What are you looking for?
Showing 9 of 25 Publications in Crypto & Blockchain
TOTM Innovations in payment systems are rapidly transforming the world economy. While Bitcoin, Ethereum, and other decentralized blockchain-based systems tend to garner much of the press . . .
Innovations in payment systems are rapidly transforming the world economy. While Bitcoin, Ethereum, and other decentralized blockchain-based systems tend to garner much of the press (good and bad), centralized peer-to-peer (P2P) payment systems are far more common. (Note that I use the term P2P here in its original sense to mean all peer-to-peer transactions, which includes transactions between any combination of individuals, businesses, and other entities, such as governments and unincorporated associations.)
Read the full piece here.
Amicus Brief INTRODUCTION To determine whether the tokens traded on Coinbase and through Prime constitute unregistered “securities,” this Court must determine whether these “unusual instruments not easily . . .
To determine whether the tokens traded on Coinbase and through Prime constitute unregistered “securities,” this Court must determine whether these “unusual instruments not easily characterized as ‘securities,’” Landreth Timber Co. v. Landreth, 471 U.S. 681, 690 (1985), are “investment contracts,” and, as such, are one of the enumerated types of “securities” covered by the Securities Act of 1933, see 15 U.S.C. § 77b(a)(1) (Section 2(a)(1) of the “1933 Act”), and the Exchange Act of 1934, see 15 U.S.C. § 78c(a)(10) (Section 3(a)(10) of the “Exchange Act”).
The answer requires the application of the Supreme Court’s seminal decision in S.E.C. v. W.J. Howey Co., 328 U.S. 293 (1946), which held that an offering in a Florida citrus grove coupled with the right to receive a share of the grove’s profits constituted an “investment contract”—and hence a security—because it “involve[d] an investment of money in a common enterprise with profits to come solely from the efforts of others.” Howey, 328 U.S. at 301; see also Revak v. SEC Realty Corp., 18 F.3d 81, 87 (2d Cir. 1994) (same). This test is meant to “embod[y] the essential attributes” of a “security.” United Hous. Found., Inc. v. Forman, 421 U.S. 837, 852 (1975).
In Howey, the Court held that by including “investment contract” in the federal securities statutes, Congress used a term with a well-settled meaning based on judicial interpretations of state blue-sky laws. As a result, to assist the Court in assessing how “investment contract” was understood by Howey and at the time of the federal securities statutes’ enactment, amici offer their analysis of how the term was interpreted in the state blue-sky laws. That analysis makes clear that an arrangement is an “investment contract” only if the investor receives, in exchange for an investment, a contractual undertaking or right to an enterprise’s income, profits, or assets. That core notion has carried through in the federal cases since Howey.
TOTM Financial technology, or so-called “fintech,” is disrupting the financial sector, and that’s a good thing. Fintech services are making finance more digital and more user-friendly. . . .
Financial technology, or so-called “fintech,” is disrupting the financial sector, and that’s a good thing. Fintech services are making finance more digital and more user-friendly. This, in turn, has led to reduced transactions costs and increased levels of competition, innovation, and financial inclusion.
Alas, the emergence of fintech has also been accompanied by a rising chorus of the usual “if it’s good, mandate it; if I don’t like it, forbid it” reasoning that has motivated so many prior waves of regulatory intervention. The resulting regulations may be well-intentioned, but they more often than not lead to unintended consequences.
Scholarship Abstract This article sets out a philosophy for money in this new digital age. Specifically, we propose two descriptive and two prescriptive theories relating to . . .
This article sets out a philosophy for money in this new digital age. Specifically, we propose two descriptive and two prescriptive theories relating to cryptocurrency.
On the descriptive side, we first introduce a novel classification scheme to categorize cryptocurrencies. Distinct terms like “central bank digital currency” and “cryptocurrency” are often interchanged, so a precise typology is necessary in setting the parameters of debates over monetary policy. Secondly, the article explains the ideological roots of private digital currency and specifically focuses on the impact of the Austrian School of Economics on Satoshi Nakamoto, the creator of bitcoin.
On the prescriptive side, we argue that governments’ plans for central bank digital currencies are neither novel nor good policy. The reality is that most of today’s central bank currencies are already digital, and any attempts to disintermediate the banking system—that is, to allow individuals to hold accounts directly with the central bank (and not private banks)—will result in a dangerous temptation for governments to micromanage the finances of their citizens.
Our second policy conclusion is a positive one. We recommend that central banks in developing nations adopt private, decentralized digital currencies or fixed money supplies to encourage foreign investment and increase the economic well-being and stability of their citizens.
ICLE White Paper I. Introduction In cryptocurrency markets, maximal extractable value (“MEV”) is typically defined as “excess profit that a miner [validator] can extract by adjusting execution of . . .
In cryptocurrency markets, maximal extractable value (“MEV”) is typically defined as “excess profit that a miner [validator] can extract by adjusting execution of user transactions.” MEV extraction has slowly been gaining broader recognition, e.g., from the Bank of International Settlements, the International Organization of Securities Commissions (“IOSCO”), and mainstream publications like Forbes. The Bank of International Settlements estimates that there has been between $550 and $650 million of total MEV volume since 2020.
The aim of this paper is to provide an overview for policymakers regarding what we know today about MEV, but perhaps even more importantly, how much we do not know. I will offer general critical analysis of policy questions raised by MEV extraction on the Ethereum blockchain. The paper is intended both for those unfamiliar with MEV and those who are broadly familiar (the latter of whom can probably skip at least part of Section II).
Terms like “market manipulation” and “victim” tend to be used loosely in describing MEV extraction, often without thoughtful reflection on whether they are appropriate. The term “MEV searchers” was even included in a recent anti-money-laundering bill introduced by Sen. Elizabeth Warren (D-Mass.), although in a context that suggested a misapprehension of what such searchers actually do.
In January 2023, the U.S. Commodity Futures Trading Commission (“CFTC”) brought its first-ever “oracle manipulation” case, charging Avraham Eisenberg with illegal manipulation of the decentralized exchange Mango Markets, which operates on the Solana blockchain. While this case did not involve the Ethereum blockchain, it is nonetheless illustrative of similar schemes that could occur in Ethereum. The case also likely signals that regulators like the CFTC are beginning to take a closer look at decentralized blockchain markets, which could include scrutiny of MEV extraction.
MEV extraction may involve arbitrage between crypto-asset markets, which tends to be seen as a beneficial contribution to price accuracy, because it leads to equalizing prices of the same asset across markets. It may also, however, involve so-called “front-running” of transactions, which can be enabled by the ability of at least some market participants to see the details of pending transactions before they are executed.
The most prominent example of this type of transaction is called “sandwiching”: buying an asset ahead of another known pending buy transaction, and then selling the asset, thereby profiting from the positive price impact of the transaction in the middle of the “sandwich.” Sandwiching normally results in a worse execution price for the sandwiched trade and tends to be seen as an undesirable practice. According to the data-analysis platform EigenPhi, the volume of sandwich attacks reached $54.37 billion in the first half of 2022, causing traders to lose $87.7 million.
This suggests that MEV extraction is a significant phenomenon that may adversely affect some market participants in some transactions. Moreover, some forms of MEV extraction—particularly so-called “time-bandit attacks”—could pose a systemic threat to Ethereum, although they remain, for now, mostly theoretical. Nonetheless, as I discuss, to assess whether strategies like sandwiching should be seen as a policy problem requires more robust evidence and analysis than has been offered to date.
In this paper, I consider whether MEV extraction poses a problem that merits public-policy intervention. I argue that the mere fact that MEV extraction may adversely affect some market participants is not sufficient to answer that question. As in stock trading, which may likewise appear to be a zero-sum game with a “winner” and “loser” in each transaction, the nature and effects of MEV extraction have more dimensions that need to be considered.
It is important to carefully consider the costs and benefits of regulatory responses to MEV extraction. For example, while licensing requirements for dealers and brokers may be appropriate in the current “traditional” finance context, they may be inadvisable for block builders or relay operators. At the risk of sounding hyperbolic, a country that adopts such measures could be giving up on the benefits of decentralized and permissionless public blockchains like Ethereum. Hence, the benefits of such regulations should be carefully weighed against the potential cost of lost social benefits.
Moreover, regulation and regulatory enforcement in the realm of public blockchains faces the problem of regulatory arbitrage. Operators may choose the most favorable jurisdictions, while retaining influence on markets in other jurisdictions. This provides a strong argument to prefer and support technical solutions (e.g., on the level of the Ethereum protocol) that would apply globally over national or even international legal rules.
This paper is intended to be accessible to non-technical readers, and therefore employs simplified technical explanations. For greater detail, please follow the references provided. I also do not aim to provide comprehensive legal analysis, but merely note some of the prima facie legal issues. I build here on a working paper I co-authored with Alex Sarch, and on my brief comment published on the Flashbots forum.
This section provides a brief overview of what MEV extraction is, as well as the actors involved in the MEV ecosystem. The overview is intended for those who are not familiar with MEV in general (Section II.A) and the developments in MEV extraction since Ethereum’s move to “proof of stake” (Section II.B). Readers familiar with both can skip this section and proceed directly to Section III.
To understand the core case of MEV extraction, we need two basic concepts: a “transaction” and a “block.” As the name suggests, the Ethereum blockchain is a chain of blocks. For our purposes, we’ll consider blocks as ordered batches of transactions (typically up to several hundred). A transaction can be a simple transfer of some amount of Ether (or ETH, the cryptocurrency) from one account to another. It may also be a trade of some token (e.g., DAI) for another token, using one of the decentralized exchanges, which run as smart contracts on Ethereum (e.g., Uniswap). The latter case is one of the key sources of MEV. Without getting into more technical detail about “automated market makers” and “liquidity pools,” it should not be surprising that it matters in what order exchange trades are executed. A trade executed earlier (or later) may have a more attractive price. Also, trading just before or after another trade may create profit opportunities, as in the cases of “back-running” or a “sandwich.” As I wrote with Alex Sarch:
Consider “what happened on 16 February 2022 to a person using the Ethereum address 0x61…38 (we will call them ‘0x61’). 0x61 attempted to exchange just over 79 Ethereum (then worth around $250,000) for DAI (a stablecoin targeting a 1 to 1 exchange ratio with US Dollar), using the decentralized exchange Uniswap V2. Instead of receiving, after fees, around $225,000-worth of DAI, as 0x61 may have expected, they ended with around $179,000 – $46,000 less. What seems to have occurred here, was a ‘sandwich’ attack. An automated ‘searcher bot’ (using the address 0x26…af) noticed 0x61’s transaction while it was still waiting to be executed (in the ‘mempool’) and calculated that it presents an opportunity for a profitable sandwich.
A sandwich consists of three elements: (1) the front-run, (2) at least one sandwiched transaction (in this case 0x61’s trade), and (3) the back-run. The general idea is to buy an asset at a lower price (the front-run) and then profit from selling it at a higher price (the back-run).
In this case, the price of DAI against Ethereum rose due to two purchase transactions: the sandwicher’s transaction (the front-run) and then the sandwiched transaction itself. To execute this sandwich, the bot first traded 850 Ethereum for 2,273,029 DAI on Uniswap (the front-run). This trade was large enough to affect the Ethereum/DAI exchange rate to such an extent that 0x61 ‘lost’ $46,083.7 Finally, the bot traded 2,273,029 DAI for 868 Ethereum, ending with 18 Ethereum (worth over $56,000) more than they started with.”
The order of transactions in a block is decided by the validator. On Ethereum, a new “slot” opens every 12 seconds and a randomly chosen validator is given the power to propose a block. The Ethereum protocol constrains the validator only as to the maximum amount of content (measured by computational complexity) that can be included in a block. There is no minimum (a block can contain, e.g., one transaction), and no requirements as to which pending transactions are to be included and in what order.
Let’s distinguish two transaction-ordering scenarios. Transaction X could be executed earlier than Transaction Y, because Transaction X is included in an earlier block than Y. In this case, X and Y are executed at different clock times (at least 12 seconds apart, assuming that Blocks 1 and 2 are consecutive).
Note, however, that there is also an order of execution of transactions within a block. Hence, in Block 3, X could also be executed before Y because X is listed in an earlier position than Y within the same block.
Given this freedom in block building, validators can profit (extract MEV), for example, by constructing sandwiches or performing liquidations or arbitrage (see Section III below for a discussion of which of those strategies are considered desirable or undesirable). Validators can also accept payments for ordering blocks in a specific way from specialized operators (the “searchers”) who are proficient in identifying MEV-extraction opportunities.
In this simple model, the validator has three potential sources for transactions to include in a block: “(1) their own transactions, (2) transactions delivered to them privately, or (3) transactions from the mempool, which is a public collection of pending transactions broadcasted to the Ethereum network.”
The simple model of MEV extraction—involving only searchers and miners (validators)—was prevalent on Ethereum until the widespread adoption of the Flashbots “relay,” initially introduced in November 2020. The service provided by Flashbots changed fundamentally with Ethereum’s move from “proof of work” to “proof of stake” (“the Merge”) on Sept. 15, 2022. Here, I will cover only the current version, which introduced Proposer-Builder Separation (“PBS”) to Ethereum.
Under PBS, as currently implemented on Ethereum, the role of a validator is split into two parts: block building and block proposing. Acting as a mere proposer, a validator adopts a block entirely constructed by a specialist block builder, thus relinquishing control over the contents of a block. Typically, validators do not connect directly to block builders, but to relays, which in turn collect candidate blocks from block builders and choose the best one. Hence, the MEV-extraction ecosystem currently includes: searchers, block builders, relays, and validators.
Given that PBS is optional for validators, they remain free to control the contents of a block (and thus extract MEV on their own). However, a validator that does so forgoes the benefits of outsourcing control to block builders, who are likely better at identifying MEV-extraction opportunities.
Block builders have the same three sources of transactions as validators did before the Merge:
Notably, in addition to accepting individual transactions submitted by searchers, block builders like the one operated by Flashbots also accept “bundles” of transactions. Through this process, the block builder ensures “that all transactions in a bundle are executed in the set order or none of them are executed. This makes MEV-extraction strategies like sandwiches easier and less risky than going through the public route. A searcher may notice a publicly broadcasted transaction including a potentially sandwichable trade and then bundle that transaction with the searcher’s own front-run and back-run, and submit the whole bundle of three transactions to a block builder (e.g., Flashbots). Note that this involves the searcher taking (copying) a transaction submitted by someone else and then re-submitting it as a part of the searcher’s bundle.”
They can include pending transactions broadcasted publicly in the Ethereum peer-to-peer network (“mempool” transactions).
Figure 1: Schematic Illustration of the Current MEV-Extraction Pipeline
Source: Flashbots, What Is MEV-Boost?
The final piece of the puzzle needed to ground the following discussion is to explain how Ethereum transactions are broadcast from a user to the network. Normally, a user submits a transaction with the use of “wallet” software, such MetaMask. The key issue is to whom a user submit their transaction. As I note later, if—as is typical—the user submits their transaction only to one operator, this puts the operator in a privileged position, enabling them to treat user transactions as a kind of “private order flow,” potentially for the purposes of MEV extraction. Note that nothing about how Ethereum works guarantees that a transaction submitted by a user will be public information while pending.
The services where users submit transactions through wallet software are known as “RPC endpoints.” An RPC endpoint responds to a set of instructions, to which nodes of the Ethereum network also respond. It does not, however, have to perform the functions usually associated with a network node, particularly re-broadcasting (forwarding) the transaction to other nodes. An RPC endpoint operator faces a choice among (1) doing nothing (in a sense, censoring the transaction); (2) re-broadcasting the pending transaction in a way that makes it public; or (3) keeping it private and forwarding it directly to some block-builders or validators. In fact, the third choice is the advertised way in which some privacy RPCs operate (e.g., Flashbots Protect). The primary reason that privacy RPCs were developed was to offer users protection against unwanted kinds of MEV extraction.
As in many other aspects of blockchain, discussions of MEV are rife with ill-considered or emotionally charged language borrowed from other contexts, such as “harm,” “attack,” “victim,” and “theft.” Descriptions of MEV in terms of “harm” and “victimhood” are based on the question-begging assumption that the “victim” has been deprived of something that was rightfully hers. Whether that is the case is likely to be a more complicated question, because MEV extraction rarely involves depriving someone of a good they already possess. Instead, it tends to involve some actor achieving smaller economic gains than they might have in a counterfactual scenario in which MEV had not been extracted. Moreover, some kinds of MEV extraction—like so-called “generalized front-running”—may be analogous to hunters chasing a prey. The law does not necessarily reward an unsuccessful hunter, irrespective of the effort they put in or their claim to being the first to spot an opportunity.
This is important context to consider when evaluating statistics like EigenPhi’s estimate that there were $54.37 billion of sandwich attacks in the first half of 2022, which caused traders to “lose” $87.7 million, or the Bank of International Settlements’ estimate that there has been between $550 and $650 million of total MEV since 2020. The statistics suggest that MEV extraction is a relatively significant phenomenon that adversely affects (at least, compared to a non-MEV counterfactual) some market participants in some transactions. But they do not, on their own, show that those adverse effects are a policy problem.
Rather than attempt to resolve the question definitively of whether there are any kinds of MEV extraction might potentially pose a policy problem, I instead propose a framework to think about the issue. To begin, I will summarize previous attempts to classify various kinds of MEV extraction into “good” and “bad” categories, ultimately finding that a binary classification is unhelpful, especially from a policy perspective. I then consider a more sophisticated framework to think about different types of MEV (“Mafia, Moloch, and Monarch”). With that, I turn to a discussion of effects of MEV extraction on individual and social welfare. I suggest that social-welfare considerations—especially market efficiency—should be pivotal in policy analysis of phenomena like MEV extraction.
A first step to understand MEV is to consider the various value-extraction strategies that blockchain validators are in a privileged position to execute or control. In addition to sandwiching (discussed in Section II), the paradigmatic cases include: arbitrage, liquidations, generalized front-running, and specialized front-running (e.g., mints of nonfungible-tokens, or NFTs). Sandwiching and most of other front-running are often labelled “toxic MEV,” because the transaction that is front-run either executes at worse conditions than otherwise (e.g., a worse trade price) or fails to execute (e.g., because the front-running transactions scoops a limited opportunity, like minting an NFT). Though this is often-overlooked, strategies that only involve back-running—i.e., placing a transaction after some target transaction—also may execute in worse conditions. This could happen when the would-be MEV extractors can delay the transaction’s inclusion until the moment when it will create the best profit-making opportunity.
“Nontoxic MEV” is said to include arbitrage and liquidations. Arbitrage refers to “the process of simultaneously selling and buying assets in different markets in order to profit from the market price differences.” As Kaihua Qin et al. note, it “helps to promote market efficiency and is typically considered benign.” Liquidations occur in on-chain lending applications and involve purchasing collateral that secures a loan where the value of the collateral has fallen below the set-safe level for the loan. Anyone could repay the “bad” debt, while being rewarded with the ability to purchase the collateral at a discount. Arbitrages help to keep prices aligned across decentralized markets, while liquidations help to secure lending systems from being stuck with bad debt. Those competitive strategies constitute MEV because there is value in being able to control who has the opportunity to benefit from a given arbitrage or liquidation opportunity, which requires the ability to control the ordering of transactions within a block.
The distinction between toxic and nontoxic MEV is grounded solely in the effect of MEV extraction on the directly affected transaction. Arguably, this makes “toxic” and “nontoxic” unhelpful designations, because the terms presuppose that the phenomenon is on-balance bad. But as I note in the discussion below of market efficiency, even if a user “loses” on a single transaction, she may still derive indirect benefits from the existence of MEV extraction that outweigh those losses. On the other hand, even arbitrages or liquidations that don’t qualify as “toxic”—because they don’t adversely affect any single transaction—may still have significant negative effects on the market as a whole (e.g., spam and network clogging where MEV searchers must resort to priority gas auctions).
Among the undesirable MEV-extraction strategies that do not need to adversely affect any specific transactions is “oracle manipulation,” the only market strategy discussed here that has, thus far, resulted in a government-enforcement action. Oracle manipulation can take different forms, but it generally involves manipulation of a benchmark mechanism (an “oracle”) on which some on-chain application (smart contract) relies. Given that on-chain applications like lending systems and decentralized exchanges typically do not have robust internal price-discovery mechanisms, they rely on external sources of information about asset prices to provide a positive user experience (users expect asset prices to be similar across different applications and markets) and to prevent manipulation. It is often publicly known upon which external sources an on-chain application relies and how a specific price change reported by a source would affect the application. Hence, it may sometimes be profitable to affect the price on a market that serves as an external benchmark: e.g., to lower that price, in order to cause a liquidation opportunity on some lending application, which relies on the price from that reference market (“liquidation attack”).
Oracles can report prices from other on-chain applications, but they can also report prices from outside the blockchain, e.g., from a centralized exchange like Coinbase or Binance. This means that oracle manipulation can be done either fully on-chain or in a mixed on-/off-chain strategy, where someone attempts to affect off-chain prices—e.g., on Coinbase—to profit from the effect this will have on some on-chain application. Strictly speaking, the off-chain stage of a mixed oracle-manipulation strategy does not constitute MEV extraction, but its on-chain element may. The Mango Markets oracle-manipulation strategy deployed by Avi Eisenberg, which resulted in his prosecution by the U.S. government, reportedly involved a successful attempt to raise prices both on off-chain (FTX) and on-chain (Raydium) markets.
Both fully on-chain and mixed on-/off-chain versions of oracle manipulation may involve MEV, because an agent who succeeds in affecting the price in a reference market may create at least one profit opportunity (e.g., arbitrage, liquidation) that is publicly visible and that, in principle, anyone could realize. The challenge is to be the first. Thus, attempting the first stage of this strategy, which is likely to be costly, is only rational if the agent is confident that they will be the one to profit from the second stage. A guarantee that one will be able to realize such an opportunity is likely to come from controlling the contents of a block. One of the beneficial effects of the competition among sophisticated actors for liquidation opportunities is that actors who are not colluding with the would-be manipulator may spot the liquidation opportunity and be able to out-bid them. Because they did not incur the cost of the first stage of the strategy (affecting the price on the reference market), they may be well-positioned to offer a higher fee to the validator (proposer). This risk to would-be manipulators makes this kind of oracle manipulation less likely to be profitable. Similarly, arbitrage strategies can help to counteract “undercollateralized loan attack” oracle manipulations.
