The Tale of Fomo3D
Everything on Ethereum is public information. All transactions (even before they are finalized). All data stored in smart contracts. Everything. Until recently, there was no way to generate reliable random numbers either. Considering that, there is no easy way to, say, play poker on Ethereum—it requires randomness to shuffle the deck and privacy since only you can see your cards. In fact, designing any kind of fun game without randomness and/or privacy is tough.
This is what made Fomo3D a brilliant game (even if it was ripped off from Reddit’s “The Button”). Here is how it works:
A countdown timer is set for 5 minutes
Anyone can pay money for a ticket which adds 30 seconds to the timer
All money from ticket sales goes into a pot
If the timer hits 0, the person who bought the last ticket wins the whole pot
Every time Fomo3D’s timer would get low, someone would inevitably buy a ticket, restarting the clock. It was conceivable that the game might never end. The pot grew from pocket change to millions of dollars.
This is the story of August 22, 2018, the day Fomo3D’s timer hit zero for the first time.
Before diving into the story, a quick primer on a few Ethereum quirks:
To play a game or use anything on Ethereum, you have to pay a fee.
The fee has nothing to do with how much money you are spending; it depends only on how much work the validating computers have to do to complete the action. All actions are called “transactions” regardless of whether they actually move money or not.
The validators start a “meter” and every computational step deducts a tiny amount of gas from your fee until the action is over (or you run out of gas, in which case you lose the fee and you have to rerun the action).
Ethereum bundles transactions together in batches (called blocks) and waits about 13 seconds between batches. To make sure everyone can keep up, Ethereum caps how much computation can be done in a block (the block gas limit).
Fees are paid in ETH (money on Ethereum), while gas is not money; it is an abstract measurement of computational effort. To turn gas into money, the user offers to pay a certain rate of ETH per unit of gas. Other users offer other rates. Validators run the highest-paying actions first and work through the actions until they hit the block gas limit (or there are no more actions that anyone wants run).
Ethereum transactions are processed in “slow motion.” First they are broadcast to all validators. Then validators pick the best looking transactions (highest gas fees) to execute. If your transaction does not pay enough gas, validators will not include it. It will stick around, waiting for gas fees to come back down where it is competitive enough to be included. There are no guarantees about how long you might wait.
If you use Ethereum, your software client will figure all this out for you and show you an appropriate fee. You can then take it or leave it (or manually adjust it if you know what you are doing).
Now back to the story:
A player we will call Mallory writes a bunch of junky smart contracts that do nothing useful but consume a lot of computational resources to run. She puts them on the blockchain but does not run them yet.
Mallory waits until Fomo3D’s timer has about 3 minutes left and buys a ticket.
Next, she asks Ethereum to run her junky smart contracts. To make sure they are prioritized, she offers to pay a gas rate 10x what everyone else is paying. The junky contracts can only run about 5 times before the block gas limit is hit, so no one else can run anything in that block. We call this a “suppression attack.”
She keeps repeating this. See the pink region in the Figure above where the number of transactions plummets and the fees explode.
If she can monopolize the next 12 blocks, the Fomo3D timer will go to 0 and she will be a millionaire. Other people start trying to buy tickets, but Mallory keeps increasing how much she is willing to pay for her junky contract to run, eventually hitting 100x the “normal” rate.
Eventually one other Ethereum user clues into exactly what is happening and why. He desperately buys a Fomo3D ticket and also pays an obscene amount of gas to have his transaction prioritized even above Mallory’s. Unfortunately he is too late: it is included in the same block in which the timer hits 0, and he ends up holding the first ticket in a new round of Fomo3D.
Mallory’s junky contracts are not so junky after all. All along, before they firehosed Ethereum, they were first checking the Fomo3D game to see if Mallory had won. If she hadn’t, they would do their best to clog up Ethereum. However, if they saw that she had won, they would immediately back off and finish. So Mallory’s transactions kept running after she won, but they consumed only a tiny amount of gas, just enough to realize they did not need to run any more.
Because most users do not manually set gas fees, their software clients got confused about what was going on and thought gas prices were super high (which technically they were). So everyone started paying a lot for gas for a few blocks after Mallory finished her attack. Eventually gas prices returned to normal.
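The pattern the story describes (very few transactions per block, blocks nearly full, gas prices far above the pre-attack level, and fee estimators that stay inflated after the attacker backs off) can be spotted from per-block data alone. The following detector is an added example, not part of the original post; the block records, the block gas limit and the thresholds are constructed to mimic the shape of the incident, not the real August 22, 2018 values.

```python
# Added example: flag blocks whose shape matches a block-suppression attack,
# using only per-block data any node or explorer exposes: transaction count,
# gas used, and the median gas price paid. All numbers below are constructed.
from statistics import median

BLOCK_GAS_LIMIT = 8_000_000  # constructed cap on computation per block

# (block number, tx count, gas used, median gas price in gwei) -- constructed
BLOCKS = [
    (100, 150, 7_200_000, 4),
    (101, 140, 6_900_000, 5),
    (102, 160, 7_500_000, 4),
    (103,   6, 7_950_000, 60),   # suppression begins: few txs, block full, >10x fee
    (104,   5, 7_980_000, 75),
    (105,   7, 7_990_000, 90),
    (106,   5, 7_960_000, 400),  # attacker bids up to ~100x the "normal" rate
    (107,   6, 7_990_000, 410),
    (108,  30, 7_800_000, 350),  # attacker backs off; fee estimators still inflated
    (109, 145, 7_100_000, 120),
    (110, 150, 7_000_000, 5),
]

def baseline_gas_price(blocks, window=3):
    """Median gas price over the first `window` (pre-attack) blocks."""
    return median(b[3] for b in blocks[:window])

def is_suppressed(block, baseline, fill=0.98, max_txs=10, fee_mult=10):
    """A block is suspicious when it is nearly full, carries very few
    transactions, and pays far above the baseline gas price: a handful of
    heavy transactions bought the whole block."""
    _, tx_count, gas_used, price = block
    return (gas_used >= fill * BLOCK_GAS_LIMIT
            and tx_count <= max_txs
            and price >= fee_mult * baseline)

def suppressed_blocks(blocks):
    """Return the numbers of the blocks matching the suppression pattern."""
    base = baseline_gas_price(blocks)
    return [b[0] for b in blocks if is_suppressed(b, base)]

def naive_fee_estimate(blocks, lookback=3):
    """What a wallet that recommends the median price of the last few blocks
    tells a user right after the attack: a fee still far above baseline."""
    return median(b[3] for b in blocks[-lookback:])

if __name__ == "__main__":
    print("suppressed blocks:", suppressed_blocks(BLOCKS))
    print("fee estimate just after the attack (gwei):", naive_fee_estimate(BLOCKS[:-1]))
```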
This is a fun story, but it also has some unusual ramifications. Suppression attacks are a kind of front-running attack, and profits from front-running are called MEV (Miner Extractable Value, now usually expanded as Maximal Extractable Value) by the community.
One solution to front-running/MEV is to execute transactions in the order that validators receive them, ignoring gas prices (called “fair ordering”). But that actually makes this attack worse! Mallory can then just buy a ticket and call her junky contracts at the same time, and validators will be forced to let her monopolize all blocks until her transactions are finished. In fact, Fomo3D does not work as a game under fair ordering, because it assumes someone can always push to the front of the line and buy a ticket whenever the counter approaches zero.
The second ramification is that Fomo3D is not the only thing running on Ethereum with a countdown timer. Another one is actually an entire platform, called an optimistic rollup. In these systems, a recap of all the transactions running on the platform is periodically published to Ethereum, and people have 7 days to dispute the recap if it is wrong. If no one disputes it, it is considered correct. Optimistic rollups also have a kind of “pot” that a malicious (wrong) recap accepted by Ethereum could drain. Sustaining a block suppression attack for 7 days is a lot harder than the 3 minutes it took to win Fomo3D. But the pots are also a lot bigger. At the time of writing, the biggest optimistic rollup (Arbitrum) is sitting on assets worth $20 billion.
John Kane
John Kane was a video poker addict who played (and lost) so much that he was able to purchase his own personal Game King machine with his loyalty points from a casino he frequented. Playing obsessively in his garage, he discovered a flaw in the game’s logic. By starting new games before wrapping up existing ones, and increasing the betting amounts in the new games, the machine would lose track of what the betting amounts were in the earlier games. The bad code was only reachable if a feature called “Double Up” was enabled on the machine. The machines were everywhere in Vegas, from 7-Elevens to casinos, some with the feature enabled and some without. However, respectable casinos would turn on the feature if you asked nicely.
Kane and an accomplice hit up machines in Vegas and the surrounding areas. Casinos would eventually kick them out for winning too much or disable the “Double Up” feature (not understanding how it was linked to their winnings, just that it was an unusual feature to use so much). No one knows for sure how much they made, but eventually the casinos compared notes with each other and involved law enforcement.
Kane was charged and had the book thrown at him (698 felony counts) before the Feds took over the case, charging him with hacking and conspiracy to commit wire fraud. Kane and his lawyers fought the charges, arguing that the machine allowed the actions: he did not actually hack or exploit the machine, he just played it under its own rules. Eventually, all the charges were either dismissed (adding to a significant judicial backlash against the U.S. hacking laws passed by Congress) or dropped.
I call this the Kane defense and it has resurfaced (in spirit anyway) after hacks of decentralized finance (DeFi) applications running on Ethereum (and other blockchains), where defendants claim they just used the DApps as they were programmed to run. DApps are like vending machines or lottery terminals—anyone can walk up at any time of the day and they will run autonomously (while keeping logs).
Andean “Andy” Medjedovic exploited the Indexed Finance DeFi protocol for $16M (2021) and Avraham “Avi” Eisenberg exploited the Mango DeFi protocol for $115M (2022). Medjedovic claimed the Kane defense on social media before disappearing from law enforcement. Eisenberg ran a variant of it in his trial ("He did nothing more but execute a winning trade"), but the jury did not buy it and convicted him of fraud and market manipulation.