29 tweets, 9 min read
Just published "Flash Boys 2.0: Frontrunning, Transaction Reordering, and
Consensus Instability in Decentralized Exchanges" - arxiv.org/abs/1904.05234

Key takeaways and some pretty graphs below! 👇
Decentralized exchange arbitrage is a budding cottage industry that results from interactions between blockchain consensus protocols and the DEXes that run on higher layers. This economy is worth millions a year today, conservatively.
These bots use Ethereum's gas-replacement mechanism and p2p network to play a complex auction game that contains aspects of high frequency trading, front-running, and other classic predatory behaviors typically found on Wall St.
Worse still, DEXes in general threaten the consensus security of Ethereum, even today. Miners could extract implicit "fees" by controlling the order of transactions in blocks, which we call "order optimization fees". These OO fees are one form of "miner extractable value" (MEV).
MEV can subsidize two types of attacks, one of which is new. Undercutting attack: in this attack, miners may choose to ignore a block with juicy MEV in the hopes that they can orphan it at potentially huge profits. This destabilizes short-term consensus.
Time bandit attack (new): in this attack, miners rewrite trade history to steal money from DEXes *in the past*. They do this by inserting themselves on the other side of every trade it would have been profitable to take at today's market rate.
Because miners get pure ETH and leave no traces on centralized exchanges, this is an attractive incentive to perform 51% attacks. Today's Ethereum block reward is 25x lower than its DEX volume, making stealing MEV from DEXes possibly within grasp.
In general, abstractions hide important, security-critical interactions. Building your DEX on the assumption that the underlying blockchain will keep working may actually prevent it from doing so, in a self-fulfilling prophecy.
It is not possible in my opinion to study fee market economics without including ordering optimization fees. Block rewards and transaction fees must be reasoned about carefully in this context to argue for security against malicious mining behavior.
This issue extends to and has analogues in proof of stake systems and even permissioned blockchains, as we describe in the full paper.

Please read it!!! It is the culmination of over 1.5 years of work of mine and others'.
Special thanks to all our amazing co-authors @sgoldfed @relyt29 Yunqi Li, Xueyuan Zhao, Iddo Bentov, and @AriJuels!!

Also thanks to @NSFGRFP for funding me to do this (among other things), and to @NSF and ARO and @initc3org partners! And to Matt Weinberg for helpful comments 🥳.
And now for the graphs!! Here is one showing a "pure revenue" transaction; this is a transaction where a bot profits unconditionally from executing it successfully. In this case, the profit comes from a mispricing of "Free Coin" due to a typo on Tokenstore.
We've added a new feature to frontrun.me, frontrun.me/revenue, where you can browse all graphs like this from all programmatic multi-trade DEX transactions.
So if there's more than one bot that wants the money, who gets it?

This graph shows two bots warring over the "pure revenue" opportunity above in what we call a "priority gas auction", played on the Ethereum network through the replacement-by-fee mechanism.
Here is another picture of the measurement infrastructure we deployed to monitor PGAs, whose losing transactions are never mined on the network or shown on Etherscan. We collected over 700M observations of arbitrage bot transactions: which transaction we saw, at what time, and from what peer.
You would think that this competition between bots at extremely high speeds would squeeze all the profit out of the market. Not the case! While there is a spike around 0 profits, indicating some 0/negative sum games, most PGAs still leave a median 65% profit for the winner.
We will show that this profit is probably there because bots informally cooperate in an ad-hoc manner, stealing potential revenue from miners playing the game. These bots need to both cooperate with and compete against miners to maximize their own revenue.
The pure revenue market looks oligopolistic but dynamic; many bots enter and exit the market and enjoy sustained periods of profitability!
Hilariously, our release of GasToken (dotted orange line) fueled a clear change in market trends; here you can see bots optimizing gas costs down until GasToken was released, which they immediately adopted to optimize even more aggressively. Today it is hard to be profitable without it!
Predictably, latency of the PGA bots' bids trends down over time, with bots issuing more bids per auction. This makes sense, because whoever gets the last word with miners is more likely to be profitable in the long term.

You can explore PGAs in-depth on frontrun.me.
Here comes the money graph. Our formal model (in the paper) predicts that bots should cooperate by always bidding the minimum raise. The Ethereum network's Parity client enforces 12.5%, and Geth enforces 10% by default to prevent DoS with gas replacement transactions.
Why should the bots bid the minimum raise? Imagine me and you running bots and competing against each other. If we are too aggressive, we bid all the profit out of the opportunity, and the only one that makes any money is the miner.
Instead, we converge on a detente whereby we each bid up the minimum each time, trying to outcompete each other on latency and other network factors. If we detect another party deviating from this, we raise our bids to match their deviation.
You can see that early on in our market observations (left), bots tried all sorts of strategies: raising their own bids by 70%, 21% (lolSatoshi), and more. But over time, they converged on what *our model predicts* is the best strategy: bidding the minimum (dotted green line).
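As an added example, not code from the paper or from frontrun.me, here is how the raw observations described earlier (transaction, time, peer) can be turned into the raise-ratio view above: group each bot's bids into its gas-replacement chain, cluster overlapping chains into auctions, and check every bump against the Geth (10%) and Parity (12.5%) floors. The log format, peer names and bot addresses are constructed.

```python
"""Reconstruct PGAs from mempool observations (added example, not paper code).
Log line format is constructed: <time_s> <peer> <sender> <nonce> <gas_price_gwei>."""
from collections import defaultdict

# Constructed sample: bot1 (10% bumps) and bot2 (12.5% bumps) war over one
# opportunity; bot3 later bids alone with a single aggressive 70% bump.
SAMPLE_LOG = """\
0.000 peerA 0xbot1 7 20.0
0.250 peerB 0xbot2 3 21.0
0.500 peerA 0xbot1 7 22.0
0.700 peerC 0xbot2 3 23.625
0.900 peerA 0xbot1 7 24.2
1.100 peerB 0xbot2 3 26.578125
30.000 peerA 0xbot3 1 5.0
30.400 peerA 0xbot3 1 8.5
"""
GETH_FLOOR, PARITY_FLOOR = 10.0, 12.5  # default minimum replacement bumps (%)

def parse_log(text):
    """Return (time_s, peer, sender, nonce, gas_price_gwei) tuples."""
    return [(float(t), p, s, int(n), float(g))
            for t, p, s, n, g in (ln.split() for ln in text.splitlines())]

def replacement_chains(rows):
    """Group bids by (sender, nonce), time-ordered: one bot's gas-replacement chain."""
    chains = defaultdict(list)
    for t, _peer, sender, nonce, price in sorted(rows):
        chains[(sender, nonce)].append((t, price))
    return chains

def raise_percentages(chain):
    """Bump of each replacement over the same bot's previous bid, in percent."""
    return [round((b / a - 1) * 100, 1) for (_, a), (_, b) in zip(chain, chain[1:])]

def find_pgas(chains):
    """Cluster chains whose bidding intervals overlap; keep only contested clusters."""
    spans = sorted((c[0][0], c[-1][0], key) for key, c in chains.items())
    auctions, end = [], float("-inf")
    for start, stop, key in spans:
        if start <= end:            # overlaps the auction being built
            auctions[-1].append(key)
        else:                       # time gap: a new auction starts
            auctions.append([key])
        end = max(end, stop)
    return [a for a in auctions if len(a) >= 2]

def classify(pcts):
    """below-floor: dropped by both clients; minimum: within the floors; else aggressive."""
    if any(p < GETH_FLOOR for p in pcts):
        return "below-floor"
    return "minimum" if all(p <= PARITY_FLOOR for p in pcts) else "aggressive"
```

Running the same pipeline over a real peer feed is what lets the raise-ratio trend above be measured; a bump below the Geth floor would never be accepted as a replacement, so bids there are not competitive.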
Lastly, here's the big kicker. These are the graphs with the highest miner revenues from arbitrage, as well as the block rewards (brown) and transaction fees (red) in the block.

In Ethereum, arbitrage opportunities *sometimes* exceed explicit fees and rewards by orders of magnitude.
This means that Ethereum is insecure in a similar way to how Bitcoin is, as described in randomwalker.info/publications/m….

Even worse, miners can do what is called a time bandit attack, shown here, to subsidize their 51% attacks by rewriting history so they make DEX trades *in the past*.
This form of consensus instability was thought to originate only from fees exceeding the block reward, an event expected in Bitcoin in 2140. We show that it may be profitable to induce today on Ethereum, which is too insecure at current parameters for mass-adoption DeFi.
MEV and OO based attacks aren't limited to DEX arbitrage; CDP liquidations, oracle manipulation, ponzi/gambling game manipulation, ICO manipulation, and more may form profitable vectors for miners to extract clean ETH into their accounts with a 51% attack.
So, build your protocols carefully!! And again, pleasepleaseplease check out the full paper at arxiv.org/abs/1904.05234!! 🥳🙏
Thread by Philip Daian