Trickster @TricksterLabs

Mempool Wars & Drainers

I. INTRO

While lurking around the @BitcoinFrogs discord there was a distress call from @gamergamer123g:

"
[2:50 AM] i do not have the time to explain rn
[2:50 AM] I NEED HELP
[2:51 AM] PLEASEEEEEEE
[2:51 AM] HOW TO FRONTRUN
"

So we offered our assistance to see what could be salvaged.

II. GATHERING DATA

First we needed to determine the following:
- Drained wallet address / derivation / mnemonic
- Most important assets (and the current UTXO location of each)
- UTXO to be used for fees
- Safe wallet address

Since this is very time-sensitive and the double-spend transactions need to be written manually, we only focused on the important ones (in no particular order):
- c1b4742c03ffa0aec4c423eae72f2d90e42df1361e3e714c613589471e735b6bi0 (Bitcoin Boos)
- 8c89917a80bb3fe9f77191373b643c8c9b761a1fb0b3f45de63ea9c2844a0f29i0 (Bitcoin Boos)
- 1e101bd2075e7bc62c81f27ea72ce94218c09488d20dc3424bbc257343fec0fdi0 (Bitcoin Frogs)
- 6c795a38551123b443fe1c0d7dc418b9eeef7ec72ce6cbb9caa9c7c1267b82aai0 (Bitmap Grail)

III. CONSTRUCTING THE DOUBLE SPEND

Using our custom script we added the required data:
- Mnemonic
- Inputs (fee UTXO last)
- Outputs (making sure the padding is respected)
- Some other misc data

IV. MEMPOOL BATTLE

- First TX was broadcast: https://mempool.space/tx/cddf35d83de5041bcd7b2f923e06def81fa61c12f136fcfef63ce19207ea72c5
After waiting a couple of blocks it got rejected, which from our experience was pretty unlucky. This is treated as a double spend because it is an RBF replacement of a non-RBF transaction with a later timestamp. Nodes that have the RBF flag enabled won't relay it further, and the nodes feeding the miners that won the puzzle never got to see it. No important assets were lost here.
- Second TX was broadcast: bf04dd87d90bf1d2415ac62b3eed4bbc15d379e3ca14a227cb7c52023b691f1f
This contained the same 4 assets and a spending UTXO for the fees. After some waiting, the BITGRAIL asset was lost due to the same "issue".
- Third TX was broadcast: https://mempool.space/tx/3ff307655c82c1a0572584a760b17346087a3521e68bfa8ae228dffcc4226459
Victory!!! The third TX went through and we recovered the 3 assets that were left.

V. DO MORE

We saw the drainer was listing everything at floor prices and did not know the value of what he was selling. Our bot wasn't ready as we were actively modifying some stuff on it; once he listed and a buyer was found we attempted to intercept/front-run the mempool transaction: https://mempool.space/tx/8cd792db48bfaee92838e9983fbf1f261d840c82338c1d4006cdb97b96ce7f55
Unfortunately it didn't go through.

VI. SAFETY

The victim, who was inexperienced, was trying to separate some pipe assets from ordinal ones (or something similar) and found a malicious piece of software that does it but requires the keys. This is an attack vector and many more will follow as the space gets bigger and the incentives are higher. Ordinals is a pretty tough space for newcomers right now and things are different than on other chains; while this is exciting it is also dangerous and it is all of our duty to educate each other.

P.S.: How awesome is this RBF history in the image?

If you ever need emergency help please tag @Aervue on our discord.

Special thanks to @gm7t2 & @const_quary who chimed in and all the communities that hopped in immediately to provide assistance in any way they could.

9:11 PM · Nov 30, 2023
https://twitter.com/TricksterLabs/status/1730454506045866328
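The rejections in section IV come down to relay policy: a node with default opt-in RBF only accepts a replacement when the transaction being replaced has at least one input whose nSequence is below 0xfffffffe (BIP125), so it pays to check the pending transaction's inputs before relying on a higher-fee replacement. The checker below is an added example, not Trickster Labs' script; it parses a raw transaction (legacy or segwit serialisation) and reports whether it signals replaceability, using constructed placeholder transactions rather than the ones in the thread.

```python
from typing import List, Tuple

# BIP125: a transaction signals replaceability if any input's nSequence is strictly below 0xfffffffe.
BIP125_SIGNAL_THRESHOLD = 0xFFFFFFFE


def _read_varint(raw: bytes, pos: int) -> Tuple[int, int]:
    """Decode a CompactSize integer at pos and return (value, next_pos)."""
    first = raw[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(raw[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def input_sequences(raw_hex: str) -> List[int]:
    """Return the nSequence of every input (legacy or segwit serialisation)."""
    raw = bytes.fromhex(raw_hex)
    pos = 4  # skip the 4-byte nVersion
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:  # segwit marker + flag
        pos += 2
    n_in, pos = _read_varint(raw, pos)
    seqs = []
    for _ in range(n_in):
        pos += 32 + 4  # previous txid + output index
        script_len, pos = _read_varint(raw, pos)
        pos += script_len  # scriptSig bytes
        seqs.append(int.from_bytes(raw[pos:pos + 4], "little"))
        pos += 4
    return seqs  # outputs, witness data and locktime are not needed for this check


def signals_rbf(raw_hex: str) -> bool:
    """True if the transaction explicitly opts in to replacement under BIP125."""
    return any(seq < BIP125_SIGNAL_THRESHOLD for seq in input_sequences(raw_hex))


# Constructed, unsigned sample transactions (placeholders, not the thread's txs):
# one input spending outpoint aa..aa:0 with an empty scriptSig, one 546-sat
# P2WPKH output to a placeholder hash, locktime 0.
_IN = "01" + "aa" * 32 + "00000000" + "00"                    # vin count + outpoint + scriptSig
_OUT = "01" + "2202000000000000" + "16" + "0014" + "bb" * 20  # vout count + value + script
FINAL_TX = "02000000" + _IN + "ffffffff" + _OUT + "00000000"   # nSequence 0xffffffff
RBF_TX = "02000000" + _IN + "fdffffff" + _OUT + "00000000"     # nSequence 0xfffffffd
SEGWIT_RBF_TX = "02000000" + "0001" + _IN + "fdffffff" + _OUT + "00" + "00000000"

if __name__ == "__main__":
    for name, tx in [("FINAL_TX", FINAL_TX), ("RBF_TX", RBF_TX), ("SEGWIT_RBF_TX", SEGWIT_RBF_TX)]:
        print(f"{name}: sequences={[hex(s) for s in input_sequences(tx)]} signals_rbf={signals_rbf(tx)}")
```

Nodes run with full-RBF relay policy accept replacements regardless of this signal, so a negative result here only tells you what default-policy nodes will do.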