Tuesday, November 3, 2020

The Order Flow

The MacGuffin in the last two books of William Gibson's Blue Ant trilogy is Chombo, a reclusive hacker. In Spook Country he tracks a container full of US currency, and in Zero History:
"It's the order flow, isn't it?" Milgrim had had no intent to ask this at all. Hadn't been thinking off it. Yet it had emerged. His therapist had told him that ideas, in human relations, had lives of their own. Were in a sense autonomous.
"Of course"
"That's what Chombo was doing. Finding the order flow."
"He found it a week before they kidnapped him, but his work, to that point, would have been useless, Without him, I mean."
"And the market, the whole thing, it's no longer real? Because you know the future?"
"It's a very tiny slice of the future. The merest paring. Minutes."
"How many?"
Bigend had glanced around the empty lounge. "Seventeen, presently."
"Is that enough?"
"Seven would have been entirely adequate. Seven seconds, in most cases."
Entirely adequate to make Hubertus Bigend much, much richer, because knowing the order flow allows him to front-run the transactions.

Wikipedia defines front-running thus:
Front running, also known as tailgating, is the prohibited practice of entering into an equity (stock) trade, option, futures contract, derivative, or security-based swap to capitalize on advance, nonpublic knowledge of a large ("block") pending transaction that will influence the price of the underlying security. ... A front running firm either buys for its own account before filling customer buy orders that drive up the price, or sells for its own account before filling customer sell orders that drive down the price. Front running is prohibited since the front-runner profits from nonpublic information, at the expense of its own customers, the block trade, or the public market.
Follow me below the fold for a discussion of why the architecture of cryptocurrencies means that no-one needs Chombo's mysterious skills to front-run the order flow.

Neither Wikipedia nor Gibson correspond to current reality. First, in practice most front-running involves notionally public information. High-frequency traders (HFT) co-locate their servers with the exchange's servers so that they see, and can act on, public orders milliseconds not minutes ahead of less fortunate market participants. Second, the prevelance of HFTs led large traders to shun the public markets in favor of "dark pools":
In finance, a dark pool ... is a private forum ... for trading securities, derivatives, and other financial instruments. ... The bulk of dark pool trades represent large trades by financial institutions that are offered away from public exchanges like the New York Stock Exchange and the NASDAQ, so that such trades remain confidential and outside the purview of the general investing public. ... One of the main advantages for institutional investors in using dark pools is for buying or selling large blocks of securities without showing their hand to others and thus avoiding market impact as neither the size of the trade nor the identity are revealed until some time after the trade is filled.
That was the idea, but as usual the lure of profit crept in:
When conventional “lit” markets became overrun with HFT bots, investment banks offered large investors “dark pools” where they could trade with each other without the risk of being front-run by algos. But Barclays allowed HFT bots into its dark pool, where they happily front-run unsuspecting investors who thought they were safe. Eventually Barclays was caught and forced to drain its dark pool. In 2016, it was fined $70 million for fraud. It was not the only large bank that accepted money from large investors to protect them from HFT bots and money from HFT traders to allow them access to the investors it was supposed to be protecting.
How does this relate to cryptocurrencies? The fundamental reason for basing cryptocurrencies on a blockchain was to implement an immutable public ledger of transactions maintained by a large number of independent "miners". By decentralizing the system in this way, the goal was to avoid the need to trust third parties, such as the banks and brokers in the "fiat currency" and equity market systems.

In order to be truly decentralized, each miner must choose for itself which transactions to include in the next block. So there has to be a pool of pending transactions visible to all miners, and thus to the public. It is called the mempool. How do miners choose transactions to include? Each transaction in the pool contains a fee, payable to the miner who includes it. Miners are coin-operated, they choose the transactions with the highest fees. The mempool concept is essential to the goal of a decentralized, trustless cryptocurrency.

Source
Transactions can sit in the pool waiting to be included for quite a while. As I write the 7-day average count of the number of transactions in the Bitcoin mempool is around 100K. The 7-day average count of Bitcoin transactions confirmed per day is around 250K. The average transaction sits in the mempool for around 10 hours. Of course, this is the average of a highly skewed distribution. But Bitcoin's 10-minute block time gives bots ample time to front-run. Ethereum's mempool currently contains about 150K transactions. At around 1M transactions/day this is around 3.5 hours worth.

Source
The mempool is like public equity markets in the ease with which transactions can be front-run. Dan Robinson and Georgios Konstantopoulos found this out the hard way, and in Ethereum is a Dark Forest they recount the horror story:
It’s no secret that the Ethereum blockchain is a highly adversarial environment. If a smart contract can be exploited for profit, it eventually will be. The frequency of new hacks indicates that some very smart people spend a lot of time examining contracts for vulnerabilities.

But this unforgiving environment pales in comparison to the mempool (the set of pending, unconfirmed transactions). If the chain itself is a battleground, the mempool is something worse: a dark forest.
Their post is a must-read. So is Escaping the Dark Forest, Samczsun's account of how:
On September 15, 2020, a small group of people worked through the night to rescue over 9.6MM USD from a vulnerable smart contract.
The key point of Samczsun's story is that, after the group spotted the vulnerability and built a transaction to rescue the funds, they could not put the rescue transaction in the mempool because it would have been front-run by a bot. They had to find a miner who would put the transaction in a block without it appearing in the mempool. In other words, their transaction needed a dark pool. And they had to trust the cooperative miner not to front-run it.

Ether miners 11/2/20
Ethereum is, fortunately, very far from decentralized, being centralized around a small number of large pools. Thus, the group needed a trusted pool not an individual miner. The three largest pools mine more than half the blocks between them, so only three calls would be needed to have a very good chance that the transaction would appear in one of the next few blocks.

The lesson here should be obvious. Just as economics forces theoretically decentralized blockchain-based systems in practice to be centralized, economics forces theoretically trustless blockchain-based systems in practice to require trusting third parties. As in the case of Barclays, some of the time the trusted third party will succumb to their economic incentive to rip off their clients.

The problem isn't new. David Gerard points out that front-running was among the dangers outlined in 2017's The Cost of Decentralization in 0x and EtherDelta by Iddo Bentov et al of Cornell:
Vulnerability to miner frontrunning: Order cancellations are a common feature of decentralized exchanges (after all, an exchange with no cancellation ability may not be useful in a volatile market), and their on-chain nature renders these cancellations particularly vulnerable to miner frontrunning; the miner of the next block will always have the option to execute cancelled orders with themselves as the counterparty, potentially profiting from such an order. To add injury to insult, the miner even collects gas costs from a user’s failed cancellation."
Frances Coppola's Ethereum, Dark Forests and the Limits of Transparency provides an elegant description of the problem using the analogy of baby iguanas running the gauntlet of hungry snakes on their way to the safety of rocks:
Crypto’s transparency was supposed to eliminate the need for trusted third parties like Barclays. But if transactions can’t clear the mempool without being front-run, copied or stolen, people will inevitably try to find ways of escaping from the mempool. And those ways are likely to involve trusted third parties – though perhaps not investment banks.

In “Ethereum Is a Dark Forest,” DeFi investors Dan Robinson and Georgios Konstantopoulos describe how they tried to outrun the snakes in the mempool. Sadly, they succeeded only in drawing attention to the money they were trying to claim, which of course had not been claimed by anyone else because everyone knew the snakes would get there first.

Robinson and Konstantopoulos came up with some useful advice for wannabe iguanas, notably “snakes are real” (though they call them “monsters”) and “stick to the plan.” But it was this paragraph that caught my eye:

“Better yet, if you happen to know a miner (we didn’t), you could have them include the transaction directly in a block, skipping the mempool – and the monsters – entirely.”
...
There’s clearly a profit opportunity here for miners. Some are no doubt already exploiting it. But those who would rely on the helping hands offered by apparently friendly miners might want to remember what happened to the investors who trusted Barclays.

After all, it’s survival of the fittest, in the crypto world. And no-one is going to prosecute a miner for fraud if you pay them to pick your trade up early but they delay just long enough for it to be front-run. In the crypto world, even more than in conventional markets, there is no such thing as a “trusted third party.” If you trust someone, you are probably going to be ripped off.

The crypto world eschewed trust in favor of transparency. But transparency doesn’t solve the problem of untrustworthiness in financial markets. There may be no trusted third parties in fully lit markets, but there is no protection from predators either. Now, the crypto world seems to be swinging back towards trust.
But the whole point of Satoshi Nakamoto's invention was to eliminate the need for trust. In his 2017 book Attack of the 50 Foot Blockchain, David Gerard quotes Satoshi Nakamoto's release note for Bitcoin 0.1:
The root problem with conventional currency is all the trust that's required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust. Banks must be trusted to hold our money and transfer it electronically, but they lend it out in waves of credit bubbles with barely a fraction in reserve. We have to trust them with our privacy, trust them not to let identity thieves drain our accounts. Their massive overhead costs make micropayments impossible.
And points out that (my emphasis):
Bitcoin failed at every one of Nakamoto's aspirations here. The price is ridiculously volatile and has had multiple bubbles; the unregulated exchanges (with no central bank backing) front-run their customers, paint the tape to manipulate the price, and are hacked or just steal their user's funds; and transaction fees and the unreliability of transactions make micropayments completely unfeasible.
We keep finding out additional ways in which cryptocurrencies failed to meet Nakamoto's goals.

1 comment:

David. said...

Catalin Cimpanu reports that Hacker steals $2 million from cryptocurrency service Akropolis:

"Cryptocurrency borrowing and lending service Akropolis says a hacker used a "flash loan" attack against its platform and stole roughly $2 million worth of Dai cryptocurrency.
...
Akropolis says that while it hired two firms to investigate the incident, neither company was able to pinpoint the attack vectors used in the exploit.

Nonetheless, the intrusion was identified as a "flash loan" attack.

Flash loan attacks have become common against cryptocurrency services running DeFi (decentralized finance) platforms that allow users to borrow or loan using cryptocurrency, speculate on price variations, and earn interest on cryptocurrency savings-like accounts.

Flash loan attacks take place when hackers loan funds from a DeFi platform (like Akropolis) but then use exploits in the platform code to escape the loan mechanism and get away with the funds."

David Gerard notes:

"this was a loss of users’ funds, not Akropolis’ own — as with all cryptocurrency exchange hacks, it’s functionally impossible to tell the difference between being hacked and being “hacked.”"