bheau

over a month of HLP pnl wiped out by a few linked addresses trading $XPL today process was: - deposit ~$1.3m across 5 wallets - twap long 93m XPL (~$10.6m, ~8x leverage) - withdraw ~$3.1m total (allowed bc hyperliquid lets you withdraw uPnL as long as you stay above maintenance margin) - get liquidated (some was sold into the book, majority was backstopped around $0.13 - unclear exactly how this worked, but it *seems* this went through into resting bids rather than having HLP take it on) - still, HLP lost over $400k from bad debt as the attacker accounts went negative at the backstop price. reminiscent of the POPCAT attack from last year - attacker netted ~$1.85m in profit usually HLP takes on and holds these liquidations longer. maybe they had some logic around not doing so given they also had to eat bad debt, and the book could support the liquidation. or maybe it's just the usual system. not sure anyways, this doesn't seem repeatable, kinda specific to XPL today where there were buyers on other exchanges (hacked account?) + thin spot liq. i assume if you tried this on another coin rn you'd just get liquidated after you finish twapping (images of HLP pnl, one attacker's backstop liqs, and one attacker's txs where he withdrew some USDC to profit before letting the rest of the position get liquidated)

correct me if I'm wrong but this seems like the largest ever single-block builder profit in ethereum history, ~$33m to titan it also may be one of the largest MEV block rewards ever on eth, a 568 ETH proposer payment which falls just behind the SVB USDC depeg (had a 692 ETH payment), 2023 sushiswap whitehat hack (689 ETH), and 2023 curve whitehat hack (584 ETH) others already commented on the original issues with the order (illiquid route + insane $155k AAVE limit price), but here's where the $50m went: - $36k to the user's cowswap order (331 AAVE) - $619k cowswap solver fee - ~$9.9m to the MEV bot that backran the 17,957 ETH -> 331 AAVE swap (backrun was 128 AAVE -> 17,959 ETH) - another ~$2.6m to the same MEV bot from backrunning the $50m USDT -> $37m WETH swap over multiple txs - ~$34.3m fee to titan from the MEV bot (includes $1.2m to lido as the block proposer) - ~$3.5m in dex swap fees + residual smaller arb txs insane payday for titan, who sent their profits to coinbase, and this single MEV bot took the majority of the arbs in both the illiquid AAVE/WETH pool and the $13m slippage swap in the main USDT/WETH pool

so I guess you can't really do *historical* analysis without accepting that second precision block times are going to mess things up a bit this third chart I had actually uses external timestamps (polygon's block timestamp vs the timestamp from the polygon trade message, which does have ms precision). definitely looks different but not too bad

