PBS creates a trust sandwich. The protocol delegates block construction to specialized builders, but the user must trust the builder's execution and the relay's censorship resistance. This shifts trust from a single validator to a builder-relay cartel.
the-ethereum-roadmap-merge-surge-verge
Blog
The Hidden Trust Assumptions in PBS
Proposer-Builder Separation (PBS) is hailed as a cornerstone of Ethereum's post-Merge roadmap. But beneath its elegant auction mechanism lurk critical, unspoken dependencies on trusted third parties. This analysis dissects the trust you're forced to place in builders, relays, and the MEV supply chain, revealing why PBS is a step towards, not the final state of, credible neutrality.
introduction
THE HIDDEN TRUST
Introduction: The Trustless Mirage
Proposer-Builder Separation (PBS) introduces new, opaque trust vectors that undermine its core decentralization promise.
Relays are centralized choke points. Builders like Flashbots, bloXroute, and Titan submit blocks through a handful of dominant relays. This creates a single point of failure for censorship and MEV extraction, contradicting Ethereum's credibly neutral design.
The trust is in the black box. Users cannot verify a builder's execution path or the relay's filtering logic. This opaque execution layer reintroduces the need to trust intermediaries, the very problem decentralization aimed to solve.
Evidence: Over 90% of Ethereum blocks are built by five entities and relayed through Flashbots. This concentration creates systemic risk where a relay outage or malicious update can halt the chain.
key-trends
HIDDEN ASSUMPTIONS
The Three Pillars of PBS Trust
Proposer-Builder Separation's security model rests on three critical, often overlooked, trust vectors.
01
The Relayer Cartel Problem
Centralized relay operators like Flashbots, bloXroute, and Titan control the flow of blocks to validators. Their honest behavior is assumed, but they can censor, front-run, or go offline.\n- Single Point of Failure: Top 3 relays control >90% of PBS blocks.\n- Trusted Execution: Relays see the full block content before validators.
>90%
Market Share
~12s
Latency Window
02
The Builder Monopoly Risk
Specialized builders like Jito Labs and builder0x69 dominate MEV extraction. Their dominance creates systemic risk if they collude or are compromised.\n- Economic Centralization: Top builder captures ~30% of slot revenue.\n- Code Trust: Validators must trust the builder's software stack is not malicious.
~30%
Revenue Share
$1B+
Extracted MEV
03
The Enshrined Verifier Gap
Validators blindly sign block headers without verifying the full block contents. This trust is enforced by the protocol but creates a verifier's dilemma.\n- Blind Signing: Validators cannot check for censorship or invalid transactions.\n- Protocol Enforcement: Ethereum's consensus rules require this trust in the relay-builder duo.
0ms
Verification Time
100%
Assumed Honesty
deep-dive
THE PROPOSER-BUILDER SEPARATION AUDIT
Auditing the Trust Stack: Builders, Relays, and the MEV Cartel
Proposer-Builder Separation centralizes trust in a small cartel of builders and relays, creating systemic risk.
PBS centralizes trust. The protocol delegates block production to a competitive builder market, but that market collapsed into an oligopoly. The top three builders like Flashbots and bloXroute consistently produce over 80% of Ethereum blocks.
Relays are trusted oracles. A relay's role is to attest to a block's validity and payment. This makes them a single point of censorship and failure, as seen in OFAC compliance post-Merge. Builders must trust relays not to steal their blocks.
The MEV supply chain is opaque. Builders source transactions from private mempools and searchers, creating a trusted off-chain order flow. This re-introduces information asymmetry and front-running risks that PBS aimed to solve.
Evidence: In Q1 2024, the top two relays, BloXroute and Agnostic, relayed over 60% of blocks. A single relay failure or malicious act disrupts the entire chain's liveness and neutrality.
PROPOSER-BUILDER SEPARATION
The PBS Trust Matrix: Assumptions vs. Reality
Deconstructing the trust assumptions in Proposer-Builder Separation (PBS) implementations, comparing the idealized model with current centralized and decentralized realities.
| Trust Assumption / Metric | Ideal PBS Model | Current Centralized Reality (e.g., Flashbots SUAVE) | Decentralized PBS Future (e.g., mev-commit, shutterized PBS) |
|---|---|---|---|
Builder Censorship Resistance | |||
Proposer Censorship Resistance | |||
MEV Extraction Transparency | Full (on-chain) | Opaque (off-chain) | Controlled (encrypted mempools) |
Relayer Role | Permissionless | Permissioned Cartel | Permissionless Network |
Cross-Domain MEV Capture | |||
Time to Finality Impact | < 1 sec | ~12 sec (to proposer) | ~12 sec + decryption lag |
Key Trusted Third Party | None | Builder/Relayer Cartel | Threshold Network (e.g., DKG) |
Primary Failure Mode | Liveness | Censorship & Centralization | Complexity & Coordination |
future-outlook
THE TRUST MINIMIZATION IMPERATIVE
The Path Forward: Enshrined PBS and SUAVE
Proposer-Builder Separation (PBS) introduces new, often overlooked, trust vectors that enshrined PBS and SUAVE aim to eliminate.
Builder cartelization is inevitable without protocol-level intervention. The current outsourced PBS model centralizes block building in a few entities like Flashbots, bloXroute, and Builder0x69, creating a trusted relay layer. This centralization reintroduces the censorship and MEV extraction risks PBS was meant to mitigate.
Enshrined PBS eliminates relay trust. By embedding the auction mechanism into the protocol consensus, Ethereum removes the need for a trusted third-party relay. Builders submit their blocks directly to a decentralized auction, enforced by the validator set, which is the only trust assumption.
SUAVE addresses pre-confirmation trust. Even with enshrined PBS, users currently trust builders with transaction order. SUAVE, a shared mempool and order flow auction, decentralizes this by having specialized executors compete for order flow, separating it from block building. This mirrors the intent-based design of UniswapX.
Evidence: Flashbots currently dominates >90% of Ethereum MEV-Boost blocks. This market share demonstrates the systemic risk of the current trusted relay model, which enshrined PBS directly attacks.
takeaways
PROPOSER-BUILDER SEPARATION
TL;DR for Protocol Architects
PBS is not a trustless primitive; it's a trust-minimization framework with critical, often overlooked, assumptions.
01
The Censorship Trilemma: Builder, Relay, or Both
You cannot eliminate censorship risk, only shift it. A decentralized builder set is useless if the relay censors. A permissionless relay is useless if builders collude. The current equilibrium relies on trusted relays like Flashbots, creating a single point of failure for MEV extraction and transaction ordering.
>90%
Relay Dominance
1
Critical Failure Point
02
Enshrined PBS vs. SUAVE: The Centralization Fork
The core debate is where to place trust. Enshrined PBS (in-protocol) trusts the validator set's governance but risks protocol bloat. SUAVE-like solutions trust a new, external decentralized network, creating a competitive market but introducing cross-domain trust and composability risks. Neither is trustless.
Protocol
Governance Risk
External
Network Risk
03
MEV-Boost's Liquid Staking Dependency
PBS adoption is gated by liquid staking derivatives (LSDs) like Lido and Rocket Pool. Solo stakers cannot run competitive builders, so block production centralizes with whale stakers and LSD providers. This creates a feedback loop where PBS efficacy depends on the economic security of a handful of LSD protocols.
~33%
Lido Market Share
Centralized
Builder Set
04
The Time-Bandit Attack: Reorgs as a Service
PBS assumes rational, profit-maximizing builders. A builder with >33% hashrate/power can profitably reorg chains to steal MEV, violating settlement finality. This turns maximal extractable value into maximal attack value. Mitigations like proposer commitments add complexity and new assumptions.
33%
Attack Threshold
Finality
At Risk
05
Builder Collusion is The New Cartel
Nothing in PBS prevents builders from forming a cartel to exclude certain transactions or extract supra-competitive rents. With a small, centralized builder set (see Card 3), this is a credible threat. Monitoring and slashing are post-hoc and may be insufficient against sophisticated, off-chain collusion.
Oligopoly
Market Structure
Off-Chain
Collusion Risk
06
The Data Availability Blind Spot
Builders must reveal full blocks to relays for attestation, creating a data availability gap between builders and proposers. A malicious relay can withhold data, causing the proposer to miss their slot. Solutions like EigenLayer's Data Availability layer or EIP-4844 blobs introduce their own trust and cost trade-offs.
12s
Slot Time Risk
New Layer
Trust Assumption
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall