BlockApex (Auditor) was contracted by KaliCo LLC_ (Client) for the purpose of conducting a Smart Contract Audit/Code Review of KaliDAO. This document presents the findings of our analysis which took place from 20th of December 2021
BlockApex 
November 16, 2021 Earning a living through mining blocks in the Ethereum blockchain has become increasingly common. By simply playing with the order of transactions and proposing a block, miners can earn the block reward as well as the corresponding block gas fees. The different forms of value that can be derived from transaction ordering by whoever is producing the block in the Ethereum network is termed as Miner Extractable Value (MEVs).
The competition to earn MEVs is starting to create problems in the Ethereum blockchain. In an attempt to earn as much MEV as possible, miners employ tactics such as Frontrunning and Backrunning. Though technically legal, these techniques are not appreciable in the blockchain world as they create huge congestion in the network.
In an attempt to solve these crises, a research group backed by Paradigm known as Flashbots has emerged. The motive of this organization is to provide infrastructure for others to be able to extract MEV for themselves. In this piece, we will cover their proposals in detail. Before we get into discussing these technicalities, let us get a quick view of the problems emerging from MEVs in the first place.
When Ethereum first began gaining traction, their core insight was to grant developers a new frontier of permissionless apps by using flexible smart contracts. Though this has been largely effective, the MEV crisis has emerged as a novel risk. Below are some of the current problems associated with MEVs.
The term MEV was first coined in early 2019 by Phil Daian as part of a research paper titled “Flash boys: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges”. The paper discussed in detail two forking attacks that a high competition for MEV may bring about.
Deemed as a present threat in Ethereum, undercutting attacks have always been associated with blockchains offering block rewards.
In an undercutting attack, an attacker forks an existing chain by leaving wealthier transactions out in its new block. This is in an attempt to lure dishonest miners to join the fork. Rather than following the longest chain that emerges first, miners break ties by choosing the chain that leaves out the most fees. As miners continue to undercut one other, the system is rendered unstable, reducing predicted income for legitimate miners.
Unlike undercutting attacks, time-bandit attacks are a new type of exploit that directly uses MEV as a strategy. Similar to a 51% attack, the objective of a time-bandit attack is to rewrite Ethereum history and reverse transactions on the blockchain.
In such an attack, miners reorganize past blocks to exploit MEV. For example, if you found very lucrative MEV opportunities in the last blocks, you can put up a proposal to rewrite Ethereum’s history to make a profit from the past opportunity. A reward is then offered to the miner that executes this attack as an incentive.
There are a few strategies miners and DEXs adopt to capture as much MEV as possible. Exchanges may use arbitrage bots in this scenario. These are computer programs that compare coin prices across exchanges to make automated trades that take advantage of price discrepancies. By reordering the transactions, inserting their own transactions, or censoring other people’s transactions, miners are able to capture some profit. Oftentimes prices between different DEXs will get out of equilibrium as well. With arbitrage, you can capitalize on this opportunity. However, as the single party that can order the transactions, miners are the ones that decide who is able to capture it.
Below are some of the strategies they employ.
Also known as Priority Gas Auctions (PGAs), frontrunning is a technique in which bots can quote a price higher than another pending transaction in an attempt to get their transaction mined first. They can then insert a higher transaction fee for placing the order, while the trader who initiated the transaction is forced to pay the price that they didn’t see coming. The profit, which can stretch up to millions of dollars worth of ETH, goes into the pocket of the trader.
This can be better understood with an example:
Alice is a user that initiates a transaction to buy 1000 shares from a company, setting the gas price for this transaction as P1. Bob notices this pending transaction and decides to front-run it by creating his transaction to buy the same shares but with a higher gas price P2. As the gas price of Bob’s transaction was greater, that transaction gets executed first, causing the value of the shares to go up considerably. Alice is forced to then pay more than she intended, while Bob can make a profit.
Backrunning is a technique that does the opposite of frontrunning. Here, the objective is to have a transaction next in line right after a transaction that would benefit you. Traders quote a price slightly lower than another pending transaction in an attempt to get their transaction mined directly afterwards. An example where this may be desirable is having a liquidation transaction immediately following an oracle price update.
Below is an example that can be used to understand this better:
Alice is a user that observes a pending transaction (Transaction A) which may update the oracle price on execution. However, she wants to make sure that her transaction (Transaction B) is only accepted immediately after Transaction A is executed. To achieve this, she can set the gas price for Transaction B as slightly less than the target transaction which is Transaction A so that the chance of her transaction being approved afterward increases. She can further increase her chances by “spamming” with multiple transactions identical to Transaction B in the hopes that one of them is selected successfully.
Research organization Flashbots argues that the competition for MEVs can result in colossal damage to both users of the blockchain and Ethereum itself.
By using the techniques discussed above either individually or in combination (in the case of sandwich attacks), arbitrage bots can manipulate someone into paying much more than they intended. In the end, MEV levies an invisible tax on the user- reaching thousands of dollars in some cases.
