Flaws in Ethereum’s EIP-1559
EIP-1559 added a mechanism for the Ethereum network to establish a base transaction gas price that dynamically changes depending on the load of the network, measured by gas consumed by blocks. This base gas price is called base fee by the EIP. In this article we show that EIP-1559 is unstable and rational miners may collaborate and easily get rid of it increasing their net revenue 400% until more miners can join, and the block difficulty is adjusted upwards. Even active users may benefit from collaborating with the miners. We show how a simple smart-contract in Ethereum can coordinate the removal of the base fee, for the benefit of all the miners. We compare EIP-1559 with RSK’s minimum gas price system. Finally, we present a partial solution to the EIP-1559 incentive problem which involves reducing the amount of fees burned.
Before we start, we note that the term base fee is misleading, because the actual fee amount is computed by multiplying the price by the amount of gas consumed, so in this article we’ll use base gas price instead. With EIP-1559, transactions have a new field, and are serialized using a new format. Instead of specifying a single unique gas price, the fee is specified as a maximum gas price to be paid and a miner tip (called a “priority fee”), which establishes an amount that will be paid to the miner above the base gas price. Since the tip must be positive, the gas price to be paid will always be higher or equal to the base gas price. When processing a transaction, the total fee (price multiplied by gas consumed) is split in two amounts: the base amount is burned and the miner tip amount is paid to the miner of the block.
When most blockchain protocols need to burn native coins, it is generally to punish a certain party for misbehaviour. If a bounty is given to a party that flags misbehavior, then a misbehaving party can denounce itself to avoid being denounced by others. In these protocols, no matter who denounces, the sequence of actions that the parties execute always lead to the coins being burned. However, in the case of EIP-1559, the same actions that led to coins being burned can recover the coins if they occur in a different order or time. Similar to MEV, the coins present a revenue that can be shared if all involved parties could collaborate.
Let’s list the protocol participants’ short-term incentives:
- Miners want to collect more fees, from users or by reducing the base gas price.
- Active users want to pay less fees, either reducing the tip or the base gas price.
- Passive users want the base gas price to be high so more coins are burned and the value of the coin goes up.
All active parties would benefit from a reduction of the base gas price. The main problem is that a joint action between active users and miners to reduce the base gas price is difficult to accomplish. These are the obstacles for coordination: (1) both groups are anonymous and dynamic, (2) the number of active users is high, (3) coordination would require some initial time or monetary effort, (4) defectors could spoil the plan and (5) the remaining users can take advantage of the situation and transact at lower fees, rising the base gas price, without participating in the common effort.
While coordination is dismissed by EIP.-1559, the EIP may not have foreseen the enormous incentives that today exist to reduce the base gas price. Today, the priority tips represent less than 6% of the base gas price. In other words, miners could earn 16 times more from transaction fees by lowering the base fee. Eric Voskuil’s book on Cryptoeconomics explains that the transaction fee is the cost of censorship resistance, and currently Ethereum is paying too little for it. This means that transactions can be, at least in theory, very easily suppressed, all of them. The suppression of transactions causes the base gas price to be lowered to zero quickly, which increases the miner’s revenue after wallets adapt to the change.
If the base gas price is lowered to zero, both users and miners could split their savings 50/50 on future transactions. Users would transact at a 50% discount but miners would receive 8X more revenue from transaction fees! Since transaction fees paid (burned + unburned) have reached parity to the block subsidy, this leads to a 50% increase in payed block rewards. Since the net revenue of miners is a small percentage of the reward due to electricity and other operational costs, this new revenue stream could represent a 300% increase in net revenue, even while sharing 50% of the new revenue with users. This is clearly a very unstable situation. If only the Ethereum blockchain could coordinate the two groups, or if transactions could be censored, then it would be game-over for EIP-1559.
If transaction the base gas price is magically and instantaneously lowered to zero by a perfect coordination system, then more users would try to transact, pushing the transaction fees back to the same levels than before. However, assuming the coordination system between miners subsists, then the base gas price can stay at zero forever. Miners would have a steady net revenue that is 400% higher than before.
In this article we show there are several ways (some cheap) to coordinate a reduction on the base gas price. While some of these coordination mechanisms may be imperfect and may fail at first, it is commonly said that a vulnerability can only get worse. People will improve the coordination system to fulfil the goal. The sole existence of so many ways to achieve coordination shows the current state of fragility of the Ethereum network under EIP-1559.
What is clearly missing from the research presented in this article is an analysis of Ethereum’s wallets fee management code. It’s expected that wallets will correctly handle a reduction of the base gas price and revert to arbitrarily increasing the tip to get a transaction confirmed, as prior EIP-1559 wallets did. However, wallets may implement sanity checks that prevent the old fee market from working again. An in-depth analysis requires reviewing most of the existing wallets’ source code to see if EIP-1559 compatible wallets have hard-coded restrictions to prevent paying high tips compared to the base gas price.
It’s also important that the closer the PoS Merge is, the higher the incentives for the PoW miners to act selfishly and as a group.
Coordination by Miners without a “Classical” 51% Attack
Let’s suppose there is a majority of miners (say 60%, in terms of hashrate) that are open to collaborate to reduce the base gas price. Let’s call them the coordinated majority (CM). A CM has the ability to arbitrarily increase or decrease the block gas limit, and our first coordination method will make use of this ability.
EIP-1559 compares the existence of a CM group to a 51% attack. But this is not the case! The classic miner 51% attack is to discard the blocks of a minority of miners to increase the profits of the majority. In a CM, the majority of miners provide benefits to the minority. From the miners’ perspective, it is the opposite of an attack. It’s a donation! From the perspective of a miner’s rationality, all miners are incentivized to collaborate with a CM behind the curtains, even if for political reasons they do not join the CM.
This brings us to the first method of sidestepping the base gas price control mechanism. Currently the block gas limit is 30M gas. If 60% of the miners create blocks with 15M gas consumed, while the others fill them to 120M gas, this equates to a throughput of 57M gas/block. We can assume the demand for gas will fill that offer, since BSC chain has a 80M block gas limit and fills some of its blocks. Therefore if a CM decides to raise the block gas limit 4X to 120M while the CM artificially limits the gas consumed by their own blocks to 15M gas, all of the miners win. This holds even if the gas price decreases inversely proportional to the throughput expansion.
To show why this strategy benefits all miners, we can see that if the minority fully consumes all gas available in blocks, each non-CM block will increase the base gas price by 12.5% (the maximum increase permitted by the protocol). Each of the CM blocks that targets 15M gas results in a decrease of the base gas price by 10.9%. Because the CM mines 60% of the blocks, the result is a continuous net reduction of the base gas price. It takes 190 blocks to reduce the base gas price by 90%.
The attack needs a preparation phase, where the CM raises the gas limit to 120M, which takes 1422 blocks (~6 hours). In such a short time, the community won’t have an opportunity to coordinate a response, less alone a hard fork. But what would happen during this period of rapid gas supply expansion is unclear. If the demand does not match the supply during the preparation phase, the base gas price could decrease. It may be possible that with the sole expansion of the supply makes the base gas price go to zero and also the tips are reduced provoking a net reduction in miners’ rewards. This could be seen by the CM as an investment for future returns, but the “investment” could reach 800K USD at today’s ether prices (6 hours revenue). However, we’ll present better coordination mechanisms.
Coordination by Miners with a 51% Attack
If we assume that the block limit is raised to 120M gas, but the CM starts orphaning blocks from the non-CM miners that consume more than 15M gas (the 51% “attack”), then it only takes 24 blocks to lower the base gas price to 10% of the original value. To avoid going to an open orphaning war with the other miners, the CM would provide in advance a single-line code patch (or even it may be a configuration change) to all miners, so that the miners artificially cap their blocks to 15M gas.
The end result is that within 6 hours, the block gas limit may be raised to 120M, the network capped to 15M gas blocks, and all miners collecting more than 2 additional ether in each block, doubling their income.
Coordination by a third Party
EIP-1559 targets all blocks to be filled approximately at 50%, except during high demand. One of the properties of EIP-1559 is that if all odd blocks are left empty, and all even blocks are filled 100% at 30M gas (achieving the same average targeted throughput), then the base gas price decreases continuously. After only 300 of alternating empty and full blocks (~1.25 hours) the base gas price reaches 10% of its original value. Note that it’s not necessary that 100% of the miners decide to create empty odd blocks. If only 30% of the miners create empty odd blocks, after 300 blocks the base gas price is reduced by 50%, and after 1000 blocks (~4 hours) by 90% again. We see that a majority of miners is not required.
Note that if all miners fill blocks less than 47%, the base gas price also decreases and reaches 10% after 316 blocks, but the throughput slightly decreases by 1.5%.
The break-even point that compensate miners for any momentary loss for mining empty blocks is much sooner than 1.25 hours. With only 40% miner engagement, and in only 15 minutes (60 blocks), the base gas price can be decreased 20%, and that’s enough to compensate them for any loss due to empty blocks. The downward spiral of the base gas price has been triggered.
Now we’ll invite a third party help to reach the break-even point. Let there be a hidden coordination party called Charles that is willing to invest money to reward miners who create empty odd blocks for 15 minutes, reimbursing each one for their potential loss when creating empty blocks, plus a 10% bonus. Assuming one block every 15 seconds, the maximum cost for Charles corresponds to the reimbursements of tips that could have been paid in 60 blocks (30 tips to empty block producers), multiplied by 1.1 to provide a bonus. We assume ether price is 3200 USD/ether, every block contains 2.12 ethers paid by users in fees, and from those fees 2 ethers are burned (fee and price statistics are taken from this site, fee slightly decreased to make numbers simpler).
Assuming Charles used the average tips in the last 15 minutes as reference, this results in a budget of 13K USD. With only a 40% engagement, and if the market reacts to the capped gas supply by raising the tip amounts, then just 15 minutes later, all miners have collectively earned up to 40K USD more in fees, preventing them from being burned! The 40% participating has earned 16K USD more.
Charles could accept donations on-chain for creating the incentives for continued even/odd mining patterns. But this is not necessary. Charles can say it will pay the bonus only if less than 40% engage in mining empty odd blocks. This means that miners never lose money: either Charles compensates them, or they get compensated by the users paying higher gas price tips. Since the most probable outcome is that miners participate, Charles can save the bounty and re-use it for the next round. After miners realize their power to lower the base gas price, it is most probable that miners just keep mining empty odd blocks as a new Schelling point, even if Charles goes away! The downward spiral has started.
Coordination by a Smart Contract
If you’re not convinced that a new Schelling point can be reached, or that a third party can be trusted to coordinate it, then we show the same goal can be achieved with the power of smart contracts: we can replace the external party Charles by an open and secure smart-contract that brings miners together. Let’s call it Gatherer. Miners would interact directly with Gatherer without trust on any external entity. It only requires that miners know about the contract, and any miner can ignite a chain reaction to increase miners’ revenue.
It’s clear that building Gatherer is possible in Ethereum using the BLOCKHASH opcode to obtain the hashes of the blocks in the last 15 minutes or more. Gatherer must provide some incentives for users or miners to submit the full block header information to the Gatherer contract, and Gatherer will check this information matches the block hashes securely obtained. With the block headers, the contract can learn all about its past blocks, and discover which miners have created empty odd blocks, and reimburse them accordingly. Detecting empty blocks is simple because the transaction root hash corresponds to the empty trie hash. Coordination is what Ethereum is good for, after all. Gatherer can easily decide to pay the bounty or re-use it for another 15 minutes, so the most probable outcome is that Gatherer only needs a 13K USD initial investment and that these funds will last forever. The bounty and bounty time can be extended if the tips take more time to raise due to the shorter gas supply. It’s a matter of parametrization, but not a matter of feasibility.
Coordination by a Minority of Miners and Private Users
One of the desired properties of EIP-1559 is that users can better estimate the transaction fees and avoid overpaying. But at the same time the base gas price must rapidly adapt to congestion. Currently it is common that the base gas price jumps 100% over a single day.
