Hacker Neue

Preferences
downandout parent
I write MEV bots for a living. I can tell you that the Beanstalk "hack" was evidence of extremely poor design. One of the key security aspects of designing a DAO is that you are not supposed to let the results of a vote take effect in the same transaction or even the same block. This was entirely on the designers of that protocol. It's so negligent and downright stupid that I would be quite surprised if it weren't an inside job. The fact that it took more than a day for anyone to notice this is truly shocking.
mik3y
I’m not remotely in DeFi but your comment suggests there’s a world of design rules & patterns within it, which are always somewhat interesting to learn about. Where would you go to learn this stuff (other than as a practitioner eg with access to mentors)?
downandout OP
At this point, alot of this stuff floats around Twitter and substack. It's still a bit of a dark art. If you'd like to read some stuff about MEV, start here:

https://twitter.com/bertcmiller/status/1402665992422047747?s...

and here

https://twitter.com/0xmisaka/status/1525964196181057537?s=20...

You can go pretty far down the rabbit hole on crypto twitter.

This was also a cool event, there is 7 hours of video and slides, which have more of the kind of info I think you're looking for...discussions about protocol flaws and design etc.

https://flashbots.notion.site/flashbots/mev-day-836f88806995...

UncleMeat
How can something both be a dark art with no actual organized space for best practices and also have it be extreme negligence and stupidity for somebody to fail to follow these best practices? I'm not aware of any other area of software engineering where best practices are only just floating around on twitter.
downandout OP
Fair point. I probably should have directed him to:

https://www.openzeppelin.com/contracts

That’s the closest thing to a collection of standard contracts for protocol builders to use that I am aware of. I’m more on the MEV side - I try to profit from protocols rather than build them. So it wasn’t my first thought.

mik3y
Thank you for the pointers!
FailMore
Would you be interested in interviewing somebody on this? I run an interview platform called Taaalk (https://taaalk.co), and I'd be happy to organise an interview with somebody relevant
forum_ghost
one way would be to review https://rekt.news on how NOT to do things?
bushbaba
reentrancy attacks are also well known. Yet many DEFI projects continually get hacked from them.
pru567
Is there a list of common attacks with names? This is the first time I've heard the term "reentrancy attack", there's probably a dozen other terms I've never heard of, but would like to read about.
anony23
Search for ethernaut for a good overview of exploitable solidity bugs.
vmception
Was this a reentrancy attack though

I don’t think it counts as one, I was thinking that needs the governance contract to either recursively call itself or call an external unrelated contract

downandout OP
Correct, the Beanstalk thing was not a reentrancy attack. That was a governance attack on the world's most insecure DAO. The Rari Capital exploit was a reentrancy attack.

https://twitter.com/BTCTN/status/1520425720631156736?s=20&t=...

forum_ghost
what are the best designed DAOs from your experience as MEV'er?
hsuduebc2
How people make money with mev bots these days? I find it hardly possible even a year back.
downandout OP
On the ETH chain, Flashbots [1] has decimated profits, by turning MEV into a race to the bottom, where miners wind up with most of the profits that bots ("searchers") create. On other chains there is much more profit to be had. People are making large amounts of money, as you can see here [2] (check out BSC on there, most of those profits go to the actual bot owners).

It's gotten incredibly competitive, and there has been quite a bit of consolidation. You used to be able to make a bot that could just make a few thousand dollars per day. Now you're either making 6 figures per day as part of a team, or a few hundred dollars per day on your own. One of the reasons you need a team and financing is that much of it is infrastructure based - being right next to miners/validators in the same server rack, etc. It takes significant resources to have nodes exactly where you need to have them, in various parts of the world.

It's also feast or famine. Sometimes, you'll wake up with hundreds of thousands of dollars from thin air. Here [3] is a loan liquidation using a flash loan from last week that netted the person that submitted it $366K (that was the value at the time) - in a few milliseconds. The only money they had to have to do this tx was the $1.50 transaction fee. The ~$8 million necessary for the liquidation was flash borrowed from a Pancakeswap pair.

[1] https://docs.flashbots.net/

[2] https://eigenphi.io/

[3] https://bscscan.com/tx/0x73d37b728ebd55088d0d7ccd3f82a485ac3...

srmarm
I don't know much about this at all so apologies if this is a stupid question, but presumably the owner of that $8m was compensated out of the profit of the deal and the $366k is what is left over for the person who set this deal up.

If so that was a great deal and worked out, but if the deal hadn't worked out for whatever reason, a bug in the code for the bot etc what would the downside be and how would it be enforced?

downandout OP
The owner of the $8 million was a smart contract, in this case a DEX (decentralized exchange) pair on Pancakeswap. Yes, the contract is designed to do this. I believe the fee on that pair is 0.25%. Technically this was a “flash swap,” not a flash loan, but they are functionally equivalent for purposes of this discussion.

If the contract loans the tokens and isn’t paid back by the end of the transaction, it reverts as if nothing ever happened. Ethereum transactions are “atomic” - either all parts of the tx succeed, or they all fail. So there is no risk to the lender, they always get paid back.

srmarm
Ah OK that makes sense, thanks for taking the time to explain!
ge96
Everytime I read these seems too good to be true. $1.50 -> $366K? Who doesn't want that.
downandout OP
It is and it isn't. Getting to the point where you were the one bot fast enough to get into the right position to snag that liquidation involves writing the bot itself, writing the smart contract, understanding the lending protocol and how their liquidations work, understanding how oracle transactions work, working out the math such that every input and output is precisely correct to 18 decimal places, having your server in the right rack in the right datacenter to beat the others, and on and on, are not easy tasks.

But yes, once you do all of that...it actually is a money printing machine that will never end as long as markets have volatility. It's a bit like living in the movie Ready Player One...once you are clever enough to run the gauntlet, riches are yours.

MomoXenosaga
Lol that's like saying anyone could be a moviestar if they had the looks and talents of a moviestar.
downandout OP
Yes, but it’s a meritocracy. I don’t control whether or not I look like Brad Pitt. I do control whether or not I am educated enough in this space to carry out a strategy like this.

If you can show that you have the knowledge to do it, getting the money to do it is absurdly easy these days. Crypto VCs are far different and much more accessible than traditional Silicon Valley VCs that only talk to connected startup bros from Stanford or MIT. They’ll all listen to what you have to say if you know what you’re doing. They also move with lightning speed relative to their SV counterparts, and they seem genuinely interested in helping those they invest in. My experiences with them have been off-the-charts amazing, compared to 100% disappointment I have had with SV VCs/angels.

ge96
> precisely correct to 18 decimal places

Yeah this is tough. Even just dealing with CBP (8 decimals) I was losing fractions of cents here and there, not sure how they get it right, sometimes seems like randomly round to come out even (cases like emptying ballance).

wildmanx
> But yes, once you do all of that...it actually is a money printing machine that will never end as long as markets have volatility.

And despite this being inherent in the DeFi world, people still believe that such systems are better than fiat money?

2 More Comments →

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal