Ethermine has lost about 100 eth to a token that successfully exploited their frontrunning defi bot/s.
Ethermine recently announced the launch of a defi frontrunning system that exploits purchasers through miners’ unique advantage in controlling transaction ordering.
At its most basic, this is a simple cheat. Ethermine sees a transaction that wants to swap, say, eth for uni, and while this transaction is waiting to confirm, Ethermine pushes its own almost zero fee transaction to buy uni, which increases its price, and then sells that now more expensive uni to the defi user.
This works better for a less liquid token, where a small purchase can cause big slippage, earning Ethermine guaranteed profits because it has a known buyer and, as the miner, can jump the queue.
In traditional markets this is called market making, where you have bids and asks and try to benefit from the spread.
However, everyone is free to do so, and thus there is fierce competition, which in the end benefits everyone because it narrows the spread. Here, by contrast, it increases the spread because only miners can frontrun in this way, and they do so with almost perfect knowledge of who wants to buy, how much, and when, in addition to having the almost assured ability to jump in front of the buyer because miners process their own transactions ahead of the defi user’s.
Thus to some this is an outright attack on defi. An eth dev, who appears to be working on LocalCoinSwap, has therefore come up with a counterattack.
The dev details how he set up a token that has a poisonous transfer function which “returns 10% of the specified amount – despite emitting event logs which match a trade of the full amount.”
In short, while the miners’ bot thought it had a great opportunity to frontrun the buyer and sell at a premium, it ended up getting just 10% of a worthless token which it can’t even sell on, because no one wants to buy it except for two whitelisted addresses that are part of the trap.
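The check that exposes such a token is to compare the recipient's real balance change with the amount in the Transfer log rather than trusting the log. The Python model below is an added illustration, not code from the article or from the developer's token; the class names, the in-memory ledger and the treatment of the undelivered 90% are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Token:
    """In-memory model of an ERC-20-style ledger (constructed for this example)."""
    balances: dict = field(default_factory=dict)
    logs: list = field(default_factory=list)

    def delivered(self, amount: int) -> int:
        return amount  # honest token credits exactly what was requested

    def transfer(self, sender: str, recipient: str, amount: int) -> None:
        if amount < 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("invalid amount or insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + self.delivered(amount)
        # The event always reports the requested amount.
        self.logs.append(("Transfer", sender, recipient, amount))


class PoisonedToken(Token):
    """Behaviour described in the article: 10% arrives, the log shows 100%."""

    def delivered(self, amount: int) -> int:
        # Assumption: the undelivered 90% simply disappears from the sender.
        return amount // 10


def check_transfer(token: Token, sender: str, recipient: str, amount: int) -> dict:
    """Transfer, then compare the logged amount with the real balance change."""
    before = token.balances.get(recipient, 0)
    first_new_log = len(token.logs)
    token.transfer(sender, recipient, amount)
    received = token.balances.get(recipient, 0) - before
    logged = sum(value for name, _src, dst, value in token.logs[first_new_log:]
                 if name == "Transfer" and dst == recipient)
    return {"logged": logged, "received": received, "consistent": logged == received}


def demo() -> dict:
    # Constructed sample state: "pool" holds 1,000,000 units of each token.
    honest = Token(balances={"pool": 1_000_000})
    poisoned = PoisonedToken(balances={"pool": 1_000_000})
    return {
        "honest": check_transfer(honest, "pool", "bot", 50_000),
        "poisoned": check_transfer(poisoned, "pool", "bot", 50_000),
    }


if __name__ == "__main__":
    print(demo())
```

Any integrator that acts on logged amounts alone sees the two tokens as identical; only the balance comparison separates them.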
Devs and Miners Go To War?
“In order to compensate the upcoming mining reward reduction caused by the adoption of EIP-1559 we have launched our MEV beta program,” Bitfly, the parent company of Ethermine, said.
“We’ll never endorse nor participate in any kind of hostilities by miners against the network,” they added, while emphasizing they launched this program to ‘compensate’ miners due to the potential loss of income from EIP-1559, which is not even live yet.
“These concerns could get mitigated by adopting EIP-3368,” Bitfly said. That is a proposal to increase the block subsidy to 3eth from the current 2eth, with Tim Beiko, the eth 1.0 coordinator, saying “in short, EIP-3368 is not going into London.” London is the fee market fork expected this summer that includes EIP-1559, a change that sets a base fee and thus mitigates this defi exploit by miners.
“Being a DeFi degenerate is a lot of fun, but be careful in your trading – because this game is highly adversarial and we play for keeps,” Nathan, the miners’ bot exploiter, said.
“Pools should stick to being pools not DEFI traders,” an apparent miner said concerning the events, with it unclear whether Bitfly will now change its mind in regards to its hijacking of the hashrate entrusted to Ethermine in order to attack the defi ecosystem by being exploitative in transaction processing rather than neutral.
“I’ll let my latest mining get paid out on Ethermine and switch to another pool. If they’re greedy enough to try this, they’re greedy enough to push it onto the miners or have been shaving off the payments,” another miner says.
There’s no evidence they’re shaving off payments, but mining pools operate based on trust, and since there is no opt in or opt out of individual hashrate in regards to this defi attack, arguably they have abused that trust by using the hashrate for purposes other than those entrusted to them.
There could thus potentially be legal liability where individual miners are concerned for breach of contract, especially if this leads to greater losses, as it may well do, because brick shelvers are no match for the hundreds or even thousands of defi coders who have their projects put at some risk, as it makes defi less attractive compared to centralized exchanges where miners can’t so openly cheat.
One therefore should expect many more such trap contracts in what sounds like a cat and mouse game between coders and some miners.