The document discusses maximally efficient market extraction (MEV) on Ethereum. It notes that while extracted MEV is increasing, there remains a gap between what is extracted and theoretical maximum MEV. Formal verification frameworks could help quantify theoretical MEV limits, but their use has been limited and off-chain activity makes MEV harder to reason about. Bots are increasingly sophisticated at finding arbitrage opportunities but still have room for improvement in detecting vulnerabilities. The overall darkness of the forest, or how close we are to maximal MEV extraction, remains unknown given these challenges.

1. How dark is the forest?
Robert Miller
Encode x Wintermute

2. Flashbots
Treasure map
- How dark is the forest
- Evolution of arbitrage as a case study
- Anecdotes from whitehat rescues
- Clockwork Finance
- The unknown depths of the forest

3. Flashbots
How dark is the dark forest
That Ethereum is a “dark forest” is well
established now.
How dark is the forest really?
How close are we to the absolute limit of
maximally efficient MEV extraction?

4. Flashbots
How dark is the forest? MEV in 2021 estimates

5. Flashbots
Extracted MEV
Theoretical MEV
Note: Circles are not to scale.
MEV by the
numbers: ETH
L1
How dark is the forest? MEV in 2021 estimates

6. Flashbots
Extracted MEV
Theoretical MEV
How dark is the forest?
● How large is this gap?
● Where is extracted MEV reaching its
limits?
● Where is the circle of extracted MEV
expanding today?
● What frontiers should be explored?
Disclaimer: this presentation is my shower
thoughts!
MEV by the
numbers: ETH
L1
MEV by the
numbers: ETH
L1
Note: Circles are not to scale.

7. Flashbots
On arbitrage

8. Flashbots
On arbitrage: backrunning

9. Flashbots
On arbitrage: “generalized” backrunning
Swap on an
aggregator
(0x)
Subtrade to
Uniswap v2 gets
backrun
9

10. Flashbots
On arbitrage: pushing the limits

11. Flashbots
On arbitrage: non-ETH denominated

12. Flashbots
On arbitrage: summary
- If a transaction creates an arb then that arb will be captured in the next
transaction, not the next block
- Bots simulate all transactions in the mempool to look for arbs instead of only
looking for transactions which go directly to DEXes
- Over time searchers grew increasingly sophisticated in their extraction,
finding super long arbs
- Searchers are capturing non-ETH denominated arbs as well
It seems reasonable to assume that we’re approaching the limits of “theoretical”
arb extraction; the same applies for sandwiches and liquidations.

13. Flashbots
Pushing the limit of extracted: leveraged sandwiches
- Unique strategy lets a searcher lever
their $500k into ~$150m, which is
enough to sandwich Curve stablecoin
trades
- Complex strategy using 4 protocols
composed together
- Theoretically possible in a less
complicated way, but you’d need super
wealthy participants
- Novelty is the way that they access
capital, which makes converts some
MEV which is only “theoretical” to actual
extracted MEV.

14. Flashbots
Dark forest encounters from whitehat rescues
- I occasionally help with whitehat rescues of funds
- A friend tipped me off to an NFT that was mid-mint with a function like this
- I got in contact with the team, warned them their funds were at risk
- They ignored me ¯_(ツ)_/¯
- Funds got stolen after ~12 hours, which is surprising because a simple, single
transaction could have taken the funds

15. Flashbots
Dark forest encounters from whitehat rescues (2)
- A whitehat friend tipped me off to a
contract with a complex, multi-transaction
vulnerability
- The contract had ETH in it but only the
deployer had interacted with it
- I got in contact with the deployer and
disclosed the vulnerability. They
acknowledged and said they’d deal with it.
- They did not and later the funds were
stolen.

16. Flashbots
Dark forest encounters from whitehat rescues (3)
- You know the deal by now, tl;dr: vulnerable contract, but this time with USDC
at stake
- And … the funds were successfully recovered a few hours after they were at
risk!
- That seems to indicate that there are fewer or less sophisticated (or perhaps
no?) bots scanning for vulnerabilities that would get them ERC20 tokens

17. Flashbots
My takeaways from whitehat rescue encounters
- There are bots scanning for vulnerable contracts on Ethereum
- Some of these have an ability to reason about multi-transaction
vulnerabilities. It is likely that they use symbolic execution.
- Nonetheless, there is an odd gap between when money becomes at risk and
when it is taken. My guess is that exploits have to manually be actioned.
- There seems to be some limited scope. In particular, bots don’t seem to be
looking for ERC20 tokens or just aren’t good at that.

18. Flashbots
Exploits in practice
- A good amount of exploits on the left are bridge hacks, but
several are standard vulnerabilities or economic attacks
- Given the experience of the industry the gap between
theoretical and extracted MEV from these exploits seems
large? But it’s really quite hard to say.
- How can we better identify, quantify and prevent these
exploits?

19. Flashbots
Clockwork Finance
A general purpose, formal verification framework for reasoning
about the economic security of composed DeFi smart contracts
● Formal verification - study of computer programs through
mathematical models in well-defined logics. Can provably
reason mathematically about a program’s execution.
● Economic security - discover new economic attacks, rule out
classes of attack, or provide upper bounds on the exploitable
value of DeFi contracts
● Composed - can model how any smart contracts interact
together

20. Flashbots
CFF & MEV
- We can use CFF to formally reason about the maximum extractable value for
a given contract, set of contracts, as well as integrating txs in the mempool.
- “Without any explicitly programmed attack strategies CFF uncovers on
average an expected $56m of EV per month in the recent past”
- With limited coverage (Uniswap v2/MakerDAO) CFF uncovered ~$700m in annualized MEV
- Investigation needed: what is the delta between this number and my estimate before?
- CFF can also, theoretically, identify MEV from exploits like flashloan attacks!
- CFF lets us calculate the theoretical upperbound of MEV!

21. Flashbots
CFF & oracle manipulation

22. Flashbots
The unknown: cross-domain MEV
● There exists value that can be
extracted between two domains in
addition to value that only exists on
one domain
● How large is this? Hard to say.
● Counting CEX <> DEX arb then
probably larger than any MEV we
can quantify today.

23. Flashbots
The unknown: off-chain liquidity
- An increasing amount of liquidity or execution is off-chain (e.g. RFQs, 1inch
market making, just-in-time liquidity, Cowswap)
- When everything is on-chain it’s relatively straightforward to reason about
MEV but as things shift off-chain it becomes much more difficult to do so
- The same is true of cross-domain MEV as well
- As more activity shifts off-chain, even if settled on-chain, or multi-domain it is
becoming harder to reason about theoretical or extracted MEV
- In theory we could quantify the theoretical upper limit of MEV on Ethereum
using CFF given most activity is still on-chain and on 1 domain. But that might
be changing.

24. Flashbots
Summary
- Arbs, liquidations, and sandwiches likely are approaching theoretical limits
- Bots are scanning for vulnerable contracts, but are not sophisticated or
efficient (yet)
- Frameworks like Clockwork Finance are promising in that they can be used to
formally prove theoretical MEV upper bounds (inclusive of economic attacks)
but their application has been limited to date
- Cross-domain MEV & off-chain liquidity undermine Clockwork Finance
- How much cross-domain MEV there is in theory or practice is unknown
Thanks for listening :)
@bertcmiller on Twitter