I DID (not) GET MEV'D BY FLASHBOTS!!
- Published 22 Aug 2023
- We look at the Flashbots Protect product to see if it will protect us from MEV!
🤖 Flashbots: www.flashbots.net/
🌳 Scott Bigelow MEV'd: • How To Get Front-Run o...
💰 Lost (MEV'd) Transaction: etherscan.io/tx/0x46928370ca0...
🛡️ Protected Transaction: etherscan.io/tx/0xa0550a36dab...
📝 Blog: / flashbots-protect-hero...
😸😸Follow Patrick!😸😸
Cyfrin: www.cyfrin.io/
YouTube: www.youtube.com/@PatrickAlpha...
Twitter: / patrickalphac
Medium: / patrickalphac
TikTok: / patrickalphac
Twitch Stream Uploads & Shorts: / @patrickalphac-alt
All thoughts and opinions are my own. - Science & Technology
Patrick strikes again. Bold use of $100, respect. This man has done a public service. Thank you! Great content!
So nice content, I just came here because you've mentioned in the podcast Proof of Podcast. So cool to see in live action, thanks Patrick.
This is so good. Why aren’t we talking more about this?!
Amazing Patrick, you are the only one who thinks for his audience for real on YouTube ❤❤❤ love from Bangladesh
The MEV in this instance is the front-running. So getting protected from front-running means no MEV and thus no MEV to share back. MEV generated through an arbitrage trade would be different, because Flashbots would auction that MEV to searchers
Yep makes sense. Felt like the marketing on this was a bit mixed. “No MEV” vs “some kinds of MEV”
Keyword click sit?
*clickbait
I have recently started learning blockchain development from your YouTube channel and this went above my head.
Thanks for the feedback! Take the course and come back later
Great experiment
very cool video ser
We love you Patrick!
So in conclusion, should I be using flashbot protect for every single tx on eth? 😮
Great video, would love more 'experiment' videos like this 😊
Glad you liked it! And from the video, I used *editing magic* to gloss over this, but the flashbots protect transactions took much longer to go through - which makes sense, as it's a much smaller pool that executes the transaction if you don't fan it out to the public mempool.
I think the takeaway is you should use Arbitrum One or OP Mainnet as the Centralized Sequencer prevents reordering of tx and they also don’t have a mempool right now.
Quality stuff!
Frogs rule -- front runners drool!
true
Hey Patrick, what are internal transactions and how do they differ from your transaction?
They are Contract -> contract transactions.
For example,
1. I call “swap” on contract X
2. Contract X calls “send token” on contractY
#2 is an internal transaction, sometimes also called a trace
Great video! Is there any real world scenario where you would have this kind of password system? It would always be `if(msg.sender != authorized address) revert`??
This was a dummy example to show the MEV bots, but usually MEV happens in places you forget about. This was an example that, yes, we could have easily prevented and is not realistic.
I really need to learn more about this topic as it is not discussed in any of the bootcamps I learned how to code from. Can you clarify one concern I have? If I am not deploying a contract but instead am just sending funds directly from one wallet to another wallet, is it possible to get front-run? And if there is a possibility, is it due to the method the wallet uses, such as transferFrom or transfer? I just realized how little I know about the details of the mempool and now feel very concerned about transferring funds, as I can understand how high slippage authorization for trading tokens on a decentralized exchange could be front-run, but I had no idea someone could front-run functions in a smart contract in which the password was privately known by the deployer only. Could you have placed an onlyOwner function to have restricted the authorization of who can withdraw the funds from the contract you created with your password hash?
Looks like I might need to make another video ahah. Did you watch my second video on MEV? That will help clarify stuff
@@PatrickAlphaC Hi Patrick, I am not sure if I saw your second video on MEV, I will look for it. I was intrigued by your video to learn more, so I followed up this video with Shea Ketsdever from Flashbots' talk at the ETHGlobal Hackathon, July 21, 2023. Then I listened to Nathan Worsley talk about being an MEV searcher, posted by Flashbots from MEVday April 22, 2022, the talk titled “MEV as an inner experience”, which gave me more insight into the world of MEV searching. It exposed to me a clearer picture of why jr. developers need to get serious about testing the security of their smart contract and how it will work and interact with the blockchain and other protocols. Then I listened to a talk by Philip Daian at Devcon about a year ago, which very much inspired me to hear about the mission of Flashbots, and now I am finding that I want to spend a lot more time learning about security research and implementation.
Patrick, might a front-run happen when sending ETH directly via the MetaMask UI?
Sure. But that would be pretty hard to extract value from
@@PatrickAlphaC like in case u showed? where bot spend more money to overrun your tx than it actually contain?
Thanks
So does Optimism and starkWare protect you from front running ?
L2s have the sequencer be the "ultimate MEVer" since on L2s the sequencer picks the transaction order
Considering this dummy contract doesn't have public interest (basically unknown address) the only way to know it was withdraw transaction is by looking for the function selector?
Not even, they just look to see how much money flowed out, and copied the data sent in my transaction
That MEV bot from the first try is pretty cool, but I wonder how they check the tx so fast. I mean, the case of someone submitting a withdraw with a password/hash should not happen at all, no?
If you have a fast internet connection and some badass rust, you can essentially have a bot that scrapes the mempool just constantly asking “if TX makes money -> copy and front run”
Hi everyone I'm not sure If I understand correctly, front-run attack is only possible when contract is poorly designed right? If we have withdraw function, which can be called only by owner front-attack is not possible right? Bots are basically copying transaction that can pay them and paying more gas to outspeed original tx right? So bots are calling same function as we do and all its requirements persists right?
"Designed poorly" isn't exactly correct. Sometimes you can design away from it, but other times you can't.
For example, if I put in a buy of 1,000,000 UNI tokens, other bots can see this, and front run my transaction to buy UNI tokens to sell to me at an inflated price. There are things you can do to mitigate these in your transaction, but not 100% remove.
@@PatrickAlphaC So bots are doing anything possible to get paid by outplaying you. If function in your video would have any address restriction (for example only depositor can call it and it will withdraw that caller balance) then bots would not be able to front-run you right?
@@Niferu a really good bot could deploy an exploit contract too. But maybe we should test that too :)
@@PatrickAlphaC That would be awesome! I'm now sooo curious how would such exploit bot look like (codelike) Keep up amazing content and thanks for responses Cheers!
I have a question, would you still get frontrun if there was an access control, like (msg.sender != Patrick's_address) then revert() ?
No you cannot front-run those functions because smart contract would revert if the msg.sender was wrong. The problem is functions with access control have very limited usage.
@@Antaquelas ty for clearing that up, been thinking about that for 2 days tbh
Yes… but this doesn’t tell the whole story. Some MEV bots are smart enough to deploy their own attack contracts too. So they copy your bytecode, deploy their own, and do it
The monsters are real
After they deploy a copied contract from our contract’s byte code! How do they “relay or delegate” the transaction in the mempool to their contract?
@@Ibrahim-oc5ql we should test it
i just noticed your withdraw function is not restricted to who can call it, will restricting it to onlyOwner prevent that frontrunning by mev bots from happening or not?
also is using private rpc like alchemy's rpc prevent it from happening too?
Yes? Making it only owner would save it. But the point is that a lot of functions you use can’t be only owner, otherwise you couldn’t call them!
Alchemy actually uses flashbots under the hood! The alchemy private RPC is flashbots
@@PatrickAlphaC ohh that's a new info for the alchemy one. thanks
still good to know that access control can prevent it.
I find these videos so interesting :) Wondering if you will ever go deeper into the WASM/Rust/Polkadot world. It would be really cool to have a techie opinion 😄
If I find time ahah
Life saver!!!!!
Awesome content Patrick! It's sad nothing actually saves one from being front-run. So I thought about this... what about this idea: trying to perform an arbitrage transaction that requires a hash message that includes (address, the parameters needed to trade, and a nonce), but actually signing the transaction while performing the function. This way it can't be copied, because the only person to decrypt would need the sender signature.
But… it could be front ran :)
You could have them sign the msg.sender and that would work tho
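Added example (not from the video or from any commenter): a toy Python model of the copy-and-replay front-running discussed in this thread, run against a password-only withdraw and against one whose check also covers msg.sender, as the reply above suggests. The class names, addresses and password are constructed for illustration, and SHA3-256 stands in for the EVM's keccak256.

```python
import hashlib
from dataclasses import dataclass

def h(*parts: bytes) -> bytes:
    # SHA3-256 stands in for the EVM's keccak256 (assumption; the two differ in padding).
    # Each part is length-prefixed so the concatenation is unambiguous.
    return hashlib.sha3_256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

@dataclass(frozen=True)
class Tx:
    sender: str       # msg.sender
    calldata: bytes   # readable by every node once the tx is in the public mempool

class PasswordVault:
    """Toy model of a password-gated withdraw: pays whoever presents the password."""
    def __init__(self, password: bytes, owner: str, balance: int):
        self.commitment, self.balance = self.commit(password, owner), balance

    def commit(self, secret: bytes, sender: str) -> bytes:
        return h(secret)                      # the caller is not part of the check

    def withdraw(self, tx: Tx) -> int:
        if self.commit(tx.calldata, tx.sender) != self.commitment:
            return 0                          # revert: nothing is paid
        paid, self.balance = self.balance, 0
        return paid                           # amount sent to tx.sender

class SenderBoundVault(PasswordVault):
    """Same vault, but the stored commitment also covers msg.sender."""
    def commit(self, secret: bytes, sender: str) -> bytes:
        return h(secret, sender.encode())

def replay_outcome(vault_cls, copier: str = "0xCopier") -> dict:
    """Order a copied tx (same calldata, different sender) ahead of the original."""
    owner, password = "0xOwner", b"constructed-sample-password"  # constructed values
    vault = vault_cls(password, owner, balance=100)
    original = Tx(sender=owner, calldata=password)
    copied = Tx(sender=copier, calldata=original.calldata)
    return {"copier": vault.withdraw(copied), "owner": vault.withdraw(original)}

if __name__ == "__main__":
    print("password only:", replay_outcome(PasswordVault))
    print("sender bound: ", replay_outcome(SenderBoundVault))
```

The model covers only replay of identical calldata from a different sender; it says nothing about price-impact front-running of trades, which the thread notes can be mitigated but not fully removed.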
So when is the Ethereum mainnet expected to get MEV protection upgrade?
idk - but it's on the todo list
But how would the MEV Bot target your transaction ?
It's a newly deployed contract and not verified.
How can it decode your signed transaction to get your password without access to your code or abi ?
It doesn’t matter. It just simulates if my TX will make money, then it can simulate if they do the same byte code will they make money.
There are some pretty sophisticated bots out there - and keep in mind, even if it’s not verified, a lot of bots have no trouble reading byte code. Even I as a human can read bytecode pretty easy.
@@PatrickAlphaC Yeah makes sense. But it's pretty interesting that a random, simple contract was even vetted by the bot system.
Wow, Patrick, I had no idea someone else could front run a contract withdrawal from a contract that only you had the password to get into. Can you explain more on how a bot was able to extract your password? I thought that would be something they could not do as they do not have the password.
Basically, when you hit “send”, the blockchain node you sent the tx to sent your transaction data to all the other blockchain nodes. When they see your data, they can see exactly all the contracts and functions you call. So they just copy what you do
@@PatrickAlphaC I do need to spend time learning how mempool works, and how to run my own node or use flashbots protect. I also will make sure any contract I create that has payable functions has require statements and onlyOwner modifiers or other access control implementations that limit function calls to only approved addresses. Thanks Patrick for letting me know I have so much more to learn if I want to get hired as a developer or security researcher.
@@kcstorytime4898 what's your journey been like now?
Is it possible that the MEV is possible but maybe they will need to pay more eth on gas than what is worth, so they chose not to do it?
@@b-baller yes
🎉🎉🎉
Hi all, quick question. Is blockchain and cryptocurrency still a great thing to get into? Everyone keeps saying it's a scam. I believe there are great uses for it, but thanks to the media, all I see is scam, so diving into blockchain, is there a practical use for this?
It's an amazing thing. Just don't deploy a stupid token.
The practical use is censorship resistant finance.
🎉🎉❤
Can you help me recover token
What is ME-V to be precise Patrick?!
Maximal extractable value.
If you leave the mev bot with the mev tester network a 4 hours will gains some profit
man I wish I had seen this video earlier. MEV sucks really makes me doubt the whole point of Ethereum as a technology at this point. Getting rugged/MEVed sucks. Other ecosystems without this issue such as Polkadot and Bitcoin seems to be the way.
Or just use a private pool like flashbots!
@@PatrickAlphaC beats the point of a decentralized network when all transaction traffic comes through a single RPC.
This is why light nodes in Polkadot like smaldot are incredibly interesting in parallel.
@@CriptoPoeta good point! Or just don’t fan your TX out to the mempool at all
@@PatrickAlphaC by running ones own node?
@@itissatno yes
Mev sammies
💛🎯💛
Hi Patrick, the rate at which I follow u up, some might say u've got yourself a stalker. Anyways, I would love to work with your team as an intern, I don't mind not getting paid, I just want a real world experience.
PS. Thank you sir
Thanks for reaching out! We are probably going to have a pseudo-internship on our education platform for people to help others learn.
Additionally, judges and auditors on CodeHawks are always helpful, and you learn a ton too!
@@PatrickAlphaC oh wow, can't wait. Thank you.
Let's get froggy 🐸
I want to participate in this as well! please do give more info @@PatrickAlphaC
imagn tinking public ETH is the future XD
Mevblocker
Can find my address in sweeper bot ?
9:08
I love you
Feelsgood
Please I need someone to create an MEV bot for me?😪
That’s lame dont do that
First like and comment.
87
Have hacked wallet. Have staked tokens on website. I need help. I am super new. Everyone that seems to want to help is scammer
All crypto stuff is a scam.
How so
great educational content as usual Patrick! 🫡
Thank you!
Patrick just got paid $1 mill from Flashbots for making this vid!
I wish