MEV infrastructure centralizes power. Builders like Flashbots and bloXroute control transaction ordering, enabling them to exclude specific transactions from blocks entirely.
security-post-mortems-hacks-and-exploits
Blog
The Future of Censorship: How MEV Tools Can Silence Transactions
An analysis of how the infrastructure built for extracting value (MEV) and protecting users (private order flow) creates a powerful, low-cost vector for systematic transaction censorship on Ethereum and other blockchains.
introduction
THE CENSORSHIP VECTOR
Introduction: The Double-Edged Sword of MEV Infrastructure
The same infrastructure that democratizes MEV extraction creates a centralized censorship surface for transaction ordering.
Censorship is a protocol-level failure. The OFAC compliance mandates for Tornado Cash transactions demonstrated how builder-level filtering becomes a systemic risk, not just a theoretical concern.
The solution is credibly neutral infrastructure. Protocols like SUAVE and MEV-Share attempt to decentralize the block-building process, separating the power to order from the power to censor.
key-trends
THE CENSORSHIP-ENABLING STACK
Executive Summary: Three Inconvenient Truths
The infrastructure for extracting MEV is becoming the same infrastructure that can be weaponized to suppress transactions.
01
The Problem: Censorship is a Feature, Not a Bug
Block builders and relays are the new gatekeepers. By controlling transaction ordering, they can silently exclude sanctioned addresses or entire protocols from blocks, achieving soft censorship without hard forks.\n- Key Insight: Compliance is a profit center for centralized builders like Flashbots.\n- Key Risk: AOFAC sanctions lists become de facto blockchain policy, enforced by ~90% of Ethereum blocks.
90%
Blocks Compliant
0
Forks Needed
02
The Solution: Credibly Neutral PBS
Proposer-Builder Separation (PBS) must be designed with neutrality as a first-class property. This requires commit-reveal schemes and permissionless builder entry to prevent a cartel from controlling the inclusion list.\n- Key Entity: Ethereum's enshrined PBS is the long-term hedge.\n- Key Mechanism: MEV-Boost++ with forced transaction inclusion via builder-side encryption.
100%
Permissionless
~500ms
Reveal Latency
03
The Wildcard: SUAVE as a Censorship Battleground
Flashbots' SUAVE aims to be a universal mempool and block builder. If it centralizes order flow, it becomes the single point for global censorship. If it decentralizes correctly, it could be the most resilient anti-censorship layer.\n- Key Conflict: The same cross-chain MEV tools that power UniswapX and Across could blacklist chains.\n- Key Metric: Control of >33% of cross-domain order flow creates systemic risk.
>33%
Critical Threshold
1
Single Point
thesis-statement
THE INCENTIVE
The Core Thesis: Censorship as a Byproduct of Optimization
Censorship is not a bug of MEV infrastructure but a direct consequence of its economic design.
Censorship is profitable optimization. Block builders like Flashbots and bloXroute maximize revenue by excluding transactions that reduce their extracted value, creating a rational economic incentive for censorship.
The mempool is now private. The rise of private order flow (PFOF) channels, dominated by Jito and bloXroute, removes transactions from public view, making censorship a default, invisible operation.
Proposer-Builder Separation (PBS) centralizes control. PBS outsources block construction to a few specialized builders, creating a centralized chokepoint where censorship can be efficiently enforced at scale.
Evidence: Post-Merge, over 90% of Ethereum blocks are built by three entities, and Flashbots' MEV-Boost relays have demonstrably censored OFAC-sanctioned addresses, proving the thesis.
MEV TOOLING LANDSCAPE
Censorship Attack Vectors: A Comparative Analysis
A comparison of how different MEV infrastructure components can be weaponized for transaction censorship, detailing their mechanisms, effectiveness, and countermeasures.