The huge fee variability creates the incentives for users to negotiate fixed rates with miners. And as we’ll show, a mining pool we’ll call Mina can offer lower transaction prices to users, and at the same time receive a huge revenue boost, by mining empty blocks. The EIP-1559 presents this problem and disregards it: a miner who does not mine empty blocks will ruin Mina’s plans. However our simulations show it is not the case.
This is how Mina sets up her business: Mina offers fixed rate contracts to users, which we call Mina’s “private clients”. The offering is valid until a deadline given by a block number, and the private clients agrees to be penalized if they try to double spend a given transaction before the deadline.
The penalization mechanism is done by a smart-contract we’ll call Penelope. The private client deposits a collateral approximately equal to the cost of two transactions in Penelope. When the client sends a private transaction T with nonce N to Mina, it also signs a message M asserting he will refrain from creating any double-spend T´ until the deadline D. The message to be signed is the following: “The nonce N will be reserved to transaction TxId(T), until block D”. The private transaction T will specify a maximum fee that is lower (i.e. 3%) than the current base gas price, and this price is negotiated between the private client and Mina. If the private client double-spends the nonce N, then Mina will send the evidence to Penelope and collect the bounty. Note that it’s more probable that Mina’s private clients are large crypto exchanges, or other big players transacting, as they can more easily adapt their software to reduce the transaction cost and benefit at scale.
Mina is now free to collect as many other private transactions from other clients under the same agreement. Note that if Mina collects enough commitments (for example, she can fill a full block) then it also means she has removed from the market that amount of pending gas to be consumed, and blocks will be less filled, and the base gas price be lower, even before Mina has mined an empty block.
Currently in Ethereum the average tip represents less than 6% of the base gas price. To simplify our explanation, let’s assume the base gas price is 100 coins and the average tip is 6 coins. Mina’s private client’s transactions pay her a maximum of 103 coins (~3% less than 106), but they specify a tip of 15.5 coins (much higher than 6 coins like the rest). Mina cannot abuse of these private transactions because they are invalid in blocks with a base gas price of 100. Mina will wait. Let’s assume all blocks are half-filled, and the base gas price is stable. Let’s assume the gas limit of the block is 30 units of gas. Now we explain how Mina will benefit from these private contracts by mining empty blocks.
Once Mina collects a block full of transactions, she starts mining empty blocks. Each time she mines an empty block, the base gas price is reduced 12.5%, and the base gas price becomes 87.5 coins. If she happens to mine a block just after mining the empty block, she can fill it in full with private transactions and get 103–87.5=15.5 coins for each gas unit used. Since she fully filled the block to 30M gas, she gets 15.5*30=465 coins. Each time she mines an empty block, she loses approximately 6*15=90 coins of revenue. This means that as long as Mina can create two consecutive blocks every 5 blocks, she obtains a positive revenue.
A miner having 45% of the hashrate gets a higher chance to mine two consecutive blocks that one every 5 blocks. Therefore, it’s wrong to assume that a majority of miners are needed to profit from lowering the base gas price, as we showed that 45% of the miners can in fact profit.
We considered here that after an empty block is mined, the remaining miners fill their blocks to consume all gas that was not previously consumed, but this may not be the case. If not all gas is consumed, it is possible that Mina’s strategy triggers a continuous decrease in the base gas price, while the overall transaction cost stays constant, for the benefit of all the miners. In practice, what will actually happen depends on how wallets are programmed to bump the tip in case of confirmation delays.
We’ve not evaluated the consequences of Mina’s strategy on the remaining users (those not engaged in private contracts with Mina). Knowing about Mina’s strategy, users willing to transact may decide to wait until a block that lowers the base gas price is created, and immediately broadcast their transactions to compete for the block space with low base gas price, setting a low maximum fee. Using the numbers from our previous example, a possibility would be a tip of 10 coins with a maximum fee of 100 coins, saving 6 coins on success. This strategy benefits all miners, including Mina! Miners will almost double their revenue after empty blocks. Therefore, their incentive is still to protect Mina, even if they are not part of Mina.
Selfish Mining and EIP-1559
A miner that wants to pre-sell block space but doesn’t want freeriders to come after his empty blocks may attempt to selfishly mine, trying to create two private blocks in a row, and publish them together. If not possible, then the first block would be released to be included later as an uncle, losing at least ⅛ of the block subsidy. Currently, if 80% of the fee moved from the base gas price to the priority tip, then fees would provide a higher revenue than the block subsidy, which means that selfish mining could become a rational strategy for a miner with a large hashrate percentage. And again, once a decrease in base gas price is triggered, it may end with zero base gas price.
EIP-1559 After “The Merge” PoS
One of the problems with EIP-1559 in Ethereum PoS consensus is that a miner gets to know in advance when he will be able to mine two blocks in a row. A miner can pre-sell block space for a lower than average gas price and when the turn to mine the two consecutive blocks arrives, mine an empty block followed by a privately filled block. Ethereum PoS also makes it very easy for the miners to coordinate actions to lower the base gas price with prior or subsequent miners due to the open nature of the leader selection.
Comparison with RSK
It’s difficult to take revenue away from miners. The RSK protocol also provides undesired incentives for users to pay fees to miners over off-chain channels, but the RSK fee management design is harder to game. RSK has a minimum gas price that is controlled by the miners (same as the block gas limit), but all fees are distributed to a shared pool that is used to pay smoothed fees to subsequent miners by a smart-contract called REMASC. While some fees are burned, it is always less than 10%. However, the miner of a block gets only 10% of the miner’s shared pool in each block, and therefore she could be tempted to get the remaining 90%. To profit from offchain fees, the miner needs the minimum gas price to be lowered, and this requires the majority of miners’ votes.
The main difference is that in Ethereum with EIP-1559, normal transactions can be delivered privately to miners and be used to pay lower transaction fees, while in RSK those transactions won’t be valid unless the minimum gas price is already lowered to zero. Therefore, RSK transactions cannot privately pay a miner less than average fees. Even if users directly paid miners via a payment channel network, first the majority of miners would need to lower the minimum gas price. This makes gaming the RSK system more difficult, and requires a global offchain payment infrastructure that does not yet exist.
Solutions
We can’t find a perfect solution to EIP-1559 incentive problems. The solution that we propose is to burn only a part of the base fee (i.e. 20%) and give the rest to the miners, preferable to a miner’s pool, similar to RSK.
Some changes can reduce the incentives to coordinate. The simplest patch is to reduce the rate of change of the base gas price, from 12.5%/block to about 3%/block, but this changes the properties of EIP-1599 to communicate the congestion to users. Still, coordination via a smart-contract for extended periods cannot be prevented. Another partial solution is to put a hard limit in the block gas to 30M (there are several EIPs that attempt to do so).
Due to the fact that EIP-1559 has reduced the cost of transaction censorship below acceptable ranges, I suspect that EIP-1559 cannot be saved without reducing the amount of fee burned. Time will tell if EIP-1559 is stable or becomes unstable without the proposed changes. Community pressure on the miners can mitigate the risks, even if it is irrational for them not to bypass EIP-1559.
Summary
While EIP-1559 intentions are good for the Ethereum community, especially passive ether holders, we believe it is unstable. When all active participants can highly benefit from coordination, and the cost of coordination is low, it only takes a spark to trigger a change that reverts EIP-1559 to the prior state. A cascade of events can rapidly converge to a new Schelling point of mutual benefit to eliminate the base gas price. The source of the problem is that the base gas price can be altered using transaction censorship, and the cost of censorship has become extremely low in Ethereum. If the average throughput is kept at 15M/block, then suppressing transactions from odd blocks costs only 77K USD/hour at current ether prices.
In this post we’ve shown six different ways to achieve coordination in adversarial situations where some participants could defect, yet coordination can progress. We’ve also shown how the Ethereum coordination capabilities of smart-contracts can be used to facilitate the common good of eliminating EIP-1559. The fact that EIP-1559 benefits inactive users to the detriment of active users makes it unstable, because inactive users may be not paying attention to the state of the blockchain while cooperation to remove EIP-1559 starts. We propose a solution based on burning only a percentage of the base fee.
Note: This report shows a flaw in Ethereum’s protocol but we do not consider it a security vulnerability. It does not represent any security risk to the active users.
