-- Disclaimer -- 1. These are unpaid transcriptions, performed in real-time and in-person during the actual source presentation. Due to personal time constraints they are usually not reviewed against the source material once published. Errors are possible. If the original author/speaker or anyone else finds errors of substance, please email me at kanzure@gmail.com for corrections.
- I sometimes add annotations to the transcription text. These will always be denoted by a standard editor's note in parenthesis brackets ((like this)), or in a numbered footnote. I welcome feedback and discussion of these as well. --/Disclaimer --
Flash boys 2.0
Ari Juels
Welcome to the session on topics in current research in blockchain. I am a professor at UW Seattle. We'll begin this session with our first talk by Ari Juels from Cornell Tech.
Flash Boys
In 2014, Michael Lewis published a best-selling book entitled Flash Boys. It was an expose on the Wall Street practice of high-frequency trading which is a catch-all term. There's some common characteristics of the definitions of HFT. It usually involves bots and algorithms rather than human traders. This is beneficial because bots can make use of sophisticated algorithms and they are also fast. This relates to the second common characteristics: which is that HFT involves a quest for speed. A large amount of investment in systems required to achieve low latency and be fast. The third characteristic of HFT is an exploitation of speed to gain an advantage over other traders. This is often called "latency arbitrage" but I'll call it frontrunning.
Lewis's book provoked a sensation and provoked a flury of investigations by the FBI and SEC and regulatory changes resulted. The pros and cons of HFT are still much debated. I'm not an expert on HFT so I can't present these pros and cons. The conclusion of his book is a famous declaration that the market is rigged.
Blockchain
With blockchain, everything is supposed to be different. Bitcoin was released in 2009 admist the financial meltdown or crisis caused by the very same Wall Street. Bitcoin of course is a peer-to-peer (p2p) system and a transparent one. It was supposed to create a level playing field according to Satoshi ((uncited)). In 2017 there was the book Blockchain Revolution which said "Blockchains can help build integrity into all of our institutions and create a more secure and trustworthy world" which was written by Tapscott father-son duo. If only, though. We are very far from realizing this dream.
To see this, let's consider one of the things that blockchains are used for today. They are used to solve the problem of fair exchanges. Alice has some asset, Ether, and Bob has created a new token called Bob's Bubble Token and they both like to trade. Alice would like to exchange ETH for BBT. Bob, being polite, might say to Alice, please, you go first. You send my ETH, and I happily send you some BBT. If they have never met and don't trust one another, this is a problem for Alice and similarly it would be a problem if Bob was the first mover. The first mover is always at a disadvantage because there's no guarantee that the other will reciprocate.
Centralized exchanges
One way to solve this is to appeal to a trusted third party like a centralized exchange which takes the assets of the two parties into custody and then if all goes well then the exchange will perform an atomic swap of the two assets. Alice will get her proceeds, Bob will get his proceeds. This is what happens if all goes as planned. But there are other possibilities. The exchange could of course since it holds these assets, could simply make off with them or the exchange could be hacked and the assets could be lost in some other way. This is a problem with all centralized exchanges: you have no guarantees that you will get your assets back or the assets you traded for. Unless the exchange is honest and well-run, there's always this risk. How do we solve this problem?
Decentralized exchanges
Naturally when we're talking about cryptocurrency we want to throw a blockchain at it. Let's replace the centralized exchange with a smart contract. This is the idea behind decentralized exchanges. It's an exchange in which assets are held in custody in a smart contract rather than by some trusted third-party. There are several different decentralized exchange designs. I am going to focus on the one that we have explored in our research. In this design, the smart contract will take into custody the assets of the two trading counterparties. So the smart contract will take custody of the two assets.
The exchange operator takes responsibility for maintaining an off-chain orderbook, but not custody. Alice places an order in the orderbook. Bob or anyone else interested in trading with Alice can observe the order and then take the order. He can trade against the order. The way this works is that Bob countersigns the order and sends the countersigned order to the smart contract and the smart contract that holds the assets will then swap.
Assets can't be stolen by the exchange operator. The operator of the orderbook or exchange doesn't hold any assets in custody. Additionally, this system is accessible to anyone. Anyone can send a transaction to the smart contract. The exchange operator can censor the orderbook and prevent you from accessing it, but can't prevent your trading with respect to the smart contract. The system is transparent. Every trade that takes place on this exchange is visible on-chain because trades are executed as transactions against the smart contract. In ethereum, they are ethereum transactions.
But is it fair? Well, suppose that Alice places an order on the orderbook but she makes a typographical error. She intends to pay only 1 ETH for BBT. But she accidentally places an order in which she offers 10 ETH for 1 BBT. This is obviously a juicy order, and anyone will leap to take that trade. So Bob would be inclined to take this order. Alice may quickly realize she has made a mistake, and she might endeavor to cancel her order. She can do this by sending a cancel order transaction to the decentralized exchange smart contract. At this point, if Bob attempts to take the order, then the contract refuses to process Bob's countersigned version of the order because he would not be able to take the order.
That's all well and good, but suppose that the critical b at the end of Bob was replaced with a t and instead of Bob, instead Alice is dealing with a bot and the bot is very fast. Alice might realize she realized a typo, she could submit a cancelation order but a bot can act as fast or faster than Alice and take the order anyway. The bot can observe the order but also the cancelation order. The cancelation order is placed with some gas. The bot can place a fresh order with a higher gas price. Miners in systems like ethereum or any gas-powered smart contract system, miners have an incentive to place first in blocks the orders with the highest gas price because gas is paid to miners. So miners are obviously going to take the juiciest transactions and therefore it will place the bot's order first in the block even if Alice has submitted a cancelation order to the network before the bot submitted the take order. The bot's order will come first, it will be processed first, the bot will receive the asset, and now Alice's cancelation order will be invalid because the order had already been executed. This, of course, makes Alice very sad.
The intuition here is that the bot is essentially bribing the miner. He is paying a higher gas price in order to have the privilege of front-running Alice and getting ahead of her in line in the transaction processing. Alice might be sad, but she's not alone. This has happened to countless users. I don't know how many- hundreds, certainly, possibly thousands. Many of these users have posted pleas in online forums asking bot masters to return their money. Some of these are really heart wrenching. "I'm a stay at home parent, I day trade for my family, I placed an order just seconds ago, please return the money". I made a mistake, please send it back, I have faith in you. Please please please, I'm a single parent, a lot of parents here supporting their family by daytrading apparently... This poor person was really desperate and submitted multiple pleas, please return at least some of the money. "I might need to sell my car to pay what is already diue for this semester". This was the most disturbing message we came across: some person fellow had gathered up all the rupee on his village and rolled the dice on one trade and a bot stepped in and took all the money, and how do you explain to this village that the guy lost all their money.
We use the words of Hobbes in the world of decentralized exchanges: life is nasty, brutish and short. Typos are one source of arbitrage, and bots are out there cheating humans. There are other sources of arbitrage out there.
Bots also as it turns out don't just cheat users, but they also attempt to cheat one another as follows. Suppose that Alice has placed an erroneous order that a bot is interested in taking; the bot will essentially outbid Alice in terms of gas. Alice will bid for the cancelation order, the bot will bid too. A second bot might observe this juicy order and will observe that another bot attempted to frontrun Alice, so the second bot will place an even higher gas price. The first bot might observe that the second bot did this. So they go into a race of raising the gas price higher and higher. They can go back and forth doing this for a very long time, until a block is produced and one of these transactions gets mined.
When you raise the gas price with respect to a transaction you have placed, you essentially replace the old transaction and it's forgotten by the network. We observe vicious competition between bots very frequently. Whenever a user places an order with a typo or otherwise makes a mistake and there's some juicy orders on the book, some bot is likely to find it, and most likely multiple bots find it and they bid up the gas price in exactly the manner I have described.
When the order is placed, when the transaction is placed in Ethereum and the gas price is raised by the user of the transaction, the old transactions are forgotten. These competitions between bots are not visible on-chain. Transparency has failed us in this sense. In order to observe these bidding wars among bots, we had to create our own instrumentation and we spent thousands of dollars on AWS time gathering data about bot priority gas auctions as we call them. This competition involving gas price raises. The data we have collected we have made available publcly on https://frontrun.me and it's a little out of date, but you will see some of these graphs there. This might be of interest to game theorists for reasons that I'll explain in just a moment.
Bidding strategies
These bots are engaging in an auction revolving around gas prices. What sort of strategies do they use to determine when and how much to raise gas prices by? Well these auctions are a very unusual and interesting game as it turns out. To begin with, the bots have imperfect information. There's some latency involved in placing a transaction on the ethereum network. It takes time for the transaction to propagate to miners and to other people operating on the netowrk. It's a--- it's a prioriry gas auction. If you're the losing bot, and you place a transaction that is processed second and is therefore invalid, you still have to pay the gas cost of the transaction. Bots have found ways to reduce the gas cost they pay, but they still pay something. So the loser pays something in this auction, which is somewhat unusual. Finally, these auctions are unusual in that they last for an amount of time that is determined probabilistically-- the auction ends when the block is mined and blocks are mined in probabilistic intervals. It's unlike a real world auction where the auction ends when bidding stops or at a predetermined time. In this case, the bidders or the bots have no idea when the auction is going to be, or they only know the end time only probabilistically.
We've modeled mathematically and analyzed these strange auctions and found that there's an equilibrium involving something called the "Grim trigger" strategy where one bot will punish another bot if it deviates from the equilibrium strategy. One characteristic of this equilibrium strategy is that bots raise their gas prices by the smallest possible increment permitted by the network. We found that, and this doesn't always happen, that the mathematical model matches reality. We see convergence towards equilibrium in terms of gas price raises that most bots submit. The smallest gas price increase is 12.5% and we see bots gravitating towards these low gas price raises over time. Some of them are sitting at 15% for reasons we don't completely understand. But the reality is that it matches the mathematical model which is rare and satisfying.
Wall-Street-like latency wars
As you will also appreciate, these behaviors are very Wall Street like. Where there is money to be made, sophisticated strategies will develop. This quest for speed highlighted by Flash Boys is also present in these bots. Lewis highlighted a company that spent 100s of millions of dollars to create a fiber optic network to connect servers between Chicago and New Jersey just to shave a few milliseconds off the latency for Chicago to New York transactions. By the time Flash Boys was published, this expensive fiber optic cable was obsolete. They installed a microwave link which used light traveling in straight lines, which shaved off another 4 milliseconds. They were originally able to cut latency from 16 ms to 13 ms and then even more with the microwave link.
The speed helps in the gas auction game. Bots are increasing in speed.
Tip of the iceberg: centralized exchanges too
This phenomenon of DEX arbitrage is the tip of the iceberg. Our best estimate, and it's a conservative lower bound, suggests that the amount of DEX arbitrage taking place in Ethereum is $6 million cumulatively through the middle of 2019. But DEX volume is only 0.1% of the total trading volume in cryptocurrency ecosystems. Centralized exchanges account for the vast majority of the trades. An iceberg sits 10% on the waterline. So it's really the tip of the tip of the iceberg.
Centralized exchanges have about $50 billion in volume per day. These trades have no presence on-chain. They are regulated in a patchwork way, sometimes playing jurisdictional arbitrage. They are known to lose money; every other month there's a report in the popular press about some exchange getting hacked. We don't really know what is happening here, because all of this is happening in the shadows under the water line if you will. We don't really know what malfeasance is happening in centralized exchanges, but if DEXes are any indication, it's probably not good.
Time-bandit attack
There's another story that arose in our investigation of priority gas auctions. One observation that surfaced is that there's a risk, and a substantial risk, of a new type of attack arising in Ethereum and similar blockchains. This attack we refer to as a time-bandit attack. A miner mounts this attack by observing recent arbitrage opportunities perhaps taken by bots. These are opportunities already recorded on-chain. Some miners observe that there were these recent juicy transactions. The miner rewinds the blockchain and then forks it in a 51% attack. 51% attacks are not new; they have been observed in the real world. Ethereum Classic was subjected to one fairly recently. What's new here is that the miner has observed these arbitrage opportunities taken by bots, and because it's acting as a miner, when it forks the chain it gets to dictate what transactions get placed in the blocks that are produced. It can retroactively take the opportunities that were taken by the bots on the main chain. It can take those for itself on this forked chain. It can steal the arbitrage opportunities from the bots, and use the money obtained from these arbitrage opportunities, to subsidize the attacks. 51% attacks are usually performed just to harvest the block rewards, but in this case there's a lot more you can harness-- there's value in the consensus layer. Miners can take this money and use it to mount the attack.
This kind of attack destabilizes the whole blockchain and potentially puts the whole Ethereum system at risk. This type of attack is not theoretical. There are very large arbitrage opportunities present in Ethereum today, particularly during periods of high volume trading. In July 2018, there was about $1.5 billion in DEX volume. To mount a one-month 51% attack, according to crypto51.app which is an interesting website, that attack would have cost $56 million which is just 4% of the DEX volume at that time. We don't know the full breadth of arbitrage opportunities during that month; 4% is a small fraction, surely there were more opportunities than that. We have observed large arbitrage opportunities, some of them approaching $20,000 in today's value.
Another thing that a time-bandit attacker can do is that they can go back in time and execute trades with knowledge of future prices. You can trade on knowledge of future prices, by rewinding the blockchain. You can observe the current price of some asset, roll back the blockchain, execute some DEX trades, with knowledge of the future price, and then make a fortune.
Lots more in the paper
There's a lot more in the paper. We have described a mathematical model of "priority gas auctions". We report on a lot more data than I have had a chance to review in this presentation. We our ourselves have unintentionally created the bot community; we posted a blog post warning people of the risk of this type of arbitrage happening. This is a graph of arbitrage opportunities over time, and that red line is the point at which we published our blog post... so sadly the warning we meant to issue to the community became a self-fulfilling prophecy and we learned a lesson about intervention in science. We also accidentally made the bot community more efficient by creating a token called gas token which lowers the price required to pay for gas, which is very popular for arbitrage bots. So apparently it's impactful research.
If you want to learn more, I encourage you to have a look at the paper: https://arxiv.org/abs/1904.05234 and my lead author deserves the lion share of credit for this work. This is just one of the many projects under the IC3 project at https://www.initc3.org/ and a few of us are present here today.
Q&A
Q: Can an altruistic individual run a bot to bid all the value to the miners?