| Attack Vector / Metric | Builder-Level Censorship (e.g., Flashbots, bloXroute) | Validator-Level Censorship (e.g., Lido, Coinbase) | User-Level Protection (e.g., MEV-Boost++, Shutter Network) |
|---|---|---|---|
Primary Mechanism | Exclusion from block-building process | Refusal to include or propose specific blocks | Pre-execution encryption (TEEs/MPC) |
Censorship Effectiveness |
| Varies by validator market share (e.g., Lido: ~33%) | Prevents frontrunning; base-layer censorship still possible |
Detection Difficulty | High (private mempools, opaque order flow) | Medium (public mempool analysis, missed slots) | Low (encrypted payloads are observable) |
Key Enabling Entity | Block Builders (e.g., Titan Builder, rsync) | Staking Pools / Solo Validators | Threshold Networks / Secure Enclaves |
Countermeasure Example | MEV-Boost++ (crLists), SUAVE | Distributed Validator Technology (DVT) | Integration with intent-based systems (e.g., UniswapX, CowSwap) |
Time-to-Censor | < 1 slot (12 seconds) | 1+ slots (12+ seconds) | N/A (preemptive protection) |
Economic Cost to Attacker | Builder revenue opportunity cost | Block proposal reward forfeiture (~0.05 ETH) | Requires breaking TEE/MPC cryptography |
Real-World Precedent | OFAC-sanctioned addresses post-Merge | Hypothetical; risk of staking pool compliance | Active development, no major deployment yet |
deep-dive
THE CENSORSHIP VECTOR
The Mechanics of Silent Exclusion
Silent exclusion is a censorship attack where validators or builders drop transactions without signaling their removal, making detection impossible.
Silent exclusion is undetectable censorship. Unlike a public mempool where missing transactions are obvious, proposer-builder separation (PBS) and private order flow to builders like Flashbots Protect or bloXroute create a black box. A malicious builder can filter transactions from a sanctioned address before the block is ever proposed, leaving no public record of the attempted transaction.
The attack exploits PBS architecture. In a PBS system, the block builder's role is to construct a valid, profitable block for the proposer. The builder has unilateral power to exclude any transaction. This is distinct from Maximal Extractable Value (MEV) extraction, which reorders for profit; silent exclusion removes value entirely for compliance or coercion.
Detection requires indirect inference. Protocols like MEV-Boost relays or EigenLayer's EigenDA could theoretically log transaction inclusion requests to create an attestation layer. Without this, users must rely on probabilistic checks, monitoring if their transaction eventually lands on an alternative builder or chain like Arbitrum via a cross-chain messaging layer.
Evidence: Real-world precedent exists. In 2022, OFAC-sanctioned Tornado Cash addresses saw transactions excluded from >50% of Ethereum blocks post-merge, demonstrating builder-level compliance. This proved the infrastructure for silent exclusion is operational and economically rational for regulated entities.
case-study
THE FUTURE OF CENSORSHIP
Case Studies: From Theory to On-Chain Reality
MEV is no longer just about extraction; it's a powerful, programmable tool for transaction-level control.
01
Flashbots SUAVE: The Censorship-Agnostic Future
Decouples block building from proposing, creating a neutral marketplace. This neutralizes the power of OFAC-compliant validators by routing transactions to the highest bidder, regardless of origin.
- Universal Order Flow: Creates a competitive, permissionless market for block space.
- Intent-Based Routing: Users express what they want, not how to do it, bypassing blacklists.
- Proposer-Builder Separation (PBS): Enforced at the protocol level to prevent centralized control.
~100%
Block Coverage
0
OFAC Slots
02
Shutter Network: Encrypted Mempool Execution
Uses threshold cryptography to encrypt transactions until they are included in a block. This prevents frontrunning and makes transaction censorship impossible before execution.
- Pre-Execution Secrecy: Validators commit to encrypted bundles blind.
- Key-Split Trust: Decryption keys are distributed across a decentralized keyholder set.
- Compatible with PBS: Can be integrated into builders like mev-boost and SUAVE.
TEE/MPC
Tech Stack
>66%
Honest Assumption
03
EigenLayer & Restaking: Economic Slashing for Censorship
Turns economic security into a programmable resource. Operators who engage in censorship (e.g., filtering OFAC transactions) can have their restaked ETH slashed.
- Programmable Trust: AVSs can define and enforce anti-censorship rules.
- Pooled Security: Leverages Ethereum's $50B+ staked ETH to secure other networks.
- Enforcement Layer: Provides the teeth for protocols like SUAVE or Shutter.
$50B+
Securing Pool
Slashable
Enforcement
04
The OFAC Tornado Cash Sanction: A Live Stress Test
The 2022 sanction created a real-world lab. Compliant validators (like Coinbase, Kraken) began filtering transactions, leading to ~50% of blocks being OFAC-compliant at peak.
- Revealed Centralization: Exposed reliance on a few major block builders.
- Catalyzed Innovation: Directly spurred development of SUAVE, Shutter, and encrypted mempool research.
- Proof-of-Censorship: Tools like mevwatch.info emerged to track compliance in real-time.
