Hi, I’m Tei from Sunnyside Labs.
Sunnyside Labs is a core dev company of Optimism Collective and Ethereum. We’re scaling Ethereum by contributing and building products.

We’re sharing a high-level proposal to extend Flashtestation for decentralized, untrusted L2 block building. Feedback on onchain Builderhub, WS orderflow, payload propagation, and the path to MEV auctions is very welcome.

---

Beyond Flashtestations

Flashtestations is a framework that enables verifiable and trusted offchain workload execution by managing and validating TEE workloads onchain.

It was initially developed for Unichain, integrated with op-rbuilder, to prove priority fee ordering.

By extending this framework, we can delegate block building to fully untrusted parties and move toward a more decentralized L2 design, such as enabling MEV auctions.

This document discusses the additional development required to enable such an expansion. However, it does not cover the reasons for delegating block building to an external untrusted party (e.g., MEV).

It focuses on high-level design proposals and highlights key points for further discussion, with the goal of collaborating with the Flashbots team to build a truly decentralized L2 block-building architecture together.

Missing Parts & Proposed Solutions

Flashtestation is not yet production-ready.

While key components such as the onchain registry, DCAP contract, and TDX quote provider are mostly implemented, some detailed integrations—like the block proof transaction—are still in progress.

Since the design for these parts is already prepared and work is underway, this document will focus on discussing major remaining issues instead.

Orderflow(Mempool) Sharing

Existing OP Stack based L2 chains generally operate with a closed, private mempool structure.
Unlike L1, user transactions are not shared among public nodes but are directly forwarded to the sequencer.

While adopting an L1-style public mempool is one possible approach, if we assume that the chain operator prefers not to do so—especially since orderflow can be sensitive in future MEV-related solutions—we need a secure way to share mempool content with untrusted block builders.

Fortunately, we can find a solution in existing systems. Flashbots has developed and operates Buildernet, a decentralized and fair MEV block-building network for L1. Buildernet enables builders to share their orderflow with other builder nodes while ensuring that the node operators themselves cannot access the data.

This is achieved through aTLS, a system built on TEE attestation.

aTLS is currently being discussed for replacement with a simpler, lower-overhead system. However, since the core concept—verifying mutual trust between systems through TEE attestation before data exchange—remains the same, we will continue to describe it as aTLS here.

Each Buildernet node runs inside a TDX VM. TDX boots a fully deterministic VM image with a fixed application. During boot, the VM generates a new TLS certificate, whose private key never leaves the enclave. All of this can be proven by issuing a TEE attestation that includes the public key of the TLS certificate.

Before establishing connections, Buildernet nodes fetch and verify each other’s attestations.
This ensures that both sides are running the correct software and that orderflow data will not be leaked externally.

Moreover, since connections are only established against TLS certificates verified through attestation, each node can be confident that its communication peer is indeed a TDX VM.

By adopting this concept, we can enable op-rbuilders running inside TEEs to exchange attestations, verify each other’s software integrity, and securely share encrypted orderflow.

However, there are several improvements we can introduce beyond the current Buildernet approach.

1. Onchain Builderhub

In Buildernet, components such as TEE attestation, public key registration, and node discovery rely on a centralized service called Builderhub.

In the L2 context, we can take advantage of significantly lower gas costs to move these functions onchain.

Flashtestation’s existing implementation already supports basic onchain TEE workload registration and attestation verification, and this can be extended to manage public keys, TLS certificates, and connection permissions between workloads directly onchain.

This approach reduces central trust points and enables a truly decentralized solution, allowing onchain governance to take over the management authority of the Builderhub configuration.

There is growing interest and development around customized transaction ordering and other forms of block-building customization.
If we imagine a future where such features coexist with untrusted block building and even MEV auctions, it becomes possible to register custom policies—such as priority rules—on the onchain Builderhub to meet each chain operator’s specific business requirements.

2. Websocket Connections

When designing an L2 system, the key difference from L1 is the need to handle shorter block times and much higher throughput. Major L2 chains like Base process a far greater volume of transactions at significantly higher speeds compared to L1.

To avoid performance bottlenecks and enable further scaling, performance must be a top priority.
Using a simple transaction-sharing model similar to Buildernet—based on aTLS and HTTP—could introduce overhead that impacts performance.

To address this, L2 builder nodes should maintain persistent websocket connections to minimize aTLS handshake overhead and enable fast, bidirectional communication.

The entire process of establishing websocket connections between builders—including discovery, public key and certificate retrieval, and permission verification—can be implemented in a decentralized manner by relying on the onchain Builderhub described earlier.

Engine API & Block Payload Propagation

Beyond transactions, two more data streams must be shared securely: the sequencer op-node’s Engine API calls and the built (flash)block payloads. Details:

1. op-node → rollup-boost → op-rbuilder

   1. newPayload & FCU: Engine API calls that deliver the next canonical block payload and forkchoice state.
   2. FCU: An Engine API call carrying deposit transactions that triggers new block building.

2. op-rbuilder → rollup-boost → op-node

   The builder’s (flash)block payload.

As with TX pool sharing, we can use onchain-builderhub-based discovery and websocket connection.

If the number of builders exceeds what direct rollup-boost ↔ op-rbuilder links can handle, we can also consider a mesh topology where builders connect peer-to-peer and forward information.

In this extended design, the role of rollup-boost becomes more critical.

In the original flashblock-focused setup, its scope was relatively small (though important).
In a multi-builder architecture, rollup-boost must implement the key function of selecting a builder (payload) for each block. We won’t detail that logic here, but in future MEV auction–style systems it will likely be the core component.

In other words, rollup-boost effectively becomes the MEV-Boost/relayers for L2 in the full sense.

Future Discussion Topics

Progressive Permissionless

A fully permissionless system will likely require significant trial and error from both security and scalability perspectives.

To make it realistically shippable, we can start with a permissioned set—similar to L1 Buildernet—and progressively open the system over time.

This gradual approach can be easily supported through permission management implemented within the onchain Builderhub.

Incentive Design

Another essential component of a permissionless system is incentives.

True decentralization doesn’t come for free—different parties need a reason and reward to run block builders.

While an initial permissioned set or a few altruistic builder runners can provide minimal decentralization and basic liveness, a sustainable system ultimately requires a solid incentive structure.

The most promising model, as already well-known, is the MEV auction.

It not only serves as the incentive mechanism for decentralization but can also help reduce spam and provide additional revenue opportunities for chain operators.

This design will likely become the most important topic in the expansion of Flashtestation and the broader decentralized L2 block-building ecosystem.

Sunnyside Labs is excited to join the journey of building this future together.

Thanks to the Sunnyside Labs team for the proposal and for taking the time to meet with us during Devconnect. We appreciate the opportunity to dig into the design space together to solve emerging needs of decentralized L2 block building. Below is a summary of our discussion and some reflections on areas that seem most promising for exploration.

Summary

The core question behind the proposal can be reframed as: how to safely delegate L2 block building to untrusted parties, and what new infrastructure is required to make this practical from both a security and performance perspective.

We focused on OP Stack based L2 block-building path, which today relies on a centralized sequencer with exclusive access to a private mempool. This initial proposal aims to preserve that private orderflow property while allowing external builders to construct blocks. This introduce new needs for verifiable integrity, encrypted orderflow distribution, and mechanisms for selecting next block’s payload.

Most of the initial design reuse concepts from L1 BuilderNet: TEE attestation, aTLS (or its successor), and a builder hub. Because gas is significantly cheaper on L2, many of the coordination functions that BuilderNet currently performs off-chain could be migrated on-chain, potentially making the system even more transparent and decentralized.

However, adapting these concepts in an L2 environment come with extra challenges.

Secure Mempool Sharing

We suppose that L2s will continue using private mempools for user protection and performance reasons. To share that orderflow with untrusted builders, the proposal mirrors BuilderNet’s model: builders attest to their TEE-verified execution environment, establish mutually verified encrypted channels, and exchange transactions without exposing them to operators.

The idea of an on-chain Builderhub is a major point of interest. Moving attestation verification, certificate management, and permissioning into smart contracts with flashtestations could meaningfully reduce trust dependencies and give L2s much more flexibility in configuring builder participation and enforcing policies.

The remaining challenge is the network-level identity problem: publishing IP addresses or connection metadata on-chain without compromising the operational security of TEE-protected keys. This will need dedicated design work.

Block Payload Selection and Incentives

After secure orderflow distribution, the next key component is determining which builder’s payload becomes canonical and ensuring builder’s participation:

1. Leader election / payload selection, which could be implemented within rollup-boost.
2. Incentive design, since untrusted builders require a reason to participate.

Incentive modeling, especially for MEV auctions in an L2 setting, is still a new design space and deserves its own focused research. It is unclear today what model can sustainably motivate independent builder operators without introducing unsustainable incentives or degrading UX. This is an area where collaboration across teams seems especially valuable.

An adjacent line of R&D would be in evolving the OP-Stack sequencer in a more traditional “validator” role.

Decentralization, Specialization, and System Goals

Finally, we discussed broader motivation for moving to a multi-builder L2 architecture. Specialization of builders could enable higher-performance block production, reduce spam, or surface more efficient strategies. At the same time, distributing transaction flow among multiple parties introduces meaningful network overhead, making performance-driven protocol choices essential (e.g., persistent websocket connections).

We want to ensure that any L2 builder network materially improves the system beyond the current centralized approach, not only in decentralization properties. Alongside the broader research effort, rigorous engineering validation will be required to ensure that a decentralized L2 builder network does not degrade performance or reliability and, ideally, enhances both.

Next Steps

From the discussion, we can establish the following concrete next steps:

• Builderhub design: further work on the network identity, permissioning, and reputation system needed for an on-chain Builderhub.
• Focused research sessions: schedule deeper dives on the hardest open questions, particularly around incentives, secure network metadata, and builder specialization models.

We welcome Sunnyside proposal and we look forward to continuing this exploration together.