Full Report
Different types of bot actions with frontrunning/backrunning with various markets: Sandwiching: Increase the price of the asset, let the trade happen, then trade back to make a profit. Sniping: Buy coins or assets as soon as they are listed. Backrunning: Arbitrage price inefficienies within an AMM. Usually the result of large trades. Just in time liquidity: Provide assets for a very short period of time for a single trade. Then, remove the assets after the trade to get the fees for providing liquidity. Only valuable for large trades. This talk is about creating a backrunning bot that are mathematically optimal, which was prior to flashbots. The goal is to arbitrage (go from market A to market B to make a profit from the spread of the price) the differences between various pools. The author treats this as a graph theory problem where each token is a node and each AMM is a line to a different node. Using this, we can find a list of tokens to AMMs that could make a profit. The first step is getting all of the data. These are pairs with tokens that have value (not meme coins) and the ratio (price) of these in the pool. From there, the author does an initial pass of these tokens from WETH to another token to see if the value went up or down in a breadth-first search pattern to see if the trading situation is good. If not, these tokens/pools are simply dropped. Next, a depth first search is performed to find the best cycle possible. With the removal of meme coins and bad pools, this makes the search space tenable. To find the most optimal amount to trade on Uniswap is fairly easy. With Balancer, this is a much more complicated problem with the amount of tokens at place. So, this required using Newton's Method to find the profitability of various operations. To execute this, the transaction is put on the network; but the work isn't done. Now, we need to check to see if there's any competition. If there's a collision in the tx.data, we need to see if our transaction will go through first or not. If it won't then will "fold" our previous transaction sent to minimize the loss, which is done by checking profitability at run time. We could also raise our gas price to see to try to get the transaction executed first. Folds are important because only a single person can win the arbitrage. Additionally, there is some game theory here. The goal isn't to win a single opportunity; it's to win the most over time. So, sometimes, losing money by raising is more optimal than letting your opponent win. Over time, if you have a deeper pocket, you'll knock competitors out of the market. Obfuscating the code that is running to prevent people from doing this as well. To make this more efficient, there are many things that you can do. First, caching is crucial. The paths can be cached and only updated on changes. This also goes for network requests for the pair information as well. How is slippage dealt with on these calls? I'm not 100% sure. However, I've got some thoughts. Putting a transaction in the mempool will result in one of the pools being arbitraged or changed from a simple trade. If we can use the right amount of gas to ensure we're at the beginning of a block, this doesn't matter though. Additionally, there is a time of check vs. time of use (TOCTOU) issue, since the blockchain is always being updated. From my understanding, there's a gap (since transactions happen in blocks) so this isn't as much of a problem though. At the end, the speaker gives advice on how to get into this: find a niche. JaredFromSubway will kill you if you try to start in his territory. So, finding a weird protocol on some sidechain with little competition works well for starting off. Then, you can work your way up to bigger and bigger things as you learn and build out infrastructure. Overall, a good trip into the dark forest of MEV. It's fascinating seeing the optimization that goes into all of this.
Analysis Summary
# Tool/Technique: MEV (Maximal Extractable Value) Arbitrage & Backrunning Bot
## Overview
This technical overview describes the architecture and deployment of automated Maximal Extractable Value (MEV) agents, specifically focused on "Backrunning." The primary goal of these tools is to identify price inefficiencies between Automated Market Makers (AMMs) and execute mathematically optimal trade cycles within the "Dark Forest" (Ethereum's mempool) to extract profit from decentralized finance (DeFi) ecosystems.
## Technical Details
- **Type:** Automated Trading Tool / MEV Bot
- **Platform:** Ethereum Virtual Machine (EVM) compatible blockchains (Ethereum, Sidechains, L2s)
- **Capabilities:** Graph-based pathfinding, sub-millisecond competitive analysis, Newton's Method optimization, transaction obfuscation.
- **First Seen:** Post-2020 DeFi Summer; popularized prior to the Flashbots era.
## MITRE ATT&CK Mapping
*Note: MEV activities often fall under "Financial Impact" or "Abuse of Functionality" within blockchain-specific threat models.*
- **[TA0002 - Execution]**
- **[T1204 - User Execution]** (Victim traders unintentionally triggering the bot via their own swaps).
- **[TA0007 - Discovery]**
- **[T1046 - Network Service Scanning]** (Continuous monitoring of the mempool/P2P layer for pending transactions).
- **[TA0005 - Defense Evasion]**
- **[T1027 - Obfuscated Files or Information]** (Smart contract bytecode obfuscation to prevent logic theft).
- **[Abuse of Functionality]** (Non-standard MITRE)
- Exploiting AMM mathematical models and transaction ordering.
## Functionality
### Core Capabilities
- **Graph-Theory Pathfinding:** Treats tokens as nodes and AMM liquidity pools as edges. It utilizes Breadth-First Search (BFS) to identify viable pairs and Depth-First Search (DFS) to locate profitable cycles (e.g., WETH -> Token A -> Token B -> WETH).
- **Data Acquisition:** Real-time ingestion of on-chain pool ratios and liquidity depths, excluding high-volatility "meme coins" to maintain capital safety.
- **Backrunning:** Specifically targets large trades that move the price in one pool, then instantly executes a counter-trade to rebalance the price and capture the spread.
### Advanced Features
- **Newton's Method Optimization:** Mathematical modeling used to calculate the exact optimal input amount for complex liquidity pools (like Balancer) where multi-token ratios make standard algebra insufficient.
- **Competitive Collision Detection:** Real-time monitoring of `tx.data` in the mempool. If the bot detects a competitor’s transaction with identical parameters, it triggers a "Fold" mechanism (aborting the trade at runtime) to minimize gas loss.
- **Gas War Logic/Game Theory:** Includes logic to enter "Price Wars" where the bot intentionally bids higher gas prices to knock competitors out of the market, a strategy aimed at long-term market dominance rather than short-term gain.
- **Caching & Efficiency:** Implements path caching and optimized network request cycles to reduce latency between block updates.
## Indicators of Compromise
- **File Hashes:** N/A (Tools are typically proprietary and run in private environments).
- **Network Indicators:** Frequent connections to high-performance RPC nodes (e.g., `https[:]//infura[.]io`, `https[:]//alchemy[.]com`, or private Geth nodes).
- **Behavioral Indicators:**
- Transactions consistently appearing immediately after large "whale" trades within the same block.
- Contract interactions with high "Slippage" or "Revert" rates if a fold mechanism fails.
- Frequent use of `WETH` (Wrapped Ether) as a base pair for cycles.
## Associated Threat Actors
- **MEV Searchers:** Independent developers or sophisticated quant groups (e.g., JaredFromSubway.eth).
- **Arbitrage Bots:** Specialized automated agents operating in competitive niches.
## Detection Methods
- **Mempool Analysis:** Monitoring for "Flashbots" private bundles or high-gas transactions targeting specific liquidity pool addresses.
- **Instruction Trace Mining:** Detecting "Fold" logic in smart contracts where the code checks `gasprice` or pool balances before execution to decide whether to revert.
- **Sequence Mapping:** Identifying patterns where Address X always interacts with Pool Y within 1-2 blocks of Address Z's trade.
## Mitigation Strategies
- **Private RPCs:** Using services like Flashbots Protect to bypass the public mempool, preventing bots from seeing transactions before they are confirmed.
- **Slippage Limits:** Users can set tight slippage tolerances to make backrunning or sandwiching mathematically unprofitable for the bot.
- **Batch Auctions:** Using protocols (like CoW Protocol) that aggregate trades to eliminate the MEV advantage.
## Related Tools/Techniques
- **Sandwiching:** A more aggressive technique involving both frontrunning and backrunning a victim trade.
- **Sniping:** Automated buying of tokens at the exact moment of liquidity addition.
- **Just-In-Time (JIT) Liquidity:** Providing concentrated liquidity for a single transaction and removing it immediately to capture fees.