Understanding MEV and its impact on blockchain users
Transparency is one of the fundamental characteristics of blockchains, but it has enabled the extraction of value by controlling the order and inclusion of transactions within a block, known as MEV, or maximum extractable value.
This problem is common on most blockchains and originates from the public nature of mempools, a ledger that stores data from pending transactions. This information allowed block producers and other players to benefit from early trading.
MEV is particularly well known on Ethereum, where it continues to be mined at a rate equivalent to 11% of block rewards. Data shows that nearly $300,000 was lost in sandwich attacks in September. This reveals that MEV is a recurring hidden fee, not a minor inefficiency, that hits large transactions harder in volatile markets.
Shutter Threshold Encryption as a Solution to MEV
Among a range of VEM mitigation measures, several cryptographic solutions have been proposed, including threshold encryption and homomorphic encryption. These techniques encrypt the contents of transactions before they enter the memory pool and keep them hidden until the order of transactions is finalized. This prevents block producers from mining MEV by manipulating transaction sequencing. However, most encrypted memory pool architectures are in the research stage.
Shutter was the first threshold encryption protocol designed specifically to combat MEV. Today, it stands out as the only threshold-based approach with real-world deployment, live on the Gnosis Chain mainnet.
Threshold encryption is a cryptographic technique that distributes the decryption key among a committee of key holders so that no party can decrypt a transaction alone. In most threshold encrypted memory pools, the committee first runs a distributed key generation (DKG) process to produce a public key as well as private key shares for each member. Users can then encrypt their transactions with this public key and submit the ciphertexts to the network.
Block nominators order these ciphertexts into a block, and once the block is finalized or a reveal condition is met, each committee member publishes a decryption share. The required number of valid committee actions are then combined to retrieve the transaction in plaintext. As in a multisig configuration, a qualified majority of committee participants is sufficient for this. Once the transactions are sequenced and decrypted, they are executed by the network virtual machine.
The Threshold Committee acts as an off-chain service that operates alongside the blockchain. This design makes it consensus agnostic, meaning it can be used on most blockchains without the need to change consensus rules. However, it is important to keep in mind that unlike all validators, the committee is generally a strictly authorized structure that must be trusted. In Shutter, committee members, called Keypers, are selected by protocol governance.
Shutter’s initial design used epoch-based encryption, where users encrypt transactions in the current epoch of the underlying chain. This was intended to improve efficiency and reduce latency by amortizing computationally intensive decryption over many transactions. However, this design created a critical flaw. When the epoch key was rebuilt, all transactions from that epoch became public, even those that were not yet included in the blocks. This could expose some network users to MEV.
This issue was resolved during actual deployment on Gnosis Chain, where Shutter used per-transaction encryption. The closed beacon chain on the Gnosis chain currently functions as an alternative RPC endpoint, which encrypts transactions and broadcasts the ciphertexts to the sequencing contract. Following the regular flow of threshold encryption, once transactions are included in a block and validated, they are decrypted and executed.
Per-transaction encryption trades efficiency for simplicity, since the committee workload increases linearly with transaction throughput rather than remaining roughly constant as in an epoch-based design. Further developments in memory pool threshold encryption could improve this tradeoff.
The Shutter team believes that batch threshold encryption (BTE) is a potential way to address the drawbacks of epoch-based and transaction-based schemes. BTE keeps the committee load almost constant while preserving the confidentiality of transactions that are not included in a block.
In addition to the Shutterized gnosis chain, the Shutter team is working on the encrypted mempool module for the OP stack, which is live on an Optimism testnet. This module supports epoch-based encryption and eliminates Shutter’s initial design problem, since transactions are tied to a specific block. A transaction contains the target block information and the contract checks the current block during execution, so it only succeeds if it lands in that block. If the target block is missing, the verification fails and the transaction is rolled back, after which it can be resubmitted for a new block.
Despite its promise of VPD mitigation, Shutter is not completely trustless today, since users rely on an authorized set of keys. Another constraint is the high latency of the current deployment on Gnosis, which means that Shutter, in its current form, has limited potential. While Gnosis blocks are produced every five seconds, Shutter transactions currently take on average around three minutes to be included, due to the limited number of Shutterized validators and keypers. The Shutter team is planning a practical path and off-protocol roadmap to a fully encrypted, trust-minimizing memory pool on Ethereum. This step will, however, require incremental work on wallets, RPCs, relays, constructors and validator incentives, followed by support in the protocol, after which the same modules can expand to other EVM chains.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research before making a decision.
This article is intended for general information purposes and is not intended to be and should not be considered legal or investment advice. The views, thoughts and opinions expressed herein are solely those of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Cointelegraph does not endorse the content of this article or any products mentioned here. Readers should do their own research before taking any action related to any product or company mentioned and take full responsibility for their decisions.
