Header should only be sent to next slot proposer after authentication to avoid non-sealed auction

[Ruteri]

If anyone but given slot's proposer is allowed to call builder_getHeader and receive best header, the header auction is no longer sealed and builders will try and bid for the lowest possible transfer to the proposer.

Only proposer for the given slot should be able to call builder_getHeader, this ensures sealed bid as long as relay can be trusted (is not submitting the bids off chain).

[metachris]

Implications:
1.builder_getHeader must include a signature by the validator
2. the builder must return an error if the request doesn't contain a valid signature by the proposer of that slot

[lightclient]

It seems unlikely that we'll continue relying on a direct line of communication between the validator and relay/builder in the short/medium term, therefore the bids will be available on the p2p network. We might be able to avoid that by encrypting them to the proposer.

This is because we want to defend against relays withholding blocks after the validator signs the header, and the only way this is possible is if the mev-boost network i) observes the relay's solicitation of the proposer via a bid for including a certain header, ii) observes the signed blind beacon block from the proposer and iii) observes the absence of the relay's unblinded header. Without any of these steps, the network cannot attribute the fault to either the validator or the relay.

In the long term, PBS will require builders to gossip bids so that proposer can pick the best one. With SSLE, the network won't even know who the next proposer will be.

With that said -- we may have to sign the GetHeader request in a p2p context to avoid spam.

[obadiaa]

related issue #112

[metachris]

Should we close this in favor of #112?

[metachris]

Closed in favor of #112