[HN Gopher] Escaping the Dark Forest
___________________________________________________________________
Escaping the Dark Forest

Author : CyrusL
Score  : 200 points
Date   : 2020-09-24 17:09 UTC (5 hours ago)

(HTM) web link (samczsun.com)
(TXT) w3m dump (samczsun.com)

| gabereiser wrote:
| When's the movie script due? This was an amazing read mainly for the multiple perspectives and story. Great job!
| pavlov wrote:
| Nice work, but honestly I'm not sure why they bother.
|
| The article states that the purpose of these smart contracts is:
|
| "Stake your tokens with us and you could be the next cryptocurrency millionaire"
|
| That's an obvious scam. Anyone who gave real money to such a cause has already lost it. So why is the author giving away his time to help the scammers?
| SiempreViernes wrote:
| For the glory? Because even chumps deserve justice? Because _someone_ needs to defend the reputation of digicoins?
| snake_plissken wrote:
| I still don't understand what's happening at the core of this and the other dark forest post from a few weeks ago. How exactly are these bots front-running/stealing the ethereums?
|
| My understanding:
| -these bots scan the smart contracts that are waiting to be executed by the miners
| -the bots find vulnerabilities (another grey area in my mind) in the contract
| -the bots adjust the destination address of where the contract is supposed to send the ethereums
| -then the bots continually execute the vulnerable smart contract code
| schoen wrote:
| My understanding of the front-running issue in these two cases is that a _human being_ found vulnerabilities in particular smart contracts, which would allow _anyone_ to claim the value protected by a particular contract. The human beings wanted to use these vulnerabilities to transfer the value somewhere, such as to an escrow account or to the original owners of that value.
| However, since the vulnerabilities allow _anyone_ to do this, the front-runners could take this value for themselves by noticing the humans' attempt to execute the transactions, and then more quickly executing the exact same transaction with a different destination.
|
| You can't take advantage of a "normal" cryptocurrency transaction this way because the "normal" transaction is like a super-minimal smart contract that's designed to pay only one hard-coded recipient. Therefore, that transaction either happens or doesn't happen, but its recipient can't be altered. Nor can you take advantage of a non-vulnerable smart contract this way, because the non-vulnerable smart contract can't be triggered to perform an action that its creators would consider inappropriate. But for a vulnerable smart contract, there's a series of events that would cause it to send value to an _arbitrary_ address (and not in exchange for some other adequate compensatory value). It's this case where the front-runners want to find a way to swap in their own addresses for these transactions, and that's also why obfuscation could deter that -- making it hard for the front-runners to notice that that was possible.
| AgentME wrote:
| I think it's an important detail to point out that legitimate transactions mostly aren't vulnerable to the "Dark Forest" issue. A lot of comments I'd seen on the original "Ethereum is a Dark Forest" blog post seemed to be under the impression that this was a general Ethereum issue affecting normal users.
| 3np wrote:
| Arbitrage trades and related activities like MakerDAO keepers would be legitimate transactions vulnerable to this (essentially someone else extracting the value from their discovery). Granted that is a very small subset of users.
| drchopchop wrote:
| Basically a human realizes that smart contract X is broken, and tries to enlist others to fix it.
| However, given the decentralized and generally shady nature of crypto, the process of disclosure also means a bad actor could get wind of the bug before it's addressed, and use the exploit to steal all of the money.
|
| Thus, you have white hats racing to siphon money out of a buggy, immutable contract which also happens to be worth millions of real dollars. It'd be funny if there wasn't so much real money involved.
| renewiltord wrote:
| You put your gold in a box and stuck it in the ground in a ranch in the middle of nowhere. No one knows there is gold in a box in the ground so it's safe. But people know that other people put gold in boxes and stick it in the ground.
|
| One day you go to get it so you load up your pickup with gold digging equipment and drive to the ranch. On the way are spotters. They see your truck has gold digging equipment. They see that the road you're going down leads to the ranch. It's obvious what you're going to do.
|
| They load up their faster Ford Ranger and blaze down the road. You can't catch up. They have a faster car. You get there. They have taken your gold.
|
| If you hadn't gone there, the gold was relatively safe. Maybe some day someone happens on it but realistically probably not.
|
| But you went. By looking for it you revealed you were looking and you revealed where you were looking.
| Sniffnoy wrote:
| It's much simpler than that. (Also, you appear to have a few concepts mixed up. For instance, one doesn't execute smart contracts, but rather transactions. Smart contracts just sit there until someone sends a transaction to one, at which point it executes that transaction.)
|
| What the bot does is that it checks each transaction that is waiting to be executed and simulates sending that transaction itself on a private blockchain forked from the real network.
| If the simulation results in a profit, it frontruns that transaction -- i.e., it sends the transaction itself for real, but bidding a higher price than the original sender did, so that its transaction will get executed rather than the original transaction it's copying.
|
| It doesn't need to perform any sort of vulnerability scan; it just mimics _other_ people exploiting arbitrage or vulnerabilities and pays more to get there first.
|
| Similarly, it doesn't need to adjust any destination addresses. It's just looking for arbitrage opportunities or vulnerabilities that will direct ether _to the sender_. Smart contracts are entirely capable of getting the address of the message sender, and using that as a destination to send ether to. So the bot doesn't need to adjust the transaction data at all, which would be substantially more complicated.
| danielvf wrote:
| Imagine that everyone agreed that just one slow computer would handle banking, contracts, and the stock markets for the entire world. This gets rid of any pesky concurrency issues. To move money from person to person, or to execute contracts or programs, you write up a sticky note with what you want to have done, sign it, and attach some money to it. Once every couple minutes, the computer administrators come out, collect a couple notes with the most money on them, and feed those into the computer.
|
| The Dark Forest attack is possible because everyone can see all the notes on the board waiting to be processed, and everyone can simulate exactly, precisely what the really slow computer will do with a given note.
|
| Suppose you found someone wanting to sell TSLA stock for $5 and someone wanting to buy it for $400. You would write up a note to buy it for $5 and sell it for $400, and stick it on the board.
| However, the moment you put the note on the board, the attackers and their automated telescopes have simulated that this note results in the holder having $395 more than they started with, and gave nothing away in return. The attacker then simulates an alternate future in which they post the note instead, and verify that they get the money. It works! So the attacker copies your note, signs it themselves, puts a much bigger wad of cash on it than you did, and slaps it up on the board.
|
| When the operators come out, they collect the attacker's note first (more cash) and by the time your note is run, the opportunity is no longer there.
| SilasX wrote:
| Great analogy! The only thing I would add is that, if your arbitrage trade takes away too much money from an account belonging to the core devs (which would be like, the regulators responsible for the computer), they would retroactively undo that transaction in the computer's logic (force a hard fork).
|
| https://news.ycombinator.com/item?id=14819268
| 3np wrote:
| That's an unfair representation of what actually unfolded.
| dash2 wrote:
| It sounds like the whole system has a huge public goods problem. In the real world stock market, buying TSLA is a signal that you believe the price is good, and if you're a big enough investor, your buy might move prices up before you complete. In this world, other people can steal that signal and move the price before your transaction even starts. Isn't this a design flaw?
| AgentME wrote:
| There are ways to make marketplace contracts which allow buy and sell orders like this that aren't vulnerable to front-running.
| It's possible to have the buy and sell orders happen off-chain and then be settled on-chain later (Loopring works this way; there are other benefits to this system too such as speed of execution and lower fees), or for a marketplace contract to require orders to be preceded by a precommitment transaction, which includes a hash of the upcoming order, so the upcoming order can't be frontrun because the frontrunner would need to do their own precommitment transaction first.
|
| Note that a marketplace contract like this isn't the only kind of smart contract; it's not the case that all smart contracts have the potential for front-running vulnerabilities. For example, there are smart contracts that do things like manage community funds and require people to vote on how the funds are spent, which don't do anything that could be vulnerable to front-running.
| NKosmatos wrote:
| Nice read! That's why I respect whitehat hackers, to be tempted by ~10million and then proceed doing the right thing. I wonder if they got a reward/bounty for managing to save all this ETH.
| ve55 wrote:
| Very interesting story, it really does sound like a scifi thriller to me.
|
| It also makes me wonder what type of legal battle would ensue if a blackhat were to have taken all of these funds instead, I'm not sure I've seen any public high-profile cases like that yet.
| Analemma_ wrote:
| This is all very interesting to read about, but in the same way epic battles in Eve Online are interesting to read about but not participate in. I hope the author doesn't think this article is functioning as an enticement to use ETH myself, because it's only confirming for me that I never, ever want any of my money near that shambling wreck.
| kevinpet wrote:
| Makes me think of salvage operations, and then raises the question of how do people get paid? They're providing a valuable service.
| I think in shipping there are both conventions and an ability to quickly negotiate that allows contracting for a salvage ship to rush to the aid of a grounded or sinking container vessel.
| Animats wrote:
| Yes, there are. It's the Lloyds Open Form.[1] "No Cure - No Pay". This is the standard deal for salvage operations, and is well over a century old. It's very simple, since it's intended to be executed by someone on a sinking ship. It's sufficient for the captain of a ship in trouble to contact a "salvor" and say they accept the standard Lloyds Open Form. A message "ACCEPT SALVAGE SERVICES ON BASIS LLOYDS STANDARD FORM LOF 90 NO CURE NO PAY ACKNOWLEDGE" is enough.
|
| _Contractors' basic obligation: The Contractors identified in Box 1 hereby agree to use their best endeavours to salve the property specified in Box 2 and to take the property to the places stated in Box 3 or to such other place as may hereafter be agreed. If no place is inserted in Box 3 and in the absence of any subsequent agreement as to the place where the property is to be taken the Contractors shall take the property to a place of safety._
|
| _The Contractors' remuneration and/or special compensation shall be determined by arbitration in London in the manner prescribed by Lloyd's Salvage Arbitration Clauses in force at the date of this agreement._
|
| That's the deal.
|
| You need some agreed way to resolve how much the job is worth for this to work. The Lloyds Open Form is an agreement to do the job and discuss later how much it's worth. That's generally settled by insurance adjusters. It's much like the aftermath of auto accidents.
|
| How much does the salvor get? 15% - 35% of the recovered value, reports Lloyds.[2] Of course, salvors work under tough conditions. They have to have equipment and people ready 24/7 to go somewhere and do something. That's expensive. Some classic worldwide names exited in the past decade.
| Mammoet and Titan both dropped out.
|
| All this is against accidental losses, not against an adversary. Where there's an opponent, it's a much tougher problem. Marine salvage is vs. the ocean. Whether this model can be made to fit programmed contract problems or ransomware is a big question. One worth pursuing.
|
| [1] https://www.lloyds.com/market-resources/lloyds-agency/salvag...
|
| [2] https://www.tugadvise.com/wp-content/uploads/2015/10/lloyds-...
| MacsHeadroom wrote:
| The people helping here did it for compensation in the form of good will with key players and/or potential future customers of their respective crypto products.
|
| If you're going to use two similar looking services for something using ETH, do you go with the one by some no-name or the one created and championed by community heroes?
| huac wrote:
| you will pay a higher fee to a trusted miner to process your transaction without sending to mempool.
| itronitron wrote:
| seems like a very interesting story however after the third voice change I lost interest and the specialized tech jargon just makes it sound goofy
| AgentME wrote:
| I was wondering why the article kept repeating details in re-worded ways as if they happened to other people. I didn't even realize that different parts were by different authors.
| iameli wrote:
| Love whitehat crypto postmortems like this. They always read like heist movies.
|
| Curious about the use of SparkPool to bypass the mempool and get the transactions minted directly into a block. It looks like anyone can sign up and contribute their hashrate to SparkPool. Is there a risk of malicious miners running workers in their competitors' pools and then frontrunning?
| bodski wrote:
| AFAIK only the pool operator can see the full set of transactions for the block being mined. Pool workers only get to see the block header for the new block.
| This header only contains the hashed root of the transaction tree, and so they are unable to front-run private transactions in this way.
| wins32767 wrote:
| One of my good friends has a saying, "Humans are really good at optimizing the hell out of the wrong thing." I can't help but think that when reading about any sort of heroics involving blockchain.
| currymj wrote:
| i tried writing some toy Ethereum smart contracts circa 2016. at that time it was immensely difficult to write them in a secure way -- even a simple "hello world" level Solidity contract could easily have exploitable bugs if you don't code in an extremely defensive style.
|
| i'm told things have improved since then -- can anyone who's used Solidity more recently comment on this? is it true?
|
| this, plus the fact that putting information from the real world onto the blockchain unavoidably requires some trust, seemed like the two big problems then, and it seems like they haven't really been fixed.
| vvpan wrote:
| Well, what are the fixes? Writing "smart contracts" is not meant to be for anybody but very seasoned developers. Also if you write a contract and do not get it audited by 3rd parties then nobody will (or should) take it for anything other than a toy application. That's just the nature of writing immutable code that potentially transfers a value.
|
| About Solidity in particular - I think most people would say it's not the best. There are endeavors to develop better languages but Solidity has become quite deeply entrenched in the Ethereum world. Everybody is busy with much more pressing issues - like scalability.
| finnh wrote:
| I've posted this before [0], but it's still apropos regarding the foolishness that is Ethereum.
|
| [Ethereum] only makes sense if all of the following obtain:
|
| (a) the code is 100% bug-free (b/c accidents cannot be rewound)
|
| (b) all code-writers are 100% honest (their code does what they say)
|
| (c) all contract participants are 100% perfect code readers (so as to not enter into fraudulent contracts)
|
| (Strictly speaking, only one of (b) and (c) needs to be true).
|
| None of these conditions will ever obtain.
|
| [0] https://news.ycombinator.com/item?id=14471465
| vvpan wrote:
| And yet the marketcap of the funds locked in a subset of contracts on Ethereum is almost 10 billion today (https://defipulse.com/) and I have been using a popular contract wallet for a while to hold my funds and transact with friends. So clearly it cannot be nearly as catastrophic as you mention, no?
| sfkdjf9j3j wrote:
| Is it really meaningful to talk about market cap when there are no underlying assets? The value could be entirely (or almost entirely) speculation.
| vvpan wrote:
| Sure, but it is still redeemable value for an attacker, yet attacks are relatively scarce. Or scarce enough for people to keep putting money into it. That's the point I was trying to make.
|
| I know what you mean by "no underlying assets" but I'd say it's arguable. Does BTC (WBTC) have value? By this time it seems like it does. There are also billions of dollars of "stablecoins" on the network. Are they a valid underlying asset? So far it seems like they are... Things have no underlying value until they all of a sudden do, I think that's the story of Bitcoin. A story of value too.
| currymj wrote:
| what i recall was that there were many pitfalls even to do something simple, and this event suggests that even experts may find it difficult to avoid mistakes.
|
| part of the challenge was just the inherent weirdness of the ethereum execution environment, where the functions you write can be directly called by an adversary, and they can set up their own version of the stack however they want.
|
| it didn't seem like the language helped to mitigate the inherent difficulty however.
| ladberg wrote:
| I love that they're continuing the Dark Forest analogy! Makes me also realize I never want to dip my toe in crypto like that. It's like an amateur going up to an entirely unregulated wall street and expecting to earn some quick cash.
| nullc wrote:
| The word you want here is "ethereum" not "crypto". Crypto is cryptography, and even if you want to redefine it as 'cryptocurrency' the sheer reckless yolo incompetence and scammyness of ethereum is not especially representative.
| microtherion wrote:
| What IS a "representative" cryptocurrency, then, if the #2 by market cap is not representative?
|
| Would it be Bitcoin, used for such time-honored business as drug purchases and hiring contract killers? Would it be Tether, the fiat currency for people who think that central banks are excessively transparent?
|
| The one extra element that Ethereum brings to the table is computationally much more powerful contracts, which makes it technically intriguing, but also adds another level of scammyness and incompetence to the enterprise.
| ladberg wrote:
| I think "crypto" can mean cryptography or cryptocurrency depending on context. Every cryptocurrency I've seen has a Dark Forest, even if it's not as bad as Ethereum.
|
| For example, if you create a private key using something guessable [1], point a camera at a QR code [2], or make a wallet using software you didn't write yourself [3], you can expect your money to irreversibly disappear faster than you can react.
|
| [1] https://www.wired.com/story/blockchain-bandit-ethereum-weak-...
|
| [2] https://www.theverge.com/2013/12/23/5238764/news-anchor-rece...
|
| [3] https://cryptonews.com/news/popular-private-key-generator-co...
| ClumsyPilot wrote:
| There are worse coins out there than ethereum
| swensel wrote:
| In terms of ethereum, do you mean ethereum smart contracts? The ethereum platform, as defined by its creators, is actually quite technical. Anyone who spends the time to learn the Solidity language and what it takes to deploy a smart contract is free to, so yes there can be legitimate, illegitimate, poorly designed or well designed smart contracts, just like other software programs.
| pron wrote:
| Amateur has nothing to do with that. Ethereum, and "smart contracts" in general, are built on such shaky foundations that unless shakiness is what you're looking for, you have nothing of interest to find there.
| vvpan wrote:
| Can you elaborate? Why do you find that "smart contracts" are built on a shaky foundation?
| drchopchop wrote:
| Because there is no real formal verification process for smart contracts, it's extremely easy to slip bugs into the contract code, the contract itself is generally immutable (can't fix bugs), and the effects of a breach are generally catastrophic and irreversible.
|
| Need more reasons?
| vvpan wrote:
| You are incorrect. Contracts are immutable but you can upgrade your application. There are different patterns, one where you make a shell contract that has pointers to contracts with actual business logic.
|
| Also, there are patterns where the user needs to confirm that yes they want to use the new version.
|
| There are also systems of insurance on contracts.
| BTCOG wrote:
| This as well. Immutable bugs.
| BTCOG wrote:
| Yes. Stay away from Ethereum altogether if for investment and simply put amounts you are willing to invest into Bitcoin.
|
| Ethereum DeFi currently ongoing is extremely risky and insecure in the longterm for various reasons.
| The open smart contracting is super dangerous, the Ethereum blockchain is way too bloated, the fees are shooting up, and it was designed to be a shared computer, an EVM for running things. Bitcoin is an investment and sound money. They do not compare and don't have the same end goals.
| sneak wrote:
| I offer that anyone who did the work that these researchers did would have also been "rightful owners" of that money.
|
| This is the consequence of programmable money; there's no getting around it, and, in my opinion, people shouldn't want to. Rescuing people and brands who don't put the effort into security from the consequences of their own mistakes isn't a net benefit.
|
| I'm all for anonymous teams, but look at the hoops this person had to jump through just to get in touch with them to report the bug.
|
| When you're anonymous, all you have is your brand, and theirs should have burned to the ground for this entirely preventable error.
| squeezingswirls wrote:
| Addendum https://zengo.com/generalized-front-running-ethereum-arbitra...
| superkuh wrote:
| I guess the take away here is that if you have the right connections then you can bypass the system.
| larzang wrote:
| Right? Forget bugs in the contract system, if you have pools writing whatever history they want in private that seems to defeat the entire point.
| formerly_proven wrote:
| This read like a piece by William Gibson in the Neuromancer universe. I finally understand now why people are attracted by cryptocurrencies.
| [deleted]
| BEEdwards wrote:
| You and I came to different conclusions from the same idea.
|
| I came out thinking why anyone would fuck with this gameable broken system, the more i learn about crypto the less I think of it.
| ordinaryradical wrote:
| Yes, if you're an enthusiast, it seems like good, technical fun.
|
| But I have no idea how an "investor" could read this and think they can price the risk correctly.
| This isn't even the wild west of finance--this is intergalactic space.
| jquery wrote:
| > But I have no idea how an "investor" could read this and think they can price the risk correctly. This isn't even the wild west of finance--this is intergalactic space.
|
| To be a successful investor, you don't necessarily have to price the risk correctly, you just have to price it better than others.
|
| I imagine someone successfully investing in crypto can read stuff like this fluently.
| pfisch wrote:
| Anyone "successfully" investing in crypto got in at least 4 years ago or when the last big run up was and just held in a reputable exchange or in their own wallet that they secured well.
|
| They don't need to understand anything really except how to deposit 5000+ in a reputable exchange. I think this makes up most successful crypto investors.
| bojo wrote:
| I am not an advocate for crypto by any means, but this is false. There are some Wall Street level investors out there.
|
| https://www.forbes.com/sites/michaeldelcastillo/2020/08/06/v...
| golergka wrote:
| Many "investors" are working very far outside the law, are used to very high levels of risk and desperately need different ways to keep their assets out of view from authorities.
| nootropicat wrote:
| It's way safer and less complex than you would expect. Most staking contracts are a copy-paste of two basic staking contracts (from synthetix and sushiswap), so it's enough to do a text diff and see what was changed, which is trivial. For more complex contracts that do something more, funds at risk are the best bug bounty there is - in the current environment if something had >$10M for a month and wasn't hacked, it most likely can't be trivially hacked. Bzrx, the single most incompetent defi platform, was hacked just two weeks after a relaunch for $8M - most likely someone was waiting from the start for it to get enough funds to make the hack worthwhile.
| Almost no hacks happened during the entire yield farming craze.
|
| Key word trivially - some contracts are custodial, so if someone hacked the owners (or they turned out to be scammers) funds could be stolen, which arguably has a reverse Lindy effect in the beginning. Fortunately people are starting to demand at least timelocks and/or multisigs. Another risk is how well liquidations function during a price crash, for protocols that need them.
|
| The current risk premium was and still is absurdly overestimated, but that was a good thing (for me) as without it three or even four digit APYs wouldn't last a day, but thanks to the unwarranted risk premium they lasted about 2 months. During the short peak three weeks ago it was possible to make even ~8% per day (on millions of dollars - good liquidity), completely risk free (trivial staking contracts). The great crypto bullrun of 2020 already happened and few outside of ethereum even noticed.
|
| You will see billions flow into defi on ethereum as others realize the real level of risk too (which guarantees those astronomical returns are never going to return - but even 10% apy on dollars is good in the current environment).
| hitekker wrote:
| As an investor who is not into crypto, I don't understand this comment, let alone use it to correctly price the risk of crypto.
| escapecharacter wrote:
| agreed; this reads like someone explaining their casino good luck charm strategy.
| AgentME wrote:
| Stay away from putting money into unique smart contracts that haven't been running for a long time with a lot of activity. Stay away from smart contracts that are custodial (where the creator is given privilege to all depositors' funds).
| dwaltrip wrote:
| Me think you are in a bit too deep and may be underestimating how things can go wrong.
|
| Another possibility is that you have a high risk tolerance as well as an uncommon knack for this sort of thing that most people don't have.
| psswrd12345 wrote:
| >Another possibility is that you have a high risk tolerance as well as an uncommon knack for this sort of thing that most people don't have.
|
| Ding ding. Which is why returns won't last as the information asymmetry curve is flattened.
| vvpan wrote:
| If anybody would like more intense blockchain story-telling check out this longish write-up about Justin Sun's takeover of Steem.it from a few weeks back. https://decrypt.co/38050/steem-steemit-tron-justin-sun-crypt...
| centimeter wrote:
| It seems to me that basically no cryptocurrency outside of Bitcoin has its shit together.
| huac wrote:
| interesting read - seems like the solution to the dark forest is equivalent to a dark pool in traditional finance?
|
| the logical conclusion is that within a few months we'll have dark pools run by miners who will process your transactions without broadcasting to mempool, in exchange for an increased gas fee. and, within a year, we'll find out that some dark pools sold order flow to those HFT's anyways, a la UBS https://sites.law.berkeley.edu/thenetwork/2015/01/29/ubs-dar...
___________________________________________________________________
(page generated 2020-09-24 23:00 UTC)
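
The precommitment scheme AgentME describes in the thread, run against the copy-and-outbid behaviour Sniffnoy and danielvf describe, as an added example that is not part of the original thread or of any project named in it. The `Market` class, the account names, the salt and the 395 payoff (borrowed from the $5/$400 analogy) are a constructed toy model in plain Python, not Ethereum code.

```python
import copy
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    sender: str
    fn: str          # "commit" or "take"
    args: tuple
    gas_price: int   # the block producer executes the highest bidder first


def commitment(sender: str, order: str, salt: bytes) -> str:
    # The sender's address is part of the hash, so a commitment copied
    # verbatim by another account never matches that account's reveal.
    return hashlib.sha256(sender.encode() + b"|" + order.encode() + b"|" + salt).hexdigest()


class Market:
    """Toy chain state holding one mispriced offer worth PROFIT to the first taker."""
    PROFIT = 395  # constructed value

    def __init__(self, protected: bool):
        self.protected = protected
        self.height = 0
        self.offer_open = True
        self.balances = {}
        self.commits = {}  # (sender, hash) -> height of the block that mined it

    def apply(self, tx: Tx) -> bool:
        if tx.fn == "commit":
            self.commits.setdefault((tx.sender, tx.args[0]), self.height)
            return True
        if tx.fn == "take":
            order, salt = tx.args
            if self.protected:
                mined = self.commits.get((tx.sender, commitment(tx.sender, order, salt)))
                # Require a matching commitment mined in an EARLIER block.
                if mined is None or mined >= self.height:
                    return False
            if not self.offer_open:
                return False
            self.offer_open = False
            self.balances[tx.sender] = self.balances.get(tx.sender, 0) + self.PROFIT
            return True
        return False

    def mine(self, mempool) -> None:
        for tx in sorted(mempool, key=lambda t: -t.gas_price):
            self.apply(tx)
        self.height += 1


def copycat(state: Market, mempool, me: str = "bot"):
    """Model of the behaviour described in the thread: replay each pending
    transaction as `me` on a private fork and resubmit it with a higher bid
    only when the fork shows a balance gain."""
    copies = []
    for tx in mempool:
        fork = copy.deepcopy(state)
        before = fork.balances.get(me, 0)
        fork.apply(Tx(me, tx.fn, tx.args, tx.gas_price))
        if fork.balances.get(me, 0) > before:
            copies.append(Tx(me, tx.fn, tx.args, tx.gas_price + 1))
    return copies


def run(protected: bool) -> dict:
    chain = Market(protected)
    order, salt = "buy@5,sell@400", b"constructed-salt"
    if protected:
        # Block 0: only an opaque hash is visible in the mempool.
        pool = [Tx("alice", "commit", (commitment("alice", order, salt),), 10)]
        pool += copycat(chain, pool)
        chain.mine(pool)
    # Next block: the order itself becomes visible to everyone watching.
    pool = [Tx("alice", "take", (order, salt), 10)]
    pool += copycat(chain, pool)
    chain.mine(pool)
    return chain.balances


if __name__ == "__main__":
    print("unprotected:", run(False))
    print("commit-reveal:", run(True))
```

The commitment only helps because it is bound to the sender and must be mined before the reveal; a contract that accepted any matching hash, or a commit and reveal in the same block, would leave the reveal copyable.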