price oracle for the collateral (this could be an oracle protocol like Chainlink, or in rare cases the spot price in one or multiple liquidity pools, though I think this is less common these days because of the potential for flash loan attacks).

It's my understanding that the MEV competition used to be less fierce, and less sophisticated (especially pre-Flashbots), and that searchers would sometimes attempt to liquidate on the block following the oracle update. One difficulty is that it's easy to bid to be included early in the block (by default, miners include the transactions with the highest tip first), but pre-Flashbots, it used to be difficult to land right after the oracle update: it required crafting a transaction whose gas cost would be as close as possible to (but lower than) that of the oracle update. With Flashbots you simply put your transaction after the oracle update in a bundle.

Here is an example of such a transaction which I'm taking from this article (both from April 2020).

What happens there is that the liquidator borrows 340k DAI from Aave as a flash loan. He then pays 340k DAI to liquidate the bad loan, in exchange for which he receives 1,128k AAVE. He then proceeds to swap those for 193 ETH, 168 of which he swaps into 340k DAI, which he uses to repay the flash loan, leaving him with 25 ETH. If you factor in the 7.5 ETH gas cost, this leaves our searcher with a 17.5 ETH profit (which was worth 2.2k$ on that date). From that 25 ETH and the ETH price, we can infer that the liquidation reward for the AAVE token was about 15%.

This particular transaction used Flashbots to bid on gas price, but, as explained in the article, the oracle update occurred in the previous block!