I analyzed this a few days ago. Data in the image shows the latency distribution between offchain "fill" (and therefore websocket + UI notification to traders) and the actual onchain fill, consistently 2-5 sec latency 2-5s is obviously more than enough time for traders to beat polymarket's onchain "match orders" tx by invalidating their order onchain faster and/or with higher gas to land earlier, making the order match tx impossible and fail So in practice how is this being "exploited"? Looking at the "How much spending will DOGE cut in 2025?" market that the attacker used, which is like 98% YES for the <$50b bucket and has 6 buckets: - (a) Negrisk bots hold/try to obtain NO shares in each bucket, accumulated at less than $5 per full set (1 NO share per bucket across all 6 buckets = $5 at resolution if exactly one bucket resolves YES, so if the NO shares cost you $4.90 total then you profit $0.10) - (b) These bots constantly monitor for opportunities to accumulate more of these full sets (NO shares across buckets at <$5 total) - (c) Which means they will place deep limit buy orders below market price on NO shares in certain buckets, looking to get filled at an undervalued price. For example, they may bid $0.5 on each of $50-100b and $100-150b NO, where the market ask for NO is $0.97-0.99 - (d) *This causes cases where they may be willing to overpay for shares*. Simplified example: - Say <$50b has NO shares priced at $0.02 ask, while NO shares in the other 5 buckets trade at $0.97-0.99 ask. - Negrisk bots place NO bids on these 5 buckets at deep discounts (say, $0.2-0.6) hoping for fills. - Say a bot gets a crazy good fill on the $50-100b bucket at $0.2; it is now able to lock in profit if it can buy a NO share in each remaining bucket while keeping the total set cost <$5. - The other 4 tails are $0.97-0.99; say the bot can buy all for $3.92 total. It has now paid $4.12. - It now just needs NO <$50b at max price $0.88 to be profitable, since the total cost for all NOs would still be under $5. So, it's willing to overpay for <$50b by a lot if needed - (e) Which becomes exploitable. How? What it looks like the attacker actually did here, in one case: - Attacker fill bot's NO bids for the $50-100b bucket at a huge mispricing, like $0.2 - Bot sees this "fill" via Polymarket's offchain data. This looks like a great fill, so it decides it can now buy <$50b NO for up to $0.88, since it would lock in profit - Attacker fills the bot's elevated <$50b NO bids, getting cheap YES shares - AND attacker cancels the $0.2 order in the $50-100b bucket before it is matched onchain - Attacker ends up with cheap YES shares in the <$50b bucket, and the bot ends up with NO shares in the <$50b bucket that it overpaid for WITHOUT receiving any of the mispriced $50-100b shares it thought that it would - (In practice, this is prob a gradual process where the attacker walks up the <$50b NO price, forcing bots to buy higher and higher and giving the attacker cheaper and cheaper YES entries. Works especially well in more illiquid books populated largely by negrisk bots) - (f) Attacker, in this market, ends up with 11,460 YES <$50b acquired at an avg of $0.12, when they're actually worth $0.98 Some conclusions: - Negrisk bots / MMs should be accounting for this; relying purely on polymarket's data (without tracking onchain matches) puts you at risk. I assume many already do, but obviously some did/do not. Bc of this I'm not sure I'd truly call this an "exploit", it's just how the system works rn - Polymarket can change this whenever by waiting to mark orders filled /notify users of fills offchain until the orders match onchain

for the block/log data I just used the local clock time when I received the websocket message with the OrderFilled log so there's some noise in the data, ie latency will vary a bit based on where your code is located relative to polymarket's servers and your RPC, but for the analysis here the noise was negligible relative to how large the delay (2-5s) is

yeah I honestly was very surprised and wondered if I was missing something. I analyzed bc I had assumed there'd be edge cases where the latency would be like 0.1s or something, if they notify you as the tx is pending and then get filled very next block, but it actually looks like they mark the orders matched offchain and *then* submit the match tx. I also didn't optimize for latency at all, just ran this locally, prob possible to get even higher avg latency if there's any data out there contradicting this lmk

will add that "Works especially well in more illiquid books populated largely by negrisk bots" is interesting bc you see that 0x6E7's attempts had pretty widely varying degrees of success by market would be interesting to think about how you'd go about choosing/ranking best markets for this. generally "exploiters" want: - low-ish liquidity, so it's easier / less costly to get through the book to fill negrisk bots initially, and for them to get through the book to fill your (real) bids - largely negrisk bot populated, since you (a) need them to react well, and (b) don't want people / bots who quickly realize the price swings are due to manipulation and frontrun your (real) fill attempts

