Full Report
The author of this post created a long-tail MEV strategy around the hourly Bean emissions on the Beanstalk protocol. By coordinating with several other MEV searchers, they were able to collectively earn money instead of racing each other until the profit ran to zero. This is a classic prisoner's dilemma problem. After the output decreased by 95%, only a single actor remained. The author decided to get in on the action!

One of the functions sunrise() or gm() needs to be called once an hour with up to a 5 minute delay. The reward amount appears to be dependent on how fast the function was called. The initial strategy is simple: call the same function one second faster than their competitor. If they did this, their competitor would do the same. Eventually, this would hit the minimum award and nobody would be winning. To deal with this game theory issue, they decided to share the rewards. This made sure that A) they maximize the profits coming from the Beans and B) the profits are distributed equally. The overall gain is better in the cooperation case, so this works.

To do this, they created a smart contract called the Pact. Only two people can call the contract. Once the Beans are received, they are split evenly and sent to the two parties. This sounds fine and dandy, but there are some issues: Sybil attacks are real, anyone can undercut at any time, and how do you contact the other person on chain? They tried sending a UTF-8 message but that didn't work. They tried splitting the funds manually and that didn't work. Finally, they tried undercutting the bot, but this led to the other bot doing more undercutting until it ran to zero. After 3 weeks of doing this, the author of the other bot said they would use the new contract instead of their own.

Once they started this up, they ran into a few issues. First, congestion of the chain would lead to higher gas prices. When this happened, the other bot would call the main contract directly and undercut them. Since this wasn't all the time, it was okay.

But then another player entered the game. They thought about burning out the competition but decided to let a third person in. The other bot (second one) tried undercutting the third bot but they stayed around. Eventually, the second bot released a contract that contained a 40-40-20 split. The third bot created a new contract that had a perfectly even split. They thought of ways to fix this problem for themselves: undercut slightly to gain a profit, make a new contract with better proportions, or burn out the competition until they become uninterested. They tried undercutting occasionally but it didn't work; stray bots would come and then race to zero. From there, they created a new pact with the second operator and cut the third out entirely. This new contract also included an escape hatch if one of the parties wasn't co-operating. Overall, a great post into the wild world of MEV and game theory!
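
The payoff argument above, worked through as an added example (not code from the original post). The reward curve, its 1%-per-second rate and the base of 1 Bean are assumptions chosen for illustration, not Beanstalk's actual parameters, and the function names are hypothetical.

```python
BASE, RATE, MAX_DELAY = 1.0, 0.01, 300   # assumed curve, not Beanstalk's parameters

def reward(delay):
    """Beans paid for a call `delay` seconds past the hour (assumed compounding)."""
    return BASE * (1 + RATE) ** min(max(delay, 0), MAX_DELAY)

def undercut_gain(share, delay=MAX_DELAY):
    """One-hour gain from calling one second early instead of taking `share`."""
    return reward(delay - 1) - share * reward(delay)

def race(hours, players=2):
    """Non-cooperation: every hour a rival calls one second earlier than last time."""
    earned, delay, winner = [0.0] * players, MAX_DELAY, 0
    for _ in range(hours):
        earned[winner] += reward(delay)
        winner = (winner + 1) % players   # the loser undercuts next hour
        delay = max(delay - 1, 0)         # floor: the minimum award
    return earned

def pact(hours, shares=(0.5, 0.5)):
    """Cooperation: one call at the full reward, split by fixed shares."""
    return [reward(MAX_DELAY) * s * hours for s in shares]

if __name__ == "__main__":
    hours = 24 * 30
    print("temptation to defect once:", round(undercut_gain(0.5), 2))
    print("race, per bot:", [round(x) for x in race(hours)])
    print("pact, per bot:", [round(x) for x in pact(hours)])
    print("40-40-20 pact:", [round(x) for x in pact(hours, (0.4, 0.4, 0.2))])
```

Under these assumptions a single undercut pays more than an honest half share, which is what makes the situation a prisoner's dilemma, while the repeated race leaves each bot with far less than the pact does.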
Analysis Summary
# Tool/Technique: The Sunrise Pact (Cooperative MEV Smart Contract)
## Overview
The "Sunrise Pact" is a specialized smart contract and automation technique designed for Maximal Extractable Value (MEV) extraction on the Beanstalk protocol. Its primary purpose is to solve the "Prisoner’s Dilemma" in competitive bot environments by enforcing a rewards-sharing mechanism between competing searchers, thereby preventing a "race to the bottom" where profits are consumed by gas wars or premature function calls.
## Technical Details
- **Type:** MEV Extraction Tool / Coordination Smart Contract
- **Platform:** Arbitrum (Ethereum Layer 2)
- **Capabilities:** Automated reward splitting, Sybil resistance via access control, emergency "escape hatch" for non-cooperation.
- **First Seen:** Post dated December 11, 2025 (Refers to a year-long operation starting circa late 2023/early 2024).
## MITRE ATT&CK Mapping
*Note: While MEV is often considered "gray hat" or market activity, its techniques overlap with malicious automated behavior.*
- **[TA0002 - Execution]**
  - **[T1059.006 - Command and Scripting Interpreter: Python]**: Used for the bot logic and monitoring.
- **[TA0006 - Credential Access]**
  - **[T1552.004 - Unsecured Credentials: Private Keys]**: Bots require access to private keys to sign transactions (implied).
- **[TA0040 - Impact]**
  - **[T1496 - Resource Hijacking]**: Exploiting protocol rewards (Bean emissions) for financial gain.
## Functionality
### Core Capabilities
- **Automated Interaction:** Periodically triggers the `sunrise()` or `gm()` functions on the Beanstalk protocol Sun facet to claim hourly rewards.
- **Trustless Splitting:** The contract automatically divides the received Bean tokens (e.g., 50/50 or 40/40/20) and transfers them to the participants' wallets in a single transaction.
- **Whitelisting:** Limits the `caller` permissions to a specific set of addresses (Ecuries) to prevent unauthorized parties from hijacking the payout.
### Advanced Features
- **The "Sunrise Pact" Logic:** A game-theory implementation that discourages undercutting by ensuring both parties profit more through cooperation than through high-frequency competition.
- **Escape Hatch:** A programmatic fallback mechanism that allows a party to exit the pact or bypass the shared contract if one participant stops calling the function or acts maliciously.
- **Latency Monitoring:** Analyzing competitor transaction timing to optimize the "seconds-past-the-hour" call for maximum compounding rewards.
## Indicators of Compromise
- **File Names:** `bot.py`, `sunrise_pact.sol` (Generic names based on common MEV setups).
- **Network Indicators:**
  - `https[:]//pinto[.]money` (Protocol domain)
  - `https[:]//bean[.]money` (Protocol domain)
  - `https[:]//arbitrum[.]foundation/` (Target network RPCs)
- **Behavioral Indicators:**
  - Periodic hourly transactions (exactly on the hour or within 0-300 seconds after).
  - Use of `0xc1c...` and other specific searcher addresses identified in the research.
  - Transactions interacting with the Beanstalk Diamond proxy contract on Arbitrum.
## Associated Threat Actors
- **MEV Searchers:** Independent operators (e.g., Ashiq, 0xc1c) who utilize automation to extract value from protocol emissions.
## Detection Methods
- **Behavioral Detection:** Monitoring the blockchain for accounts that consistently call `gm()` or `sunrise()` functions exactly at the turn of the hour.
- **Contract Analysis:** Identifying smart contracts that receive protocol rewards and immediately distribute them to multiple fixed external addresses (indicative of a revenue-sharing pact).
- **Gas Profiling:** Identifying "gas wars" where two or more addresses repeatedly outbid each other with higher priority fees for the same function call.
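
A sketch of the behavioral and gas-profiling checks above, added here as an example and not taken from the original post or any Beanstalk tooling. The transaction records, addresses and thresholds are constructed, the function names are hypothetical, and it assumes calldata has already been decoded to a method name.

```python
from collections import defaultdict
from statistics import median

HOUR, WINDOW = 3600, 300      # the 0-300 s band after the hour named above
TARGETS = {"sunrise", "gm"}   # assumes calldata is already decoded to a name

def hourly_callers(txs, min_hits=3):
    """Senders calling a target inside the window in >= min_hits distinct hours.
    Returns {sender: median seconds past the hour}."""
    seen = defaultdict(dict)                    # sender -> {hour: first offset}
    for tx in txs:
        offset = tx["ts"] % HOUR
        if tx["method"] in TARGETS and offset <= WINDOW:
            seen[tx["sender"]].setdefault(tx["ts"] // HOUR, offset)
    return {s: median(h.values()) for s, h in seen.items() if len(h) >= min_hits}

def gas_war_hours(txs, min_escalations=2):
    """Hours in which different senders keep outbidding the previous priority fee."""
    by_hour = defaultdict(list)
    for tx in txs:
        if tx["method"] in TARGETS:
            by_hour[tx["ts"] // HOUR].append(tx)
    flagged = []
    for hour, group in sorted(by_hour.items()):
        group.sort(key=lambda t: t["ts"])
        escalations = sum(
            1 for prev, cur in zip(group, group[1:])
            if cur["sender"] != prev["sender"]
            and cur["priority_fee"] > prev["priority_fee"])
        if escalations >= min_escalations:
            flagged.append(hour)
    return flagged

def make_tx(hour, offset, sender, method, fee):
    return {"ts": hour * HOUR + offset, "sender": sender,
            "method": method, "priority_fee": fee}

# Constructed sample data; addresses are placeholders, not real searchers.
SAMPLE_TXS = [
    make_tx(100, 12, "0xaaa", "sunrise", 1), make_tx(100, 20, "0xccc", "transfer", 9),
    make_tx(101, 11, "0xaaa", "sunrise", 1), make_tx(101, 1800, "0xddd", "sunrise", 1),
    make_tx(102, 10, "0xaaa", "gm", 1),      make_tx(102, 15, "0xbbb", "gm", 1),
    make_tx(103, 5, "0xaaa", "sunrise", 2),  make_tx(103, 6, "0xbbb", "sunrise", 3),
    make_tx(103, 7, "0xaaa", "sunrise", 5),
]

if __name__ == "__main__":
    print(hourly_callers(SAMPLE_TXS))   # regular on-the-hour callers
    print(gas_war_hours(SAMPLE_TXS))    # hours with fee escalation
```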
## Mitigation Strategies
- **Protocol Hardening:** Implementing randomized reward timing or auction-based mechanisms to prevent deterministic "first-caller" advantages.
- **Slippage & Priority Fee Caps:** Limiting the maximum priority fee to prevent network congestion from MEV bot wars.
- **Sybil Resistance:** Implementing identity requirements or stake-weighted reward mechanisms to prevent a single actor from creating multiple bot identities to dilute the "Pact."
## Related Tools/Techniques
- **Flashbots:** A more widespread framework for MEV extraction and frontrunning protection.
- **Timeboost:** Arbitrum's transaction ordering policy designed to mitigate latency-based MEV racing.
- **Generalized Frontrunning:** Bots that monitor the mempool to copy and replace profitable transactions.