Sorry everyone, long overdue, but its time for a new MEV thread
Today we look at the Flashbots auction and the searchers that were able to game it using a super clever exploit in how we priced and merged bundles
Let's go 👇🏻🧵
Today we look at the Flashbots auction and the searchers that were able to game it using a super clever exploit in how we priced and merged bundles
Let's go 👇🏻🧵
For our journey today you will need a deep knowledge of Flashbots bundles
Bundles are groups of transactions executed in the order they are provided. Either the entire bundle is executed, or none of it is
That allows users to express transaction preferences very granularly
Bundles are groups of transactions executed in the order they are provided. Either the entire bundle is executed, or none of it is
That allows users to express transaction preferences very granularly
For some time we could only support a single bundle per block, but recently Flashbots introduced the ability to merge independent bundles!
Here's a thread on that release
Here's a thread on that release
https://twitter.com/bertcmiller/status/1396961882121121799
Every block there are a huge number of bundles. How do we decide what goes on chain and in what order?
First each bundle is simulated individually on top of the latest block to find out what the bundle's expected gas price is.
First each bundle is simulated individually on top of the latest block to find out what the bundle's expected gas price is.
Then bundles are sorted by their expected gas price from highest to lowest.
If two bundles conflict then the bundle with a higher gas price is included. The other bundle is discarded.
If two bundles conflict then the bundle with a higher gas price is included. The other bundle is discarded.
Somewhere in the last two tweets was a slight gap in logic that searchers were able to find and exploit.
Did you catch it?
Did you catch it?
Bundles are sorted according to their simulated gas price at the top of a block
But with merging some bundles weren't actually at the top of the block! They are behind other bundles
The gap: there was no check ensuring that bundles have the same gas price before & after merging
But with merging some bundles weren't actually at the top of the block! They are behind other bundles
The gap: there was no check ensuring that bundles have the same gas price before & after merging
Bundles can pay tx fees via smart contracts. Thus, if a bundle could tell it was merged behind another bundle then it could dynamically reduce its fees to lower its gas price!
Miners would sort bundles expecting one gas price, but find a different gas price when they were mined
Miners would sort bundles expecting one gas price, but find a different gas price when they were mined
Here's what that looked like in practice
The green bundle looked like it would beat the yellow bundle, but actually it ended up paying way less!
The miner and the yellow bundle's author lost out on revenue while the green bundle's author profited at their expense
The green bundle looked like it would beat the yellow bundle, but actually it ended up paying way less!
The miner and the yellow bundle's author lost out on revenue while the green bundle's author profited at their expense
How was this done?
There's no way for a transaction to check where it is in a block natively, so searchers needed to get clever.
There's no way for a transaction to check where it is in a block natively, so searchers needed to get clever.
Searchers would send a "fake" bundle in parallel to their "real" bundle. The fake bundle had a high gas price & was designed to very likely be the 1st bundle in the block.
The "fake" bundle would cost searchers a bit of ETH to send, that was *the point*
The "fake" bundle would cost searchers a bit of ETH to send, that was *the point*
If the "fake" bundle had landed 1st in a block it would spend a bit of the searcher's ETH
Then in the "real" bundle searchers could check if their balance of ETH had decreased any in that block!
If so they knew their "real" bundle had been merged behind the "fake" one!
Then in the "real" bundle searchers could check if their balance of ETH had decreased any in that block!
If so they knew their "real" bundle had been merged behind the "fake" one!
With this knowledge that it had been merged behind the "fake" bundle, the "real" bundle could safely decrease its payment to the miner, thus gaming the auction
The fix for this was simple: check to make sure that bundles pay no less than we expect after being merged.
The MEV ecosystem is hypercompetitive. Searchers will find and use anything they can to gain an edge.
Uncle bandit attacks, tricking other searchers' simulations, and now this show that the reach of searchers goes beyond what is on-chain
Where will searchers find an edge next?
Uncle bandit attacks, tricking other searchers' simulations, and now this show that the reach of searchers goes beyond what is on-chain
Where will searchers find an edge next?
If you're excited by Flashbots and the work we're doing then check out our open jobs:
github.com/flashbots/pm/t…
Bonus points if you think you've found some edge in Flashbots and share it with us🙂
github.com/flashbots/pm/t…
Bonus points if you think you've found some edge in Flashbots and share it with us🙂
Lastly, check out our Github repo to learn more and hop in our Discord to join the conversation
flashbots.net
discord.gg/QXyxFRcx
flashbots.net
discord.gg/QXyxFRcx
• • •
Missing some Tweet in this thread? You can try to
force a refresh
