1/17
A thread about testing in production: Contract Dark Forests?
The topic of testing in prod has been given new meaning with #Ethereum and #DeFi recently, which brings up a couple of threads I would like to explore, this being the first, asking:
When are we not testing in prod?
2/17 The past 3 months saw a wave of #DeFi hype explode and now gradually (sometimes swiftly) decline. The rules of these games rapidly pointed to "aping" into contracts early to stake and take advantage of large yields, then selling once others started buying in to do the same thing.
3/17 This subsequently pumped the price of the underlying, and you can see this over and over again in the charts of projects that had yield pools where the project token was paired with something else in a $UNI liquidity pool.
4/17 The returns and hype clearly had an impact on farmers' risk tolerance, seemingly mindlessly investing into a project regardless of whether it had been audited.
This happened and is still happening many times over.
5/17 This type of behavior disproportionately benefits "bad actors" and inhibits "good actors" who are looking to deploy only contracts tested on a testnet and vetted by auditors (if you aren't cheating then you aren't trying).
6/17 Additionally, another line of "attack" was opened up that I don't believe we have seen before. The most visible being how the $CRV (@CurveProtocol) contracts were deployed: https://twitter.com/0xc4ad/status/1293977012550467584
7/17 This was such an odd string of events that the @CurveProtocol team accepted these contracts as the official ones. All while the deployer of the contract (using a large amount of $ETH to deploy) basked in the rewards of early $CRV yields, cashing in on built-up hype.
8/17 These contracts were available on Curve Finance's GitHub page and someone capitalized on an open opportunity by deploying the code themselves to capture high yields.
9/17 A more recent example is the king of testing in prod @AndreCronje working on an NFT game using an address previously used to deploy contracts for @iearnfinance; unsurprisingly the #DeFi and CT community jumped on the potential to get in early on a new project from their King.
10/17 What is known is that the contract was vulnerable to a flash-loan attack on its bonding curve, and all $EMN was drained for $16m; $8m of which was given back to AC, and #halfrekt was born. The details beyond this are hazy to this author and aren't important for this thread.
11/17 The above two examples have set some precedent around how farmers, communities, and different actors interact with smart contracts, but I believe it introduces another issue: the rise of a contract #DarkForest.
12/17 If we assume everyone is testing on Ropsten or some other public testnet, a well-intentioned developer would deploy their new contract(s) for testing and then build features around it, whether that be another smart contract or a UI or something else.
13/17 A different developer has written a bot that looks for new smart contracts and checks for unique attributes about each contract:
(1) previous contract deployer addresses
(2) calls of other smart contracts to chain them together and build a tree
14/17
(3) score code for likelihood of being a specific developer or project
(4) specific utility type
With this code deployed on a public testnet, this bot could copy the smart contract, deploy it on mainnet, and take advantage of situations similar to $CRV and $EMN.
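To make the four signals above concrete, here is an added example of what such a scanner bot could look like. It is not the thread author's bot or any real project's code: it fingerprints a batch of contract-creation transactions by deployer address, by the other contracts the bytecode hard-codes (to build the call tree), and by how closely its function-selector set matches a known project's fingerprint. All addresses, selectors, bytecode and the scoring weights are constructed assumptions, and the "hypothetical-farm" project does not exist.

```python
"""Toy "contract dark forest" scanner (added example, not the author's bot).

Fingerprints contract-creation txs on a public testnet by (1) deployer
address, (2) hard-coded addresses of contracts the code calls, (3) similarity
of its selector set to a known project. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PUSH1, PUSH4, PUSH20, PUSH32 = 0x60, 0x63, 0x73, 0x7F


def disassemble(code: bytes) -> List[Tuple[int, bytes]]:
    """Linear-sweep EVM disassembly. PUSH immediates are consumed as data,
    so a 0x63 byte inside a constant is never mistaken for a PUSH4 opcode."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        i += 1
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            out.append((op, code[i:i + n]))
            i += n
        else:
            out.append((op, b""))
    return out


def function_selectors(code: bytes) -> Set[str]:
    """Heuristic: a Solidity dispatcher compares calldata to PUSH4 constants."""
    return {"0x" + d.hex() for op, d in disassemble(code) if op == PUSH4 and len(d) == 4}


def hardcoded_addresses(code: bytes) -> Set[str]:
    """Heuristic: PUSH20 immediates are usually addresses of contracts called."""
    return {"0x" + d.hex() for op, d in disassemble(code) if op == PUSH20 and len(d) == 20}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


@dataclass
class Deployment:          # one contract-creation tx observed on the testnet
    deployer: str
    address: str
    code: bytes


@dataclass
class ProjectFingerprint:  # what the bot already knows about a target project
    name: str
    deployers: Set[str]
    selectors: Set[str]
    contracts: Set[str]


def score(dep: Deployment, fp: ProjectFingerprint) -> Dict[str, float]:
    """Combine the three signals; the 0.5/0.3/0.2 weights are an assumption."""
    s_deployer = 1.0 if dep.deployer.lower() in fp.deployers else 0.0
    s_selectors = jaccard(function_selectors(dep.code), fp.selectors)
    s_calls = 1.0 if hardcoded_addresses(dep.code) & fp.contracts else 0.0
    return {"deployer": s_deployer, "selectors": s_selectors, "calls": s_calls,
            "total": 0.5 * s_deployer + 0.3 * s_selectors + 0.2 * s_calls}


def call_tree(deps: List[Deployment]) -> Dict[str, Set[str]]:
    """Edges from each new contract to other contracts in the batch it hard-codes."""
    batch = {d.address.lower() for d in deps}
    return {d.address: {a for a in hardcoded_addresses(d.code) if a in batch} for d in deps}


def scan(deps: List[Deployment], fp: ProjectFingerprint) -> List[Tuple[str, Dict[str, float]]]:
    """Rank deployments by likelihood of belonging to the target project."""
    return sorted(((d.address, score(d, fp)) for d in deps),
                  key=lambda r: r[1]["total"], reverse=True)


def toy_bytecode(selectors: List[str], targets: List[str]) -> bytes:
    """Constructed dispatcher-shaped stub (not compiler output): PUSH1 0
    CALLDATALOAD PUSH1 0xe0 SHR; DUP1 PUSH4 sel EQ PUSH2 0 JUMPI per selector;
    PUSH20 addr GAS CALL per target; then a PUSH32 decoy of 0x63 bytes that a
    naive byte-grep would misread as selectors, followed by STOP."""
    code = bytearray(b"\x60\x00\x35\x60\xe0\x1c")
    for sel in selectors:
        code += b"\x80\x63" + bytes.fromhex(sel[2:]) + b"\x14\x61\x00\x00\x57"
    for addr in targets:
        code += b"\x73" + bytes.fromhex(addr[2:]) + b"\x5a\xf1"
    code += b"\x7f" + b"\x63" * 32 + b"\x00"
    return bytes(code)


# --- Constructed sample data (hypothetical addresses and project) ----------
KNOWN_DEPLOYER, OTHER_DEPLOYER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN, ADDR_A, ADDR_B, ADDR_C = ("0x" + h * 20 for h in ("cc", "11", "22", "33"))
STAKE, WITHDRAW, GET_REWARD = "0xa694fc3a", "0x2e1a7d4d", "0x3d18b912"
TRANSFER, BALANCE_OF, APPROVE = "0xa9059cbb", "0x70a08231", "0x095ea7b3"

FINGERPRINT = ProjectFingerprint("hypothetical-farm", {KNOWN_DEPLOYER},
                                 {STAKE, WITHDRAW, GET_REWARD}, {TOKEN})
SAMPLE = [
    Deployment(KNOWN_DEPLOYER, ADDR_A, toy_bytecode([STAKE, WITHDRAW, GET_REWARD], [TOKEN])),
    Deployment(OTHER_DEPLOYER, ADDR_B, toy_bytecode([TRANSFER, BALANCE_OF, APPROVE], [])),
    Deployment(OTHER_DEPLOYER, ADDR_C, toy_bytecode([STAKE, WITHDRAW], [ADDR_A])),
]

if __name__ == "__main__":
    for addr, s in scan(SAMPLE, FINGERPRINT):
        print(addr, s, "calls:", sorted(call_tree(SAMPLE)[addr]))
```

Two design points worth noting. First, the bot extracts selectors and addresses from a real disassembly rather than grepping bytes, because PUSH immediates routinely contain 0x63 or 0x73 and a grep would flood the scan with false positives. Second, the deployer-address signal carries the most weight on purpose: it is exactly the signal that let the community identify the $EMN contracts as Andre's, and a developer who reuses a known deployer key on a public testnet hands that signal to anyone watching.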
15/17 This is effectively front-running smart contract deployments, knowing others are just looking to get in early.
16/17 This leads me to the question of this thread: if this type of dark forest (#DarkForest) is possible, are developers ever able to test in dev, or will they have to handle everything like it's a production deployment?
17/17 This can be mitigated on a private testnet or by testing locally, but these are generally not an effective way of mimicking what will happen on mainnet, and that is the topic of another thread.