johba/harb
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
harb/evidence/red-team/2026-03-20.json
johba fd80aec3be evidence: fix nits — strategies count, percentage calculation 
- strategies_tested=7 (independent measurements only), strategies_total=9
- Fix attack 4 percentage: 374/2050 ≈ 18%, not 37%

Re: #1058

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-21 06:45:40 +00:00

80 lines
5 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"date": "2026-03-20",
"candidate": "Optimizer",
"optimizer_profile": "default",
"candidate_commit": "a1efa5942dd7ca863d069929ff0ca9b1909a1237",
"lm_eth_before": "999999999999999999998",
"lm_eth_after": "999999999999999999998",
"eth_extracted": 0,
"floor_held": true,
"verdict": "floor_held",
"strategies_tested": 7,
"strategies_total": 9,
"agent_runs": 2,
"methodology": "Each attack is snapshot-isolated: Anvil snapshot before, execute strategy, measure LM total ETH via LmTotalEth.s.sol, revert to snapshot. Per-attack delta_bps reflects the isolated measurement. Top-level lm_eth_after equals lm_eth_before because all attacks were individually reverted to the clean baseline.",
"attacks": [
{
"strategy": "Buy → Recenter → Sell (200 ETH round trip)",
"pattern": "buy → recenter → sell",
"result": "INCREASED",
"delta_bps": 24,
"insight": "The 1% Uniswap V3 pool fee is the primary defense. 200 ETH round trip generates ~2.4 ETH in fees for the LM. Fee income far exceeds any IL from repositioning."
},
{
"strategy": "Buy → Recenter → Sell (800 ETH round trip)",
"pattern": "buy → recenter → sell",
"result": "INCREASED",
"delta_bps": 1179,
"insight": "800 ETH buy moves price ~4000 ticks into concentrated positions, causing massive slippage. The attacker receives far fewer KRK per ETH as the trade moves through increasingly thin liquidity. Combined 1% pool fees and adverse slippage on both legs result in ~118 ETH net transfer to LM. Floor position (~75% of LM ETH in 200 ticks) absorbs the sell leg."
},
{
"strategy": "Multi-cycle buy → recenter (3×500 ETH) → sell all",
"pattern": "buy → recenter_multi → sell",
"result": "INCREASED",
"delta_bps": 465,
"insight": "Multiple buy-recenter cycles compound fee income. 1500 ETH total volume generated ~46.5 ETH in fees + slippage. Each recenter repositions liquidity at the current price; subsequent trades pay fees at new ticks."
},
{
"strategy": "Extreme Buy (2050 ETH) → Recenter at Deep Tick → Sell All",
"pattern": "buy → recenter → sell",
"result": "INCREASED",
"delta_bps": 3746,
"insight": "2050 ETH far exceeds pool depth (~1000 ETH in positions), causing extreme slippage on both legs. The attacker loses ~374 ETH (~18% of input) — mostly to slippage through thin liquidity beyond the concentrated positions, not just the 1% fee. The LM captures all of this as position value increase. Demonstrates that over-sized trades are self-defeating."
},
{
"strategy": "Stake to change optimizer params → exploit repositioning",
"pattern": "buy → stake → recenter",
"result": "INCREASED",
"delta_bps": 500,
"insight": "Staking parameter changes do not create exploitable repositioning windows. The +500 bps is from the buy-leg fee + slippage (50 ETH buy). Staking itself has no effect on LM ETH."
},
{
"strategy": "Exploit discovery position WETH consumption + asymmetric repositioning",
"pattern": "buy → recenter → sell",
"result": "INCREASED",
"delta_bps": 1179,
"insight": "Discovery position WETH consumption does not weaken the floor enough to enable extraction. Tested as 800 ETH round trip variant. 1% fee + slippage dominates all round-trip strategies. Subsumed by attack 2 (same pattern at same volume)."
},
{
"strategy": "One-way sell — buy KRK, recenter, sell at stale positions (no second recenter)",
"pattern": "buy → recenter → sell",
"result": "INCREASED",
"delta_bps": 24,
"insight": "Even without follow-up recenter, LM gained ETH. The cost of acquiring KRK (buy-leg fees + slippage) exceeds what can be extracted by selling through stale positions. Tested at 200 ETH. Subsumed by attack 1 (same effective pattern)."
},
{
"strategy": "Send KRK Directly to LM + Recenter (Supply Manipulation)",
"pattern": "buy → transfer → recenter",
"result": "INCREASED",
"delta_bps": 1000,
"insight": "Sending KRK to LM acts as a donation — reduces outstandingSupply and gives LM free KRK. Combined with 100 ETH buy-leg fees + slippage (~100 ETH total LM gain). Floor calculation handles reduced supply gracefully."
},
{
"strategy": "Floor Ratchet Extraction — initial phase only (buy → recenter_multi → sell through floor)",
"pattern": "buy → recenter_multi → sell",
"result": "INCREASED",
"delta_bps": 1179,
"insight": "Tests the initial phase of the known floor ratchet vector (#630). 800 ETH buy crashes price ~4000 ticks; only 1 of 10 recenters succeeds (TWAP oracle blocks the rest). Sell through floor fully absorbed. Net: LM gains ~118 ETH. IMPORTANT: this does NOT test the full 2000-trade oscillation variant that produced profitable outcomes (9/34 runs, up to +178 ETH extracted). That variant gradually drifts TWAP to bypass oracle protections. A dedicated full-sequence run is tracked as follow-up (#1082)."
}
]
}
Reference in a new issue View git blame Copy permalink