If an oracle-manipulation strategy is executed as a multi-block MEV extraction, however, the standard MEV-extraction strategies (liquidations, arbitrage) may not help to prevent the manipulation. If an agent controls two consecutive Ethereum blocks (e.g., because they are selected as the proposer for those two blocks), then they would be able to execute an oracle attack in a virtually riskless way, as demonstrated by Torgin Mackinga et al. To be randomly selected as a proposer of two consecutive blocks once a month may currently require running around 1,250 validators—i.e., staking 40,000 ETH (over $53 million). This capital would not necessarily be lost, however, as an oracle manipulation would not breach Ethereum consensus rules.
Flashbots researcher Xinyuan Sun has proposed a different classification of MEV, attempting to place what had been previously understood as MEV in a broader framework of extractable value. He distinguished three types of extractable value:
As examples of Mafia EV, Sun provided sandwiching and generalized front-running, which may appear to be extractable due to Monarch EV—i.e., due to control of block space. But in my reading, the value of the distinction lies in the fact that, if asymmetric informational sophistication (Mafia EV) is reduced, then sandwiching may also be reduced. In other words, the true source of sandwiching is not control of block space (Monarch), but in the lack of privacy about user intentions and in asymmetries of sophistication in acting on information about user intentions (Mafia).
Moloch EV stems from inefficient coordination methods like “first come, first served” or random ordering of transactions. Time-based ordering may, at first glance, appear to be fair, in that it puts users (market participants) on equal footing. This equality may be illusory, however, because time ordering can create incentives for an arms race in speed, similar to the techniques used by high-frequency traders in traditional finance. Participating in this arms race requires skill and resources, undermining the understanding of fairness as equality of access. In turn, random ordering creates incentives for spamming (submitting many transactions, hoping that some will be executed at the right position to realize some profit opportunity), which also requires skill and resources to execute effectively. To reduce Moloch EV, Sun recommends explicit auction mechanisms to allow aggregating user preferences efficiently.
Sun advocates reducing the amount of value extractable from asymmetric informational sophistication (Mafia) and inefficient coordination (Moloch), but stresses that this will leave us with value that is extractable solely due to control over block space (Monarch). Given that the most profitable kinds of MEV extraction today—e.g., sandwiching—depend on a lack of privacy, the “[Mafia] 0%, [Moloch] 0%, [Monarch] 100%” scenario would mean less value extracted, and possibly much less, but not zero. Like some others, Sun advocates distributing the remaining Monarch EV in ways that maximize social welfare, instead of distributing value associated with a transaction to the user who submitted that transaction.
Not every subjectively perceived harm is relevant to public policy, nor does every harm qualify as the kind of harm with which the law should be concerned. The law rightly protects only some interests. If the market price of an asset you have purchased depreciates, you may consider yourself harmed. But only under certain special conditions should the law respond (e.g., if you were defrauded). The law rightly protects only selected interests. You don’t have a legally protected interest in making as much money as possible on any given trade, but you do have a legally protected interest in avoiding fraud or prohibited market manipulation. I discuss the difficulties in applying legal concepts like fraud and theft to MEV extraction in Section IV.
A policy response will be most straightforwardly justifiable when harm to individual welfare is significantly unfair. Unfairness in trading could arise, e.g., due to asymmetries of information or of market power, although most would agree that superior skill and luck in a trade do not render a trade unfair. Notably, only some information asymmetries are considered legally relevant, as in the case of trading on material nonpublic information (insider trading).
In our discussion of sandwiching under U.S. commodities law, Sarch and I considered the argument that sandwiching is not unfair, because the sandwiched traders expressly consent to their transaction being executed at the price they obtain while being sandwiched (similar to a limit order on a book exchange). We noted a possible rejoinder that traders may sometimes become, e.g., “forced” sellers during a time of heightened market volatility in that they must set wide limits for their transaction (i.e., slippage tolerance). But traditional securities exchanges also experience periods of heightened volatility, which are not seen as negating the consensual nature of trading. Volatility could be either a sign of or an instrument in market manipulation, but that conclusion requires more evidence.
We concluded our discussion on this point by noting that, as on traditional exchanges, the key issue is whether abnormal and “manipulative” market activity occurred. Issues like express consent to the conditions of the trade or the existence of market volatility (and who induced it) may be factors in assessing whether there has been manipulation, but they are not necessarily dispositive in that assessment.
My purpose in referencing the above discussion of trader consent was to illustrate some of the difficulties in reasoning about unfairness. Due to those difficulties, it may be that the best approach to legal prohibitions of market activities is to focus not on unfairness, as such, but on harms to market efficiency. Gina-Gail Fletcher suggested that “claims for open-market manipulation based on” “transactions between anonymous counterparties on public exchanges” “should be limited to claims based on harm to market efficiency.” In other words, in Fletcher’s view and for reasons discussed in her work, if a market strategy—in this case, various kinds of MEV extraction—does not harm market efficiency (and might possibly even increase it), it should not be deemed impermissible market manipulation. It is possible, however, that some jurisdictions will approach this issue differently, deriving rules from other moral precepts regarding market orderliness (integrity) or the protection of settled expectations about how trades are to be executed, even where there is no evidence of harm to market efficiency.
Setting aside purely legal questions, it may be a policy problem that there is a widespread perception of unfairness of some practice or that the practice jeopardizes “market integrity,” even if that practice does not otherwise harm market efficiency. Perceptions of market integrity may, however, also push in the opposite direction, particularly with respect to concerns that are at least partially alleviated by some kinds of MEV extraction. Examples might include the accrual of bad debt (which can be addressed by liquidations) or widely varying prices across decentralized-finance (DeFi) markets (which can be addressed by arbitrage).
I suggest that, rather than attempting to enforce existing legal prohibitions against some MEV extraction practices or imposing new prohibitions, the optimal policy response to perceptions of unfairness connected with MEV extraction may be to create incentives for—and otherwise facilitate—market solutions to the perceived problem. I discuss such alternative solutions in Section V.
I cannot answer here the question of what net effect any particular kind of MEV extraction has on market efficiency, or on social welfare more broadly. Doing so would require significantly more research on the economics of MEV extraction than has been conducted to date. Given the differences between decentralized crypto-assets markets and traditional finance, it cannot be assumed that empirical findings about the latter can be applied to the former. From a policy perspective, this research gap should prompt caution in resorting to “hard” measures like enforcement or rulemaking on MEV extraction. In what follows, I outline some of the considerations that will likely need to be developed to address the question of how to estimate the net social-welfare effects of MEV extraction. This is not meant as a comprehensive survey, but rather an illustration of how the relevant issues differ significantly from traditional finance.
In traditional finance, market efficiency is typically analyzed with reference to factors like price accuracy, degree of market liquidity, and efficient allocation of resources or risk. However, maximizing all of those factors is likely impossible and would, in any case, not achieve maximal market efficiency, as some goals may conflict. For example, insider trading may improve price accuracy, but negatively affect market liquidity (traders without inside information will trade less if they expect to trade against insiders).
Since the basic “plumbing” of decentralized crypto markets is different from traditional markets, concerns about market efficiency may also differ significantly. Decentralized exchanges (DEX) on Ethereum, such as Uniswap V3, are code that runs directly on the blockchain. The existence and security of the market is tied to the existence and security of the blockchain. Thus, arguably, market efficiency for DEX-es is more closely connected to the overall health of the underlying blockchain than in traditional finance—where, e.g., the existence and security of a stock exchange can more often be abstracted from (taken as a given) when assessing the net market effects of some trading strategy.
Moreover, the scope of the “market” in a policy analysis of MEV extraction should arguably be broader than an analogy with traditional finance would suggest. MEV extraction is not limited to DeFi, where “finance” is understood as exchanging assets or lending them. For example, some very valuable MEV also arises in the context of NFT minting and sales. All products or services that are offered through on-chain mechanisms—many of which are not yet invented—potentially give rise to MEV. This also counts in favor of including effects on the overall functioning of a blockchain in the scope of market-efficiency analysis.
MEV-extraction strategies may have complex and positive effects on various aspects of on-chain markets. The mechanisms of those positive effects may be specific to blockchains, in which case, intuitions and analogies from traditional finance may be of limited help. For example, Kulkarni, Diamandis, & Chitra recently suggested that “while individual trades that are sandwiched undoubtedly receive worse prices, sandwiches can cause more effective routing patterns as some flow avoids sandwiches edges.” This result was found through theoretical analysis (algorithmic game theory); we would therefore need additional empirical research to know how significant such positive effect is for overall market efficiency. If effects like this are relatively significant, however, then it is possible that at least some kinds of MEV extraction are net-beneficial for market efficiency. It could also be the case that the welfare of an individual trader who is made worse off by MEV extraction in some specific trades is not worse off on balance, because she also benefits from positive effects of MEV (this also applies to the security-budget consideration raised below).
The key issue for the security of a blockchain like Ethereum is whether there is sufficient incentive for independent good-faith validators (with enough ETH being “staked” to provide economic security) as to ensure “liveness” (i.e., that the blockchain will not stop operating) and to make an attack on the blockchain too expensive to be worth attempting. Some have argued that allowing Ethereum validators to profit from MEV extraction may be helpful in providing this incentive, because standard validator rewards are insufficient. Even if the standard rewards are sufficient relative to current threats, those threats could increase and require a significant increase in Ethereum’s “security budget” (the amount of ETH staked) to defend against such a risk. Moreover, staking—i.e., contributing to the security budget—competes with other capital uses, such as on-chain lending. The relative attractiveness of those alternatives reduces the incentives to engage in staking. Theoretically, the security budget could be increased by increasing standard validator rewards, but malicious validators (would-be attackers) would also benefit both from that and from a potential attack.
Raising the standard validator rewards would also effectively constitute an additional tax on Ethereum users. Such a tax would also likely be at a nonoptimal rate, given that it would have to be sufficiently large to respond to unpredictable and dynamic risks without being pegged to the level of those risks. In contrast, MEV is correlated with at least some risks (like the profitability of on-chain lending). Proposed solutions include the redistribution of extracted MEV across validators. Note that the argument about the contribution of MEV extraction to Ethereum’s security budget is controversial. It could be that staking is, and will continue to be, sufficiently profitable even without significant profits from MEV extraction, especially with new mechanisms like restaking.
Moreover, for some effects on market efficiency, how MEV is extracted may be more important than what type of MEV extraction (sandwiching, liquidations, arbitrage back-running, etc.) it is. Early MEV extraction on Ethereum (see the “simple model” in Section II.A) had negative externalities on Ethereum users, because it resulted in spamming the network with large numbers of transactions, thereby raising transaction costs and causing delays. This was remedied by the old Flashbots relay, which has since been replaced by the mechanism described in Section II.B (which also remedies the problem). The relay introduced an auction mechanism, allowing MEV searchers to express their preferences for inclusion of their transactions (or bundles) at the beginning of a block.
