The US Department of Justice has charged two brothers with stealing $25 million (£20 million) by exploiting open source software used in the Ethereum blockchain world.
Anton, a 24-year-old computer scientist from Boston, and James Peraire-Bueno, 28, of New York, are accused of carrying out what Deputy Attorney General Lisa Monaco called a cutting-edge scheme that was “technically sophisticated, months in the planning.”
“Defendants’ plans call into question the very integrity of blockchain,” added U.S. attorney Damian Williams.
“The brothers, who studied computer science and mathematics at one of the world's most prestigious universities, have used their specialized skills and education to create a protocol relied on by millions of Ethereum users around the world. They allegedly tampered with it and manipulated it. When their plan was put into action, their robbery took only 12 seconds.”
Background
Cryptocurrency blockchains, including the blockchain behind Ethereum and its native coin Ether, are mostly decentralized, append-only transfer logs that use cryptography to maintain the integrity of the log. This essentially makes the blockchain a public ledger of all transactions that take place, in which users can only transact with money they actually own. These transactions are grouped into chained blocks, hence the name.
And all kinds of cryptocurrencies use the Ethereum blockchain, not just Ether: from stablecoins like Tether, which is pegged one-to-one to the US dollar, to rollercoaster meme coins like Shiba Inu and Pepe.
The management of the Ethereum blockchain is entrusted to validators, which are typically automated systems directed by human operators. As the name suggests, validator bots certify that blocks of proposed Ethereum transactions are valid, submit those blocks to a committee of fellow validators for approval by vote, and securely add them to the chain.
Generally speaking, validators are required to stake 32 Ether each (currently equivalent to $100,000). When randomly selected to propose a new block for the chain, a validator has approximately 12 seconds to complete that operation and provide a valid block for its peers to validate and accept onto the chain. If a validator cheats, it stands to lose its stake. If it behaves as expected, it is rewarded.
In reality it's a little more complicated. Where do these proposed blocks primarily come from? While waiting for confirmation on the blockchain, pending transactions sit in a public staging area called the memory pool, or mempool. Bots called searchers comb through these pending transactions and use fancy algorithms to assemble bundles of transactions for builder bots, which package them into blocks for validators to consider adding to the chain. In fact, a builder bot can also use fancy algorithms of its own to combine and optimize bundles from multiple searchers when creating these proposed blocks of transactions.
Builders stand to receive compensation in the form of fees and other revenue sources once their proposed blocks are posted on the chain, and validators who approve blocks receive a portion of that revenue.
It is in the interest of validators to choose the most profitable blocks, it is in the interest of builders to build blocks that look attractive to validators, and users of the blockchain have to pay fees to get their transactions processed. Builders and their searchers can order transactions within blocks as they see fit. Once a block is green-lit, its transactions are executed in that order.
Builders provide proposed blocks to validators via relays. Relays give validators only enough information to determine how much they would benefit from accepting a particular block, and do not provide the transaction details. When a validator accepts a block for processing, it retrieves the full details from the relay to analyze and certify. Nine out of 10 validator bots use an open source program called MEV-Boost to communicate with multiple relays and select the most rewarding blocks from all kinds of builders competing for payments.
This design must be resistant to manipulation and other shenanigans, while also ensuring that all these bot operators are compensated for maintaining this decentralized system. However, according to the indictment [PDF] unsealed on Wednesday, the brothers exploited weaknesses in the code of the MEV-Boost project and stole millions of dollars in cryptocurrency.
The MEV in MEV-Boost stands for maximum or maximal extractable value. While fairly complex, it is essentially the value that validators, builders, and their searchers can obtain by proposing and certifying carefully selected and ordered blocks of transactions drawn from the mempool. And, as mentioned earlier, there are various ways for participants to monetize this validation process.
For example, there is nothing to prevent mempool searchers from engaging in currency arbitrage. Searcher bots can see from mempool transactions that users are buying up a particular cryptocurrency, which will increase the market value of that token. A searcher can form a bundle of transactions that starts with the bot's operator acquiring that cryptocurrency, includes other people's pending mempool transactions for that coin, and ends with the bot selling the coin. If the carefully ordered bundle makes it into a proposed block that is selected by the validator and accepted onto the chain, the transactions are executed in order, and the searcher sells the coins for a higher price than it paid for them, profiting because the market value increased in the process. A searcher can offer to pay a block builder a fee for including the bundle, knowing that it will still make a profit.
Searchers and builders set the order of transactions within a proposed block, but so can validators. A validator selected by the system to provide the next block can go it alone and provide its own block for committee approval. As such, according to the US Department of Justice, relays typically withhold the full details of a proposed block until the validator commits, using a digital signature, to certifying the selected block. Otherwise, a validator could go through all the proposed blocks, choose the most profitable one, create its own block based on that proposed block, and pass it to the committee for approval, potentially screwing searchers and builders out of their rewards.
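The commit-then-reveal rule described above, sketched as an added example that is not MEV-Boost or relay code: the relay hands out a block body only when the slot's validator has signed that exact header. The `Relay` type, its methods and the sample transactions are hypothetical, and Ed25519 stands in for the BLS signatures Ethereum validators actually use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Relay escrows full block bodies, keyed by the hash of their blinded header.
type Relay struct {
	proposer ed25519.PublicKey // key of the validator selected for this slot
	bodies   map[[32]byte][]string
}

func NewRelay(proposer ed25519.PublicKey) *Relay {
	return &Relay{proposer: proposer, bodies: map[[32]byte][]string{}}
}

// Submit stores a builder's block and returns only its header hash.
func (r *Relay) Submit(txs []string) [32]byte {
	id := sha256.Sum256([]byte(strings.Join(txs, "\x00")))
	r.bodies[id] = txs
	return id
}

// Reveal returns the body only if sig is the proposer's signature over this
// exact header; every failure path returns nil, never transaction details.
func (r *Relay) Reveal(id [32]byte, sig []byte) ([]string, error) {
	body, ok := r.bodies[id]
	if !ok {
		return nil, fmt.Errorf("unknown header %x", id[:4])
	}
	if !ed25519.Verify(r.proposer, id[:], sig) {
		return nil, fmt.Errorf("signature does not commit to header %x", id[:4])
	}
	return body, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	r := NewRelay(pub)
	id := r.Submit([]string{"tx-a", "tx-b"}) // constructed sample transactions
	_, err := r.Reveal(id, make([]byte, ed25519.SignatureSize))
	body, _ := r.Reveal(id, ed25519.Sign(priv, id[:]))
	fmt.Println("zeroed signature:", err, "| valid signature:", body)
}
```

A signature over a different header, or from a different key, fails the same check, so a validator cannot unlock one block's contents by committing to another.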
Successfully robbing “25 million dollars in 12 seconds”
Prosecutors claim the pair discovered a flaw in the MEV-Boost project's relay code that could be exploited to prematurely release the full details of a proposed block. The pair is therefore said to have set up validators, exploited a relay into handing over an entire proposed block too early, reordered the transaction list in their favor, and pushed the block out for the committee's approval, making a huge profit.
The complaint alleges that a shell company called Pine Needle was founded by the brothers in December 2022 to conduct banking and cryptocurrency exchange operations. In particular, court documents state, they did not want to do business with crypto exchanges that had a “know your customer” policy and conducted online searches for “how to launder cryptocurrencies” and “CEFI exchanges without KYC.” The men are also alleged to have executed a number of trades to see how a searcher service run by three particular traders would react.
According to the indictment, between February and March of the following year, the two brothers sent 529.5 Ether (worth $880,000 at the time) to the Ethereum network, 512 of which are said to have been used to stake 16 validators at 32 Ether each.
According to prosecutors, they decided to carry out the exploit on April 2nd. First, the two waited for one of their validators to be randomly selected to provide the next block to the Ethereum chain. Once that happened, they allegedly placed eight orders for particularly illiquid cryptocurrencies.
Allegedly, the three traders' automated searchers took the bait and offered block builders a series of trades aimed at accomplishing the following: buy up $25 million of these illiquid cryptocurrencies using stablecoins and other liquid assets, execute the brothers' trades, and then sell the cryptocurrencies at a higher price to pocket the difference.
The proposed block reached the brothers' validator via a relay, which the validator allegedly exploited by sending dubious digital signatures, causing the full contents of the proposed block to be revealed. The validator then allegedly changed the transaction list so that the traders bought up the illiquid cryptocurrencies, and then sold off all of the illiquid coins that the brothers owned: the ones they had just bought as bait and the ones they had picked up based on the aforementioned observations.
The allegedly tampered block was sent for verification by a committee vote and accepted into the chain. In effect, the traders bought illiquid cryptocurrencies from the pair, who allegedly received $25 million in stablecoins and other liquid assets in exchange. The traders, on the other hand, acquired large amounts of coins that became so illiquid that they were suddenly worthless. The Feds said that the liquidity pools for the cryptocurrencies had been depleted.
That $25 million reportedly left the traders' hands in just 12 seconds. As far as the Ethereum world was concerned at the time, the transactions all went as expected.
I feel unlucky, Google.
The day after the alleged robbery, James Peraire-Bueno allegedly went to one of the shell companies' banks and asked for a safe deposit box large enough to fit a laptop. The next day, the Feds also claim, the operators of the websites hosting the MEV-Boost source code were asked about their policies regarding recording visitors' IP addresses.
Meanwhile, according to the complaint, Anton Peraire-Bueno searched online for “top cryptocurrency lawyers” and for how long the “statue [sic] of limitations” runs for crimes such as wire fraud and money laundering.
If true, it would mean that the brothers had a plan that was far from foolproof, even though they were allegedly able to pull off a multi-million dollar exploit.
The complaint further alleges that victims of the transaction, their lawyers, and representatives of the Ethereum project tried to persuade the Peraire-Bueno brothers to return their profits. Rather than do so, the complaint alleges, they laundered the money through several different channels. Approximately $3 million was allegedly frozen by foreign law enforcement agencies.
Meanwhile, $20 million was ultimately funneled into another shell company, Birch Bark Trading LLC, the complaint alleges. From there, the pair had to move it to a brokerage account. The Feds said the pair didn't know what to do or what the consequences would be. Court documents allege their Google searches included terms such as “money laundering” and “will the U.S. extradite them? [foreign country].” By December 8, $19.6 million had reportedly been deposited into the brokerage account.
Prosecutors announced their arrests this week. Both men are charged with wire fraud, wire fraud conspiracy, and money laundering conspiracy, each of which could carry up to 20 years in prison. If convicted, they will also have to repay any ill-gotten gains. ®