As an analyst with extensive experience in blockchain technology and cryptocurrency markets, I strongly believe that the actions of the Peraire-Bueno brothers constitute a blatant disregard for the established norms and ethical considerations of the crypto community. Their exploit, which netted them $25 million through manipulating the inner workings of Ethereum’s MEV ecosystem, was a clear violation of the trust placed in the integrity of the blockchain infrastructure.


They had it all planned out.

Around the end of 2022, the Peraire-Bueno brothers, young alumni from a renowned university with a newfound interest in blockchain technology, initiated a project that resulted in a substantial $25 million gain. This accomplishment marked one of the more complex crypto heists in the last ten years or so. As reported by U.S. authorities, they began by formulating a four-part strategy:

The four stages were named “The Bait,” “Unblinding the Block,” “The Search” and “The Propagation.”

According to the indictment, the defendants adhered to every step detailed in their Exploit Plan during the ensuing months.

Two brothers, Anton Peraire-Bueno (age 24) and James Peraire-Bueno (age 28), were accused by the U.S. Department of Justice on Wednesday of capitalizing on a software flaw in a widely used application that interacts with trading bots on Ethereum’s blockchain. They reportedly made around $25 million in profits during a brief 12-second window in April 2023.

How did it all work?

The exploit relied on a vulnerability in MEV-boost, software used by approximately 90% of the blockchain’s validators. The flaw gave the brothers the ability to view transactions within blocks prior to their confirmation by validators.

MEV, or maximal extractable value, is sometimes known as an “invisible tax” that validators and builders can collect from users by reordering or inserting transactions in a block before they’re added to the blockchain.

The practice is often compared to front-running in traditional stock markets. Because it is technically difficult to eliminate entirely, the Ethereum community has adopted a more pragmatic approach and has primarily focused on minimizing its potential negative consequences.

One way of minimizing those consequences is MEV-Boost, software used by approximately 90% of Ethereum validators. The tool aims to promote fairer distribution of maximal extractable value (MEV) for all participants involved.

The prosecution team made it clear in their filing that such an approach is how they intend to proceed with the case.

Altering the set MEV-Boost proposals, which are widely used by most Ethereum network users, could potentially disrupt the stability and trustworthiness of the Ethereum blockchain for every participant involved, as stated in the indictment.

Bots, searchers, relays, bundles and builders

On Ethereum, users submit transactions that are queued up in a “transaction pool” or “pending queue” (the mempool) before they are processed by the network.

MEV-boost enables “transaction aggregators,” known as block builders, to collect selected transactions from the mempool and include them in a block, thereby maximizing their potential value.

Subsequently, MEV bots, also referred to as “searchers,” scrutinize the mempool for potential transactions that could yield profitable trades. At times, they offer incentives to block builders to manipulate the order of transactions or add new ones in a specific sequence to maximize profits. Once confirmed by Ethereum validators, these blocks are permanently added to the blockchain.

All these steps are typically executed automatically by the software in fractions of seconds.

The Peraire-Bueno brothers identified three MEV bots lacking specific safeguards and devised a strategy. They established sixteen validators with alluring features to lure these vulnerable bots.

When searchers bundle transactions together, they designate one transaction as the target. That transaction is sandwiched between two other signed transactions, one preceding it and one following it.

Matt Cutler, the CEO of Blocknative, explained to CoinDesk in an interview that when it comes to the rules of their blockchain game, “The bundle I provide you must be executed as a single unit, with all three transactions occurring in this specific sequence. Any deviation from this order will prevent the execution from going through.”

The brothers intended to capitalize on the absence of certain checks in bot transactions by manipulating malicious validators and disrupting those deals.

Cutler explained that because the honeypot transactions were so profitable, and because the bots had no safeguards against specific circumstances and placed complete faith in the integrity of the validator and the MEV-boost system, a malicious validator managed to obtain signed transactions and subsequently manipulated them, resulting in a loss of $25 million for the bots.
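The bundle rule Cutler describes can be checked after the fact against a published block. The following is an added example, not code from MEV-boost or from any searcher; the function name and the transaction hashes are constructed for illustration.

```python
# Added example: classify how an ordered bundle landed in a published block.
# Transaction hashes below are constructed sample data, not real transactions.

def check_bundle(block_txs, bundle):
    """Return (status, detail) for an ordered bundle against a block's tx list."""
    positions = {tx: i for i, tx in enumerate(block_txs)}
    present = [tx for tx in bundle if tx in positions]
    if not present:
        return "absent", "no bundle transaction was included"
    if len(present) < len(bundle):
        missing = [tx for tx in bundle if tx not in positions]
        return "broken", f"partial inclusion, missing {missing}"
    idx = [positions[tx] for tx in bundle]
    if idx != sorted(idx):
        return "broken", "bundle transactions were reordered"
    if idx[-1] - idx[0] != len(bundle) - 1:
        return "broken", "foreign transactions were inserted inside the bundle"
    return "intact", f"bundle occupies positions {idx[0]}..{idx[-1]}"

# The three-transaction shape described above: signed tx, target, signed tx.
BUNDLE = ["0xbefore", "0xtarget", "0xafter"]

if __name__ == "__main__":
    samples = {
        "as submitted": ["0xaaa", "0xbefore", "0xtarget", "0xafter", "0xbbb"],
        "one leg only": ["0xaaa", "0xbefore", "0xbbb"],
        "interleaved": ["0xbefore", "0xother", "0xtarget", "0xafter"],
    }
    for name, block in samples.items():
        print(name, check_bundle(block, BUNDLE))
```

A "broken" result means the single-unit guarantee did not hold for that block, which is the condition the bots had no safeguard against.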

‘False signatures’

In its accusations, the government meticulously showed that the suspects’ actions, which targeted a pivotal aspect of the blockchain’s intricacies at a level complex even for seasoned developers, deviated significantly from community standards and crossed into the territory of deceit.

The brothers allegedly provided a fake digital signature instead of a genuine one to a significant participant in the blockchain network, referred to as a “relay.” The digital signature is crucial because it unveils the contents of a proposed group of transactions, with all their potential profits enclosed.

The relay is an intermediary that functions like a traditional escrow account. It holds onto the transaction data within a proposed block until a validator confirms their intention to publish this block on the blockchain. The relay won’t release these transactions until the validator has given a digital signature, ensuring they will indeed add the block, as designed by the builder, to the decentralized and public ledger.

According to the indictment, the prosecutors claimed that, based on their investigation and preparations, the brothers were aware that the misleading signature details they used were intended to, and indeed did, deceive the Relay into releasing the complete content of the proposed block to them prematurely, including confidential transaction information.
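The escrow rule described above can be sketched as a toy relay that releases a block's contents only after checking the proposer's signature over the header it actually offered. This is an added example, not the code of MEV-boost or of any relay, and the weak variant is a hypothetical simplification rather than the actual flaw; HMAC stands in for the validator's real signature scheme, and every key, slot and payload is constructed.

```python
import hashlib
import hmac

# HMAC-SHA256 is a stand-in for the validator's signature scheme (assumption);
# the key, proposer id, slot and payload are constructed sample data.
PROPOSER_KEYS = {101: b"constructed-proposer-key"}

def sign_header(key, slot, header_root):
    msg = f"{slot}:{header_root}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Relay:
    def __init__(self):
        self.escrow = {}  # slot -> (proposer_id, header_root, payload)

    def offer(self, slot, proposer_id, payload):
        root = hashlib.sha256(payload).hexdigest()
        self.escrow[slot] = (proposer_id, root, payload)
        return root  # the proposer sees only this commitment, not the payload

    def release_naive(self, slot, signed):
        # Weak: anything carrying a signature field unlocks the payload.
        return self.escrow[slot][2] if signed.get("signature") else None

    def release_checked(self, slot, signed):
        proposer_id, root, payload = self.escrow[slot]
        if signed.get("header_root") != root:
            return None  # signed a different header than the one offered
        expected = sign_header(PROPOSER_KEYS[proposer_id], slot, root)
        if not hmac.compare_digest(expected, str(signed.get("signature", ""))):
            return None  # signature does not verify for this proposer
        return payload

if __name__ == "__main__":
    relay = Relay()
    root = relay.offer(7, 101, b"tx-before|tx-target|tx-after")
    bogus = {"header_root": "00" * 32, "signature": "deadbeef"}
    print("naive releases on bogus input:", relay.release_naive(7, bogus) is not None)
    print("checked releases on bogus input:", relay.release_checked(7, bogus) is not None)
```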

As Cutler put it, “Stealing is stealing, regardless of the terms that enable that stealing.”

As a responsible crypto investor, I would never advocate for taking unwarranted actions. Just because someone else’s wallet may appear vulnerable or accessible, it doesn’t give us the right to intrude on their privacy and security. Let’s always respect others’ digital property just as we would our own physical possessions.

Ethereum has been subject to contentious MEV trading practices, such as front-running and sandwich attacks. However, several influential figures within the MEV community consider last year’s exploit a clear case of theft.

Taylor Monahan, MetaMask’s lead product manager, humorously commented on X that if one manages to steal and launder $25 million, they can anticipate serving a lengthy prison sentence.

I acknowledged the ethical gray area of the situation, suggesting that those involved were essentially breaking the rules they themselves had set up. However, it was indisputable that this action constituted an exploit and a breach of established laws.

To emphasize the government’s claim, it was revealed that Anton Peraire-Bueno conducted extensive online searches for topics such as “top crypto lawyers,” “duration of US statute of limitations for various offenses,” “wire fraud statute and its limitation period,” “fraudulent Ethereum addresses database,” and “money laundering statute of limitations” during the weeks following the exploit.

On the day following the incident, James Peraire-Bueno reached out to a bank representative via email to inquire about obtaining a spacious enough safe deposit box for a laptop.


2024-05-16 20:12