Introduction
We are entering an era of L2s achieving great adoption and as the first integrator of systems like Hop, Connext and other liquidity networks for SocketLL we take it upon ourselves to bubble up the risks in the cross-L2 world and start discussions to solve upcoming problems.
As we move forward in the cross-chain world it’s my and my team at Socket’s strong belief that systems must be designed such that they minimize the bad Relayer Extractable Value(REV) as much as possible. This topic of REV has been talked about before in a theoretical manner, but it’s time to look at this much more closely.
Current challenges
We appreciate the careful approach taken by the team so far by keeping this role permissioned even while suffering liquidity constraints. But its clear for Hop to be competitive this role must be opened to public, hence this discussion.
One of such problems in Hop as we go about opening up the Bonder role to public is the risk of bad REV, below are some simple examples for such venues of value extraction
Sandwiching users
- Alice wants to do a 100ETH transfer from optimism to arbitrum
- Alice swaps 100ETH to 99.5HETH on optimism and then burns it to start the cross-chain transfer
- Assume there are 100 other users in this batch
- Bonder bob notices this and wants to provide fast withdrawal service for Alice
- Assume there is 10M in hETH/ETH liqudity pool on Arbitrum
- Every cross-chain transfer is paired with an HETH/ETH swap for which slippage tolrance is defined while initiating the cross-chain transfer
- Bob could essentially sandwich users by frontrunning till their slippage tolerance permits and then backrunning, making profit on the way up and way down
How a bonder could execute a JIT attack
- Alice wants to do a 100ETH transfer from optimism to arbitrum
- Alice swaps 100ETH to 99.5HETH on optimism and then burns it to start the cross-chain transfer
- Bonder bob notices this and wants to provide fast withdrawal service for Alice
- Assume there is 10M in hETH/ETH liqudity pool on Arbitrum
- Bob deposits a big amount of hETH and ETH and deposits into the hETH/ETH pool, note that Bob doesnt have to own this liquidity, flashloans can also be used. Bob now becomes a major LP
- In the same transaction Bob also bonds for Alice’s transaction and mints HETH which is swapped from hETH/ETH
- This incurs a fee of 0.04% to LPs of the hETH/ETH of which now Bob is the major holder
- Post the swap Bob dissolves the LP position, makes risk free money of the cross-chain transfer
This is not ideal for the protocol because of the following reasons:
- Actual LPs didn’t make any fees on the cross-chain transfer
- Bob and other bonders could keep doing this and LPs would start withdrawing capital leading to low liquidity for hETH/ETH pair which is very essential for the protocol to function
These attacks are not theoretical and have been observed to happen with uniswap as well here
Conclusion
The above examples illustrate a glimse into the world of cross-domain MEV, bonders/routers/bridge-validators are in a priviledged role just like how miners are in an L1, the difference being they are building a cross-chain block instead of a single chain block.
We urge the community to initiate discussion on this topic as we start increasing the number of bonders.