A front runner who took $1B from an Australian DeFi platform, got salty after they put in place protections that zeroed out his balance.
Front running bots exploit an oracle service to read the next update and insert a transaction before it goes through, enabling them to create risk free profits.
Micky reported in June, a bot owner had uncovering a bug in the platform that he exploited to amass $1 billion of Synthetic Ether. (A ‘synthetic’ token is one that is tied to the price of a different currency but doesn’t convey any ownership.)
The user Onyx, who claims he actually netted $11.5B, struck a deal with Synthetix to return the tokens in exchange for a $40,000 bug bounty.
But after Synthetix put in place defences against his attacks, the bot owner has taken to Reddit to complain of unfair treatment and to attack the project as being “too centralised”.
Synthetix is Australia’s most successful ICO (formerly Havven) and its Synthetix Network Token (SNX) has increased by more than 800% since April.
It is currently third on the DeFi pulse leaderboard with $42.9m locked up, just behind Maker and Compound.
Onyx claims he was stabbed in the back
Onyx said Synthetix founder Kain Warwick – the Australian Blockchain innovator of the year – had agreed at the time he could keep running the bot to enable Synthetix to harden the platform to the attacks.
He claims Warwick had told him Synthetix wouldn’t “modify the balances”.
“Turns out he just wanted to backstab me once I hit $100k synths balance by increasing the fee to 99% [of the value of the total trade] when one of my transactions was in the mempool …
“Taken aback by the breaking of our agreement, I made a defense to his fee attack and started attacking just for the sake of attacking with intent to damage the system as revenge. I got up to $100k again.
“Kayne and the team decided they didn’t want to pretend they had a decentralized system any more and deleted my balance. They reduced the price of the synth I was currently holding and forced me to trade my synth for sUSD. They can do this to anyone.”
Highlights the ‘centralised’ nature of Synthetix
While it might seem understandable that a platform would defend itself against a user who is “attacking for the sake of attacking” Onyx said the fact the platform can just zero out balances highlighted the fact the project is way too centralised.
“I’m not a white knight, but I’m also not the bad guy. A bad guy would have dumped the $11.5B on markets once Kayne agreed to re-enable trades on the platform after we came to our deal. My point is in exposing them because synth team is trying to bribe their way in to being on Compound.
“Don’t let centralized systems infect DeFi.”
Impossible to actually liquidate $11.5B (or $1B)
It would have been impossible to “dump the $11.5 billion on markets” as the profits were theoretical and not actually backed by SNX collateral.
Onyx conceded the most he could have made was $100,000 to $200,000 by “dumping on exchanges and Uniswap”.
However the incident does reinforce criticisms of the platform that it is too centralised and the devs are able to free or confiscate balances.
Founder responds to ‘script kiddie’
Warwick said Onyx had been spreading FUD in the Synthetix Discord for month, and dismissed him as a “script kiddie who has repeatedly stated he is trying to destroy the project as revenge for being prevented from stealing from SNX holders through front running.”
Warwick said they were unable to stop him from using his bot to attack the system, so they put in progressive upgrades in to thwart his attacks – and its partly these very protections Onyx is now complaining about.
“All of the (frontrunning protections) used a combination of the oracle and existing functionality to allow for a synth to be purged to defeat his bots and reduce the balance to zero. But to think that somehow his stolen funds should not have been at risk is frankly laughable.”
“We have openly stated many times that we have the ability to upgrade the system, including the ability to redeploy contracts with modified balances.”
Warwick said that if the penalty for attacking hadn’t included a loss of funds then Onyx would right now be trying to write a more effective bot rather than complaining about it on Reddit.
“You can decide who is the victim in this situation, SNX holders or some random attacker who was paid a generous bug bounty,” he said.
Statement detailing Synthetix’s actions
In a statement this morning Warwick detailed the chronology of the attacks and Synthetix’s response to them.
He pointed out that Synthetix didn’t technically delete Onyx’s balance, rather they implemented a “slashing condition into the oracle” which was supported by the community.
“It didn’t target one wallet, it targeted any wallet that met the slashing conditions,” he said.
“We needed some kind of slashing condition, otherwise the optimal strategy would always be to attack. So we implemented a slashing condition and his bot was caught by it and slashed.”
Centralised criticism strikes a chord
Onyx’s criticisms of Synthetix as being too centralised struck a chord with some Reddit users including idiotsecant who wrote:
“This episode has exposed a simple and central flaw with Synthetix: Your money is not your money. Your money is property of Synthetix, who lets you use it as long as you aren’t using it in a way they disapprove of.”
Nebuchadezar agreed: “f— synthetix then, regardless of what they accomplish in the future, we should never use their crap anymore.”
But other users jumped in to defend Synthetix.
“The team has never claimed that they are 100% decentralized. This is an early project and there is a trade-off between full decentralization and speed,” zakholdsworth wrote.
“If the team had not moved like lighting to address this front running issue the entire protect could have been wiped out.
“They are slowly stepping towards removing themselves from the mix.”
*The author holds SNX tokens.
We've had front running bots on the sETH pool in @UniswapExchange for a while. Several community members noticed the bots were flawed. Bot griefing attack ensues, $400k in volume generated in a day paying about $10k to sETH LP's. @synthetix_io community is brutally efficient. pic.twitter.com/vDJ3ia0uhF
— kainwarwick.eth (@kaiynne) September 5, 2019