BNB Smart Chain implemented BEP 322 (the Proposer-Builder Separation mechanism, PBS) this year, which changed the on-chain ecosystem in several ways and created both risks and opportunities.
BSC validators hold a dominant position in the chain's ecosystem and have a strong voice in it. The entry threshold for BSC validators is high, and the number of validators has long stayed at 40+. Compared with the millions of validator nodes on Ethereum, BSC validators have a stronger influence on the chain ecosystem.
After the implementation of PBS, the Builder market settled into a head, middle and tail pattern. The top players in the Builder market, Blockrazor and 48Club-puissant, contributed nearly 80% of block construction, while Bloxroute, Blocksmith and Nodereal contributed about 19%, and the tail players built only sporadic blocks. In addition, Validator-Builder vertical integration on BSC may further increase centralization risk.
The new mechanism gave rise to on-chain transaction risks and to products that guard against them. BSC's unique 0Gwei transaction mechanism reduces transaction costs, and on-chain phishing activity is frequent. Under PBS, the fact that Builders accept transaction bundles lowers the cost of sandwich attacks and leaves transactions more exposed to them, which has led to privacy RPC products that protect against MEV.
Background
BNB Smart Chain implemented BEP 322 (i.e. the Proposer-Builder Separation mechanism, PBS) this year. It is a major update to how the BSC ecosystem works: it gave birth to the BSC Builder market and brought some new ecosystem dynamics. Starting from the mechanism of BEP 322, we examine the similarities and differences between the BSC and Ethereum PBS mechanisms, the development of Builders and Validators, and related topics, in order to describe the implementation of BEP 322 from multiple perspectives such as underlying mechanisms and ecosystem performance, along with some potential on-chain security risks, and then give our users suggestions for responding to those risks.
Differences between BSC and Ethereum PBS mechanisms
BSC has adopted most of Ethereum's PBS implementation. However, because BSC differs from Ethereum in its consensus mechanism, validator network topology and other factors, the two chains differ in some details of how PBS is implemented:
① No Relay: Because BSC has few validators, there is no need for a centralized Relay to reduce the complexity of communication between Builders and Validators. In addition, since BSC's block interval is short, forwarding transactions through a Relay would add a hop between the Builder and the Validator and increase interaction time. In place of Relay, BSC introduced the mev-sentry service. Each validator runs its own sentry, and the sentry interacts directly with Builders. This sentry-validator separation better protects the validator. Also unlike with Relay, the Validator can obtain the block content of a Builder's bid directly through the sentry and verify the validity of the bid itself, which further protects the validator's interests. Finally, in each block interval a Builder can send no more than 3 bids to a sentry, which makes the bidding strategy of BSC Builders differ considerably from that of Ethereum Builders.
② Differences in Coinbase transfer settings: Ethereum's PBS mechanism allows the Builder to change the coinbase to the Builder's own address, so the Ethereum priority fee can be redistributed once by the Builder. BSC's PBS mechanism does not have this capability, which limits the Builder's bidding and allocation options to a certain extent.
③ 0Gwei transaction support: Before the BEP-322 upgrade, the 0Gwei mechanism was first introduced by 48Club, which launched it as a member feature. It can be used by holding 48 member tokens (KOGE) and meeting certain conditions, and it is a value-added service that the validator offers externally. After the BEP-322 upgrade, BSC validators are allowed to accept blocks containing 0Gwei transactions. Unlike Ethereum's dynamic Base Fee mechanism, the transaction Base Fee on BSC defaults to 0, that is, transactions with a Gas Price of 0 are allowed. As a minimum gas fee safeguard, BSC requires that the Effective Gas Price of the block cannot be lower than 1. This special mechanism lets a Builder include transactions with a Gas Price of 0 when building a block, so that block space can be more fully utilized.
Builder Market Development
As on Ethereum, a Builder market formed after the implementation of PBS and, after a period of development, settled into a head, middle and tail pattern.
According to statistics provided by Dune, a total of 8 Builders have taken part in the BSC Builder market. In the early days of PBS, Nodereal, Blocksmith and Blockrazor briefly dominated the entire market. When 48Club and Bloxroute entered at the end of June, the market became a tug-of-war. At present, Blockrazor and 48Club account for more than 80% of block construction on BSC, making them the top players in the Builder market, while Bloxroute, Blocksmith and Nodereal have become mid-level players, and Jetbldr, Blockbus and Darwin build only sporadic blocks.
Validator Development
Unlike on Ethereum, and because the entry barriers differ, the number of validators on BSC always stays within a stable range.
On Ethereum, you only need to stake 32 ETH to become a validator, and the number of validators on Ethereum has exceeded 1 million. Validators connect to Builders by integrating a Relay, obtain a Builder's block proposal and produce the block.
On BSC, becoming a validator requires staking a large amount of BNB, which greatly raises the entry threshold. Currently, there are only 45 validators on BSC, of which 21 are Cabinet validators and the remaining 24 are Candidates. According to BSCScan statistics, the 45 validators have staked a total of 29,244,219 BNB, and the validator with the smallest stake has staked 73,446 BNB.
The difference in validator concentration has produced some ecosystem differences between BSC and Ethereum. For example, because the cost of linking Builders and Validators on BSC is low, there is no market for Relay services. At the same time, the influence of validators means that development of the on-chain ecosystem has to prioritize validators' interests, which affects the competitiveness and enthusiasm of project teams outside the validator group that help build the public chain's ecosystem.
Potential risks on the chain
Builder-Validator vertical integration is pronounced on BSC. We counted the distribution of Builder blocks across all Validators from 00:00:00 on December 1 to 00:00:00 on December 18. The block production of some validator nodes deviated significantly from the market average, indicating vertical integration between Builders and Validators. (Nodereal has a 100% share in TWStaking, Bloxroute has a 100% share in Figment, and 48Club has a >90% share in Turing, The48Club, Shannon, Lista, Feynman, and Avengers.) The potential risks of this vertical integration differ from those of the Searcher-Builder integration common on Ethereum. Builder-Validator integration could be used to control the flow of transactions and pass transactions only to specific validators, which would harm users' interests and add further centralization risk.
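The per-validator comparison against the market average described above can be reproduced with a short script. This is an added example, not code from the original article: the validator and builder names, the block records and the three thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample, not real chain data: one (validator, builder) pair per block.
BLOCKS = (
    [("ValidatorA", "BuilderX")] * 40 + [("ValidatorA", "BuilderY")] * 35
    + [("ValidatorA", "BuilderZ")] * 25
    + [("ValidatorB", "BuilderZ")] * 100
    + [("ValidatorC", "BuilderY")] * 95 + [("ValidatorC", "BuilderX")] * 5
    + [("ValidatorD", "BuilderX")] * 5
)


def market_shares(blocks):
    """Share of all blocks built by each builder (the market average)."""
    counts = Counter(builder for _, builder in blocks)
    total = sum(counts.values())
    return {builder: n / total for builder, n in counts.items()}


def integration_candidates(blocks, min_share=0.90, min_excess=0.30, min_blocks=20):
    """Flag validators whose top builder dominates far beyond its market share.

    The thresholds are assumptions for this example, not values from the article.
    Returns (validator, builder, share_on_validator, market_share) tuples.
    """
    market = market_shares(blocks)
    per_validator = defaultdict(Counter)
    for validator, builder in blocks:
        per_validator[validator][builder] += 1

    flagged = []
    for validator in sorted(per_validator):
        counts = per_validator[validator]
        total = sum(counts.values())
        if total < min_blocks:
            continue  # too few blocks in the window to say anything
        builder, n = counts.most_common(1)[0]
        share = n / total
        if share >= min_share and share - market[builder] >= min_excess:
            flagged.append((validator, builder, share, market[builder]))
    return flagged


if __name__ == "__main__":
    for validator, builder, share, market in integration_candidates(BLOCKS):
        print(f"{validator}: {builder} built {share:.0%} of its blocks "
              f"(market share {market:.0%})")
```

A flagged pair is only a statistical signal that a validator takes blocks almost exclusively from one builder; it does not by itself prove common ownership.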
The 0Gwei transaction mechanism can be exploited by phishing contracts. 0Gwei transactions let phishing contracts transfer funds at zero cost, which encourages phishing attackers further. We have detected multiple 0Gwei phishing contracts on BSC, which initially used 48Club's 0Gwei transactions by holding 48Koge tokens. Although 48Club has imposed certain restrictions on this, as of press time we have still observed several phishing operations conducted through 48Club's 0Gwei transaction service.
Related reading on how to avoid various phishing attacks and track lost assets: https://blocksec.com/blog/how-phishing-websites-bypass-wallet-security-alerts-strategies-unveiled
The current PBS mechanism has reshuffled the MEV attack market, and users need to learn the MEV protection methods that fit the new landscape. The Sandwich Attack is the most notorious MEV attack on blockchains today. It works as follows:
- Monitoring of target transactions: The attacker monitors the transaction pool (mempool) on the blockchain and looks for target transactions. The target is usually a large token exchange transaction (such as exchanging ETH for USDT in DEX).
- Front-running: The attacker sends a transaction (front-running) before the target transaction in order to influence the market price before the target transaction is executed. For example, the attacker buys the target token to drive up the price.
- Back-running: After the target transaction is executed, the attacker sends a transaction in the opposite direction (back-running transaction) to sell the tokens in the previous transaction and profit from the price fluctuations caused by the target transaction.
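The three steps above leave a recognizable ordering in a block: a swap, one or more swaps by other senders in the same direction on the same pool, then a reversing swap by the first sender. The heuristic detector below is an added example, not code from the original article; the `Swap` record, the addresses and the sample block are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Swap:
    index: int      # position of the transaction within the block
    sender: str
    pool: str
    token_in: str
    token_out: str


# Constructed block for illustration; senders and pools are hypothetical.
BLOCK = [
    Swap(0, "trader1", "CAKE/USDT", "USDT", "CAKE"),
    Swap(1, "bot", "WBNB/USDT", "USDT", "WBNB"),     # front-run
    Swap(2, "victim", "WBNB/USDT", "USDT", "WBNB"),  # target transaction
    Swap(3, "bot", "WBNB/USDT", "WBNB", "USDT"),     # back-run
    Swap(4, "trader2", "WBNB/USDT", "WBNB", "USDT"),
    Swap(5, "trader3", "CAKE/USDT", "USDT", "CAKE"),
    Swap(6, "trader3", "CAKE/USDT", "CAKE", "USDT"),  # round trip, nobody in between
]


def find_sandwiches(swaps):
    """Return (front_index, [victim_indexes], back_index) for each suspected sandwich."""
    by_pool = {}
    for swap in sorted(swaps, key=lambda s: s.index):
        by_pool.setdefault(swap.pool, []).append(swap)

    found = []
    for pool_swaps in by_pool.values():
        for i, front in enumerate(pool_swaps):
            for k in range(i + 2, len(pool_swaps)):
                back = pool_swaps[k]
                # The back-run comes from the same sender and reverses the front-run.
                if back.sender != front.sender or \
                        (back.token_in, back.token_out) != (front.token_out, front.token_in):
                    continue
                # Victims trade between the two, in the same direction as the front-run.
                victims = [v.index for v in pool_swaps[i + 1:k]
                           if v.sender != front.sender
                           and (v.token_in, v.token_out) == (front.token_in, front.token_out)]
                if victims:
                    found.append((front.index, victims, back.index))
                break  # pair each front-run with its first reversing swap only
    return sorted(found)


if __name__ == "__main__":
    print(find_sandwiches(BLOCK))
```

A production detector would also compare amounts and profit, since ordinary arbitrage can produce the same ordering.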
For more background on MEV, please read: https://blocksec.com/blog/harvesting-mev-bots-by-exploiting-vulnerabilities-in-flashbots-relay
Before PBS, transactions sat in the public transaction pool and were completely exposed to attackers. Attackers could analyze all profitable transactions and control transaction ordering through the gas price to complete the attack.
The PBS mechanism provides a private channel for transactions: user transactions can be sent to a private transaction pool visible only to the Builder, so that attackers cannot discover them (unless the Builder deliberately leaks them), which protects the user's transactions. We found that the leading sandwich bot (0x00000000004e660d7929B04626BbF28CBECCe534), which once carried out sandwich attacks by controlling the gas price, went completely silent more than 100 days ago, indicating that BSC's PBS mechanism has reshuffled the MEV attack landscape.
However, by observing on-chain behavior and analyzing statistical data (https://dune.com/hildobby/sandwiches?Blockchain_e8f77a=bnb), we found that after PBS (May 2024), the number of sandwich attack transactions on the BSC chain has increased significantly.
The main reason is that most traders and project owners do not make good use of the private transaction channel that PBS provides and still send transactions to the public transaction pool. For attackers, the cost of finding attack opportunities has not increased significantly. On the contrary, attackers take advantage of the fact that Builders accept Bundles: they combine the victim's transaction and the attacking transactions into one Bundle and submit it to a Builder. If the Bundle is included on-chain, the sandwich attack succeeds. If it is not included, the Searcher loses nothing, which makes sandwich attacks more cost-effective and more effective.
In the new environment after BSC PBS, new measures are needed to deal with increasingly rampant and diverse MEV attacks.