~50%
Peak Censorship
2022
Catalyst Event
05
MEV-Boost Relay Cartel: The Centralized Chokepoint
The dominant mev-boost relay-builder ecosystem (e.g., BloXroute, Flashbots, Manifold) became a de facto censorship vector. A few entities control the flow of transactions to validators.
- Single Point of Failure: Centralized relays can impose filtering rules.
- PBS Imperfection: Current PBS is permissioned and trusted.
- Market Pressure: Builders face regulatory pressure to comply, creating systemic risk.
~90%
Relay Market Share
<10
Major Relays
06
Private RPCs & Order Flow Auctions: User-Side Defense
Tools like Flashbots Protect RPC and Bloxroute's Private RPC allow users to submit transactions directly to builders, bypassing the public mempool. This is a tactical, immediate solution.
- Frontrunning Protection: Hides transactions from searchers.
- Censorship Bypass: Routes to builders who don't filter.
- Market Fragmentation: Creates parallel, non-censoring transaction lanes, but is not a protocol fix.
~500ms
Latency Added
Tactical
Solution Type
counter-argument
THE INCENTIVE MISMATCH
Counter-Argument: The Market Will Self-Correct
The economic argument for censorship resistance is flawed because searcher and builder incentives are misaligned with user sovereignty.
The censorship premium fails. The theory that users will pay more for inclusion ignores that MEV searchers are the real payers. Searchers arbitrage profitable transactions, not politically sensitive ones. A sanctioned OFAC transaction offers no arbitrage profit, so no searcher will bid for it, regardless of any hypothetical user fee.
Builder cartels are rational. The block production market consolidates into a few dominant entities like Flashbots, bloXroute, and beaverbuild. Their incentive is to maximize MEV extraction and minimize regulatory risk, not to uphold a decentralized ethos. A cartel that collectively filters transactions faces no competitive penalty if all major builders comply.
Private mempools enable silent censorship. Tools like Flashbots Protect and Taichi Network route transactions directly to builders, bypassing the public mempool. This creates a black box for transaction filtering where exclusion is invisible. Users cannot prove censorship occurred because their transaction never entered a public ordering layer.
Evidence: After OFAC sanctions, over 70% of Ethereum blocks were built by compliant builders. The market did not route around this censorship; it optimized for it. The economic activity of searchers and builders, not end-users, dictates the chain's political neutrality.
risk-analysis
CENSORSHIP VECTORS
Risk Assessment: Who's Most Vulnerable?
MEV-based censorship is a systemic risk, but its impact is not uniform across the ecosystem.
01
The Privacy-Conscious User
Tornado Cash users or those using privacy mixers are primary targets. Their transactions are flagged by OFAC and are the easiest for builders to identify and exclude without economic penalty.
- Risk: Direct, non-economic censorship via block-level exclusion.
- Vector: Reliant on builders' compliance policies, not just searcher competition.
100%
Exclusion Rate
OFAC
Primary Driver
02
The High-Value Arbitrageur
Searchers running complex, multi-DEX arb strategies are vulnerable to targeted frontrunning. A dominant builder can silently censor their profitable bundles to capture the MEV for themselves.
- Risk: Economic censorship disguised as competitive exclusion.
- Vector: Builder can analyze mempool and private order flow to identify and block rival bundles.
~$100M+
Annual MEV at Risk
Stealth
Attack Type
03
The Small-Stakes DeFi User
Users swapping small amounts on AMMs like Uniswap are vulnerable to generalized censorship during peak activity. Their low-fee transactions are the first to be dropped when block space is contested, effectively silencing their economic activity.
- Risk: Indirect, economic censorship via fee market dynamics.
- Vector: Reliant on PBS; if builders exclude low-profit transactions, users are forced to overpay.
>50%
Fee Spike Needed
PBS-Dependent
Systemic Flaw
04
The Cross-Chain Bridge
Protocols like Across and Stargate that rely on fast, guaranteed finality for security are at risk. A censoring builder can delay or reorder bridge settlement transactions, creating arbitrage opportunities or triggering insolvency.
- Risk: Protocol-level insolvency and broken security assumptions.
- Vector: Attack on time-sensitive transaction ordering, not just inclusion.
$1B+
TVL Exposed
Settlement Risk
Critical Failure
future-outlook
THE CENSORSHIP DILEMMA
Future Outlook: Protocol Fixes and Existential Questions
MEV tooling designed for extraction is evolving into a powerful vector for transaction censorship, forcing a fundamental redesign of block building.
MEV tooling enables censorship. Builders like Flashbots Protect and BloXroute's Max Profit bundle now filter transactions pre-block, creating a permissioned mempool. This centralizes the power to exclude addresses or dApps at the builder level, not the validator level.
Proposer-Builder Separation fails. PBS was meant to decentralize MEV capture but created a builder cartel. The dominant builder can now censor with impunity, as seen when OFAC-sanctioned Tornado Cash transactions were excluded for months.
Enshrined Proposer-Builder Separation (ePBS) is the proposed protocol fix. It bakes PBS into the Ethereum protocol itself, removing the builder's ability to withhold blocks from honest validators. This makes censorship a coordinated social attack, not a technical default.
Encrypted mempools are the endgame. Protocols like Shutter Network and EigenLayer's MEV Blocker encrypt transactions until inclusion, preventing frontrunning and making censorship decisions impossible without the proposer's key. This shifts power back to the decentralized validator set.
takeaways
CENSORSHIP-RESISTANT INFRASTRUCTURE
Key Takeaways for Builders and Investors
The tools that extract MEV are becoming the same tools that can suppress it, creating a new battleground for transaction integrity.
01
The Problem: Builder-Level Censorship is a Protocol-Level Threat
When dominant builders like Flashbots or Jito exclude OFAC-sanctioned transactions, they create a centralized failure point. This isn't just about compliance; it's about the liveness guarantee of the base layer.
- Risk: A single builder cartel can effectively blacklist addresses.
- Impact: Violates the credibly neutral settlement promise of Ethereum and Solana.
- Metric: Builders control ~90% of Ethereum blocks, making censorship trivial.
~90%
Block Share
1
Failure Point
02
The Solution: Enshrined Proposer-Builder Separation (PBS)
Formalizing the separation of block building from proposing at the protocol level is the only long-term fix. This forces validators to choose from a competitive market of builders, breaking cartels.
- Mechanism: Proposers commit to blocks via a cryptographic commitment before seeing the full contents.
- Outcome: No single builder can be sure their censored block will be chosen.
- Entity: Ethereum's PBS roadmap is critical, but Solana and other L1s must adopt similar principles.
Protocol
Level Fix
Market
Forces Applied
03
The Hedge: Permissionless Encrypted Mempools
While PBS is built, encrypted mempools like Shutter Network or EigenLayer's MEV Blocker offer a practical hedge. They hide transaction content from builders until inclusion, making targeted censorship impossible.
- How it works: Transactions are encrypted with Threshold Encryption and only decrypted after block finalization.
- Trade-off: Introduces ~1-2 second latency but preserves neutrality.
- Adoption: Look for integration with Uniswap, CowSwap, and major wallets as a signal.
~1-2s
Latency Add
0%
Visibility
04
The Investment Thesis: Neutrality as a Service
The market will pay a premium for credible neutrality. This creates opportunities for new builder entities, RPC providers (like Blast API), and staking pools that can cryptographically prove non-censorship.
- Metric: Stakers may shift delegations to pools with >99% inclusion scores.
- Product: Auditable, real-time dashboards proving transaction inclusion are a new compliance tool.
- Valuation Driver: Infrastructure that guarantees liveness becomes a core primitive, not a feature.
>99%
Inclusion Score
Premium
Staking Yield
05
The Regulatory Trap: Compliance is a Slippery Slope
Builders complying with OFAC today may face demands for generalized keyword filtering tomorrow. This is a technical and legal quagmire. The only sustainable position is protocol-level neutrality.
- Precedent: Tornado Cash sanctions set the stage for address-based filtering.
- Escalation: Next could be DAO treasury transactions or privacy-preserving transfers.
- Defense: Builders must advocate for technology neutrality in regulation or face existential risk.
OFAC
Starting Point
DAO Tx
Next Target
06
The Builder's Mandate: Architect for Adversarial Assumptions
Assume your transaction flow will be watched and potentially censored. Design systems that are resistant by default using tools like SUAVE, intent-based relays, and direct integration with neutral builders.
- Tactic: Use MEV Blocker or Flashbots Protect RPC as a default for retail UX.
- Architecture: Move towards intent-based systems (UniswapX, Across) where user preferences are fulfilled off-chain, obscuring the target.
- Bottom Line: Censorship resistance is no longer a theoretical concern; it's a required spec.
Default
Resistance
Intent
Architecture
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall