July 2023 GMC Call for Bounty Applications - Deadline is July 15th

MEV Theft Reporting

What is the nature of the proposed bounty?

There is very little visibility into whether MEV theft is happening, how frequently, how damaging, etc.
We may not be able to get exact answers, but we should get close.

Detail level

  • For each MEV-boost block, check if an acceptable fee recipient was used
  • For each vanilla block, calculate how much was lost by not using MEV-boost

High level

  • Losses due to wrong fee recipient
    • Total ETH
    • ETH per period
    • Effect on APR
  • Losses due to not using MEV-boost
    • Total ETH
    • ETH per period
    • Effect on APR
  • Distribution of MEV-boost bids for
    • All blocks
    • All RP blocks
    • ★ All RP blocks that use MEV-boost w/correct fee recipient
    • ★ All RP blocks that use MEV-boost w/wrong fee recipient
    • ★ All vanilla RP blocks

The starred items are the real meat of this work.
If those distributions look mostly the same, then we can be confident there’s negligible theft ongoing.

Required:

  • Use bid information from Flashbots
  • Provide data and code in a way that can be easily run by a technical person
  • Provide a report that can be read by anyone

Stretch:

  • Use bid information from more relays (up to all of the supported ones)
  • Make a dashboard enabling non-technical users to browse the data

Must the results of this project be entirely open source (MIT, GPL, Apache, CC BY license or similar)? If not, which parts will not be, why, and under what license will they be published?

Yes - it’s important that others can audit and build upon this work.

Benefits - enter N/A where appropriate

If the bounty is successfully completed, how does this help people looking to stake ETH for rETH?

They can feel more confidence in rETH (or be better informed about the issues).

If the bounty is successfully completed, how does this help rETH holders?

They can feel more confidence in rETH (or be better informed about the issues).

If the bounty is successfully completed, how does this help people looking to run a Rocket Pool node for the first time?

N/A

If the bounty is successfully completed, how does this help people already running a Rocket Pool node?

N/A

If the bounty is successfully completed, how does this help the Rocket Pool community?

They can feel more confidence in rETH (or be better informed about the issues). It also helps the pDAO understand how urgently (or not) this needs to be addressed.

If the bounty is successfully completed, how does this help RPL holders?

What’s good for rETH is, long term, good for RPL.

What other non-RPL protocols, DAOs, projects, or individuals, would stand to benefit from the bounty being successfully completed?

None directly; but the code is open source, so similar projects could leverage it.

Will the results of the completed bounty be open source?

Yes

Work and Verification

What steps would be entailed in completing the bounty? Do successful examples of such work exist elsewhere?

  • Share a git repository with relevant code
    • Include relevant data and/or where the data can be sourced
  • Share a report that can be easily shared
  • Stretch: share an online dashboard to help non-technical users explore this data

How long is the proposed bounty available for? Is it awarded to the first team to successfully claim it, or is it in some way divided among all such successful claims in the proposed availability period?

First successful submitter gets credit. If they did not complete the stretch goals, someone else may still claim those portions of the bounty.

Who will test any products submitted for claiming the bounty?

The GMC should work with a highly technical community member that can sanity check the code and conclusions.

What are the acceptance criteria for awarding of the bounty?

The GMC have gained confidence that the data and analysis meet the goals.

Payment

How much RPL is the applicant requesting for successful completion of the bounty?

$15,000-20,000 for the core deliverable
I know this is quite a bit. To me this work is currently critical.

We are not actively penalizing fee recipient issues or the use of vanilla blocks.
This only makes sense if we have evidence that the system is working well.
Right now we don’t have that evidence.

Stretch goals:

  • Up to $2000 for additional relays
  • Up to $5000 for a non-technical dashboard (the full price would be for a highly informative dashboard with a strong UX)

Note: @jcrtp has a significantly manual method to answer the “wrong fee recipient” portion. If this is made into a generally usable tool, then it would slightly reduce the scope of the work - maybe $2-3k less?

Conflict of Interest

Does the person or persons proposing the bounty have any conflicts of interest to disclose? (Please disclose here if you are a member of the GMC or if any member of the GMC would benefit directly financially from the successful completion of the bounty).

There’s some chance I will compete for this bounty or work on a team competing for it.

Will the applicant, or any protocol or project in which the applicant has a vested interest (other than Rocket Pool), benefit financially if the bounty is successfully completed?

Only if I end up doing the bounty or part of it.

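The per-block checks under "Detail level" and the comparison of the starred bid distributions can be sketched as follows. This is an added example, not code from the post or from any bounty submission. The record fields, the placeholder addresses, the sample blocks and both loss rules (full reward counted as lost on a wrong fee recipient; best relay bid minus actual reward on a vanilla block) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data; field names and placeholder addresses are assumptions.
ACCEPTABLE = {"0xSMOOTHING_POOL_PLACEHOLDER", "0xFEE_DISTRIBUTOR_PLACEHOLDER"}
OK, BAD = "0xSMOOTHING_POOL_PLACEHOLDER", "0xUNKNOWN_PLACEHOLDER"

def blk(rp, boost, recipient, max_bid, reward):
    return {"rp": rp, "mev_boost": boost, "fee_recipient": recipient,
            "max_bid_eth": max_bid, "reward_eth": reward}

BLOCKS = [
    blk(True, True, OK, 0.04, 0.04), blk(True, True, OK, 0.06, 0.06),
    blk(True, True, OK, 0.30, 0.30),
    blk(True, True, BAD, 0.90, 0.90), blk(True, True, BAD, 1.20, 1.20),
    blk(True, False, OK, 0.05, 0.02), blk(True, False, OK, 1.50, 0.03),
    blk(False, True, BAD, 0.08, 0.08),
]

def classify(b, acceptable=ACCEPTABLE):
    """Place a block in one of the starred groups, or 'non_rp'."""
    if not b["rp"]:
        return "non_rp"
    if not b["mev_boost"]:
        return "rp_vanilla"
    return "rp_mev_ok" if b["fee_recipient"] in acceptable else "rp_mev_wrong"

def summarize(blocks):
    """Per group: the bid distribution and the ETH lost under the assumed loss rules."""
    out = defaultdict(lambda: {"bids": [], "loss_eth": 0.0})
    for b in blocks:
        group = classify(b)
        out[group]["bids"].append(b["max_bid_eth"])
        if group == "rp_mev_wrong":      # assumption: the whole reward was diverted
            out[group]["loss_eth"] += b["reward_eth"]
        elif group == "rp_vanilla":      # assumption: loss = best bid minus actual reward
            out[group]["loss_eth"] += max(0.0, b["max_bid_eth"] - b["reward_eth"])
    return dict(out)

def ks_statistic(a, b):
    """Largest gap between two empirical CDFs: 0 = same shape, 1 = no overlap."""
    if not a or not b:
        return None
    return max(abs(sum(x <= p for x in a) / len(a) - sum(x <= p for x in b) / len(b))
               for p in set(a) | set(b))

if __name__ == "__main__":
    s = summarize(BLOCKS)
    for g in ("rp_mev_wrong", "rp_vanilla"):
        print(g, round(s[g]["loss_eth"], 4), ks_statistic(s["rp_mev_ok"]["bids"], s[g]["bids"]))
```

A gap near 0 between the correct-recipient group and the other two matches the "distributions look mostly the same" case; a large gap concentrated at high bids is the pattern the report would need to explain.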