Some rambling thoughts on the latest crypto crash Yesterday, I had some non-crypto friends ask what was going on with BTC. I sent them all basically the same thing, which was a list of points I had sent to someone late last week when the Warsh fed chair pick started getting priced in and BTC retested/lost $85k: "Pretty underwhelming, short-term you have: - declining stablecoin supply and treasury company mnavs, signs of less interest / buying - trump's initial positive impact on crypto now obviously old news / arguably a weight as some approval ratings hit new lows - quantum threat fears are mostly noise imo, but they’re getting louder and having some level of impact - new fed chair pick is seen as more negative, or at *least* worse, for btc than other candidates - chart resembles last cycle's chart, if you believed in cycle theory you'd think we go lower - very bad underperformance relative to metals, hurts the "digital gold" narrative, and metals dips aren't showing any signs of rotations into BTC (which was prob a fair thesis / trade idea, but has been blatantly invalidated) - pretty doomer but is what it is, unless something notable changes base case is don't expect much near term or even expect lower" In hindsight, the combination of these things may have put us in a game of chicken where the reasons for holding BTC or blasting ETH were eroding, but nothing was as blatantly bad as the end of last cycle (ie you couldn't go point at broad equity weakness) so there was no real rush for the door yet. The last point (complete debasement trade fumble in Q4/Q1) was especially bad, and in some ways the straw that broke the camel's back (I've seen the theories about yesterday's move being triggered by some big HK-based fund blowing up, I have no idea about this but regardless I think the ideas here hold) Mid-term, the narrative issues still remain. I won't rewrite what others have already put more eloquently than I would, but tldr is BTC becoming more institutionalized, derivative-ized, partisan (obv debatable how much so, but to some extent?), and less-cypherpunk was bullish but came with a somewhat unspoken tradeoff that there would be a necessary hangover. In this light, the recent whale selling and less overall excitement make sense. Much of the original story had played out and/or become something else Moving forward, my base case (things can always change, and quickly, but current thesis) is that it is simply going to take time for BTC to figure out a new bullish identity. And this *could* entail more capitulations, boring ranges, DATs dumping alts, etc. It also may entail fixing the quantum threat, which would be a positive thing (I don’t view this as a risk, solutions are already evident, but it prob needs to be higher priority given the fear - MSTR commenting on this during earnings yesterday was a good sign) On the bright side, I am still pretty confident that BTC *will* emerge from this at some point and make new highs, and there are a few other stories in crypto that have massive growth potential and actual value capture in better ways than previous cycles. I bought more BTC yesterday and will continue trying to accumulate at prices that make sense Last thing, I respect the few people on here who publicly called this out in Q4 and largely stood by it. It wasn't a very easy idea to define imo, at least relative to previous bear market triggers, and they did a better job than at least I did at timing it

yep. think the timeline is like - sept 12 2025 MSCI announces consultation about metaplanet treatment, in here they mention NOS but do not *explicitly* mention changing the treatment for DATs, but they do decide to not implement metaplanet's share issuance (*effectively* pausing NOS increase for this event) - oct 2025 MSCI expands this review to all DATs and for the first time mentions "MSCI will continue to not implement increases to the NOS/FIF/DIF for [DATs]". the "continue to" here probably refers to the metaplanet treatment from september and expands it to all DATs - today's announcement ("remains unchanged" referring to the fact that they technically had already suspended NOS increase inclusion for DATs back in october)

I'm long $LIT but unfortunate timing here, with another $4.4m coming tomorrow, $5.4m the next day, and $11.7m a couple days after that. Another wallet in the cluster initiated a $6.3m withdrawal today, so this pattern may continue for a bit (they have $81.4m still staked, unqueued) If $HYPE remains suppressed, imo it keeps the ceiling on $LIT a bit lower. So, unfortunate timing in the sense that I think (at least atm) it's unlikely alts rally all of January, so I'd rather be seeing $HYPE move now Trying to balance this out near-term with - Potential for good $LIT news (integrations/partnerships, buybacks, listings) this week - [] blasting millions on at least a couple wallets - Nice technical flip of $2.8 Still giving the LIT long a chance, and maybe HYPE does move, just noting that the setup could've been better

I briefly looked into the initial $LIT 1 min candle that ranged from $0.0007 to $9 (tldr: no one got filled for a bunch of LIT at extremely low prices, but someone did buy $36k worth of LIT at $9) At 06:45:07.11Z, the first LIT trades happened. 21 orders were matched in this block, each with the same maker/taker, transacting ~565 LIT for ~$1.13k from $0.0007 to $3.00 at an average price of $2 Account 644247 was the maker. This entity was previously funded by the Lighter treasury and does spot market-making (so probably a market making partner who had LIT to market make with - this account is still actively MMing ETH and LIT) Account 694591 was the taker. This account is recently exchange funded and is connected to a couple addresses via a Bybit deposit it used today, but unclear who it is (not that it matters, this entity just placed orders early that got matched against the MM's) 11 second later, at 06:45:18.234Z, 2018 LIT was traded at $9, which was probably just someone market buying into a near empty book. The seller actually also sold another 2k LIT at $9 about 7 seconds later to the same buyer, so congrats to whoever sold ~$36k worth of LIT at $9 lol