Top Stories of the Week - 4/7
This week, we write about the U.S. Treasury Department’s report on DeFi, a rocky start to Arbitrum governance, and how an Ethereum validator has been successfully stealing from MEV bots.
U.S. Treasury Slams DeFi in New Report
In a new report, the U.S. Treasury Department wrote that DeFi applications need to comply with U.S. anti-money laundering and sanctions laws. The 39-page report highlights the risks associated with DeFi “services” and analyzes publicly known illicit actors who used them. Brian Nelson, Under Secretary (U/S) for Terrorism and Financial Intelligence, said, “[o]ur assessment finds that illicit actors, including criminals, scammers, and North Korean cyber actors, are using DeFi services in the process of laundering illicit funds.” Treasury’s risk assessment argues that the known illicit activity present on DeFi applications poses a threat to U.S. national security. The report also includes recommendations for U.S. government actions to mitigate the illicit finance risks associated with DeFi applications including:
Strengthening U.S. AML/CFT regulatory supervision of virtual asset activities;
Considering additional guidance for the private sector on DeFi services’ AML/CFT obligations;
Assessing enhancement to address any AML/CFT regulatory gaps related to DeFi services, among others.
Many countries are in the early stages of establishing AML and CFT frameworks for digital assets. Although the report exclusively puts a spotlight on bad actors using DeFi applications, U/S Nelson noted that his mission is to support responsible innovation and ensure that new financial services honor U.S. BSA/AML regulations.
The language in the Treasury’s risk assessment report on DeFi mirrors what EU regulators expressed on this subject, which we reported last week. There is no reason to believe applications that are “decentralized in name only” should be exempt from complying with laws or regulations, but policymakers must also recognize that there are applications that are truly decentralized and thus are structurally incapable of complying with current law. Most importantly, if the enforcement of rules upon DeFi applications that can comply results in the criminalization of decentralized applications that structurally cannot comply, that will be an incredibly unfortunate outcome that outlaws open-source software and handicaps American leadership in financial innovation. Crucially, criminalization of immutable smart contract applications (smart contracts with no admin keys, upgradeability or custodial features) will amount to an unenforceable prohibition. - GP/AT
ArbitrumDAO Governance in Progress
Arbitrum Foundation amends AIP-1 after community backlash. After the launch of the ARB token and new governance framework, the ArbitrumDAO community rejected the Arbitrum Foundation's first governance proposal to structure the ArbitrumDAO (AIP-1) over the 750m ARB token allocation sought by the Arbitrum Foundation for making Special Grants and covering administrative and operational costs. Before the snapshot vote of AIP-1 could be approved, 750m ARB was already sent to the Foundation Administrative Budget Wallet, which then quietly transferred 50m ARB out. This raised questions over the ratification process of AIP-1 and the lack of transparency over spending from the Foundation wallet.
The Arbitrum team addressed those concerns, noting that: (i) the intent when AIP-1 was submitted was for concurrent ratification with the announcement of the DAO, and (ii) the on-chain transfers of ARB that had occurred were for a market making loan to Wintermute and for fiat-conversion to cover operational costs. The Foundation later pledged that it would not move the remaining 700m ARB in the Administrative Budget Wallet, before then publishing a transparency report on the Foundation's initial setup and submitting a revised proposal on April 5 consisting of:
AIP-1.1 (Lockup, Budget, Transparency) proposes an unlock schedule for the remaining 700m ARB and new guidelines that the foundation will not be able to allocate the tokens until community members approve a budget.
AIP-1.2 (Foundation and DAO Governance) proposes amendments to the Arbitrum Constitution that governs the DAO and sets the guidelines for its operations.
Following at least a 72-hour feedback period on the governance forums, these revised proposals are expected to be posted for a Snapshot vote which will last for an additional 7 days.
While AIP-1 was a colossal PR error, the iterative process of AIP-1 and the concessions made by the Foundation are ultimately a win for DAO governance. While the allotment of tokens to a Foundation for strategic spending without requiring initial approval by the community may be standard practice for token launches, the Arbitrum Foundation mishandled its communications around the Administrative Budget Wallet. AIP-1 was presented on Snapshot, where votes are non-binding (Snapshot is intended to serve as an initial temperature check before moving towards binding governance voting through Tally). Instead, the token allocation should have been presented as part of the airdrop acceptance rather than a separate governance proposal. In addition, AIP-1 proposed the ability for the Foundation to issue Special Grants without undergoing a full on-chain AIP process, which was later amended in AIP-1.1 to ensure spending decisions are more transparent and subject to community approval.
It's promising to see the ArbitrumDAO establishing more safeguards and increasing transparency as the Arbitrum team continues to reiterate and demonstrate its commitment towards decentralizing. As Ethereum's premier scaling solution, rollups are held to high decentralization standards. Across all rollups today, sequencers are still operated solely by central teams, but Arbitrum has made meaningful advancements towards decentralizing relative to other rollup teams, including expanding its validator set in November 2022 and setting up a 9/12 Security Council multisig for upgrades (compared to zkSync Era's instant upgradability and Polygon zkEVM's 4/7 Security Council multisig for upgrades, as noted in last week's report on the recent zkEVM mainnet launches).
Arbitrum will continue to be closely scrutinized as Ethereum's most popular L2 by usage and value (it already appears that Optimism is applying learnings from the miscommunications around AIP-1 in its recent public disclosure over the creation of a new treasury wallet for distributing grants). However, the controversy around AIP-1 should not have any lasting impact on the credibility of the ArbitrumDAO. As we have seen with other established DAOs, trust can be restored through transparency, speedy communication, and owning responsibility to the community. -CY
Rogue Ethereum Validator Steals $25mn of MEV From Searchers
On Sunday, April 2, five MEV bots lost roughly $25mn worth of crypto assets after their transactions were exploited by a rogue Ethereum validator. The validator first baited MEV bots by initiating multiple token swaps with infinite slippage on Uniswap pools with deep liquidity. Seeing the opportunity to extract MEV from those swaps, the bots attempted to sandwich the validator’s trades. (As background, MEV stands for maximal extractable value. It is value created from re-ordering the execution of transactions in a block. MEV bots are engineered and operated by searchers, who are specialized actors on Ethereum that identify opportunities to create MEV by monitoring on-chain activity. Normally, searchers exploit user transactions. However, in this case, a sophisticated validator took advantage of searchers by unbundling their transactions and reconstructing them to drain searcher funds. Sandwich attacks frontrun and backrun user trades. Bots make a loss in the first transaction to raise the price of the asset the user is trying to buy. Then sandwich bots make the money back in the second transaction when they sell the asset at a higher price than the initial buy price.)
The sandwich bots that took advantage of the rogue validator’s trades submitted their bundles to a block builder that then packaged searcher bundles along with high priority-fee user transactions to create the contents of a full block. The block was then auctioned off on the ultrasound relay. (Relays are off-chain marketplaces where blocks containing MEV are auctioned off to validators.) Usually, the contents of a block are not revealed to the validator, also called the block proposer, before the block is proposed on-chain. However, the rogue validator was able to unbundle searcher transactions by submitting an invalid block to the relay. Instead of verifying the block, the ultrasound relay accepted the invalid block from the rogue validator and broadcast the contents of the block, revealing searcher transaction bundles. The rogue validator then quickly reconstructed their block, inserting their own transactions to exploit the sandwich attacks, in such a way that the newly constructed block would be accepted and proposed in place of the initial failed block. The validator was able to steal MEV by replacing backrunning transactions with their own.
Several hours after the exploit, the Flashbots team released a patch to prevent relays from prematurely broadcasting the contents of blocks before validation. As MEV relay operators upgraded their software, the ultrasound relay and Flashbots teams discovered another potential attack vector that could result in a malicious block proposer stealing MEV by requesting a block intentionally late in their slot. A slot is a period of 12 seconds during which a block can be proposed. To prevent this type of behavior, Flashbots released a second patch introducing a cutoff point so that relays do not return blocks to the block proposer after 2 seconds. 12 hours after the second patch was released, relay operators began noticing an increase in the number of missed slots, that is, missed block proposals. Chris Hager from the Flashbots team noted on an Ethereum developer call on Thursday, April 6 that the number of orphaned blocks has increased from roughly 10 a day to 4 an hour. The cutoff period has since been increased to 4 seconds to address ongoing issues around missed slots.
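The two relay-side fixes described above (validate the proposer's signed block before revealing its contents, then refuse requests that arrive past a cutoff into the slot) can be modeled as a single release gate. The Go example below is added here for illustration and is not Flashbots' or any relay operator's code; the type and function names, the genesis time and the block contents are all constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Simplified model of a relay's payload-release gate. All names are
// hypothetical; this is not mev-boost-relay code.
const slotDuration = 12 * time.Second // slot length given in the article

var (
	ErrInvalidBlock = errors.New("signed block failed validation, payload withheld")
	ErrTooLate      = errors.New("request after cutoff, payload withheld")
)

// PayloadRequest is the proposer's request for the contents of a block it won.
type PayloadRequest struct {
	Slot       uint64
	ReceivedAt time.Time
	Validate   func() error // stands in for the relay's checks on the signed block
}

type Relay struct {
	Genesis time.Time     // start of slot 0 (constructed value in main)
	Cutoff  time.Duration // 2s in the second patch, later raised to 4s
}

// Release returns the block contents only when the signed block validates
// and the request arrives within Cutoff of the start of its slot.
func (r Relay) Release(req PayloadRequest, contents string) (string, error) {
	if err := req.Validate(); err != nil {
		return "", fmt.Errorf("%w: %v", ErrInvalidBlock, err)
	}
	slotStart := r.Genesis.Add(time.Duration(req.Slot) * slotDuration)
	if offset := req.ReceivedAt.Sub(slotStart); offset > r.Cutoff {
		return "", fmt.Errorf("%w: %s into slot", ErrTooLate, offset)
	}
	return contents, nil
}

func main() {
	genesis := time.Unix(1700000000, 0) // constructed genesis time
	valid := func() error { return nil }
	req := PayloadRequest{Slot: 5, ReceivedAt: genesis.Add(5*slotDuration + 3*time.Second), Validate: valid}
	for _, cutoff := range []time.Duration{2 * time.Second, 4 * time.Second} {
		_, err := Relay{Genesis: genesis, Cutoff: cutoff}.Release(req, "bundle txs")
		fmt.Printf("cutoff=%s request at 3s: err=%v\n", cutoff, err)
	}
}
```

An honest proposer whose request lands 3 seconds into the slot is refused under the 2-second cutoff and served under the 4-second one, which is the trade-off behind the rise in missed slots.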
In addition, a day following the exploit, there was a coordinated effort to report the rogue validator for misbehavior and have the validator slashed, meaning penalized, for proposing two blocks during a single slot. According to the rules of Ethereum’s Consensus Layer (CL), this type of misbehavior only results in the loss of roughly 1 ETH. Once reported, the principal staked ETH balance of Validator 552061 dropped from 32 ETH to 31 ETH and they were forcefully exited from the network. To be clear, the slashing event that occurred on Monday was not a social slashing event, which occurs when social rules and norms are enforced through a minority consensus of validators. When existing consensus rules are broken, validators that report malicious behavior are rewarded by the network. As one commentator on Twitter notes, the information needed to report Validator 552061 had to have been intentionally leaked by the relay operator. Further analysis on the activity history of Validator 552061 revealed that the validator node operator may have spun up 16 other validators in a well-planned and premeditated attempt to bait sandwich bots starting as early as March 8.
Also on the topic of MEV-related news this week, on Wednesday, April 5, a consortium of well-known MEV actors including but not limited to decentralized exchange CowSwap, MEV builder Beaver Build, and MEV relay Agnostic, announced the launch of a new MEV middleware to route user transactions through a network of searchers that do not frontrun or sandwich. Called MEV Blocker, participating searchers bid to backrun user transactions. 90% of profits collected by MEV Blocker is returned to users, with 10% being doled out to validators. End-users can opt-in to MEV Blocker by changing the RPC endpoint of their Ethereum wallet.
The MEV landscape on Ethereum has been changing in major ways since the Merge, Ethereum’s transition to proof-of-stake (PoS), and the advent of MEV-Boost. Sunday’s events highlight how dynamics between searchers, builders, and relays continue to evolve and reveal new edge cases where the incentives put in place to encourage honest behavior between these actors can break down. Despite slashing penalties to keep validators honest and relay designs to protect the privacy of searcher bundles, a rogue validator was able to identify a lucrative MEV opportunity that exploited a loophole in relay design and was still profitable even after a slashing event. Ethereum core developers like Geth developer Marius van der Wijden have insisted that the issues are not indicative of critical design flaws in the protocol of Ethereum, but rather indicative of mistakes by “service providers” like MEV relay operators and the Flashbots team.
While MEV-Boost builder, relay, and proposer software are indeed all optional add-ons to the core protocol of Ethereum, they are the easiest way for validators to earn additional rewards from MEV and are run by over 75% of validators. It is also the only legitimized way to earn MEV as a validator given that the marketplace for third-party block auctions was designed by the Flashbots team in partnership with Ethereum client teams. For these reasons, while MEV-Boost software may not be core to Ethereum, it is a core piece of technology to the security providers of Ethereum (validators) and, therefore, it is important that it is maintained and designed without bugs or loopholes. A failure in MEV-Boost software that causes validators to fall back on local block production for an extended period of time may motivate the creation of alternative forked versions of Ethereum clients and MEV-Boost that allow validators to earn MEV rewards albeit in a non-standardized and perhaps more privatized way. So, brushing off bugs in MEV-Boost like they’re not Ethereum’s problem is misguided in this author’s opinion.
Sunday’s events have reinvigorated conversations around enshrined proposer-builder separation (PBS). MEV-Boost software was an intermediary technology developed by Flashbots and the Ethereum Foundation as a temporary measure to discourage validators from becoming specialized and highly skilled in extracting MEV. For a detailed breakdown of MEV-Boost and the ways in which the software has impacted the MEV supply chain on Ethereum, read this Galaxy Research report. MEV-Boost relies on trusted intermediaries to broker block auctions between builders and proposers. These intermediaries are relays, and enshrined PBS would replace relays such that the Ethereum protocol itself can trustlessly facilitate third-party block auctions in a private and secure manner. Enshrined PBS sounds great, but the practical realities of how to implement the technology and what privacy tools are needed to make it possible remain unclear and require intensive research. In Flashbots’ post-mortem of this week’s events, they stress that more contributions from security researchers, developers, and other members of the Ethereum community are greatly needed to move the ball forward on enshrined PBS and improvements to MEV-Boost in the meantime. One key benefit to the implementation of MEV-Boost before enshrined PBS that should not be overlooked is the fact that MEV-Boost acts as a testing ground for early iterations of PBS before it does become core to the protocol of Ethereum. -CK
OpenSea plans to launch a new ‘pro’ platform
Euler hacker returns $31 million, marking end to ‘recoverable funds’ in DeFi exploit
Bitcoin miners report best monthly revenues in 10 months
Citi: Tokenized securities market could reach $4 trillion by 2030
Magic Eden rolls out Bitcoin Ordinals NFT creator launchpad
Lido stakers can expect ETH withdrawals 'No sooner than early May'
BNB Chain prepares for Planck hard fork to enhance cross-chain security
Avalanche launches Evergreen Subnets for institutional blockchain deployments