SIP-45: Prioritized Transaction Submission #45
Conversation
|
Looks like this SIP could enable sandwich attacks on Sui? |
No. This cannot be used to carry out sandwich attacks as there is no public mempool on Sui. |
|
|
||
| ## Motivation | ||
|
|
||
| Currently, there is no deterministic gas ordering for the transactions, even when these transactions are submitted within an extremely short time window (less than 100ms). This is due to the fact that different transactions are randomly submitted by different validators, and the validator that is supposed to submit the transaction can have latency jitters. We propose a mechanism to mitigate the random factor and enable prioritized transaction submission. |
There was a problem hiding this comment.
I think this is not widely known/understood, and making gas prices work more like folks would intuitively expect is valuable.
|
|
||
|
|
||
| We propose the following changes: | ||
| - Increase the maximum allowed value of gas price from `99,999` to `1,000,000,000,000` (1T). |
There was a problem hiding this comment.
I was wondering if 1T MIST is big enough to express a very strong preference, and convinced myself that the answer is "yes". Sharing my reasoning in case other readers are wondering the same thing
- 1T MIST = 1000 SUI
- The smallest computation unit gas bucket, is 100,000, so even on the cheapest possible tx a submitter could choose to pay up to 1M SUI (which seems more than good enough to express the strongest possible preference)
wriches
changed the title
wriches
added
the
active
| - `Amp%` represents the percentage of amplification from that bucket. | ||
| - `Cum Amp%` represents the cumulative % of amplification from that bucket and all preceding buckets. | ||
|
|
||
| From the data above, we predict that consensus bandwidth will be increased by no more than 12% should the proposal get implemented. In return, non-deterministic factors will become minimum, which makes actors able to compete by trying to outbid each other, where the participants will have to pay a much higher gas fee than before, in exchange for the certainty of reliably winning, should one outbid everyone else. |
There was a problem hiding this comment.
Unclear why consensus bandwidth is expected to increase by 12%. Removing latency jitters could reduce effective throughput by allowing more duplicates. Also, high-priority transactions may increase object dependencies, reducing execution throughput and, by feedback, consensus throughput. While this issue likely existed before, the proposed changes make users pay more.
There was a problem hiding this comment.
We assumed most on-chain txs are not competitive in nature (meaning that they are not competing to land before the others do). For those txs, having priority does not change anything.
For competitive txs, once there is priority, the number of txs will be reduced (actors will seek paying higher prices rather than sending more, because simply sending more does not work anymore) - this may slightly increase consensus bandwidth required.
The proposal naturally works with the object congestion, since the congestion control algorithm prefers to select txs with higher gas prices. When there is a congestion (this often but not always means there is a competition), txs with higher gas price win. In this sense, high-priority txs do not lead to congestion, market does. For users, this brings more fairness - whoever pays more gets sequenced first, if there is a competition.
There was a problem hiding this comment.
Iiuc the increase is in effective throughput, it is expected to come from fewer transaction duplicates for these high-priority transactions. If I am willing to pay a high price, why should I not send my transaction to more than 1 validator, say K? It would increase my chances of getting into the current checkpoint. Then, in the worst case, we have K copies of my transaction, possibly decreasing the effective throughput.
There was a problem hiding this comment.
Yes. With higher gas prices, N gets bigger, meaning more 'copies' of the transaction will be sent to consensus.
The term 'consensus bandwidth' from the SIP actually refers to network bandwidth (or put it another way, network traffic), not the capacity for consensus to process txs.
The data is to show that despite more copies will be sent over the network, the percentage of competitive txs is small, which do not lead to a significant increase overall.
|
|
||
| We have located and analyzed multiple CEX-DEX trading bots and found no exception other than using a constant gas price (for example, 850 MIST), despite the fact that they are competing with each other. | ||
|
|
||
| As of today, there is little one can do about the case, other than submitting many different transactions that are further submitted by different validators, or simply resort to luck. |
There was a problem hiding this comment.