Some negative effects of MEV extraction on the broader market are more difficult, though not necessarily impossible, to remove. Given that the security model of a public permissionless blockchain like Ethereum depends on decentralization, it is concerning that MEV extraction currently provides incentives for centralization. Decentralization can be understood in this context as dispersing control over key aspects of the network (especially over which transactions are included on the blockchain) among so many independent actors as to make collusion too costly. The key reasons why MEV extraction encourages centralization are that extracting MEV may require special skills and infrastructure, as well as that some MEV can be captured if an actor (or a group) controls several consecutive blocks. Currently implemented technology (in particular, MEV-Boost) tends to move the nexus of centralization from validators to block builders and relays, without significantly reducing overall centralization. Other solutions to reduce the centralizing effects of MEV extraction are in development (e.g., “the Scourge,” Flashbots SUAVE).
It is not this paper’s purpose to provide detailed legal analysis, but an overview of some of the key legal issues is needed to understand the policy landscape surrounding MEV extraction. The legal issues I will mention here fall into two broad categories: relatively straightforward charges (like theft and simple fraud) and infractions that are much more difficult to assess, due to our limited understanding of the net effects of MEV extraction (market-manipulation prohibitions). In both cases, it may be difficult to apply existing legal frameworks to MEV extraction, either because those frameworks clearly don’t apply or because it would require showing that the MEV-extraction practice in question is harmful in a relevant way.
As Sarch and I noted, MEV extraction may involve fraud, e.g., if someone (like a block builder) extracts MEV from their users despite promising them that they will not. Although this is not currently common, MEV extraction could also relate to (attempted) theft or criminal hacking—e.g., due to generalized front-running of a transaction with the intent to exploit a vulnerability in a smart contract. In the latter case, the important question is whether and at what point the MEV operator who unintentionally (but perhaps negligently) copies an exploiting transaction becomes liable civilly or criminally. Similar questions could arise if some or many of the especially profitable MEV-extraction opportunities arise due to someone else’s criminal actions (e.g., hacks, ransom/blackmail), but I am not aware of evidence that this is the case.
However interesting such cases of fraud or theft are, it is important to note that they are not currently common or relatively significant. Despite references to, e.g., sandwiches as “theft” or “fraud,” neither theft, nor (simple) fraud, apply to the most significant kinds of MEV extraction, without some additional circumstances like the ones mentioned here.
Simple fraud would not normally apply where MEV extractors have not promised anyone that they will not engage in MEV extraction. There may be differences among jurisdictions but, e.g., the 2nd U.S. Circuit Court of Appeals recently emphasized in a LIBOR-manipulation case that, for a finding of wire fraud, it is not sufficient that the defendants’ actions “may have violated any reasonable notion of fairness.” The prosecution has to prove “false, fraudulent, or misleading” representations. Similarly, in English law under the Fraud Act 2006, fraud requires not just “dishonesty,” but also a false representation, a failure to disclose information (where there is a duty to disclose), or an abuse of position (in which the defendant was, at the least, expected not to act against the financial interests of another).
The reason that theft does not usually apply is that “victims” of strategies like sandwiching do not typically lose something they already own. We can speak of a “loss” in such circumstances only by comparing the actual execution of a transaction with a counterfactual. Strictly speaking, we are dealing with a kind of “loss of opportunity.”
Fraud and potentially some other kinds of civil and criminal liability could arise if, by extracting MEV, someone breaches a legal duty they have toward a user, due to some special legal relationship between the extractor and the user. This may appear unlikely, given the absence of direct service relationships between Ethereum users and various other participants of the Ethereum network. Ethereum, after all, consists of a distributed network of actors (e.g., node operators, validators) who do not have privileged access to users or to information about users. But this view is overly simplistic. There are, in fact, at least three groups of actors who provide services directly to Ethereum users in ways that offer them privileged access to information or to control over user transactions:
All three groups may be in a privileged position to extract MEV from their users’ transactions through their ability to analyze the trading intent associated with a pending transaction, either earlier than other MEV extractors or based on better information (e.g., by knowing the user’s blockchain queries that did not yet result in submitted transactions). Moreover, those in group (1) may be able to treat user transactions as “private order flow” and either delay rebroadcasting transactions publicly or forgo public rebroadcasting altogether (see below), potentially selling exclusive access to information about those transactions in a kind of “payment for order flow” (PFOF) arrangement.
In traditional finance, PFOF refers to a payment that an “internalizer” makes to a broker in exchange for the broker routing her retail clients’ orders to the internalizer, who can then execute trades against those orders. A “DeFi PFOF internalizer” can extract MEV from transactions in a various ways, not only in the context of asset swaps (trades), but also, e.g., in other uses of smart contracts, like NFT mints. Unlike in traditional PFOF, it is relatively rare for an MEV extractor to be a counterparty in a trade from which she is extracting MEV (although this arguably happens in just-in-time liquidity provision), due to the use of automated market makers in DeFi.
Sarch and I discussed the mechanism by which pending Ethereum transactions are propagated and under what circumstances pending transactions can be considered public:
When a user submits a transaction to an Ethereum node, this node is in a privileged position and is dealing with non-public information until the moment that node re-broadcasts the transaction to other nodes in Ethereum’s peer-to-peer network. Delaying the rebroadcasting by seconds (or even by fractions of a second) may give the first node a significant advantage. For example, it may allow the node to assess (by performing a simulation) whether the transaction presents a profitable MEV extraction opportunity and – if it does – to submit the node’s own transactions aiming to take advantage of the opportunity. All of that could happen before the transaction becomes public in a meaningful sense. Such action may resemble “front-running” as this term is understood outside of the crypto markets. The scenario where only one node possesses non-public information could be further complicated by the theoretical possibility of a cartel of nodes that share information about pending transactions among each other but either (1) do not re-broadcast transactions presenting MEV extraction opportunities to the broader network at all (e.g., using relays instead), or (2) re-broadcast to the broader network only after a sufficient delay. 
We proposed defining the publicness of pending transactions in the following way:
… a transaction is public when an actor who did not receive the transaction directly from a user who submitted the transaction, can access it in an unencrypted state without too much delay and without special arrangements with the node that originally received the transaction.
Even if the kind of MEV extraction in question does not, on balance, negatively affect market efficiency (see Section III), cases of privileged access to information about pending transactions or of exclusive control over pending transactions may require additional analysis. Some of the insights developed regarding informed (including “insider”) trading and PFOF in traditional finance may be applicable here. For example, it could be the case that service providers would be able to provide a better user experience (lower cost of trading) due to an exclusive opportunity to extract MEV from the user’s transactions. This is what services like Rook and OpenMEV promise to Ethereum users. Selling access to information about user transactions or blockchain queries may also provide revenue for wallet software or front-end developers of smart contracts, thus allowing them to operate without needing other sources of revenue.
Even if such arrangements may be beneficial for users, however, there is no guarantee that this will be the case in any individual case. Moreover, it could be that the service provider in question is under a duty to obtain express user consent for such uses of their data (e.g., under privacy laws) and they fail to do so. It could also be that the terms of the contract between the user and the service provider don’t allow for using user data for MEV extraction. Finally, even in the absence of explicit contractual terms, in some cases, the nature of the relationship between the user and the service provider may give rise to fiduciary duties, or to duties under consumer-protection legislation, toward the user.
If service providers of any of the groups (1)-(3) do indeed have fiduciary duties toward their users, this would bring them closer to the situation of financial professionals, like investment advisors, brokers, and dealers. Note that a broker’s “duty of best execution” originally emerged from the common law of agency, not from legislated financial regulation. The same is true of the related duty not to “front-run” clients’ orders. Whether any fiduciary duties apply to our groups (1)-(3) requires further analysis. One reason for skepticism is that it is not obvious whether anyone in (1)-(3) acts to bind the principal (the user) with obligations created with third parties.
It is not only end users who may potentially be harmed in analogous ways by various service providers. Currently, block builders submit their draft blocks to relays, which can use the information provided by a block builder without rewarding them (e.g., to copy a complex arbitrage transaction and include it in a block built and forwarded to proposers by the relay operator). Reputational mechanisms are important in alleviating such risks, but their existence may not be sufficient to exclude the possibility of liability for a relay operator, stemming from breaches of duties grounded in the direct service relationship between a block builder and the relay.
Whether anti-market-manipulation rules apply to any MEV-extraction strategies should depend on whether those strategies harm market efficiency. Because we don’t know the net effect of any MEV-extraction strategy on the market, enforcement of anti-market-manipulation rules should be based on robust and comprehensive empirical research. I adopt this view, following scholars like Fletcher, because the alternative could easily lead to prosecution of market activities with greater positive externalities than negative effects. It is important, however, to note that some jurisdictions may take a different approach in practice.
U.S. anti-market-manipulation rules—like CFTC Rules 180.1 and 180.2, which Sarch and I discuss in the MEV context—employ general phrases like “manipulative device, scheme, or artifice to defraud.” The same is true in the EU, where the Market Abuse Regulation prohibits, e.g., the use of “a fictitious device or any other form of deception or contrivance,” as well as giving “false or misleading signals as to the supply” or demand.
Given such vague terminology, it may be tempting for law enforcement or regulators to act relying on superficial descriptions like “toxic MEV” or on some unfortunate word choices in the MEV-extraction ecosystem, like “bribes” that searchers offer to block producers. Doing so would likely apply what Sarch and I call “a moralized conception of market fairness,” built on experiences from traditional finance, which may seem analogous but may not be. Sarch and I note that a case that may seem particularly problematic is sandwiching with the use of bundles (by sending a bundle, e.g., to a block builder):
… in this scenario, the sandwicher, in a sense, “appropriates” another’s trade. They do so by copying the publicly available data of a pending transaction and bundling it with their own front- and back-running transactions. The sandwicher pays a “bribe” for their bundle to be included with all three (or more) transactions precisely in the order set by the sandwicher. This could be seen as an express instruction to order transactions in a way that adversely affects another trader.
Given that we don’t know the net effect of any MEV extraction on the market (see Section III), such enforcement actions would likely either disregard the issue of effect, or rely on an incomplete picture of effect (likely just the effect on the transaction directly affected by MEV extraction).
Government agencies like the U.S. Securities and Exchange Commission also sometimes rely primarily on a defendant’s alleged intent to manipulate markets. Fletcher criticized this intent-centric approach as under- and over-inclusive, and as ignoring the key question of harm to the market. But I believe there is an even more fundamental problem with relying on intent to manipulate in the case of MEV extraction. The problem is that we don’t know whether any MEV-extraction strategies do manipulate the market. It hasn’t yet been established what constitutes “normal” behavior on a decentralized crypto market. Arguably, such determination should consider all positive and negative external effects on the underlying blockchain network of various trading strategies and mechanisms. Relying on intent to do some bad thing is only meaningful if we are certain that the thing is indeed bad. Consider the following analogy: it would be difficult to justify criminalizing intending to form a cartel if there were no reliable evidence that cartels are, on balance, harmful to social welfare.
