BNB Smart Chain implemented BEP 322 (the Proposer-Builder Separation mechanism PBS) this year, bringing a series of changes to the on-chain ecosystem and creating both risks and opportunities.
The BSC chain validators have a relatively high position in the ecosystem chain and control the discourse power of the BSC on-chain ecosystem. The access threshold for BSC validators is high, and the number of validators has been maintained at over 40 for a long time, which is much lower than the millions of validator nodes on Ethereum. BSC validators have stronger influence on the on-chain ecosystem.
After the implementation of PBS, the Builder market has formed a head-waist-tail pattern. The head players of the Builder market, Blockrazor and 48Club-pussaint, contributed nearly 80% of the block construction, while Bloxroute, Blocksmith and Nodereal contributed about 19% of the block construction, and the tail players only had sporadic block construction contributions. In addition, the phenomenon of Validator-Builder vertical integration that has appeared on the BSC chain may further cause centralization risks.
The new mechanism has created on-chain transaction risks, and risk prevention products have been formed. The 0Gwei transaction mechanism unique to BSC has reduced transaction costs, and phishing activities on the chain are frequent. Under the PBS mechanism, the mechanism of Builders receiving transaction Bundles has reduced the cost of sandwich attacks, making transactions more susceptible to sandwich attacks, and has led to the formation of privacy RPC products to prevent MEV.
Research Background
BNB Smart Chain implemented BEP 322 (the Proposer-Builder Separation mechanism PBS) this year, which is a major update to the BSC chain ecosystem mechanism, giving rise to the BSC Builder market and bringing some new ecosystem gameplay. We hope to start from the BEP 322 mechanism, through the study of the similarities and differences between the BSC PBS and Ethereum PBS mechanisms, the development of Builders and Validators, etc., to describe the implementation of BEP 322 from the perspectives of underlying mechanisms and ecosystem performance, as well as the potential on-chain security risks, and then provide security risk response suggestions for our users.
Differences between BSC and Ethereum PBS Mechanisms
In the PBS mechanism, BSC has adopted most of the implementation mechanisms of Ethereum, but considering the differences between BSC and Ethereum in consensus mechanism, validator network topology and other factors, there are some detailed differences in the implementation of PBS mechanism between BSC and Ethereum:
① Cancellation of Relay mechanism: Due to the small number of BSC validators, there is no need for a centralized Relay to reduce the complexity of communication between Builders and Validators, and considering the short block interval of BSC, the Relay-based transaction forwarding method will actually increase the communication link between Builders and Validators and increase the interaction time. As a supplement to Relay, BSC has introduced the mev-sentry service, with each validator running its own sentry, and the sentry service interacting directly with the Builder, this sentry-Validator separation mechanism can better protect the validators. Unlike Relay, Validators can directly obtain the block content of Builder bids through sentry, and Validators can self-verify the validity of Builder bids, which can further protect the interests of Validators. In addition, within each block interval, Builders can only send no more than 3 bids to the sentry, which also leads to significant differences in the bidding strategies between BSC Builders and Ethereum Builders.
② Difference in Coinbase transfer settings: The Ethereum PBS mechanism allows Builders to change the coinbase to the Builder's own address, which allows the priority fee in Ethereum to be redistributed by the Builder, while the BSC PBS mechanism does not have this capability, which to some extent limits the Builder's bidding allocation capability.
③ Support for 0Gwei transactions: Before the BEP-322 upgrade, the 0Gwei mechanism was first introduced by 48Club, which was launched as a member-only feature, where users holding a certain amount of the 48Club member token KOGE could use it, which was an added-value service provided by the validators to the outside. After the BEP-322 upgrade, BSC validators allow the acceptance of blocks containing 0Gwei transactions, unlike Ethereum's dynamic Base Fee mechanism, the default Base Fee on the BSC chain is 0, i.e. transactions with Gas Price of 0 are allowed, as a supplement to the minimum GasFee guarantee mechanism, BSC chain has set a limit that the Effective Gas Price of the block cannot be lower than 1. This special mechanism allows Builders to include transactions with Gas Price of 0 when constructing blocks, so that the block space can be more fully utilized.
Builder Market Development
Similar to Ethereum, after the implementation of PBS, the Builder market has formed and gone through a period of development, eventually forming a head-waist-tail pattern.
According to the statistics provided by Dune, there are 8 Builder players participating in the BSC Builder market game. In the initial stage of PBS implementation, Nodereal, Blocksmith and Blockrazor had briefly dominated the entire market, but with the entry of 48Club and Bloxroute into this game at the end of June, the market began to enter a tug-of-war. As of now, Blockrazor and 48Club have taken over more than 80% of the block construction on BSC, becoming the head players in the Builder market, while Bloxroute, Blocksmith and Nodereal have become the waist players, and Jetbldr, Blockbus and Darwin only have sporadic block construction contributions.
Validator Development
Unlike Ethereum, due to the different access thresholds, the number of validators on BSC has always remained in a stable range.
On Ethereum, one only needs to stake 32 ETH to become a validator, which has led to the number of validators on Ethereum exceeding 1 million, with the validators connecting to Builders through integrated Relays to obtain block proposals from Builders and complete block production.
On BSC, becoming a validator requires staking a large amount of BNB, greatly increasing the entry threshold, and currently there are only 45 validators on BSC, of which 21 are Cabinet validators and the remaining 24 are Candidate validators. According to BSCScan statistics, the 45 validators have collectively staked 29,244,219 BNB, with the validator with the least staked amount holding 73,446 BNB.
The difference in validator concentration to some extent leads to the differences in the ecosystems of BSC and Ethereum, such as the lack of a Relay service market on BSC due to the lower connection cost between Builders and Validators. At the same time, the influence of validators means that the development of the on-chain ecosystem needs to be oriented towards the interests of the validator group, which may affect the competitiveness and enthusiasm of project parties other than the validator group in the public chain co-building ecosystem.
Potential On-Chain Risks
There is a significant phenomenon of Builder-Validator vertical integration on BSC. We have conducted statistics on the distribution of Builder block production among all Validators in the time period from December 1, 00:00:00 to December 18, 00:00:00, and found that the block production of some Validator nodes was significantly different from the market average, indicating the existence of Builder-Validator vertical integration. (Nodereal has a 100% share in TWStaking, Bloxroute has a 100% share in Figment, and 48Club has a share of >90% in Turing, The48Club, Shannon, Lista, Feynman, Avengers). This vertical integration poses potential risks different from the common Searcher-Builder integration on Ethereum, with the possibility of using the Builder-Validator integration mechanism to control the flow of transactions and only transmit transactions to specific Validators, which may cause user losses and further centralization risks.
The 0Gwei transaction mechanism has the potential to be exploited by phishing contracts. 0Gwei transactions allow phishing contracts to transfer at zero cost, exacerbating the rampancy of phishing attacks, and we have detected multiple 0Gwei phishing contracts on BSC, which initially used the 0Gwei transaction service of 48Club by holding 48Koge tokens, although 48Club has made certain restrictions on this, but as of the time of writing, we still observe several phishing actions through the 48Club 0Gwei transaction service.
How to avoid various phishing attacks, track lost assets, related reading: https://blocksec.com/blog/how-phishing-websites-bypass-wallet-security-alerts-strategies-unveiled)
The current PBS mechanism has reshuffled the market for MEV attacks, and users need to master the MEV protection methods in the new landscape. The Sandwich Attack is the most notorious MEV attack on the current blockchain, and the principle of the Sandwich Attack is:
- Monitoring of target transactions: The attacker monitors the transaction pool (mempool) on the blockchain, looking for target transactions. The target is usually a large token swap transaction (such as exchanging ETH for USDT on a DEX).
- Front-running: The attacker sends a transaction (front-running transaction) before the target transaction, in order to influence the market price before the target transaction is executed. For example, the attacker buys the target token, thereby driving up the price.
- Back-running: After the target transaction is executed, the attacker sends a transaction in the opposite direction (back-running transaction) to sell the tokens acquired in the front-running transaction, profiting from the price fluctuations caused by the target transaction.
Learn more about the background of MEV, related reading: https://blocksec.com/blog/harvesting-mev-bots-by-exploiting-vulnerabilities-in-flashbots-relay
Before PBS implementation, transactions were in the public transaction pool, fully exposed to the attacker's view, and the attacker could analyze all profitable transactions and control the transaction order by controlling the gas price to complete the attack.
The PBS mechanism provides a privacy channel for transactions, allowing users' transactions to be sent to a private transaction pool only visible to the Builder, ensuring that the transactions will not be discovered by the attacker (unless the Builder deliberately leaks them), thereby protecting the user's transactions. We found that the top sandwich bot (0x00000000004e660d7929B04626BbF28CBECCe534) that used to carry out sandwich attacks by controlling the gas price has completely shut down more than 100 days ago, indicating that the PBS mechanism on BSC has reshuffled the MEV attack landscape.
However, by observing on-chain behavior and analyzing statistical data (https://dune.com/hildobby/sandwiches?Blockchain_e8f77a=bnb), we found that the number of sandwich attacks on the BSC chain has actually increased significantly after the PBS implementation (May 2024).
The main reason is that most traders and projects have not made good use of the transaction privacy channel brought by PBS, and are still sending transactions to the public transaction pool, so the cost for attackers to obtain attack opportunities has not increased significantly. On the contrary, attackers can utilize the mechanism that Builders can accept Bundles, and include the targeted transaction and the attack transaction in the same Bundle to submit to the Builder. If the Bundle is successfully included in the Block, the sandwich attack succeeds, and if it fails, the Searcher will not incur any loss, making the sandwich attack more cost-effective and efficient.
In the new environment after the PBS implementation on BSC, new measures need to be adopted to address the increasingly rampant and diverse MEV attacks.