Another way to guarantee fast transaction submission is for validators to bypass latency jitter. Afaik, jitter isn’t verifiable or enforced—validators can take off-chain tips and prioritize transactions. With this SIP, while off-chain prioritization can still occur, transaction reordering (post-consensus) ensures that gas price determines final order. This mitigates the off-chain fee market by prioritizing those who pay the correct gas price.
There was a problem hiding this comment.
Yes. The choice of validator also matters in this off-chain fee market case.
For example, cooperating with a validator in Asia would unlikely lead to desired result.
Some other factors may also have impact on this, such as leader schedule and the timing of block proposing.
You don't need a public mempool. All professional (solana) sniper bots run a validator. In Sui, you run a validator and listen to the RPC nodes to request for a transaction signature. You send your attack transaction with higher fees and then slightly delayed the signature. You would need 1/3+x stake to guarantee success with the delay. But higher fees could be enough. |
It will theoretically work. It will even work without priority fees. Our argument is that, with or without this proposal, despite it is possible to construct such successful sandwich attacks occasionally, any validator that attempts this will find it hard to make it economically sustainable. That is, a sandwich attempt may result in a success or a failure, but over a longer period of time (looking at a day or a week), losses add up much faster, and the actor overall has a negative gain. There are several pitfalls to the method:
|
| - $N$ is a function of gas price, defined as: | ||
|
|
||
| - if $`gas\_price < K \times RGP`$ then $N = 1$ | ||
| - else $`N = gas\_price / RGP + 1`$ |
There was a problem hiding this comment.
What is the downside of using N = gas\_price / RGP here? The advantage is that it would be simpler to reason about, and there will be a constant gas\_price / N which can be considered as per-submission cost.
There was a problem hiding this comment.
That works as well! Originally the thought was to have a slightly higher amplification than simply submitting multiple transactions, so to remove the incentive of doing that. But the upside is minor and we can choose simplicity over it.
I have several questions and concerns about the priority fees mechanism:
I believe we need to carefully evaluate whether the benefits of priority fees outweigh these potential security risks, particularly in DeFi contexts where transaction ordering is critical. |
It is irrelevant to the sandwich attack. The gas fee mechanism (you call it priority fees) already exists. It just does not behave deterministically. This proposal simply removes the (unwanted) randomness of transaction submission. It does not enable another attack vector that wasn't possible before. It makes the system fairer by allowing transactions that pay more to get higher priority. We believe this is a fair feature for Sui. @sblackshear @mwtian might be able to provide some insights from Sui's perspective as well? |
Thanks for providing feedback @Iamknownasfesal. To clarify, today ordering of transactions in Sui is first determined by which consensus commit the transaction is included in, then transactions are ordered within each consensus commit by gas price before their execution. There are more details: transactions touching different objects can execute in parallel, transactions touching overloaded objects can be deterministically postponed to execute with a later consensus commit etc. But these are the high level ideas. If we consider the issue of too many transactions trying to use the same shared objects (for example liquidity pools), prioritizing these transactions based on their gas prices ("priority fee") seems to be the most sensible way, which provides the most value to the network. Current protection against sandwich attacks comes from the fact that it should be easy to detect validators carrying out the attack and avoid using these validators for transaction submissions. If you have concrete proposals on alternative ways to order transactions that provide stronger protection against sandwich attacks, feel free to write up an issue at https://github.com/MystenLabs/sui and we can discuss there. As mentioned by @shio-coder, this proposal is basically to allow transactions to use consensus bandwidth proportional to its gas price, which improves the reliability of having a transaction included in the next consensus commit instead of a later one. Ordering within the consensus commit will be determined by gas prices as discussed above, which is the existing behavior. |
## Description This is one of the change that is proposed from [SIP-45](sui-foundation/sips#45). Planning to make another separated PR for protocol config, that is: - Let K be a part of protocol config. - Increase max gas price in protocol config. ## Test plan CI
This PR creates a new SIP draft, that intends to enable effective prioritized transaction submission.