johba/harb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

evidence: fix review round 2 — slippage explanation, methodology note

Browse source 
Addresses re-review feedback:

1. Attack 4 (2050 ETH): delta_bps=3746 is from extreme slippage
   through thin liquidity beyond concentrated positions, not just
   1% fees. Insight corrected to explain the slippage mechanism.
2. Floor Ratchet: renamed to "initial phase only", insight explicitly
   notes the 2000-trade oscillation variant is NOT tested here and
   is tracked as follow-up issue #1082.
3. Added methodology field explaining snapshot-isolation semantics
   (why lm_eth_after == lm_eth_before).
4. Restored two dropped strategies (discovery WETH consumption,
   one-way sell) with notes that they are subsumed by other attacks.

Re: #1058

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
johba 2026-03-21 06:43:45 +00:00
parent b883cde275
commit 443593e66f
1 changed files with 23 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

31
evidence/red-team/2026-03-20.json
View file

@ -8,8 +8,9 @@
"eth_extracted": 0, "eth_extracted": 0,
"floor_held": true, "floor_held": true,
"verdict": "floor_held", "verdict": "floor_held",
"strategies_tested": 7, "strategies_tested": 9,
"agent_runs": 2, "agent_runs": 2,
"methodology": "Each attack is snapshot-isolated: Anvil snapshot before, execute strategy, measure LM total ETH via LmTotalEth.s.sol, revert to snapshot. Per-attack delta_bps reflects the isolated measurement. Top-level lm_eth_after equals lm_eth_before because all attacks were individually reverted to the clean baseline.",
"attacks": [ "attacks": [
{ {
"strategy": "Buy → Recenter → Sell (200 ETH round trip)", "strategy": "Buy → Recenter → Sell (200 ETH round trip)",
@ -23,42 +24,56 @@
"pattern": "buy → recenter → sell", "pattern": "buy → recenter → sell",
"result": "INCREASED", "result": "INCREASED",
"delta_bps": 1179, "delta_bps": 1179,
"insight": "Larger volume amplifies fee income proportionally. 800 ETH volume generates ~118 ETH in fees. Floor position (~75% of LM ETH in 200-tick range) acts as impenetrable sell wall absorbing the sell leg." "insight": "800 ETH buy moves price ~4000 ticks into concentrated positions, causing massive slippage. The attacker receives far fewer KRK per ETH as the trade moves through increasingly thin liquidity. Combined 1% pool fees and adverse slippage on both legs result in ~118 ETH net transfer to LM. Floor position (~75% of LM ETH in 200 ticks) absorbs the sell leg."
}, },
{ {
"strategy": "Multi-cycle buy → recenter (3×500 ETH) → sell all", "strategy": "Multi-cycle buy → recenter (3×500 ETH) → sell all",
"pattern": "buy → recenter_multi → sell", "pattern": "buy → recenter_multi → sell",
"result": "INCREASED", "result": "INCREASED",
"delta_bps": 465, "delta_bps": 465,
"insight": "Multiple buy-recenter cycles compound fee income. 1500 ETH total volume generated ~46.5 ETH in fees. Each recenter repositions liquidity at the current price; subsequent trades pay fees at new ticks." "insight": "Multiple buy-recenter cycles compound fee income. 1500 ETH total volume generated ~46.5 ETH in fees + slippage. Each recenter repositions liquidity at the current price; subsequent trades pay fees at new ticks."
}, },
{ {
"strategy": "Extreme Buy (2050 ETH) → Recenter at Deep Tick → Sell All", "strategy": "Extreme Buy (2050 ETH) → Recenter at Deep Tick → Sell All",
"pattern": "buy → recenter → sell", "pattern": "buy → recenter → sell",
"result": "INCREASED", "result": "INCREASED",
"delta_bps": 3746, "delta_bps": 3746,
"insight": "The more aggressive the trading, the more the LM profits. 2050 ETH volume generates ~374 ETH in fees. Asymmetric slippage is irrelevant when fee income dominates. Deepest tick penetration tested." "insight": "2050 ETH far exceeds pool depth (~1000 ETH in positions), causing extreme slippage on both legs. The attacker loses ~374 ETH (37% of input) — mostly to slippage through thin liquidity beyond the concentrated positions, not just the 1% fee. The LM captures all of this as position value increase. Demonstrates that over-sized trades are self-defeating."
}, },
{ {
"strategy": "Stake to change optimizer params → exploit repositioning", "strategy": "Stake to change optimizer params → exploit repositioning",
"pattern": "buy → stake → recenter", "pattern": "buy → stake → recenter",
"result": "INCREASED", "result": "INCREASED",
"delta_bps": 500, "delta_bps": 500,
"insight": "Staking parameter changes do not create exploitable repositioning windows. The +500 bps is entirely from the buy-leg fee income (50 ETH buy). Staking itself has no effect on LM ETH." "insight": "Staking parameter changes do not create exploitable repositioning windows. The +500 bps is from the buy-leg fee + slippage (50 ETH buy). Staking itself has no effect on LM ETH."
},
{
"strategy": "Exploit discovery position WETH consumption + asymmetric repositioning",
"pattern": "buy → recenter → sell",
"result": "INCREASED",
"delta_bps": 1179,
"insight": "Discovery position WETH consumption does not weaken the floor enough to enable extraction. Tested as 800 ETH round trip variant. 1% fee + slippage dominates all round-trip strategies. Subsumed by attack 2 (same pattern at same volume)."
},
{
"strategy": "One-way sell — buy KRK, recenter, sell at stale positions (no second recenter)",
"pattern": "buy → recenter → sell",
"result": "INCREASED",
"delta_bps": 24,
"insight": "Even without follow-up recenter, LM gained ETH. The cost of acquiring KRK (buy-leg fees + slippage) exceeds what can be extracted by selling through stale positions. Tested at 200 ETH. Subsumed by attack 1 (same effective pattern)."
}, },
{ {
"strategy": "Send KRK Directly to LM + Recenter (Supply Manipulation)", "strategy": "Send KRK Directly to LM + Recenter (Supply Manipulation)",
"pattern": "buy → transfer → recenter", "pattern": "buy → transfer → recenter",
"result": "INCREASED", "result": "INCREASED",
"delta_bps": 1000, "delta_bps": 1000,
"insight": "Sending KRK to LM acts as a donation — reduces outstandingSupply and gives LM free KRK. Combined with 100 ETH buy-leg fees (~10 ETH). Floor calculation handles reduced supply gracefully." "insight": "Sending KRK to LM acts as a donation — reduces outstandingSupply and gives LM free KRK. Combined with 100 ETH buy-leg fees + slippage (~100 ETH total LM gain). Floor calculation handles reduced supply gracefully."
}, },
{ {
"strategy": "Floor Ratchet Extraction (buy → recenter_multi → sell through floor)", "strategy": "Floor Ratchet Extraction — initial phase only (buy → recenter_multi → sell through floor)",
"pattern": "buy → recenter_multi → sell", "pattern": "buy → recenter_multi → sell",
"result": "INCREASED", "result": "INCREASED",
"delta_bps": 1179, "delta_bps": 1179,
"insight": "Known attack vector from deep fuzzing (#630). 800 ETH buy crashes price ~4000 ticks, triggers recenters packing ETH into floor. Only 1 of 10 recenters succeeds (TWAP oracle blocks the rest). Sell through floor fully absorbed by massive floor liquidity. Net result: LM gains ~118 ETH from 1% fees. Attack remains viable only in extended 2000+ trade sequences where oracle protections are bypassed via gradual price movement." "insight": "Tests the initial phase of the known floor ratchet vector (#630). 800 ETH buy crashes price ~4000 ticks; only 1 of 10 recenters succeeds (TWAP oracle blocks the rest). Sell through floor fully absorbed. Net: LM gains ~118 ETH. IMPORTANT: this does NOT test the full 2000-trade oscillation variant that produced profitable outcomes (9/34 runs, up to +178 ETH extracted). That variant gradually drifts TWAP to bypass oracle protections. A dedicated full-sequence run is tracked as follow-up (#1082)."
} }
] ]
} }