A similar concern arises with respect to the “manipulation-as-fraud” theory that Sarch and I discussed. Under this theory, “when a person engages in manipulative trading practices in the markets and does not let others know of his manipulative acts, the fraud derives from the failure to inform the other market participants, who are entitled to rely on their belief that the market is free of such improper behavior.” If it cannot be shown that the practices in questions are manipulative, then a “failure to inform” should not matter.
Relying on a failure to inform may face another hurdle, as Sarch and I noted. The MEV-extraction phenomenon appears to be well-known among DeFi users. It is at least arguable that most, if not virtually all, traders who are negatively affected by strategies like sandwiching are aware of the risk. Whether this impression is correct, however, may require further study.
I do not mean to suggest that no MEV extraction involves market manipulation. In fact, it is very likely that some or even virtually all cases of oracle manipulation or of the so-far theoretical time-bandit attacks would constitute illegal market manipulation. The already-mentioned CFTC action against Avi Eisenberg in connection with the Mango Markets oracle manipulation presents a strong case for liability. Eisenberg was involved in an “undercollateralized loan attack,” meaning that he manipulated the benchmark prices of collateral that he used to take out a loan, which he did not intend to repay. Several features of Eisenberg’s strategy—like the fact that it included a wash trade and that he took out a loan that he did not intend to repay—distinguish it from other market strategies discussed here, where the argument that they involve open-market trading in good faith is much stronger.
Difficult questions about whom, exactly, could be held liable may arise and policy considerations about the negative externalities of some enforcement actions—e.g., against validators who did not instigate but may have indirectly profited from a given manipulation—should be properly weighed (see Section V). It is advisable to prioritize prosecutions with evidence of both market harm and intent to manipulate, as appears to be the case in the CFTC’s enforcement action in the Eisenberg/Mango Markets case.
Despite the concerns discussed above, it is likely that MEV extraction will soon attract regulatory attention, focused not only on clear simple fraud, but also on market manipulation. Hopefully, this will be accompanied by robust research, answering the question of net social (market) effect in a way that is appropriate to decentralized blockchain networks (i.e., considering issues like blockchain security). There is also a risk, however, that no such research will be undertaken, and officials will be inclined to approach the perceived problems by relying solely on analogies with traditional finance. Some forms of enforcement or other regulatory interventions may have relatively little effect on the broader Ethereum ecosystem, but some may have significant negative externalities (see Section V).
One of the key conclusions from the preceding discussion is that we don’t currently know the net social-welfare effect of any kind of MEV extraction, even if we limit the social-welfare analysis to market efficiency. This is a strong reason for government officials to exercise caution before attempting to address perceived problems with MEV extraction, either through legislation or enforcement of existing rules. Naturally, this only applies to concerns based on harm to market efficiency, as is arguably the case with, e.g., anti?market-manipulation rules. It does not apply in case of fraud or other legal liability not defined by reference to harm to market efficiency.
Even if some MEV extraction is both harmful to individual market participants and reduces social welfare, it may still be the case that some legal and regulatory responses could be misplaced. A legal response could, for instance, reduce social welfare even more than the harm that it is meant to remedy. Legal and regulatory failures are arguably common, although it is usually hard to find consensus as to what things count as such (e.g., modern airport security).
Therefore, it is important to perform rigorous cost-benefit analysis of regulatory interventions, especially where they are meant to be applied in new technological and organizational contexts like decentralized crypto markets. For example, dealer-broker licensing may be a sensible measure in its current context (in “traditional” finance), but similar licensing—e.g., for block builders or relay operators—could be problematic. At the risk of sounding hyperbolic, a country that adopts such measures could be giving up on the benefits of decentralized and permissionless public blockchains like Ethereum. To the extent that that risk exists, the benefits of intervention should be measured against the social benefits that would be lost.
Not every state intervention is likely to have such serious systemic effects. For example, prosecution of some individual MEV extractors may push such activity to other jurisdictions and thus give a competitive advantage to those not located in the prosecuting jurisdiction. But if only independent MEV searchers are prosecuted, not base-layer operators like validators, then it might be that the risk of reducing geographic decentralization of the Ethereum network will not be overly significant.
Moreover, depending on what kinds of MEV extraction is deemed illegal, it may be possible for Ethereum to prioritize protocol development in directions that would reduce opportunities for such behavior. If no one can extract value this way, then there would be no benefit to fleeing to jurisdictions where it is legal. This point is worth stressing. Regulation and regulatory enforcement in the realm of public blockchains faces the problem of regulatory arbitrage: operators being able to choose the most favorable jurisdictions, while retaining influence on markets in other jurisdictions. This provides a strong argument for preferring and supporting technical solutions (e.g., on the level of the Ethereum protocol), which would apply globally, over national or even international legal rules, which would face the problem of regulatory arbitrage.
It is impossible to technically disable willing validators entirely from extracting at least some kinds of MEV (or, in other words, to remove all MEV). Where feasible, however, technical solutions to undesirable kinds of MEV extraction may be preferable over legal intervention. Hence, it is worth advocating for such technical work to be undertaken. For example, introducing more on-chain privacy on Ethereum could significantly reduce, if not solve, what Sun defines as “Mafia EV”—i.e., MEV that is possible because of the lack of privacy. This could be done by some form of “encrypted mempool,” ensuring that pending Ethereum transactions are not visible to MEV extractors.
Importantly, it is also worth advocating for the law not to disincentivize technical development. The latter point is important because, for example, introducing an encrypted mempool would turn Ethereum into more of a “privacy-coin.” This would come with significant social benefits, but also with the risk of a conflict with some approaches to enforcing anti-money-laundering (AML) rules or economic-sanctions regimes.
As I argued in a submission to the U.S. Treasury Department, AML and sanctions compliance is likely to be more effective and more proportionate if undertaken not on the level of blockchain infrastructure (the base layer), but on the application layer, i.e., services that interact primarily with end users, especially on- and off-ramp services (services that intermediate between crypto assets and the rest of the financial system). User privacy can be preserved in a blockchain network when AML and sanctions compliance is facilitated by tools like selective disclosure at the point where users exchange crypto-assets or non-crypto-assets (like fiat currencies).
 Kshitij Kulkarni, Theo Diamandis & Tarun Chitra, Towards a Theory of Maximal Extractable Value I: Constant Function Market Makers, 4 (2022), https://arxiv.org/abs/2207.11835. See also Philip Daian et al., Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges, 2 (2019), https://arxiv.org/abs/1904.05234.
 Raphael Auer et al., Miners as Intermediaries: Extractable Value and Market Manipulation in Crypto and DeFi, BIS Bulletin (2022), available at https://www.bis.org/publ/bisbull58.pdf [https://perma.cc/3R75-T9TY].
 IOSCO Decentralized Finance Report, OR01/2022, 37 (March 2022), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD699.pdf.
 Jeff Kauflin, The Secretive World of MEV, Where Bots Front-Run Crypto Investors for Big Profits, Forbes (Oct. 11, 2022), https://www.forbes.com/sites/jeffkauflin/2022/10/11/the-secretive-world-of-mev-where-crypto-bots-scalp-investors-for-big-profits.
 Auer et al., supra note 2.
 Much of this analysis also applies to other blockchains, such as, e.g., Solana or Polygon. I chose to focus on the Ethereum MEV ecosystem because it is the best-studied and already the subject of a burgeoning policy debate.
 S.5267 – Digital Asset Anti-Money Laundering Act of 2022, 117th Congress (2021-2022).
 Press release, CFTC Charges Avraham Eisenberg with Manipulative and Deceptive Scheme to Misappropriate Over $110 million from Mango Markets, a Digital Asset Exchange, Commodity Futures Trading Commission (Jan. 9, 2023), https://www.cftc.gov/PressRoom/PressReleases/8647-23.
 Flash Boy’s Gain, Everybody’s Pain: 2022 Mid-Year Report of Sandwich MEV on Ethereum, EigenPhi Research (2022), https://eigenphi.substack.com/p/flash-boys-gain-everybodys-pain
 Daian et al., supra note 1 at 16.
 Miko?aj Barczentewicz & Alex F Sarch, Shedding Light in the Dark Forest: A Theory of Liability for Cryptocurrency “MEV” Sandwich Attacks, SSRN (2022), https://ssrn.com/abstract=4187752.
 Mikolaj Barczentewicz, Law and Regulation vs MEV Extraction, Flashbots (Oct. 7, 2022), https://collective.flashbots.net/t/law-and-regulation-vs-mev-extraction/477.
 For an accessible introduction, see Sirio Aramonte, Wenqian Huang & Andreas Schrimpf, Trading in the DeFi Era: Automated Market-Maker, BIS Quarterly Review (2021), https://www.bis.org/publ/qtrpdf/r_qt2112v.htm. See also Jiahua Xu et al., SoK: Decentralized Exchanges (DEX) with Automated Market Maker (AMM) Protocols, ACM Comput. Surv. (2022), https://doi.org/10.1145/3570639.
 For a more technical explanation, see Liyi Zhou et al., High-Frequency Trading on Decentralized On-Chain Exchanges, in 2021 IEEE Symposium on Security and Privacy (SP) 428 (2021), https://ieeexplore.ieee.org/document/9519421.
 Barczentewicz & Sarch, supra note 11.
 A validator, or a group (pool) of validators, may also find themselves in control of several consecutive blocks, as illustrated, e.g., in Metrika’s research on the first weeks of proof-of-stake Ethereum; see Validators or Value-Takers?, Metrika (2022), https://blog.metrika.co/validators-or-value-takers-e71f46047437.
 Barczentewicz & Sarch, supra note 11.
 @phildaian, Twitter (Nov. 23, 2020, 8:37 AM), https://twitter.com/phildaian/status/1330868049092747267.
 Mikhail Kalinin, Danny Ryan & Vitalik Buterin, EIP-3675: Upgrade Consensus to Proof-of-Stake, Ethereum.org (2021), https://eips.ethereum.org/EIPS/eip-3675; The Merge, Ethereum.org, https://ethereum.org/en/upgrades/merge.
 Brock Smedley, Searching Post-Merge, Flashbots (Aug. 24, 2022), https://writings.flashbots.net/searching-post-merge.
 This does not mean that proposers will never have control over block contents under PBS. One currently discussed scheme, which could involve proposers requiring inclusion of at least some transactions in blocks that they do not build, is known as “crlists.” See Censorship Resistance: Crlists in Mev-Boost #215, Flashbots (Jul. 15, 2022), https://github.com/flashbots/mev-boost/issues/215; Vitalik Buterin, How Much Can We Constrain Builders Without Bringing Back Heavy Burdens to Proposers?, ETH Research (October 2022), https://ethresear.ch/t/how-much-can-we-constrain-builders-without-bringing-back-heavy-burdens-to-proposers/13808.
 The “best” block is the block that offers the highest fee while satisfying the conditions of a given relay, such as by not including transactions that interact with addresses on the Specially Designated Nationals and Blocked Persons (“SDN”) list maintained by the U.S. Treasury Department’s Office of Foreign Asset Control.
 The standard way to broadcast an Ethereum transaction is to send it to at least one “node,” which is a computer running Ethereum-execution client software, such as Go Ethereum (geth). Nodes communicate peer-to-peer, broadcasting transactions that they receive from users and other nodes. Each node keeps a “mempool,” which is a collection of all pending transactions (not yet included in the blockchain), received directly by that node or from other nodes. There is no single mempool, strictly speaking, as the contents of node mempools diverge—e.g., because it takes time for information about new transactions submitted by users to reach all the nodes. It is, however, also customary to simplify this picture and speak of “the mempool,” referring to a set of pending transactions that are publicly broadcasted and received by at least some nodes. See, generally, What Is the Mempool?, Blocknative (2020), https://www.blocknative.com/blog/mempool-intro; Sahil Sen, How to Access Ethereum Mempool, Quicknode (2022), https://www.quicknode.com/guides/defi/how-to-access-ethereum-mempool; see Id.
 Barczentewicz & Sarch, supra note 11 (citations omitted).
 What Is MEV-Boost?, Flashbots, https://docs.flashbots.net/flashbots-mev-boost/introduction.
 See also supra note 23.
 Quick Start, Flashbots, https://docs.flashbots.net/flashbots-protect/rpc/quick-start.
 EigenPhi Research, supra note 9.
 Auer et al., supra note 2.
 See, e.g., Kaihua Qin, Liyi Zhou & Arthur Gervais, Quantifying Blockchain Extractable Value: How Dark Is the Forest?, in 2022 IEEE Symposium on Security and Privacy (SP) 198 (2022); Extractable Value, Amber Group (2022), https://medium.com/amber-group/extractable-value-7b0d4356a843.
 Id. at 6.
 Id. at 2.
 Daian et al., supra note 1.
 Torgin Mackinga, Tejaswi Nadahalli, & Roger Wattenhofer, TWAP Oracle Attacks: Easier Done than Said?, in 2022 IEEE International Conference on Blockchain and Cryptocurrency (ICBC) 1 (2022).
 See supra note 9.
 Mackinga, Nadahalli, & Wattenhofer, supra note 35 at 2.
 See, e.g., Scott Chipolina, Oracle Exploit Sees $89 Million Liquidated on Compound, Decrypt (Nov. 26, 2020), https://decrypt.co/49657/oracle-exploit-sees-100-million-liquidated-on-compound; Coinbase & the Oracle, Rekt (Nov. 26, 2020), https://rekt.news/coinbase-the-oracle.
 See supra note 9.
 Khor Win Win, Insights and Implications of the Mango Squeeze, CoinGecko (Nov. 21, 2022), https://www.coingecko.com/research/publications/insights-and-implications-of-the-mango-squeeze.
 Mackinga, Nadahalli, & Wattenhofer, supra note 35 at 2.
 Id. at 6.
 Own calculation assuming a total number of 500,000 validators using the code provided by Alvaro Revuelta. See Alvaro Revuelta, Statistical Analysis on Ethereum K-Consecutive Block Proposal Probabilities and Case Study (Aug. 14, 2022), https://alrevuelta.github.io/posts/ethereum-mev-multiblock; See also supra note 16.
 Mackinga, Nadahalli, & Wattenhofer, supra note 35 at 6.
 Xinyuan Sun, This Is MEV, Devcon Bogota (Oct. 11-14, 2022) https://www.youtube.com/watch?v=8qPpiMDz_hw; see also Xinyuan Sun, PBS and Layer 2s, Science of Blockchain Conference: MEV Workshop (Sep. 1, 2022) https://www.youtube.com/watch?v=JCZDd0iCMsg.
 See, e.g., Tarun Chitra & Kshitij Kulkarni, Improving Proof of Stake Economic Security via MEV Redistribution, in Proceedings of the 2022 ACM CCS Workshop on Decentralized Finance and Security 1 (2022).
 Gina-Gail S Fletcher, Legitimate yet Manipulative: The Conundrum of Open-Market Manipulation, 68 Duke LJ 479, 493, 530 (2018).
 Barczentewicz & Sarch, supra note 11.
 For a discussion of the difficulties inherent in applying the standard of fairness, see also Merritt B Fox, Lawrence Glosten, & Gabriel Rauterberg, The new stock market: law, economics, and policy 49–55 (2019).
 Fletcher, supra note 49 at 533.
 Barczentewicz & Sarch, supra note 11 at 16. See also infra notes 84-85 and the accompanying text.
 Fletcher, supra note 49 at 492–493.
 See, e.g., Fletcher, supra note 49; Fox, Glosten, & Rauterberg, supra note 51.
 Fox, Glosten, & Rauterberg, supra note 51 at 67–75.
 Kulkarni, Diamandis, & Chitra, supra note 1 at 8.
 Cf. Fox, Glosten, & Rauterberg, supra note 51 at 52.
 The website Ultra Sound Money introduced the helpful concept of the “security ratio,” which it defines as “[t]he ratio of total value secured (TVS) to economic security. It measures attacker leverage—lower is better.” Ethereum’s TVS is currently 17.5x; https://ultrasound.money.
 Tarun Chitra, Competitive Equilibria Between Staking and On-chain Lending, 1 Cryptoeconomic Systems (2021), https://cryptoeconomicsystems.pubpub.org/pub/chitra-staking-lending-equilibria; Chitra & Kulkarni, supra note 51.
 Chitra & Kulkarni, supra note 48. See also the referenced tweets and associated discussion on the role of MEV extraction in chains without block subsidy (this does not apply directly to Ethereum, as it has a block subsidy):
@gakonst, Twitter (Feb. 26, 2021, 7:47 AM), https://twitter.com/gakonst/status/1365191821375193088; @DZack23, Twitter (Mar. 3, 2021, 8:51 PM), https://twitter.com/DZack23/status/1367201076269772802.
 Chitra, supra note 60.
 Id.; Chitra & Kulkarni, supra note 48.
 Chitra & Kulkarni, supra note 48.
 See, e.g., Westie, EigenLayer: Supercharging ETH Through Restaking, Blockworks Research (Oct. 18, 2022), https://www.blockworksresearch.com/research/eigenlayer-supercharging-eth-through-restaking.
 Amber Group, supra note 30; Simon Brown, MEV Driven Centralization in Ethereum: Part 2, Medium (Dec. 5, 2022), https://simbro.medium.com/mev-driven-centralization-in-ethereum-part-2-97e4cb612e69.
 See, e.g., Brown, supra note 66; Amber Group, supra note 30.
 @VitalikButerin, Twitter (Nov. 5, 2022, 7:09 PM), https://twitter.com/vitalikbuterin/status/1588669782471368704; see also Brown, supra note 66.
 The Future of MEV is SUAVE, Flashbots (Nov. 22, 2022), https://writings.flashbots.net/the-future-of-mev-is-suave Chris Powers, MEV’s New Chapter: Beyond Ethereum’s Borders, Dose of DeFi (Dec. 9, 2022), https://doseofdefi.substack.com/p/mevs-new-chapter-beyond-ethereums
 Barczentewicz & Sarch, supra note 11.
 Researchers Robert Miller and Yannick recently noted an interesting case of what appears to be a bot (automated software) designed specifically to front-run profitable exploits (hacks) of smart contracts, thereby executing those exploits and profiting from them; see @bertcmiller, Twitter (Jan. 12, 2023, 10:59 AM), https://twitter.com/bertcmiller/status/1613566397954621442; @YannickCrypto, Twitter (Jan. 12, 2023, 8:04 PM), https://twitter.com/YannickCrypto/status/1613341008032415749.
 United States v. Connolly, 24 F.4th 821, 843 (2d Cir. 2022).
 See, e.g., Sebastian Bürgel, DERP Example 3: Uniswap MEV, (2022), https://medium.com/hoprnet/derp-example-3-uniswap-mev-c2a8d3417c8
 Fox, Glosten, & Rauterberg, supra note 51 at 289.
 In just-in-time liquidity provision, an MEV extractor becomes—for an instant—one of the liquidity providers in the liquidity pool with which the user’s transaction swaps assets. As Sarch and I explained: “Just-in-time (“JIT”) liquidity provision may be structured as a sandwich where the sandwiched transaction is front-run by a transaction providing more liquidity to a given smart contract market (‘liquidity pool’), thus improving the price of execution for the sandwiched transaction, and then back-run by removing the liquidity added earlier and realizing profits. JIT is profitable if the liquidity provider can obtain sufficient trade fees for providing a large proportion of liquidity during the sandwiched trade.” See @bertcmiller, Twitter (Nov. 12, 2021, 4:04 PM), https://twitter.com/bertcmiller/status/1459175377591541768. By providing this momentary liquidity, JIT reduces the share of fees collected by ‘passive’ liquidity providers and thus reduces incentives to engage in ‘passive’ liquidity provision; See, e.g., @ChainsightLabs, Twitter (Nov. 9, 2021, 7:30 AM), https://twitter.com/ChainsightLabs/status/1457958811243778052.”
 Another difference from traditional PFOF is that, in “DeFi PFOF,” internalizers may be able to enjoy virtually riskless strategies (due to atomicity), instead of relying on a probabilistically grounded expectation of profit when trading against uninformed traders.
 Barczentewicz & Sarch, supra note 11.
 We added: “This standard would be satisfied even if reliably detecting public transactions requires maintaining ‘watcher’ nodes simultaneously in several geographic zones (e.g., running on virtual servers in various Amazon Web Services regions). Admittedly, transactions ‘public’ by this standard are only meaningfully public to professional operators, not to an average user.” Id.
 https://docs.rook.fi; https://docs.openmev.org.
 See, e.g., Fox, Glosten, & Rauterberg, supra note 51 at 266.
 Id. at 97, 313.
 Fletcher, supra note 49.
 See supra notes 51-54 and the accompanying text.
 Barczentewicz & Sarch, supra note 11.
 The EU Market Abuse Regulation (MAR) applies to “financial instruments,” and it remains a largely open question whether crypto-assets qualify as such. The planned Markets in Crypto-Assets Regulation (MiCA) copies some of MAR’s key anti?manipulation provisions, however, and makes them applicable to nearly all economically significant crypto-assets.
 Barczentewicz & Sarch, supra note 11 at 16.
 Id. at 10.
 Fletcher, supra note 49 at 515–518.
 Barczentewicz & Sarch, supra note 11 at 14–19.
 Gregory Scopino, The (Questionable) Legality of High-Speed ‘Pinging’ and ‘Front Running’ in the Futures Markets, 47 CONN. L. REV. 607, 673 (2015).
 Mackinga, Nadahalli, & Wattenhofer, supra note 35 at 2.
 Currently, it is possible to use privacy RPCs (like Flashbots Protect), but this requires users to trust the service providers involved, because transactions are not encrypted.
 Mikolaj Barczentewicz, Comments of the International Center for Law & Economics, Ensuring Responsible Development of Digital Assets, Docket No. TREAS-DO-2022-0018 (Nov. 3, 2022) https://www.regulations.gov/comment/TREAS-DO-2022-0018-0039.
 Id. at 4-5.
Scholarship Abstract Web2 giants and Web3 projects entertain a complex relationship. They cooperate to maximize their chances of survival, yet they also compete through a combination . . .
Web2 giants and Web3 projects entertain a complex relationship. They cooperate to maximize their chances of survival, yet they also compete through a combination of dynamic factors and anti-competitive strategies. The present contribution untangles Web2 and Web3’s relationship, explores their distinct value propositions, and outlines what may be one of tomorrow’s enforcement priorities for antitrust agencies.
TOTM For many observers, the collapse of the crypto exchange FTX understandably raises questions about the future of the crypto economy, or even of public blockchains . . .
For many observers, the collapse of the crypto exchange FTX understandably raises questions about the future of the crypto economy, or even of public blockchains as a technology. The topic is high on the agenda of the U.S. Congress this week, with the House Financial Services Committee set for a Dec. 13 hearing with FTX CEO John J. Ray III and founder and former CEO Sam Bankman-Fried, followed by a Dec. 14 hearing of the Senate Banking Committee on “Crypto Crash: Why the FTX Bubble Burst and the Harm to Consumers.”
Popular Media The use of technology to provide financial services (FinTech) represents one of the most fascinating interplays in economic history in the last 150 years. Beginning with the . . .
The use of technology to provide financial services (FinTech) represents one of the most fascinating interplays in economic history in the last 150 years. Beginning with the introduction of the telegraph in 1838 and the first transatlantic cable in 1866, technological innovation defined the development of global financial markets throughout the 19th century. Similarly, Barclay’s introduction of the automatic teller machine in 1967 represents one of the most important financial innovations in the banking sector in the last century and initiated financial players’ shift toward digital infrastructure. Over the last half-century, the global financial industry has become one of the top purchasers of IT products. Regulation has struggled to keep apace.
Regulatory Comments We thank the U.S. Treasury Department for the opportunity to participate in this Request for Comment on “Ensuring Responsible Development of Digital Assets.” Docket No. TREAS-DO-2022-0018 Submitted: November 3, 2022
We thank the U.S. Treasury Department for the opportunity to participate in this Request for Comment on “Ensuring Responsible Development of Digital Assets.” Our response most directly addresses part “B” of the Request for Comments, focusing particularly on the following questions:
Agencies whose primary function is law enforcement are chiefly concerned with the effectiveness of that mission and may not have the resources to properly consider the costs of actions that appear to promise effectiveness. We thus welcome the whole-of-government approach to the responsible development of digital assets adopted in Executive Order 14067, which invites a rigorous assessment of costs and benefits across various policy objectives. The principal policy objectives set out in the Executive Order cover both law-enforcement and national-security concerns, while supporting technological advances and promoting access to safe and affordable financial services. Given the Order’s broad scope, some ways of pursuing its diverse policy objectives may be in tension. Our aim in this response is to shed light on two important areas of such tension.
First, policymakers must determine which entities in the crypto ecosystem are the most appropriate targets for law-enforcement and national-security efforts. We suggest that the costs of targeting crypto’s infrastructural or “base” layer may to a disproportionate extent impede the attainment of other policy objectives.
Second, it is important to determine the appropriate policy response to privacy-enhancing crypto technologies. As Treasury seeks to forward the goals of consumer and investor protection, promotion of access to finance, support of technological advances, and reinforcement of U.S. leadership, all point in favor of facilitating responsible use of privacy-enhancing technologies, including so-called “privacy coins.”
Crypto’s “base layer” is in some important ways analogous to the basic infrastructure of the Internet and of traditional finance. We understand the base layer to include:
One approach to prevent and counteract undesirable activity “on top” of crypto’s infrastructure layer would be to lay legal duties on base-layer participants to mitigate such activity, particularly where they may, in even some remote sense, have facilitated it. This approach will often be inappropriate, however, either because it is bound to be ineffective or because it will impose disproportionate costs relative to its benefits.
Infrastructural participants of blockchain networks are not often in the best position to apply rules like anti-money-laundering (“AML”) and combating-the-financing-of-terrorism (“CFT”) obligations because they do not have direct relationships with end users. They therefore do not possess the information needed and, even if they do act, cannot offer redress to the affected users. Moreover, in open networks like Ethereum and Bitcoin, imposing legal duties on U.S.-based actors (e.g., miners or validators) is very likely to be ineffective, as many network participants will be located in other jurisdictions. Finally, some base-layer participants may simply find it impossible to comply with some legal duties, which could prompt them to leave U.S. jurisdiction.
Recent enforcement actions arising from the strict-liability duty not to facilitate transactions with entities sanctioned by the U.S. Treasury Department help to illustrate the concerns that attend imposing such duties on base-layer participants. In August 2022, a number of Ethereum addresses deployed by Tornado Cash were added to the Specially Designated Nationals and Blocked Persons List (“SDN”). Following this designation—out of an abundance of caution and adopting an expansive interpretation of the law—some base-layer participants of Ethereum (validators, block builders, proposers, and relay operators) began to filter out transactions that interacted with SDN-listed Ethereum addresses, so that they would not contribute to including those transactions on the blockchain. While it appears that a fairly large segment of the base layer joined in this effort, it has been—and will very likely remain—ineffective at stopping transactions with sanctioned entities from being included on the blockchain.
One reason the filtering effort has been ineffective is that it was focused on blockchain addresses, which is what base-layer participants have access to. But sanctioned entities can create new addresses and use other methods to obfuscate their identities in transactions. The scope of filtering could theoretically be broadened, also using on-chain analysis, but this would likely be overinclusive. It would therefore threaten to harm other users; potentially leave filtering base-layer operators less competitive than non-filtering ones; and likely hasten the development of changes to Ethereum to bypass such filtering.
There are, to be sure, examples of situations where it would be difficult to use a new address to circumvent filtering. Some designated blockchain addresses (e.g., the addresses of autonomous smart contracts deployed by Tornado Cash) are not controlled by anyone and thus cannot “move” to new addresses on their own. But even where a smart contract is autonomous, its original deployers—or, in the case of open-source code, anyone—could copy the code and deploy a new smart contract that would perform the same functions as the original. The need to redeploy smart contracts to new addresses often would create significant friction and costs for all who relied on the original smart contract, but as we will note in a moment, there are also cases where redeployment may not be necessary.
Even if the scope of filtering is broadened, one reason that filtering efforts may remain ineffective is that even a relatively small number of validators—including those located outside the United States—can ensure that any transaction be included on the blockchain, albeit with some delay. The extent of that delay will be proportionate to how many non-filtering validators there are among the universe of all validators. Importantly, the Ethereum addresses included on the Tornado Cash SDN list largely do not represent the kinds of smart contracts that require rapid communication.
With more time-sensitive transactions—e.g., smart contracts used to liquidate on-chain collateral—delays could significantly affect utility. In cases where such delays could harm users, there would be a strong incentive to swiftly redeploy contracts to new addresses. Moreover, were the addresses of such time-sensitive smart contracts ever included on the SDN list, it would likely prompt changes to the Ethereum protocol to render base-layer filtering impossible. Indeed, development work in this direction was already underway prior to the Tornado Cash designation and may have accelerated in its aftermath. The proposed changes would involve the introduction of privacy-enhancing solutions to Ethereum, which we will discuss in the next section.
Here, we wish to focus on what these technical changes could mean for U.S. sanctions law if a determination is made that it is, indeed, illegal (on a strict-liability basis, i.e., irrespective of intent) for a U.S.-based Ethereum validator to propose (or perhaps even “attest to”) a block containing transactions with sanctioned entities. If changes to the Ethereum protocol render the contents of transactions hidden from validators, then those validators could never be certain that they are in compliance with the prohibitions. This would effectively force validators (and other base-layer operators) to leave the United States. Ethereum would likely continue to function and remain accessible to U.S.-based users, but the technological and economic position that the United States currently holds in the base layer of the ecosystem would be diminished significantly.
To this point, our comments have concerned targeting the base layer for undesirable activity that happens “on top” of it—i.e., for facilitating the actions of others. It is, however, also possible for base-layer participants to engage in illicit activity in their own right. In such cases, it would certainly be appropriate that they be a target of law enforcement. For example, node operators could use their privileged access to private information about pending securities or commodities transactions in ways that would constitute market manipulation under the Securities Exchange Act or the Commodity Exchange Act. Validators could also engage in potentially illegal market manipulation through some forms of “MEV extraction.”
An alternative to targeting the base layer is to target the application layer—i.e., services built on top of the base layer, with the primary function of interacting with end users. Of particular interest in this space are services that intermediate between crypto assets and the rest of the financial system—i.e., “on-ramps” and “off-ramps.” Due to their user-facing role, such services tend to already possess—and can more easily acquire—information needed for effective compliance with legal obligations related to user activity, such as AML/CFT and sanctions obligations. Because these services have direct relationships with users, they also can ask for additional information and provide redress opportunities in certain cases—e.g., where a user is mistakenly flagged as high risk by automated tools. Moreover, crypto on- and off-ramps have been regulated as money transmitters or under analogous regulatory regimes in certain other jurisdictions.
Targeting the base layer of permissionless blockchain networks may have symbolic value, but it is unlikely to achieve genuine law-enforcement or national-security goals. Imposing rules with which it would be impossible for base-layer operators to comply will simply push those operators to other jurisdictions. More effective targeting of the base layer is possible in permissioned blockchain networks, but requiring blockchain networks to be permissioned would run counter to the goal of reinforcing U.S. financial and economic leadership. It would amount to giving up on the promise of permissionless blockchains like Ethereum and Bitcoin. Finally, targeting the base layer is unnecessary, as the application layer presents a more appropriate target for legal obligations.
As we note above, base-layer efforts to filter transactions with sanctioned entities are currently ineffective and are likely to become impossible, given in-progress technological developments. We also noted that the application layer is the more appropriate target for sanctions law. The primary effect of the prevailing uncertainty surrounding the potential legal exposure of base-layer participants of public blockchains like Ethereum and Bitcoin has been to threaten U.S. technological and economic leadership in digital assets.
The U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) could address this uncertainty by offering a public statement—perhaps in its sanctions FAQs—that it does not regard any of the following as the prohibited facilitation of a transaction with a designated entity, either on public blockchains in general or, at least, on Ethereum and Bitcoin:
We stress that this issue is independent from any evaluation of either the propriety or legality of sanctioning any particular entity, or of the inclusion of addresses of autonomous smart contracts on the SDN list.
Ethereum and Bitcoin—the most widely used public blockchains—were not designed with user privacy in mind. Pseudonymity of blockchain addresses is easily broken, for example, whenever a user discloses their identity to make a purchase. The effect of breaking pseudonymity is that the other party will likely be able to discover the entirety of that user’s past activity on the blockchain. It is akin to a user giving someone access to their entire history of bank or credit-card transactions. The risk of so massive a breach of financial privacy—potentially exposing users to targeting by thieves and fraudsters—is inimical to the goal of “access to safe and affordable financial services” that President Biden set out in Executive Order 14067.
The lack of privacy on blockchains like Ethereum and Bitcoin has proven convenient for law enforcement, who have leveraged it to prosecute crimes. But it would be mistaken to regard the current level of transparency as a benchmark either for “responsible” public blockchains or for services built atop them. Safe and accessible public blockchains of the near future—including planned changes to Ethereum—will not offer the same transparency on which today’s criminals and law enforcement alike rely.
It is useful to examine the now-sanctioned Tornado Cash within this context. Tornado Cash was arguably the most effective “on-chain” tool to protect user privacy. For some use cases, users can enjoy similar privacy-protecting effects by routing their transactions through regulated exchanges like Coinbase, FTX, or Binance, but this comes at the expense of having to trust one of those third parties. The tradeoffs involved in going “off-chain” to achieve “on-chain” privacy include additional risk, friction, and delays, which could at least partially negate the point of using a public permissionless blockchain. If public blockchains are an innovation worth preserving and supporting, as the Executive Order implies, then a solution should be found that does not erase their primary salutary features.
Fortunately, there are technological solutions to preserve user privacy that simultaneously enable effective mitigation of illicit activity. One such solution is selective disclosure. Even where the pseudonymous identifiers of senders and recipients—or the contents of a blockchain message (transaction)—are hidden, users may nonetheless be able to selectively disclose in a non-falsifiable way that, for example, they control the account from which a certain transaction was made. This would allow on- and off-ramp services between crypto-assets and the rest of the economy to serve as gatekeepers that perform appropriate AML/CFT or sanctions screening of customers who wish to exchange their “private coins” for fiat currency or other goods. To be sure, service providers and law enforcement would likely have access to less information under this sort of blockchain analysis than they do today, especially regarding the transactions of parties other than the customer in question (although service providers may have access to disclosed transactions from many customers). As we noted above, however, the current level of transparency poses a regrettable risk to user privacy and safety and thus cannot serve as a normative benchmark.
Tornado Cash, Zcash, and Monero all offer forms of selective disclosure. While the transaction volume in these protocols is small relative to Ethereum or Bitcoin, it would be worthwhile to devote resources toward developing rules and guidance—especially for money transmitters and financial institutions—on how to facilitate transactions with those protocols responsibly. A pragmatic reason for this investment is that public blockchains and the services built on them are moving in the direction of increased privacy. Thus, the issue of privacy cannot be adequately addressed by blunt instruments like sanctioning an entire protocol, as happened with Tornado Cash. Even today, the hypothetical prohibition of Ethereum or Bitcoin would cause immense economic damage. Soon, such action could jeopardize the stability of the global economy.
As public blockchains grow, they will become more attractive both for lawful uses and for illicit uses. While illicit use may remain small as a percentage of total transactions, the volume of illicit transactions will likely rise in absolute numbers. The anticipated improvements in crypto privacy will cause significant tension for the prevailing law-enforcement and national-security approaches to digital assets. In this context, Treasury’s Digital Asset Action Plan may not be entirely adequate.
It is, to start, puzzling why the Digital Asset Action Plan adopted the label “anonymity-enhancing technologies,” rather the commonly used “privacy-enhancing technologies.” This focus on “anonymity” rather than “privacy” directs attention away from the tension among important policy objectives set out in Executive Order 14067. The importance of privacy and the aim to strengthen it (while also countering illicit activities) is mentioned 10 times in the Executive Order. Anonymity is not mentioned.
The Action Plan itself also refers to the goal of strengthening privacy several times. It is notable, however, that Priority Action 5 (“Holding Accountable Cybercriminals and Other Illicit Actors”) does not. It is in this section that the Action Plan singles out “mixing services” as an area of “primary concern.” Treasury’s recent enforcement actions—notably the branding of Tornado Cash as a “notorious (…) mixer”—suggest that the term “mixing services” is meant to refer to some of the popular privacy-enhancing technologies upon which both law-abiding Americans and foreign nationals alike have been relying.
In other words, rather than balancing the goals of strengthening privacy and mitigating illicit finance, as set out in the Executive Order, Priority Action 5 suggests a near-exclusive exclusive focus on the latter. Furthermore, it is hard to avoid the impression that, in a further departure from the Executive Order, the Action Plan treats strengthening privacy as chiefly a research concern (and thus assigns it primarily to the National Science Foundation) and not an issue to be given considerable weight in law-enforcement or national-security missions.
Given the value of both preserving and strengthening financial privacy, as well as the pragmatic concern that the largest public blockchains are moving in the direction of greater privacy, we suggest that a more constructive law-enforcement approach is needed with respect to the already-deployed privacy-enhancing technologies. This approach could include reversing the designation of Tornado Cash, combined with offering guidance for money transmitters and financial institutions on how to approach transactions with tools like Tornado Cash in a responsible manner. These guidelines could rely, among other mechanisms, on selective-disclosure functionalities built into privacy-enhancing tools.
 Ensuring Responsible Development of Digital Assets; Request for Comment, TREAS-DO-2022-0018-0001, 87 FR 57556, U.S. Dep’t of the Treasury (Sep. 20, 2022), https://www.federalregister.gov/d/2022-20279.
 Executive Order on Ensuring Responsible Development of Digital Assets, White House (Mar. 9, 2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets (hereinafter, “Executive Order”).
 Mikolaj Barczentewicz, Base Layer Regulation, Regulation of Crypto-Finance, https://cryptofinreg.org/projects/base-layer-regulation. Some operators (e.g., Infura) act both as infrastructural network participants in their own right (e.g., as node operators) and also offer services to infrastructural participants.
 Amit Zavery & James Tromans, Introducing Blockchain Node Engine: Fully Managed Node-Hosting for Web3 Development, Google Cloud (Oct. 27, 2022), https://cloud.google.com/blog/products/infrastructure-modernization/introducing-blockchain-node-engine.
 U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash, U.S. Dep’t of the Treasury (Aug. 8, 2022), https://home.treasury.gov/news/press-releases/jy0916.
 @ElBarto_Crypto, Twitter (Aug. 13, 2022, 8:21 AM), https://twitter.com/ElBarto_Crypto/status/1558428428763815942 (“[W]hile only 0.03% of addresses received ETH from tornado cash, almost half the entire ETH network is only two hops from a tornado cash receiver.”).
 All but one designated Ethereum addresses deployed by Tornado Cash represent smart contracts, but the SDN list also includes Ethereum addresses that do not represent smart contracts, which are associated with other sanctioned entities.
 For an argument that it is not illegal, see Rodrigo Seira, Amy Aixi Zhang, & Dan Robinson, Base Layer Neutrality: Sanctions and Censorship Implications for Blockchain Infrastructure, Paradigm (Sep. 8, 2022), https://www.paradigm.xyz/2022/09/base-layer-neutrality.
 Mikolaj Barczentewicz & Anton Wahrstätter, How Transparent Is Ethereum and What Could This Mean for Regulation?, Regulation of Crypto-Finance, https://cryptofinreg.org/projects/public-data-supervision.
 Mikolaj Barczentewicz & Alexander F. Sarch, Shedding Light in the Dark Forest: A Theory of Liability for Cryptocurrency “MEV” Sandwich Attacks, available at SSRN (Oct. 5, 2022), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4187752.
 Autonomous smart contracts that do not rely on off-chain cooperation and also are not controlled are not part of the application layer, as we understand it here. From the perspective of asserting legal control, they are functionally part of the base layer (e.g., to “remove” such a smart contract from the blockchain, it would require the cooperation of an overwhelming majority of validators). Also, strictly speaking, end users may also interact with some base-layer participants, e.g., by submitting transactions directly to a node’s remote-procedure-calls (RPC) interface.
 See also Miles Jennings, Regulate Web3 Apps, Not Protocols, a16z (Sep. 29, 2022), https://a16zcrypto.com/web3-regulation-apps-not-protocols.
 Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies, Financial Crimes Enforcement Network (May 9, 2019), https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models.
 There has been some controversy regarding the legality of sanctioning the autonomous smart contracts deployed by Tornado Cash. See Paul Grewal, Sanctions Should Target Bad Actors. Not Technology., Coinbase (Sep. 8, 2022), https://www.coinbase.com/blog/sanctions-should-target-bad-actors-not-technology; Jerry Brito & Peter Van Valkenburgh, Coin Center Is Suing OFAC Over Its Tornado Cash Sanction, Coincenter (Oct. 12, 2022), https://www.coincenter.org/coin-center-is-suing-ofac-over-its-tornado-cash-sanction; Steve Engel & Brian Kulp, OFAC Cannot Shut Down Open-Source Software, Dechert LLP (Oct. 18, 2022), https://ipfs.io/ipfs/QmTC9q5yidSWoM2HZwyTwB3VbQLVbG5cpDSBTaLP8voYNX.
 Executive Order, supra note 3, at Sec. 1; On cryptocurrencies’ promise for financial inclusion, including in situations especially needing privacy (e.g., domestic violence, authoritarian regimes), see, e.g., Alex Gladstein, Finding Financial Freedom in Afghanistan, Bitcoin Magazine (Aug. 26, 2021), https://bitcoinmagazine.com/culture/bitcoin-financial-freedom-in-afghanistan; Charlene Fadirepo, Why Bitcoin Is a Tool for Social Justice, CoinDesk (Feb. 17, 2022), https://www.coindesk.com/layer2/2022/02/16/why-bitcoin-is-a-tool-for-social-justice; How Cryptocurrency Meets Residents’ Economic Needs in Sub-Saharan Africa, Chainanalysis (Sep. 29, 2022), https://blog.chainalysis.com/reports/sub-saharan-africa-cryptocurrency-geography-report-2022-preview.
 See, e.g., Andy Greenberg, Inside the Bitcoin Bust That Took Down the Web’s Biggest Child Abuse Site, Wired (Apr. 7, 2022), https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth.
 For an explanation of Tornado Cash’s functionality, see Alex Wade, Michael Lewellen, & Peter Van Valkenburgh, How Does Tornado Cash Work?, Coincenter (Aug. 25, 2022) https://www.coincenter.org/education/advanced-topics/how-does-tornado-cash-work.
 See also Peter Van Valkenburgh, Open Matters: Why Permissionless Blockchains Are Essential to the Future of the Internet, Coincenter (December 2016) https://www.coincenter.org/open-matters-why-permissionless-blockchains-are-essential-to-the-future-of-the-internet.
 Zooko Wilcox & Paige Peterson, The Encrypted Memo Field, Electric Coin Co. (Dec. 5, 2016), https://electriccoin.co/blog/encrypted-memo-field; View Key, Moneropedia, https://www.getmonero.org/resources/moneropedia/viewkey.html; Wade, Lewellen, & Van Valkenburgh, supra note 18.
 Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value, All-Time Low in Share of All Cryptocurrency Activity, Chainanalysis (Jan. 6, 2022), https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction.
 Action Plan to Address Illicit Financing Risks of Digital Assets, U.S. Dep’t of the Treasury (Sep. 20, 2022), https://home.treasury.gov/system/files/136/Digital-Asset-Action-Plan.pdf.
 A query for “anonymity-enhancing technologies” in the Google Scholar database returns about 40 results, while a query for “privacy-enhancing technologies” returns more than 30,000 results. See https://scholar.google.com/scholar?q=%22anonymity-enhancing+technologies%22 (accessed Oct. 28, 2022); https://scholar.google.com/scholar?q=%22privacy-enhancing+technologies%22 (accessed Oct. 28, 2022).
 U.S. Department of the Treasury, supra note 6.
 U.S. Department of the Treasury, supra note 22.