$7.5 million in counter-killing: when the biggest trap in the Ether factory stepped into its own trap
Author:Cathy Blanket Chain
Original link: https://mp.weixin.qq.com/s/clrzlG3EtooGx1Tlpu10qA
Statement: For the purpose of reproduction, readers can obtain more information by linking to the original language. If the author has any objection to the reproduction, please contact us and we will proceed with the modifications requested by the author. Reproduction for information-sharing purposes only does not constitute any investment proposal and does not represent the views and positions of Wu。
June 20th, 20th, 20th, 20th, 20th, 20th, 20th. Peoplejaredframsubway.eth's vault was emptied。
$7.5 million, a deal, a block。The automated hunter who entered tens of millions of dollars in trading years by “catching” others stepped into a trap in his own hunting grounds。
IT'S NOT THE FIRST TIME. THREE YEARS AGO, A HACKER DISGUISED AS AN ORDINARY CERTIFIER, WITH 32 ETH TICKETS, TOOK $25.2 MILLION OUT OF FIVE TOP-CLASS MACHINE POPULATION BAGS。
The predators end up hunting. But the part of the story that really deserves to be told isn't who wins and who losesIt's this arms race of "robots eating robots" that's shaking the security of the Ether House trade from its roots。
& nbsp; 01
You're stealing every deal
Let's get this straight。
In a decentralised exchange like Uniswap, your trading intent is to be thrown into a public waiting area called Mempool。Everyone can see what you're going to buy, how much you're going to buy, how much you're willing to accept。
The clamp robot is staring at this waiting area 24 hours. When you find out that you're going to buy some kind of token, it's going to put a bill in front of you and raise the price, and then a bill of sale behind you。
You've been caught in the middle, paid extra, dropped the coin。
It could be a few dollars a time, you wouldn't even notice. But that's where it's evil。
Tens of thousands of transactions are caught each day, accumulating a huge “hidden tax”。
It is not just ordinary traders who are being held hostage, but the situation of liquidity providers is even worse。
The AMM bid adjustment is always slower than a central exchange such as Binance, where external arbitragers can repeatedly use the delayed low price to roll assets out of the pool. The academic term is “rebalancing loss”. It was noted that the loss of value it caused to LP exceeded the sum of all sandwich attacks at the quantitative level。
That's itFROM THE SEARCHER TO THE BUILDER TO THE CERTIFYER, THE ENTIRE MEV INDUSTRIAL CHAIN EXTRACTS BLOOD FROM ORDINARY USERS EVERY DAY。
Jared is the number one player in this business, who once accounted for nearly 70% of the traffic in the ETA sandwich。
& nbsp; 02
66 traps and a cleanup
2026's anti-killing, smart as a criminal movie。
The hackers spent weeks deploying 66 counterfeit currency contracts, each with a false mobility pool。These pools are designed in precision mathematics, displaying extremely profitable arbitrage signals on the chain, specifically seducing Jared to hook up with a scanning algorithm。
Jared did come. Its procedures automatically launch a sandwich attack on these counterfeit tokens, and in the course of the interaction, the route contract grants a token transfer authority to the attacker ' s contract (a call was made)。
The point is next. Jared ' s developers did not include the logic of withdrawing authorization after the transaction was completed for the purpose of saving Gas fees。in the world of smart contracts, once a mandate is given, it is permanent unless there is no active call. this is the so-called “suspension authorization”。
After all 66 traps were put in place, hackers launched a transaction in the same block, calling TransFrom, to transfer all of the 1474.58 WETH, 2.87 million USDC and 2.09 million USDT from Jared's vault. It was then quickly converted to thousands of ETH remittances into Tornado Cash。
Then, disappear。
IN APRIL 2023, THE ATTACK WAS MORE VIOLENT AND DIRECTLY TARGETED THE FOUNDATION OF TRUST IN THE PBS STRUCTURE。
The hacker pledge of 32 ETH became a certifier and then launched a huge slide-point deal in a mobile, extremely dry Uniswap V2 pool (only 0.005 WETH and 4.5 STG), deliberately creating attractive sandwiches to attack space。
THE ROBOT'S HOOKED UP. TO SWALLOW THE ARBITRAGE, THEY HIT 2454 WETHS TO EXCHANGE THE POOR 4.5 SDGS, IT IS EXPECTED TO EARN LESS THAN 0.35 ETH IN RETURN。The ratio of transactions to profits is as high as 700:1。
This is a fatal blow. When it was the turn of the malicious certifier to pack blocks, it sent a deliberately constructed invalid block to the Flashbots relay. The relay code has a fatal error-management loophole:As long as the signature is validated, even if the block is invalid, the explicit transaction content of the clamp robot is returned to the certifying officer in advance。
UPON RECEIPT, THE CERTIFIER DROPPED THE INVALID BLOCK AND REASSEMBLED ONE: THE 2454 WETH PURCHASE ORDERS THAT SMASHED THE ROBOT WERE AT THE TOP OF THE LINE, THEN INSERTED INTO THEIR ATTACK CONTRACT AND ROLLED ALL THE WETH FROM THE POOL WITH 158 STGS。
NOT JUST WETH。IN THE SAME WAY, HACKERS MANIPULATED SEVERAL COIN POOLS SUCH AS AAVE, SHIB, CRV, UNI, MKR AND OTHERS, LOOTING MORE THAN $25 MILLION。THESE INCLUDE 7461 WETH, 5.3 MILLION USDC。
A 32 ETH TICKET, IN RETURN FOR NEARLY 800 TIMES THE RETURN。
& nbsp; 03
Everyone has the same hole in their wallets
These two incidents appear to be civil wars in the world of robots, but the problems revealed directly concern every ordinary user。
Jared's blacked-out suspension authorization may also exist in your wallet. Many people, using Uniswap or receiving airdrops, routinely clicked "Award an unlimited transfer amount"。Once the contract has been broken, hackers can clear your stabilizer with the same tranny From。
THE DEEPER THREAT IS THAT MEV IS MAKING THE ETHER HOUSE UNSAFE。
When arbitrage profits in a block far exceed a piece of reward, the certifying officer has the incentive to cheat:Ignoring new blocks that others have just emerged, they have re-established a chain at the height of historical blocks and have taken over high-profit transactions。Once such “time robber attacks” occur more frequently, the certainty of trading in the ETA collapses。
The high-frequency (HF) run-off and the Gas bid for MEV robots will also quickly consume large blocks of space and push the entire network of Gas charges. Even if you're just making a simple transfer, you have to pay for a game between robots。
The construction of blocks is also centralizing at an extreme speed。HIGH MEV CAPTURES ARE HEAVILY DEPENDENT ON HIGH PRECISION ALGORITHMS AND LARGE-SCALE INFRASTRUCTURE, WITH A FEW PROFESSIONAL BUILDERS CONTROLLING THE MAJORITY OF BLOCK-PACKING SHARES. ONCE THEY COOPERATE WITH THE REVIEW, ETA RESISTANCE BECOMES A PAPER COMMITMENT。
The response of the Taifang community has gone two ways。The protocol level PBS (ePBS) wants to put the relay function on the consensus level and eliminate third-party loopholes at the protocol level. Encrypted memory pools (e.g. Shutter Network) use time-locking encryption to keep the transaction in secret until the sorting is complete, leaving the sandwich attack at source without data entry。
However, these programmes are still far from full landing. There are two things that are practical right now。
First of allSwitching the wallet to Flashbots Products or MEV Blocker. Instead of passing through the open memory pool, the transaction is not only exempt from being caught, but also recovers a portion of the arbitrage from the order stream auction (OFA), with an average delay of one or two blocks。
SecondCheck regularly and revoke any token authorization that is not required in the wallet. A lot of people had granted an unlimited amount of money on a DEX six months ago, but the authorization was still on the chain. Sweep it with tools like Revoke.cash, for a few minutes。
Jared's $7.5 million in tuition, worth at least this lesson。
In the dark forest, hunters are hunted. But the first to bleed is never the one without protection。
