Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
samczsun Profile picture
samczsun
@samczsun
hunter @paradigm, powered by @openai. art by @Keiseeaaa,@vincywp. reach out via telegram https://t.co/1IDOUbRX6v

Apr 3, 2023, 12 tweets

Block 16964664: A user managed to drain five MEV bots by exploiting a bug in mev-boost-relay.

Here's the block: etherscan.io/block/16964664
Here's the user: etherscan.io/address/0x3c98…
Here's the patch: github.com/flashbots/mev-…
Here's the longer explanation:

One of the core ideas behind Proposer-Builder Separation is that proposers cannot be allowed to see the contents of the block they're signing until they've signed the block. Proposers must trust mev-boost to return the most profitable header to them.

Theoretically, this makes it extremely hard for a malicious proposer to deconstruct bundles, as they would have to
1) double sign for a single slot, which is slashable
2) win the race against the relay to submit the block to the network, which is highly unlikely

However, a little under 12 hours ago, a malicious validator managed to win the race anyways. This is the block they used to do it. Notice anything strange?

The relay certainly didn't like it.

It turns out that mev-boost-relay will return all the transactions as long as the producer signed the block correctly. The assumption is that the signed block will then be broadcasted to the network, meaning the validator would have to race the relay in order to send a new block.

Unfortunately, if the signed block was invalid, then it would never be accepted by the network, so there would be no race at all. By setting both the parent root and the state root to zero, that's exactly what the malicious validator did.

Because the relay was never able to broadcast the block, it was a simple matter of taking the revealed transactions, deconstructing the bundles, and claiming the liquidity from the MEV bots unlucky enough to be included in the block.

The patch itself is as simple as the vulnerability is. Now, mev-boost-relay will refuse to return the transactions if the block was not successfully sent to the network. Then, just for good measure, it delays the response by a second too.

The community is working to fully roll out the patch to all relays, and will be publishing a complete postmortem shortly. I'll drop a link to it in this thread when it's out.

Thanks to:
- @punk3155 and @bbbb for flagging this
- @drakefjustin for spearheading the warroom
- @metachris and @mmrosum for authoring the patch
- @mikeneuder, @hasufl, @alphamonad, and so many others for jumping on to triage and resolve this issue

Here's the postmortem

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling