Research Summary - Quantifying Blockchain Extractable Value: How dark is the forest?


This paper attempts to establish a framework for the concept >of Blockchain Extractable Value (BEV). Borrowing and >expanding upon the concept of Miner Extractable Value (MEV), BEV defines the many ways value can be extracted >from a blockchain.

The researchers analyzed the Ethereum blockchain looking for BEV and found that over two years, various types of BEV activities yielded roughly 28.8M USD in returns.

Core Research Question

Does blockchain extractable value (BEV) promote behaviors that could potentially destabilize blockchain security?


Qin, K., Zhou, L., & Gervais, A. (2021). Quantifying Blockchain Extractable Value: How dark is the forest?. arXiv preprint arXiv:2101.05511.


Miner Extractable value (MEV): The profit that miners can obtain via manipulation of transactions when mining blocks. Miners are typically compensated simply via transaction fees and block rewards. To obtain MEV, miners can insert, omit, reorder, or replace transactions on a blockchain for the purpose of frontrunning or otherwise exploiting vulnerabilities in DEXes.

Blockchain Extractable Value (BEV): Though BEV is not explicitly defined in this paper, it is considered by the author to be a more general term relative to Miner Extractable Value. If BEV is extractable by a miner, it is referred to as MEV.

Private transactions:

Front-running: When an attacker has prior access to market information and is able to make trades benefiting their position and potentially damaging the position of others.

Transaction Replay attack: An attack in which a transaction is observed, then maliciously rebroadcast to the network by the attacker in an attempt to extract value from the trade before the original transaction can be completed.

Sandwich attacks: Attacks in which a nefarious actor observes a transaction, then front runs the transaction, allows the targeted transaction to take place, then back-runs the transaction.

Mempool: The memory pool in which transactions are stored and ordered to be executed within the next block.

Mempool priority: The priority determines the order of transactions within a queue. If a single transaction is repeated, the transaction with the highest priority will be executed first.

Transaction fee: The financial cost to users for calling smart contract functions, which is then paid to miners. They are usually denominated in Gwei (a fraction of ETH) and are a result of the gas cost of transactions and the current miner-set gas price.

Gas: The unit of measure of computational cost for Ethereum smart contracts.

Destructive Front-running: If an attacker front runs a victim and causes the victim’s transaction to fail, that is considered a destructive front-running attack.

Cooperative Front-running: If a front-runner ensures that the transaction being front-run goes through, that is classified as a cooperative front-running attack.

Back-running: Similar to a front-running attack where an attacker has prior knowledge of market information, which gives them the chance to make a trade that comes after other trades have been executed within a block during an arbitrage attempt.

Clogging: When an attacker jams or spams the blockchain with the intention of preventing users or bots from executing transactions. Would be the equivalent of a Denial of Service attack on a blockchain.

Block State Arbitrage: This occurs when an arbitrage trader listens to confirmed blockchain states, then attempts to destructively front-run all other market participants

Network Arbitrage: If a trader sees a large pending trade on the network (which is likely to raise the value on other exchanges), the trader can attempt to delay other traders’ capacity to arbitrage the trade by clogging the network, and attempting to back-run the transaction.


From analyzing two years of data gathered, the researchers identified 1,379 independent Ethereum addresses and 455 smart contracts performing 21,001 sandwich attacks on Uniswap v1/v2, Sushiswap, Curve, Swerve, 1inch, and Bancor (which cumulatively represent 82% of the DEX market.)

Over the course of two years, there were 237 blockchain clogging events on the Ethereum blockchain with the longest period lasting 5 minutes (24 blocks with a corresponding cost of 39 ETH).

93.67% of clogging events lasted under 2 minutes (10 blocks).

At least 4/10 of the most significant clogging events attempted to extract monetary value from a gambling protocol.


The researchers analyzed exchanges, blockchain transactions, the relative number of hidden transactions compared to public transactions, as well as the fees associated with those transactions. The researchers established their definitions of attacks and identified indicators of an attack to then analyze blockchain activity to measure observable attacks.

In measuring these attacks, the researchers quantified the value extracted by the attackers to determine the BEV across the analyzed chains within the period observed. The researchers observed a total of 144 cryptocurrencies across 767 exchanges for the period between December 2018 and November 2020.

The researchers also created their own algorithms that would simulate trades based on the arbitrage opportunities seen on the network. These algorithms followed rules established to determine the parameters for extracted value.


Researchers found 1.64% of transactions were privately mined.

8.35% of private transactions invoked smart contracts.

26% of miners mined transactions privately.

There were instances of pools attempting to occlude private mining transactions by paying the gas prices associated with public transactions to prevent the transaction from standing out among other transactions as a flag.

There is a contract referenced by the researcher for which all incoming transactions are mined by SparkPool and not broadcast to the P2P network. This contract appears to be involved in trading based on analysis of the EVM bytecode, suggesting that SparkPool is engaging in MEV.

The replay algorithm produced by the researchers would have yielded an estimated 51,688.33 ETH in profit over two years, giving insight into the potential profit-motive associated with acting as a malicious miner, privately mining, and extracting value through front-running, back-running, or a combination of replay attacks.

Discussion and Key Takeaways

The researchers found no sandwich attacks on Curve, Swerve, or 1inch exchanges. They concluded this was due to those exchanges specializing in pegged assets which experienced very little slippage to create arbitrage opportunities.

These actors yielded a total profit of 1.51M USD paying an average transaction fee of 0.04 ETH.

They found that fixed spread liquidation protocols such as Aave, Compound, and dYdX (cumulatively 66% of the DeFi lending market) showed a total of 16,031 liquidations that yielded an accumulated profit of 20.18M USD.

Of those liquidations, 12.71% tried to back-run the price oracle update transaction with 87.29 attempting to front-run competing liquidation transactions.

The researchers identified 789 smart contracts which were shown to have performed 51,415 trades yielding a total profit of 7.11M USD.

Of those transactions, 60.08% were network state arbitrages which indicates that there were transactions being back-run by traders analyzing previous trades within a block.

Implications and Follow-ups

The capacity for private mining to prevent front-running attacks gives miners an unfair advantage. This concentration of influence might undermine the decentralization of the network.

Miners’ willingness to extract and compete over MEV is one of the biggest risks to the consensus mechanism securing blockchains.

The researchers allude to the study being limited by their focus on sandwich attacks, liquidations, and arbitrage. They assert that not all of the BEV was captured. Future studies attempting to capture BEV should acknowledge the limitations of their heuristics with the understanding that there can be no exhaustive measurement of BEV.


The researchers assert that blockchain security can be analyzed across different layers, including the CPU, network, consensus, application, and smart contract layers. This study focused on the application layer and the parts of the application layer that interacted with the smart contract layer. They articulate that there is a difference between destructive and cooperative front-running to create nuance in the definition of extracted value.

The most commonly captured attacks were double-spends, selfish mining, and bribery attacks. Future research and development could potentially focus on ways to develop reputational incentives for miners to avoid selfish mining or bribery. The researchers also note that in the presence of a presumed trusted hardware solution, there is a potential to prevent front-running attacks from occurring on-chain.


Larry - thank you for creating this fascinating paper and launching what I hope will be an interesting discussion about the blockchain ecosystem. How does user anonymity come into play?


Anonymity is agnostic inherently. The issue is that an agnostic system is not resistant to compromising influence, and in fact may be more susceptible to identity attacks by the very nature of decoupling an identity from a public key.

This means that a small group of individuals could very easily manipulate sentiment by engaging sock-puppets to give the appearance of consensus at scale.

This begs the question: how can consensus be achieved if it is unknown who is voting on consensus. In other words, if we cannot confirm a 1:1 ratio of votes per user, can we truly say “consensus” has been achieved? In that framework, it seems that true “consensus” may not be possible in an anonymized environment.

Even in an environment where identities are tied to votes, votes can be bought. So again, we cannot ever say “consensus” can be proven unless we can confirm there was no off-chain collusion which is obviously impossible.

Not to make the framing too abstract, but the article begs the question “How do we know for whom consensus has been achieved if we don’t know who is voting on consensus?”

This is likely the reason the authors framed the paper as “How Dark is the Forest?” as a metaphor for opacity being an obstacle to true consensus for the “forest” and not consensus “for a few trees”.


The idea that the majority of miners include transactions that were never seen in the mempool is astonishing.

One interesting area that I believe the authors left out is the percentage of value that the privately mined transactions constitute in a block. Although 1.64% is a small figure relative to transaction overall count, it might be a large portion of value transacted in that period.

Seems like MEV is evolving into out-of-band payments, where miners receive a commission for directly including transactions in a block. If this is the case, it would be important to understand what is the percentage of value abstracted via private transactions relative to the value abstracted via higher gas prices.


That is a very salient observation! I am wondering if such an analysis would be possible with private transactions since the transaction is effectively masked. I assume one can obviously analyze an account’s balance before and after a transaction, but wouldn’t it be extremely difficult to actually quantify the value of a private transaction? I assumed the authors had to analyze accounts to estimate the value of the private transactions, but I could have misread.


I wonder when applications begin to transition to layer 2 scaling solutions like optimistic and zk rollups if the amount of BEV (or I suppose REV in this case; rollup extractable value) will increase proportionally or if a greater percentage of transactions become REV related due to the lower gas pricing making the frontrunning/backrunning of lower slippage trades more profitable. I also wonder, given the many rollups that plan to or already use a centralized sequencer, if the percentage of privately mined transactions will increase due to the monopoly given to a single entity. Maybe they have sufficient incentive to not do so, as least in the beginning, to promote usage of their rollup. In general, I think there are benefits to privately mined transactions in the sense it allows users to prevent the frontrunning of their trades, but on the other hand it’s a bit like paying off the mafia for “protection” given the sequencer/miners offering privately mined transactions into blocks is often the one performing the frontrunning on user transactions as well. These are open questions that probably won’t be answered until rollups are used at scale, but it’s an interesting consideration in regards to BEV.


I think the question you’re dancing around is: is there a way to incentivize miners or those executing rollups to NOT extract value, and I think at this point in time the answer is a clear “no”.

There may be something that emerges eventually to change this, but currently, there is no real incentive to not extract value.

The one potential solution I have seen emerge is effectively just turning around to extract value from the value extractors. The Salmonella token was designed to trap sandwich attackers, and has been successful at doing such:

Defi-Cartel/salmonella: Wrecking sandwich traders for fun and profit (

At this point in time, I cannot see a viable way to disincentivize front-running, back-running, or sandwich attacks besides the Salmonella trap.