How do preemptive trading robots intercept funds? How to avoid the doom of being preemptively traded?
Author: Alex Manuskin, a blockchain researcher at ZenGo, a cryptocurrency wallet. The author authorized Chain Wen to publish the Chinese version of this article. Compilation: Perry Wang
The monsters in the dark forest of Ethereum are no after-dinner joke. These preemptive trading robots can analyze smart contract calls and functions they have never seen before in order to extract potential profit.
To better understand these robots, this article provides a roaming journey to explore the dark forest of Ethereum. Let us go further into this dark forest and understand how rampant they are.
We managed to “use traps” to capture some common types of preemptive trading robots and analyze their behavior.
In this roaming journey, we studied the efficiency of these preemptive robots and the possibility of various transactions being pursued by them. Of course, we also tested different ways to avoid them.
Below, enjoy.
What is preemptive trading?
Generally speaking, preemptive trading (front-running) means jumping the execution queue so that your own transaction is executed, and cashes out, before a known pending transaction.
A simple example of preemptive trading is an exchange bid. Suppose someone is about to buy a large amount of ETH on Uniswap, which is enough to drive the price of ETH up. One way to benefit from this situation is to buy ETH immediately before this massive purchase of ETH, when the price is still low. Then, after the price of ETH soared, immediately sell to lock in profits.
In addition to this kind of arbitrage trade, there are many other ways to use preemptive transactions to grab value, including liquidations, buying rare NFTs, or simply user errors. (The value that can be extracted from a transaction or a sequence of transactions is called “miner extractable value”, MEV.)
Preemptive transactions in Ethereum can be achieved by paying a gas price slightly higher than the normal level. This encourages miners to prioritize the transaction when building blocks: the higher the transaction fee, the earlier the transaction is executed. Therefore, if two transactions in the same block would profit from the same call to a smart contract, only the one that is executed first actually profits.
Animal behavior
In the blog post “Ethereum is a dark forest”, jointly written by Dan Robinson and Georgios Konstantopoulos, the authors describe being intercepted by an arbitrage robot while attempting to save 12,000 USD worth of tokens held in an Ethereum smart contract. These super predator robots are very advanced: they can track any valuable transaction in the Ethereum transaction pool and intercept it with a preemptive transaction.
Chain Wen Note: The Chinese version of “Ethereum is a dark forest” can be found at:
https://www.chainnews.com/articles/124072923888.htm
The story of the Dark Forest is so “creepy” that it was hard to believe when I first read the article. In fact, there are reasons to question the existence of such super predator robots. Why can anyone take money from the Uniswap protocol? Is this platform being watched by countless robots? Are these robots just a group of ordinary “arbitrageurs”?
Earlier this year, we published an analysis confirming that they are not ordinary “arbitrage robots.” As far as we know, they can manage to call smart contract functions that have never been called before. Even when transactions are obscured through proxy smart contracts, these robots can still grab the funds.
To say the least, this is shocking. The ability to monitor any transaction in the transaction pool is a powerful weapon. What is disturbing is that some service providers have begun to openly offer a “dark pool” transaction layer.
The “dark pool” transaction layer does not use services such as Infura, or even private nodes. It sends the transaction directly to a miner, who promises not to broadcast it to the rest of the nodes in the network, which keeps the transaction off the predators’ radar.
The famous white hat samczsun used a similar method, together with multiple partners, in an operation that saved US$9.6 million from a flawed smart contract. It is not difficult to imagine that miners will start to manipulate preemptive trading robots while only providing a secure channel for traders who pay extra.
Chain Wen Note: For the Chinese version of the story, see:
https://www.chainnews.com/articles/551492636558.htm
Unlike other parts of Ethereum, these robots are active only on the Ethereum main network, whereas smart contracts can be tested in a development environment or on a test network. Apart from some preliminary experiments, it makes no financial sense for these bots to preempt transactions on a testnet. In addition, since their logic is hidden, the operating rules of these robots may vary.
We do not know the conditions under which these preemptive trading predators decide to launch an attack. Therefore, in some ways, tracking these predators is similar to chasing rare animals.
We do not target all preemptive trading robots, only one specific kind: the generalized type.
To make sure that the preemptive trading robots we catch are “real” generalized preemptive traders, we need a unique “trap”. The trap is a newly created smart contract, initialized with the SHA256 hash of a secret string and funded with some money. Anyone can withdraw the locked funds, but only by providing the secret. The funds are sent directly to the sender of the withdrawal transaction.
The idea of the trap is to send a “bait” transaction that provides the correct secret, and see whether someone copies it and submits the secret themselves to intercept the funds. If someone takes the funds before the bait transaction does, it means they analyzed the transaction while it was still in the transaction pool, copied the relevant content and submitted the secret.
What is interesting is that such a robot submits a secret it did not know beforehand in order to intercept funds from a smart contract it has never seen before. That makes it a real generalized preemptive trading robot.
The working mechanism of a generalized preemptive trading robot
An indispensable part of this experiment is understanding how a generalized preemptive trading robot works. But someone who builds a money-making machine is not going to share it on GitHub. Therefore, we can only observe the predatory robots and reverse engineer their behavior.
Two components are usually required to build a generalized preemptive trading robot:
- The first component is an Ethereum account, with or without a smart wallet proxy; the tampered transactions are sent to this wallet.
- The second is the “back end”, the brain of the operation, which usually runs off-chain.
The operators of these robots use a certain technique to scan each transaction in the transaction pool, analyze it, replace its parameters (for example, the transaction caller), and determine whether it is profitable to intercept it.
Preemptive trading robot workflow
A rational robot will not launch an interception attack for transactions whose transaction costs exceed the possible profit. The total transaction cost may be high, especially when the gas price is high. Therefore, in order for the preemptive trading robot to attack our decoy transactions, a certain minimum profit is required.
In addition, since the robot needs to analyze every transaction in the transaction pool (of which there are many transactions), time is also important. On average, Ethereum takes 12 seconds to produce a block. If the gas price of a transaction is high enough, it must be analyzed and replaced quickly enough before the next block is generated.
This is a process with a certain probability. After the transaction is broadcast, a block may be dug out immediately, causing the robot to have no time to successfully analyze the transaction and broadcast a preemptive transaction.
Considering these factors and some ideas, we tested the conditions for the preemptive trading robot to take the bait.
Set a trap
The initial balance of our smart contract (the Giver) was 0.035 ETH when it was set up, worth about $20 at the time. Anyone who provides the correct secret for the hash stored in the contract can take these funds. Another account (the taker) will try to withdraw the funds by providing the correct secret, and that withdrawal transaction is what should trigger the predator’s preemptive transaction.
Round 1: Call the contract directly
In order to ensure the normal operation of the benchmark trap, we first used the receiver account to call the contract. In the first attempt, the gas price was relatively high (determined by the Ethereum framework), and we were able to successfully recover the funds.
Our success may have been because the profit of this transaction was too low to interest predators, or because the transaction was written into a block so quickly that the robot had no time to act. Obviously this is not the result we were after: our goal is to lure predators into our trap.
Round 2: Give predators time to think
In this round, we addressed the problems we encountered earlier. We increased the potential profit and lowered the gas price, so that the transaction would not be written into a block too quickly and the robot would have time to find it. The balance of the contract was increased to 0.04 ETH (0.005 ETH more than before).
This time we were attacked. The transaction waited for about 3 minutes before being written into a block, and in the end it failed to extract value from the trap smart contract. We reviewed the internal transactions of the contract and found that the funds had been intercepted by someone else.
Chain Wen Note: The transaction address is
https://etherscan.io/tx/0x5bfd9294747686cddf8a0be649605ac700bd45363204bbb53dc091f193e0085c
This preemptive transaction used a gas price of 25.000001111 Gwei (0.000001111 Gwei higher than the gas price we used), and it was written into the same block as ours, which was obviously an interception.
Chain Wen Note: The address of this preemptive transaction is
https://etherscan.io/tx/0x5b8221dea090c630e056e7160f065a590138eea8680c634c9134b2c37c7c394a
Implant tracker
Now that our trap has successfully captured a robot (we also paid a certain price), we can extract some interesting insights.
First, the transaction shows that the call to the smart contract was not executed directly. Instead of copying the transaction and blindly sending it from an account it owns, the bot passed the transaction through a proxy smart contract, which acts as a smart wallet that executes these transactions.
We can now track previous and future transactions and take a closer look at how supernatural this robot is and how it works.
This bot uses its own proxy contract
Decompiling the contract shows two main functions:
“Withdraw” sends all funds in the contract to the robot operator. The other function accepts several parameters: the contract to be called, the parameter list, and the value to pass.
With this function, the proxy contract acts as the smart wallet of the robot operator. In addition to calling external functions, it can also ensure that the balance at the end of the transaction is at least equal to the balance at the beginning; otherwise the transaction is reverted, which avoids a possible loss of funds (not including gas) when calling unknown contracts.
Using the Dune Analytics tool, we can see that this robot has gained a lot since it started operating in May 2018.
Assuming that this robot has always used the same proxy contract and payment address to initiate preemptive transactions, we can estimate that it has earned a total of about 17 ETH.
Funds earned by the robot in different time periods (in ETH)
Round 3: How smart are these robots?
Now that we are convinced that this robot is actively attacking us, we want to test whether we can obscure our call to the contract by routing it through a second contract (a proxy contract) and so withdraw the bait funds successfully. The proxy calls a function that extracts the bait funds from the bait contract (the giver). (The contract also has a “collection” function, which can return the funds to us.)
We deployed the ProxyTaker contract, called the appropriate function, and tried to withdraw funds. Since the cost of the action through the agent is slightly higher than before, the balance of the giver contract has been increased to 0.055 ETH. As a result, our transaction was immediately preempted by another robot.
Chain Wen Note:
The ProxyTaker contract address is
https://etherscan.io/address/0x68b1b608034e9f4d34e777e1529bc157e17f60c8
The calling address is
https://etherscan.io/tx/0xf4b8b57a6e61e97b954da6f9c6b66494aa764bdf0b3a4643e3beb8b276fd7b07
The robot’s preemptive transaction address is
https://etherscan.io/tx/0x8b358f45f28d27eb4910bd3a244527399c627c6066c70efc1c3fcb6ffc8517da
This time the robot’s technique is even more breathtaking. The robot not only detected our withdrawal transaction, it also recognized it inside an internal call made from a completely different smart contract! And all this was done in record time. Our withdrawal transaction was written into a new block after a few seconds, as was the predator’s preemptive transaction.
The identity of the robot is also interesting. The robot’s smart contract is mainly operated by this account. The account posted a comment on Etherscan. The main post was a white hat discussion about saving funds from a vulnerable Bancor smart contract.
Information in the operator’s account (source: etherscan)
Taking into account the same behavioral characteristics (using account A to call the proxy and transferring funds to account B) and the proximity to the above transaction, it is reasonable to suspect that this robot also carried out a generalized preemptive trade against the white hat rescue operation in the above incident.
This robot is much smarter than the one we encountered before. It not only targets ETH transactions, but also conducts various arbitrage transactions.
Judging from its account balance alone, its harvest is also much larger. At present, the balance in the account is about 300 ETH (180,000 US dollars at the current price). We can also add up all the inflows and outflows of the contract address to estimate its revenue; the total is about 900 ETH.
This is only a rough estimate, because the account may have conducted transactions unrelated to its preemptive trading activities. Here is a list of all profitable transactions of the robot.
To make the challenge more interesting, we made a more obscured attempt, this time using a proxy contract, OwnedTaker, that only we can use.
This trap is very similar to the third round. The Giver contract balance is 0.05 ETH. The same transaction also returns the funds to us instead of leaving them in the contract.
In the first attempt, the transaction through the OwnedTaker contract took about 1 minute to be written into a block, and we recovered the funds.
We then repeated the experiment. This time the giver contract balance was increased to 0.06 ETH, the highest balance we have used so far, to make sure the value was not so low that the preemptive trading robots would consider it not worth a shot.
The gas price was also deliberately set low. The transaction was pending for about 7 minutes, but we still withdrew the funds successfully.
Adding an Owned proxy contract, through which only the contract owner can forward calls, made the two known preemptive trading robots unable to parse the data and intercept these two transactions.
Successful withdrawal
Perhaps the requirement that only the contract owner may execute the call, or the fact that the funds are sent to a destination address different from the calling contract, helps avoid preemptive transaction attempts by robots.
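The mechanics of Round 2 and of the OwnedTaker attempt, as a self-contained Python model added here for illustration (it is not the author's contract code, which is in the original appendix): a Giver that pays whoever supplies the secret, an owner-gated forwarder, a dry run that checks whether a pending call still pays out when a different sender replays it, and block execution in descending gas-price order. The method names, the sample secret, the 60,000 gas figure and the use of 25 Gwei (with a copy bidding 1111 wei more) in both rounds are assumptions; the ProxyTaker round, where the robot recognized an internal call, is not modelled.

```python
import copy
import hashlib
from collections import namedtuple

GWEI = 10**9
Tx = namedtuple("Tx", "sender entry secret gas_price")  # all public while pending
class Revert(Exception): pass

class Giver:  # bait contract: pays its whole balance to whoever supplies the secret
    def __init__(self, secret_hash, balance):
        self.secret_hash, self.balance = secret_hash, balance
    def take(self, sender, secret):
        if hashlib.sha256(secret).digest() != self.secret_hash or not self.balance:
            raise Revert("wrong secret or already emptied")
        paid, self.balance = self.balance, 0
        return sender, paid  # funds go to the caller

class OwnedTaker:  # forwarder only its owner may call; proceeds go to the owner
    def __init__(self, owner, giver):
        self.owner, self.giver = owner, giver
    def take(self, sender, secret):
        if sender != self.owner:
            raise Revert("not owner")
        _, paid = self.giver.take("OwnedTaker", secret)
        return self.owner, paid

def replayable_by(world, tx, stranger, gas_used=60_000):
    """Dry-run tx on a state copy with the sender swapped; gas_used is assumed."""
    sim = copy.deepcopy(world)
    try:
        to, paid = sim[tx.entry].take(stranger, tx.secret)
    except Revert:
        return False
    return to == stranger and paid > gas_used * tx.gas_price

def mine_block(world, txs):
    """Execute in descending gas-price order; return {recipient: wei received}."""
    received = {}
    for tx in sorted(txs, key=lambda t: t.gas_price, reverse=True):
        try:
            to, paid = world[tx.entry].take(tx.sender, tx.secret)
            received[to] = received.get(to, 0) + paid
        except Revert:
            pass  # still mined, but moves no funds
    return received

def run_round(entry, balance_wei):
    secret = b"constructed-secret"  # constructed sample value
    giver = Giver(hashlib.sha256(secret).digest(), balance_wei)
    world = {"giver": giver, "owned": OwnedTaker("taker", giver)}
    bait = Tx("taker", entry, secret, 25 * GWEI)
    copied = bait._replace(sender="stranger", gas_price=bait.gas_price + 1111)
    txs = [bait, copied] if replayable_by(world, bait, "stranger") else [bait]
    return mine_block(world, txs)
```

`run_round("giver", 4 * 10**16)` pays the stranger, while `run_round("owned", 6 * 10**16)` pays the taker. Running the same foreign-sender dry run against your own withdrawal path before broadcasting shows whether the call is profitable for anyone who copies it.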
The robot is likely to be trained to consider self-protection first. After all, they are calling an unknown contract, which may execute arbitrary code. It is reasonable to assume that if profits cannot be guaranteed, they will avoid unnecessary risks or loss of transaction fees.
It depends on how you look at it. We used a new contract, and only we knew its secret. Clearly, the two preemptive trading robots we found are both active in the transaction pool, and judging from their profits, they are doing very well.
Why did we avoid the doom of being preempted in the final attempt?
The specific reason is difficult to judge. It may be that the robot is reluctant to take the risk of interacting with an authenticated contract, or that the transfer of the funds to another address was unexpected.
This definitely does not mean that this is a reliable way to avoid being preemptively traded. Most likely, there are more sophisticated robots lurking in the Ethereum transaction pool that simply do not want to take a risk for such a small profit.
With this brief experiment, we have shown that generalized preemptive trading robots exist and how intelligent they are.
Of course, we are well aware that our experiment is neither complete nor conclusive. There are many other robots with completely different trigger mechanisms and operating methods. Factors such as potential profitability, communication characteristics, and minimum complexity (for example, via gasLimit) may affect how they operate.
However, we are convinced that our work provides a proof of concept that allows people to further understand the modus operandi of these generalized preemptive trading robots.
The current shocking reality is that if there is a transaction with which anyone can call a smart contract to make a profit, even a very obscure one, it is very likely that a preemptive trading robot will get there first and take the funds.
Therefore it is important to understand these robots and how they operate so that we can build safer systems now and in the future. Projects such as Flashbots try to do this by democratizing MEV extraction and making it a public resource. We hope this research will help achieve this goal.
Thanks to Tal Be’ery, Omer Shlomovitz, Oded Leiba, Dan Robinson, and others who helped review this article.
Chain Wen Note: The relevant contract code used by the author in the article can be viewed in the appendix of the original:
https://medium.com/zengo/ethology-a-safari-tour-in-ethereums-dark-forest-677566d7c575
Source link: ChainNews