However, this does not only affect users of a blockchain. MEVs are contributing to network congestion, chain congestion, and arbitrarily high gas fees all across Ethereum. At a protocol level, MEV creates an issue of consensus stability as well. If MEV becomes larger than the block rewards, miners gain an incentive to reorder transactions in previous blocks for profit instead of continuing with honest mining.
Moreover, the blockchain may even experience a centralization of power within particular traders and miners. This could prove disastrous for Ethereum in the long run, putting the core values of blockchain in jeopardy.
The research organization Flashbots recognizes these problems and promises to contribute by providing potentially effective solutions. Their main objective is to “propose a permissionless, transparent, and fair ecosystem for MEV extraction to preserve the ideals of Ethereum”. Let us discuss the first two phases of their plan in further detail below.
The first step in mitigating the MEV crisis is understanding the current circumstances of the blockchain. The most effective way to achieve this is by quantifying the impact of MEVs and displaying it publicly. For this purpose, Flashbots has built MEV-Inspect or MEV-I for short. MEV-Inspect scans Ethereum blocks, allowing visualization of MEV metrics over time.
In addition to this, Flashbots has built an online dashboard displaying their findings in real-time. MEV-Explore tracks the latest MEV transactions on Ethereum, depicting information categorized by protocol, type, and role.
The current trend of MEV extraction points to a situation where one day the power accumulates to a select few traders or miners. This eventual centralization is highly undesirable for not only Ethereum but any blockchain built on the foundations of decentralization and scalability.
To combat this, Flashbots has created a proof of concept titled MEV-Geth. Acting as an upgrade to the Go-Ethereum client, MEV-Geth functions as a “sealed-bid block space auction mechanism for communicating transaction order preference”. This works to eliminate the problems of chain and network congestion brought about by excessive Frontrunning and Backrunning.
The problem with the current state of our system has to do with the transparency of the network. When a user sends his transaction to a regular transaction pool, the contents of his request are visible to everyone before the transaction is included in a block. Anyone can view this pending transaction and carry out a frontrunning or sandwich attack on it- the dire effects of which have been discussed in detail previously.
The solution to this problem proposed by Flashbots is to withhold the content of a transaction from miners until is mined in a block. If you use the MEV-Geth proof of concept, your transactions get routed privately to the miners and get directly included on the chain. In this way, Flashbots hopes to disincentivize bad behavior like stealing a profitable strategy.
The unfavourable effect brought forth by MEVs continues to gain recognition globally, with many believing the MEV crisis capable of providing serious risk to Ethereum’s future. Some users have even gone so far as to say that MEV has the power to kill the Ethereum network.
So far, it seems as if the efforts of Flashbots have been fruitful. Within a few weeks of the organization going live, over 58% of the Ethereum network hashrate was mining on flashbots. Though it is still too early to say how effective their proposed solutions are, they have managed to succeed in bringing to light just how severe the MEV crisis may be in the long run.
BlockApex (Auditor) was contracted by KaliCo LLC_ (Client) for the purpose of conducting a Smart Contract Audit/Code Review of KaliDAO. This document presents the findings of our analysis which took place from 20th of December 2021
BlockApex 
January 4, 2022 The successful upgrade of the London Hard Fork is a big difference from the fork leading to Ethereum Classic that took place back in 2016. However, despite their divergence, both are milestones in the Ethereum world- guaranteed to have lasting impacts on the blockchain as we know it. Read more to find out the circumstances surrounding each hard fork and the role they may play in shaping Ethereum's future.
BlockApex
August 25, 2021 Jump Defi infrastructure built on NEAR Protocol, a reliable and scalable L1 solution. Jump Defi is a one-stop solution for all core Defi needs on NEAR. Jump ecosystem has a diverse range of revenue-generating products which makes it sustainable.
BlockApex
June 22, 2023 BlockApex (Auditor) was contracted by Voirstudio (Client) for the purpose of conducting a Smart Contract Audit/Code Review of Unipilot Farming module. This document presents the findings of our analysis which took place on _9th November 2021___ .
BlockApex
February 9, 2022 The AI and blockchain integration can help overcome some of the limitations of each technology and create a more secure, transparent, and efficient Web3 ecosystem. This article explores the differences between AI and blockchain, ways to integrate them, use cases, and challenges that need to be addressed.
BlockApex
July 11, 2023 how do we keep the blockchain application safe? Let's walk through some security frameworks for blockchain applications in this blog
BlockApex
October 15, 2022 The Dexible hack affected a total of 17 user accounts, with the majority of losses coming from a single address belonging to BlockTower Capital, a prominent investment firm.
BlockApex
August 25, 2023 the source code review of Lightlink Bridge Validator and Keeper. The purpose of the assessment was to perform the whitebox testing of the Bridge’s validator and Keeper before going into production and identify potential threats and vulnerabilities.
BlockApex
October 6, 2023 The security team at BlockApex decided to test these applications for vulnerabilities that could compromise their data. We knew that the software industry in Pakistan always keeps security out of their toolkit to reduce the cost of development.
BlockApex
June 6, 2022 
