Sybil Attacks in Auction Based Inclusion Lists (AUCIL)

Inclusion lists (ILs) are the talk of the town as a censorship resistance primitive for Ethereum under proposer builder separation (PBS). Two major designs have been developed as per my understanding:

  1. FOCIL, which relies on underlying consensus with fixed slot wise participants and no explicit pricing, and
  2. AUCIL, which is an auction based inclusion list design that relies on economic incentives with strategic participation and price formation.

With FOCIL (EIP-7805) proposed to headline the forthcoming Hegota upgrade, the robustness of IL designs is an immediate concern. It is worth noting that neither design is fully Sybil proof or bribery proof.

FOCIL is inherently sybil resistant at committee selection, but its fee mechanisms can weaken once fake transactions and bribery are allowed. Fortunately, Stouka, Ma and Thiery [1] gave a comprehensive analysis for bribery attacks and safe mechanism design for FOCIL but I do not remember seeing a corresponding analysis for AUCIL.

This blog asks only two questions:

  1. Where can Sybil attacks enter AUCIL and how do they change their censorship guarantees and incentives? and
  2. What would a Sybil proof AUCIL mechanism for Ethereum look like? How can we improve this?

Quick Background For The Uninitiated

AUCIL by Wadhwa et al. [2] operates with a mempool and a committee of IL proposers . Each proposer may submit an input list containing at most transactions, with bounded by the available block capacity. A transaction offers an inclusion fee , which is also treated as its utility (keeping all other utilities constant). The protocol assumes rational parties, a common mempool and a synchronous network (at most delay). I will informally lay out the design (please refer to the original paper for proofs).

Phase I: Input list allocation

Rather than letting every proposer independently choose the highest fee transactions like in FOCIL, the protocol computes a recommended allocation using a greedy algorithm. Let be the number of proposers assigned transaction , and let denote the probability that an assigned input list becomes available. Since the fee is divided among the proposers contributing the same transaction, proposer ’s expected input-list utility is

The greedy allocation repeatedly assigns the transaction with the greatest marginal payoff. At the resulting correlated equilibrium, replacing an assigned transaction with an unassigned transaction cannot increase ’s utility:

Thus, transaction coverage and proposer rewards depend directly on the number of proposer identities assigned to each transaction.

Phase II: Aggregation using Auction (Is it really an Auction?)

Each proposer broadcasts its input list together with an availability flag and obtains a private VRF generated bias

Proposers aggregate the available input lists into candidate inclusion lists. If candidate contains available input lists, its auction score is

(So this is an example of a scoring auction then?)

The block proposer selects the highest scored valid candidate and proves that it beats at least other bids, where is the number of tolerated crashes. The winning aggregator receives an aggregation reward , split between the bid selected immediately and the highest bid observed over later rounds. Proposers also receive their shares of the transaction fees contained in the winning list.

The paper proves that guaranteed censorship through aggregation stage bribery costs at least

Nice right?

Okay So What If I Pull Up With My Friends?

From standard mechanism design literature, Incentive Compatibility Sybil Proofness and I have some claims that make me believe that it is the same for AUCIL too.

More formally, let be an attacker who controls members of the IL proposers.

Thus, splitting one principal into several identities must not increase its total reward or reduce its cost of censoring a transaction.

We already know for a fact that this is violated in both phases because there exists an AUCIL list allocation that is stable against every individual proposer but unstable against an attacker controlling two proposer identities.

Example. Let

and consider two transactions:

Algorithm 1 selects transaction , then , then , because the successive marginal rewards are

Suppose the resulting allocation is

Each identity assigned receives

while the identity assigned receives .

Now we see that no individual attack is profitable (IC property):

and

Now suppose A controls identities and . Its prescribed utility is

If identity remains on while identity switches to , obtains

Thus,

even though the deviating identity individually loses utility:

The attacker accepts that loss because the attack raises the reward of its other identity from to .

Therefore, Algorithm 1 can be IC with greedy allocation and equilibrium while failing to be sybil proof. More interestingly not that the multiplicity of transaction falls from

to

A Sybil attack can therefore reduce the number of input lists protecting a transaction, even without an external bribe. Let us formalize this a bit more:

Looks hard but the utility expression simply follows by summing AUCIL’s fee shares and the difference is obtained by direct subtraction. For censorship, the controlled identities omit freely and only the remaining identities require compensation.

AUCIL’s original Phase I guarantee is Thus, for , so the original lower bound no longer holds. The exact new cost depends on the replacement transactions available to each proposer.

What Does This Mean and Where Do We Go?

We have barely scratched the surface on an analysis of the ramifications of a sybil attack on AUCIL. There’s tons of other ideas such as a whole theory of Sybil Proof Auction Based Inclusion Lists that we can solve for and we also have not grounded this in formal mechanism design theory such as optimal auctions as well as welfare analysis among the different proposers (a huge income inequality between the proposers will definitely incentivise competition and attacks) and maybe we can improve on the scoring auction set up here (equitable auctions is a thread we can see?). One big improvement that I can see that can solve the problem is using stake based partitions of fees instead which will also discourage sybils and improve aggregation complexity as well in a way. More concretely:

  1. Can we use stake based partitions for fees and improve upon the correlated equilibrium greedy algorithm to optimize for equity?

  2. Can we improve the scoring auction design in Phase II to deal with the Sybil Proofness case as well? How about if instead of the VRF sample, we can design a stake weighted lottery?

I hope AUCIL is implemented sometime in the future and I am excited to see the implementation of FOCIL this time around. Thanks for reading.

I have been Abhimanyu Nag.

References

  1. Stouka, A. P., Ma, J., & Thiery, T. (2025). Multiple proposer transaction fee mechanism design: Robust incentives against censorship and bribery. arXiv preprint arXiv:2505.13751.

  2. Wadhwa, S., Ma, J., Thiery, T., Monnot, B., Zanolini, L., Zhang, F., & Nayak, K. (2025). AUCIL: An Inclusion List Design for Rational Parties. Cryptology ePrint Archive.

No comment found.

Add a comment

You must log in to post a comment.