Bundlers are profit-maximizing entities. Their primary incentive is to capture MEV and transaction fees, not to uphold network neutrality. This creates a direct conflict where censoring certain transactions becomes the rational economic choice.
smart-contract-auditing-and-best-practices
Blog
Why Bundler Censorship is Inevitable
Account abstraction's promise of permissionless user operations will be broken by the political reality of regulated bundlers. This is a systemic risk, not a bug.
introduction
THE INCENTIVE MISMATCH
Introduction
Bundler censorship is a structural inevitability, not a bug, driven by misaligned economic incentives between users and infrastructure operators.
Permissionless entry is a red herring. While anyone can run a bundler client like EigenLayer or Pimlico, the capital requirements and operational scale needed for profitability create de facto centralization, mirroring the miner/validator dynamic in Bitcoin and Ethereum.
User intents are opaque and exploitable. The ERC-4337 standard separates transaction declaration from execution, allowing bundlers to reorder, drop, or front-run user operations based on profit, not fairness.
Evidence: The dominant PBS (Proposer-Builder Separation) model on Ethereum L1 demonstrates that when builders (analogous to bundlers) control block construction, censorship resistance is outsourced and becomes a market commodity, not a protocol guarantee.
thesis-statement
THE ECONOMIC REALITY
The Core Argument
Bundler censorship is not a bug but an inevitable consequence of the economic incentives baked into the ERC-4337 architecture.
Bundlers are profit-maximizing entities. The ERC-4337 standard creates a competitive market where bundlers select the most profitable user operations from the mempool. This profit motive inherently prioritizes transactions with higher fees, creating a natural economic filter.
Censorship is a feature, not a bug. Unlike validators in a base layer, bundlers have no protocol-level slashing for censorship. Their primary constraint is reputation risk, which is a weak deterrent compared to the immediate financial incentive to exclude low-fee or sanctioned transactions.
The mempool is not neutral. The shared UserOperation mempool is a design choice that centralizes transaction flow. This creates a single point of control where entities like Ethereum Foundation's Pimlico or Stackup can, even unintentionally, set de facto policy by their inclusion criteria.
Evidence: The PBS (Proposer-Builder Separation) model on Ethereum L1 demonstrates this dynamic. Builders already exclude transactions for maximal extractable value (MEV) and compliance. Bundlers are simply account abstraction's builders, inheriting the same economic logic.
key-trends
BUNDLER CENTRALIZATION
The Slippery Slope: Three Trends Making Censorship Inevitable
The shift to account abstraction and ERC-4337 is creating powerful new choke points where transaction censorship can be enforced.
01
The MEV Cartel Problem
Bundlers compete for proposer-builder separation (PBS) slots, creating a natural oligopoly. Top-tier builders like Flashbots and bloXroute control the majority of block space. A cartel of 3-5 major entities can easily enforce OFAC compliance by excluding sanctioned transactions from their bundles, setting a de facto standard for the entire network.
>80%
Block Share
3-5
Key Entities
02
Regulatory Pressure on RPCs
The entry point for user operations is the RPC. Major infrastructure providers like Alchemy and Infura are centralized, regulated entities. Under legal threat, they will filter transactions at the source before they even reach the mempool. This creates a pre-bundler censorship layer that is invisible and inescapable for compliant users.
~60%
RPC Market Share
0 ms
User Visibility
03
Economic Inertia & Lazy Validators
Validators are profit-maximizers, not censorship-resistors. If the most profitable bundles are pre-censored by the dominant cartel, validators have zero economic incentive to rebuild blocks. The cost of forgoing $100M+ in annual MEV revenue to include a few censored tx is a non-starter. The system's economic design makes censorship the path of least resistance.
$100M+
Annual MEV
0%
Incentive to Resist
CENSORSHIP VECTORS
Bundler Landscape: Who Controls Inclusion?
Comparison of bundler models based on their susceptibility to censorship and centralization of transaction ordering power.
| Censorship Vector | Permissioned Bundler (e.g., Alchemy, Blocknative) | Permissionless Bundler (e.g., Pimlico, Stackup) | Sovereign Bundler (e.g., User-Op Rollup) |
|---|---|---|---|
Entry Barrier | Whitelist / KYC | Stake ~50 ETH | Deploy a rollup |
MEV Capture | Full control over ordering | Competitive via PBS & auctions | Sovereign control, can be shared |
Primary Censorship Risk | Regulatory compliance (OFAC) | Validator-level filtering (e.g., relay policies) | Sequencer-level filtering |
User Op Latency | < 1 second | 1-12 seconds (auction window) | ~1 block time (12 sec) |
Cost to Censor One TX | $0 (policy decision) |
|
|
Decentralization Horizon | None (centralized service) | Medium (decentralized validator set) | High (rollup ecosystem) |
Key Dependency | Bundler operator | Ethereum consensus & relay network | Underlying rollup stack (e.g., Arbitrum, OP) |
deep-dive
THE BUNDLER MONOPOLY
The Architecture of Control
Bundler censorship is a structural inevitability, not a temporary flaw, due to the economic design of account abstraction.
Bundlers are natural monopolies. The role requires high capital efficiency and low latency to win block space auctions, favoring large, centralized operators like EigenLayer AVS or specialized L2 sequencers. Decentralization is a cost center.
The paymaster relationship dictates censorship. The entity paying for gas—whether a dApp like Uniswap or a wallet—ultimately controls transaction ordering. This creates a direct financial incentive for bundlers to comply with payer demands.
Intent-based architectures centralize power further. Systems like UniswapX and CowSwap shift complexity from users to centralized solvers. The solver, which becomes the de facto bundler, has complete visibility and control over the execution path.
Evidence: Over 90% of ERC-4337 bundles on Ethereum mainnet are processed by just two bundler implementations, demonstrating extreme centralization pressure from day one.
counter-argument
THE INCENTIVE MISMATCH
Counter-Argument: Can't We Just Build Permissionless Bundlers?
Permissionless bundlers fail because their economic incentives are structurally misaligned with censorship resistance.
Permissionless entry is insufficient. A network of independent bundlers does not guarantee censorship resistance. The economic design of MEV creates a centralizing force where the most profitable bundlers win, consolidating power.
Profit-maximizing bundlers will censor. A bundler's revenue comes from user tips and MEV extraction. Refusing a profitable transaction bundle for censorship reasons is economically irrational. This is identical to the miner dilemma in Proof-of-Work.
Real-world evidence is clear. The evolution of Ethereum block building (Flashbots, mev-boost) proves this. Despite permissionless relay and builder markets, dominance concentrates with a few entities optimizing for profit, not neutrality.
The solution is protocol-level. True censorship resistance requires in-protocol PBS (Proposer-Builder Separation) with slashing for censorship, not just an open market. This is the core innovation of EigenLayer's restaking for decentralized sequencing.
risk-analysis
WHY BUNDLER CENSORSHIP IS INEVITABLE
Systemic Risks for Builders and Protocols
The shift to modular, intent-based architectures outsources critical execution to a new class of intermediaries—bundlers. Their economic and operational logic creates systemic censorship vectors.
01
The MEV-Censorship Nexus
Bundlers are profit-maximizing entities. Censorship is not a bug but a feature of their revenue model. They will naturally exclude transactions that threaten their extractable value or align with blacklists.
- Profit Motive: Blocking transactions that enable competing MEV searchers or arbitrage opportunities is rational.
- Regulatory Pressure: Compliance with OFAC sanctions becomes trivial when you control transaction ordering, creating a centralized choke point.
- Network Effect: Dominant bundlers like those in the Ethereum PBS ecosystem set de facto standards for what gets included.
>44%
OFAC-Compliant Blocks
$1B+
Annual MEV
02
The Liquidity Gatekeeper Problem
In intent-based systems (e.g., UniswapX, CowSwap), the solver/bundler is the liquidity gateway. Whoever controls the bundler controls market access.
- Vertical Integration: Bundlers affiliated with specific DEXs or L2s will prioritize their own liquidity, censoring routes to competitors.
- Cross-Chain Control: Bridges like LayerZero and Across rely on relayers—a form of bundler—creating censorship risk for entire asset flows.
- User Lock-in: Protocols become dependent on a few bundled liquidity sources, losing sovereignty over their own transaction flow.
~80%
DEX Volume via Solvers
5-10
Major Bundlers
03
Centralized Technical Stack
Bundler infrastructure is highly centralized, running on AWS, Google Cloud, and other censorable services. The software stack itself creates single points of failure.
- RPC Reliance: Most bundlers use a handful of centralized RPC providers (e.g., Alchemy, Infura), which can filter transactions upstream.
- Fast Finality Trade-off: To achieve ~500ms latency, bundlers must make centralized, pre-confirmation decisions, which are inherently censorable.
- Opaque Logic: The proprietary matching engines in solvers and bundlers are black boxes, making detection of subtle censorship nearly impossible.
>60%
AWS/GCP Hosting
<1s
Decision Latency
04
Solution: Enshrined Sequencing & Proposer-Builder Separation (PBS)
The only credible mitigation is to bake credibly neutral transaction ordering into the protocol layer itself.
- L1 PBS: Ethereum's roadmap aims to enshrine PBS, separating block building from proposing, but builder centralization remains a risk.
- L2 Enshrined Sequencers: Rollups like Fuel and Espresso are exploring decentralized, shared sequencer sets to prevent single-operator censorship.
- Force Inclusion Lists: Protocols like Arbitrum have mechanisms to bypass sequencers, but they are slow and costly, a last resort.
- Sovereign Rollups: By posting data to Celestia or EigenDA and letting anyone produce blocks, they eliminate the dedicated bundler role entirely.
0
L2s with Decentralized Sequencers
2025+
Ethereum PBS ETA
05
Solution: Permissionless Bundler Pools & Reputation
If bundlers are unavoidable, the system must be designed to punish censorship through economic slashing and competitive routing.
- SUAVE: Aims to create a decentralized block builder marketplace, but its own sequencer set could become centralized.
- Reputation-Based Routing: Users/clients could route intents based on a bundler's historical censorship score, creating a market for neutrality.
- Staked Bonding: Requiring bundlers to post slashable bonds for liveness and censorship resistance, similar to EigenLayer restaking for AVSs.
- Multi-Bundler Clients: Wallets and protocols must integrate multiple bundlers and RPCs, forcing competition on inclusion, not just price.
$1M+
Potential Slash
Multi-Route
Client Requirement
06
Solution: Intent Standardization & User Sovereignty
Reduce bundler discretion by making user intents explicit, verifiable, and executable by any compliant party.
- Standardized Intents: Define a common schema (e.g., ERC-7521) so intent fulfillment is a verifiable computation, not a discretionary service.
- Open Solver Networks: Create open auctions for intent fulfillment where any solver can participate, breaking bundler monopolies. CowSwap's CoW Protocol is a model.
- User-Signed Constraints: Allow users to attach specific requirements (e.g., "must not use these OFAC addresses") that are cryptographically verifiable, making censorship detectable.
- Fully On-Chain Auctions: Move the bundler auction on-chain with programmable rules, as explored by Astria and Radius.
ERC-7521
Intent Standard
100%
Verifiable Execution
future-outlook
THE INEVITABLE FILTER
Future Outlook: The Compliance Layer
Bundlers will become mandatory compliance checkpoints, transforming from neutral infrastructure into regulated financial intermediaries.
Bundlers become regulated gatekeepers. Their role in ordering and submitting transactions is indistinguishable from a money transmitter under frameworks like the EU's MiCA or FinCEN guidance. This legal reality forces censorship-by-design.
Compliance is a competitive moat. The winning bundlers, like Pimlico or Stackup, will be those with the strongest KYC/AML integration, not the cheapest gas. Neutrality is a liability, not a feature.
Private mempools are the norm. To screen transactions pre-submission, bundlers will route all user ops through private, compliant channels like Flashbots Protect or BloxRoute, eliminating the public mempool for ERC-4337.
Evidence: The OFAC-sanctioned Tornado Cash addresses are already censored by major relayers like BloXroute and Eden. This precedent establishes the technical and legal blueprint for all future compliance.
takeaways
WHY BUNDLER CENSORSHIP IS INEVITABLE
Key Takeaways for CTOs and Architects
The promise of permissionless user operations is undermined by the economic and regulatory realities of the bundler role.
01
The MEV-Bundler Convergence
Bundlers are just specialized block builders. Their profit is derived from maximal extractable value (MEV), not just base fees. This creates an inherent conflict: a user's transaction can be censored if it threatens a more profitable MEV opportunity for the bundler or its searcher partners.
- Economic Inevitability: Profit-maximizing bundlers will always prioritize the most valuable bundle.
- Centralization Pressure: Only large, well-capitalized entities can compete for top-of-block positioning, leading to oligopoly.
>90%
Builder Market Share
$1B+
Annual MEV
02
Regulatory Pressure as a Kill Switch
Bundlers are identifiable, on-chain entities with clear fiat off-ramps. This makes them low-hanging fruit for regulators enforcing sanctions lists (e.g., OFAC). Compliance is not optional for sustainable businesses.
- De Facto Censorship: Compliance-driven bundlers will filter sanctioned addresses, fragmenting the mempool.
- Legal Precedent: The Tornado Cash sanctions set the template; bundlers are the next logical enforcement target.
~45%
OFAC-Compliant Blocks
100%
Identifiable Entity
03
The Ineffectiveness of Permissionless Entry
Simply having a permissionless bundler set doesn't prevent censorship. The economic and latency advantages of professional bundlers are insurmountable for hobbyists.
- Stake & Latency Arms Race: Winning the auction requires high-performance infrastructure and significant stake (e.g., EigenLayer AVS), creating barriers.
- Solution Path: Censorship resistance must be engineered at the protocol level via mechanisms like proposer-builder separation (PBS) and inclusion lists, not assumed from decentralization.
<100ms
Bid Latency
$1M+
Stake Required
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall