- The paper shows that no TFM can simultaneously eliminate both user and scheduler risk under execution uncertainty due to inherent computational limits.
- It introduces a formal risk allocation framework comparing user-friendly, scheduler-friendly, and even-steven mechanisms through different scheduler utility models.
- The study proposes the Object-Weighted Transaction Fee Mechanism (OW-TFM) to mitigate shill attacks while balancing practical fee design trade-offs.
Perils of Parallelism: Transaction Fee Mechanisms under Execution Uncertainty
Introduction and Context
This paper presents a rigorous investigation into the vulnerabilities and limitations of transaction fee mechanisms (TFMs) in blockchains employing parallel execution, with a particular focus on execution contingency and adversarial behavior. As blockchain protocols shift their primary throughput bottleneck from consensus to execution, parallel execution is increasingly adopted to maximize system efficiency. However, the complexity induced by resource contention, conditional (contingent) execution, and adversarial maneuvers undermines traditional and recent TFM designs. This work provides an analytically robust framework to formalize and quantify these tensions, evaluates existing and novel mechanisms, and establishes impossibility and complexity-theoretic results that delineate the boundaries of secure and efficient fee design under parallelism.
Execution Contingency and Inherent Trade-offs
The core technical contribution is the formalization of contingent transactions—transactions whose resource footprint depends on runtime-determined state. The analysis reveals two fundamental types of risk:
- User Risk: Overpayment by users for resources declared but not utilized in contingent transactions.
- Scheduler Risk: Revenue loss for schedulers when reserved resources, booked per declarations, go unused due to contingent execution paths.
The paper proves a strong impossibility result: in the presence of execution uncertainty intrinsic to Turing-complete smart contract environments, no TFM can simultaneously eliminate both user and scheduler risk without either full prior execution or collapsing to trivial constant fees (Theorem 1). This result follows from the fact that determining actual object usage for a contingent transaction is P-complete (Theorem 2), precluding efficient ex-ante resolution. Thus, TFM design becomes an exercise in explicit risk allocation.
Risk Division Mechanisms and the Design Spectrum
The authors introduce a precise parameterization of TFM risk allocation mechanisms:
- User-Friendly (a=0): Users pay only for realized usage, bearing no user risk but exposing schedulers to maximum risk.
- Scheduler-Friendly (a=1): Users pay for all declared objects, bearing full risk regardless of actual resource usage, fully insulating the scheduler.
- Even-Steven (a=0.5): Equal splitting of contingency-induced surplus/deficit.
These mechanisms are evaluated against three scheduler utility models (optimistic—executes-for-max, pessimistic—executes-for-min, and median—statistical average), allowing explicit analysis of revenue variance and fairness. The separation of attainable fee, baseline fee, user-ideal fee, and realized paid fee defines a multidimensional design space wherein any choice implies a linear trade-off between user risk and scheduler risk. The authors rigorously argue that this allocation cannot be evaded or obfuscated in expressive execution environments.
Shill Attacks and Mechanism Vulnerabilities
An essential insight of this work is the introduction of adversarial shill attacks under parallel execution TFMs. The authors extend and critique previous Gas Computation Mechanisms (GCMs), including Shapley and Time-Proportional Makespan (TPM) strategies [3], by modeling both the user and the scheduler as rational agents capable of introducing strategically chosen shill transactions:
- User Shill Attacks: Fake transactions are injected to alter execution schedules and arbitrage lower effective fees for real transactions.
- Scheduler Shill Attacks: Schedulers manipulate their schedules (or inject fake transactions) to inflate aggregate fees without commensurate utility.
The paper introduces the formal property of shill-proofness, which is shown to be fundamentally at odds with essential properties such as efficiency (e.g., gas equals makespan). No general GCM with parallelism can guarantee both scheduler shill-proofness and efficiency—an inescapable trade-off in practical protocol design.
Moreover, execution contingency drastically lowers the cost and increases the effectiveness of shill attacks; a user only pays for failure if resources are realized, resulting in zero or minimal fee in failed branches.
Object-Weighted Transaction Fee Mechanism (OW-TFM)
The paper proposes the Object-Weighted Transaction Fee Mechanism (OW-TFM) as a robust instantiation within the family of TFMs. Instead of pricing transactions solely on declared compute or serial time, OW-TFM multiplies declared compute by per-object prices updated using historical utilization (mirroring concepts from Ethereum’s EIP-1559). Under appropriate parameterization (e.g., sufficient risk allocation to users), OW-TFM achieves shill-proofness with respect to both user and scheduler attacks, except for long-range manipulations across blocks. Its fee independence from real-time parallelism circumvents cyclical scheduling dependencies and allows for robust, anticipation-based pricing.
The adoption of OW-TFM provides a practical and theoretically sound response to the inevitability of the user-scheduler risk trade-off and shill-resistance requirements under parallel execution.
Implications and Future Directions
Practical Protocol Security
The findings underscore the necessity for protocol designers (e.g., Sui, Monad) to carefully select and justify their position on the user-scheduler risk spectrum, matching desired fairness and liveness properties against exploitable attack vectors. The demonstrated shill attacks, not eliminated in many current academic and industrial proposals, point to significant real-world risks for both protocol stability and economic fairness.
Theoretical Ramifications
The established impossibility and P-completeness results indicate that efficient, fully fair and manipulation-resistant TFMs for general-purpose, parallel blockchains are unattainable under reasonable computational assumptions. This necessitates explicit risk disclosure and management in protocol documentation and design.
Research Trajectories
- Probabilistic and semantic-aware mechanisms: The possibility of employing probabilistic models (informed by historical usage or empirical semantics) for “expected risk” fee allocation is suggested, though it introduces new adversarial surfaces.
- Atomicity and context-switching: Extensions to execution environments with infinite threads or fine-grained atomic chunking could alter some of the impossibility results, meriting further exploration.
- Empirical convergence analysis: The findings cast doubt on past critiques of multidimensional fee mechanism convergence [14], prompting calls for empirical validation in systems with recent upgrades (e.g., EIP-4844).
Conclusion
This paper rigorously delineates the mechanism-design boundaries for transaction fee markets in parallel-execution blockchains. It proves the unavoidability of user-scheduler risk trade-offs under contingency, provides formal definitions of shill-proofness inaccessible to existing GCM and TFM designs, and offers object-weighted fees as a robust path forward. The analysis has immediate normative implications for fee market engineering and future research seeking to balance scalability, fairness, and security in decentralized blockchains.
Reference: "Perils of Parallelism: Transaction Fee Mechanisms under Execution Uncertainty" (2604.04193)