An NFT Whale Tried To Teach A Bot A Lesson But Ended Up Losing 100 ETH Instead
Ah, automated trading bots. The bane of human traders — capitalising on the mistakes that humans make.
This is not novel — the TradFi industry has used trading bots ever since they could use computers cost-effectively. You just need to pull up Michael Lewis’ “Flash Boys” for a sneak preview into how the bots get one step ahead of human traders.
One NFT whale going by the moniker “Franklin” had enough of the bots, and hatched a plan to teach them a lesson. However… He learnt the lesson instead as he lost 100 ETH to the bot.
How did that happen? Well, before we go into it, let’s recap some context about what kind of bots Franklin was targeting.
LowBall Bots — the scourge of NFT marketplaces
Lowballing is not new. Any marketplace will have lowballs, from the F2F flea markets to online marketplaces like eBay. Heck, the local equivalent (Carousell) has so many lowballers that regular users have coined the term “Carouhell” to describe the frustration in dealing with them.
So why do you need a bot to lowball, and what are they after?
Well, on NFT marketplaces like OpenSea, anyone can place a bid for an NFT. So, you get opportunistic flippers who hope to prey on carelessness by offering low bids, or bids in a different cryptocurrency, for NFTs, in the hope that the owner accidentally accepts the offer and the lowballer is able to flip the NFT for a quick profit.
“How can people be so careless?” you may ask.
Well, it is not a new phenomenon. People have listed NFTs for a fraction of the price (0.75 ETH instead of 75 ETH) that were quickly sniped by such bots, as well as selling NFTs for 115 DAI instead of 115 ETH (for the uninitiated, DAI is pegged to USD so 115 DAI is US$115, whereas 115 ETH would be closer to US$172,500 at time of writing).
Of course, there are other theories that the lowball offers were actually means of tax evasion or other ways to write-off the value of the NFTs, but that doesn’t change the reality that such bots exist and continue to plague users.
In fact, OpenSea launched an update to specifically target these bots, by allowing users to set a minimum bid in their settings. But, for those who do not opt into that, the lowball bots are free to make bids in the hope that you accept them by mistake.
Franklin’s Grand Scheme
So, what was Franklin’s great idea to teach these bots a lesson?
Well, since these bots act on coding logic, his plan was to register a nonsense domain name (stop-doing-fake-bids-its-honestly-lame-my-guy.eth) and use another account to put a bid of 100 WETH (Wrapped ETH, basically a lower cost way to move ETH around these marketplaces) and wait for all the automated bots to announce it. Once the automated bots announce that there is a 100 WETH bid on this from a seemingly third party, the hope is that some lowball bot will put in a bid that is a fraction of 100 WETH, and Franklin can accept that bid and cancel his 100 WETH bid (since he controls both accounts).
Well, the plan worked — to an extent.
The automated Twitter bots did their job.
And… He DID receive a bid of 1.9 ETH from a bot - which he promptly accepted. But, he forgot one key aspect of the plan - he forgot to cancel his own 100 WETH bid from his other wallet.
The bot ended up having the last laugh by selling the NFT for 100 WETH back to Franklin’s other wallet. Franklin, now out 100 WETH, and out of desperation (or stupidity perhaps), sent back the 1.9 ETH he "earned" to the owner of the bot account, in hopes that the bot owner would reverse the transaction (you can imagine how that turned out).
Franklin sent the bot owner an NFT (and 1.9 ETH) to try to get his money back.
The bot owner predictably kept everything.
There are smart contracts, but there are stupid people.
While Franklin really learnt his lesson here, this whole transaction was also quite sloppily executed, particularly by the bot. As it turns out, there were 12 minutes (and 62 blocks) between the acceptance of the 1.9 ETH offer and the sale to the 100 WETH offer (since this is on the blockchain, I have linked the actual transactions on Etherscan). If Franklin had managed to act fast enough to cancel the listing, the bot wouldn't have been able to sell it back to him. That seems like a glaring error on the bot's part.
Let's analyse both aspects of this transaction (Franklin’s and the bot’s) because both aspects contain some potential legal issues and process improvements that we can discuss.
Let’s start with Franklin’s scheme.
Analysing Franklin’s Scheme
First of all, I must make clear that I will be focusing on Singapore laws, and since I am not a lawyer, you should still seek professional legal advice for any transaction that you want to do. This would just highlight the key areas to consider.
For Franklin’s case, it was an interesting transaction that operates in a legal grey area. For the US/Europe context, you can read “Flash Crash” by Liam Vaughan which details what exact laws are in context here, but for my purposes, there is a similar provision in the Securities and Futures Act (SFA) that prohibits making false bids to create the impression of volume if there is actually no volume for the underlying security (this can be potentially caught under so many prohibitions — SFA Sections 197 to 200, for instance).
However, because this is an ENS (Ethereum Name Service) domain and not a security, it technically does not fall into scope. This is similar to how the ‘insider trading’ and ‘market manipulation’ laws do not technically apply to cryptocurrencies, since they are regulated under a different law (the Payment Services Act and not the SFA). Still, the concept that Franklin was trying (i.e. creating fake orders which he has no intention of fulfilling) would definitely be illegal if he tried it with listed securities.
Additionally, there is the fact that he did actually transact — he did pay 100 WETH from the wallet for the domain name. So, if I use the legal definitions, there is no criminal offence because a criminal offence requires BOTH the intention (mens rea) and the action (actus reus) to be present. In this case, the intention was very clear (Franklin kinda outed himself via his tweets) but because there was no criminal action, it would be hard for a court of law to prove that a crime has been committed.
On the other hand, if he had managed to cancel his 100 WETH offer before accepting the 1.9 ETH offer, then it would be a lot easier to pin the crime on him IF someone could tie the transaction back to any securities laws or any other broader fraud laws (for e.g., under the Penal Code) that he flouted.
To note, the US is actively trying to do that now. The AG has prosecuted an OpenSea employee for insider trading (but the laws they used actually relate to money laundering and wire fraud), and they are also targeting a Coinbase employee for insider trading (but as this link describes, Coinbase is making the exact same argument above, that none of the tokens they list are considered securities). Coinbase’s argument holds more merit against the backdrop of the proposed crypto law that is trying to designate BTC as a commodity, and not a security… But that is another debate for another time.
In short, what Franklin was doing is operating within a legal grey area, and since MAS is intending to issue more regulations surrounding cryptocurrencies (albeit this is an NFT and ENS), this grey area may get clarified soon.
Analysing The Bot’s Playbook
Next, we take a look at what the bot is trying to do.
Given the massive time lag from a coding perspective, it seems like the bot was just a simple “lowball offer” bot, and there was no intention to try to immediately sell the NFT if the offer was accepted. If the intention of the bot was indeed to sell it immediately to pocket an arbitrage profit, then the coding was sloppy because a 12-minute lag between the transactions is a huge risk that shouldn’t even be present.
Additionally, the question remains that if Franklin had managed to cancel his 100 WETH bid, would the bot also automatically cancel the 1.9 ETH bid? Ideally, that should happen since this is a piece of code so the coder could have programmed it in a way to constantly check the highest bid, and then tweak the bid accordingly.
Conceptually, let’s just imagine that I could code a bot to make lowball offers. The big risks to me are:
- If my offer becomes the highest offer; and
- I am unable to flip the NFT to the highest offer.
So, the way the code should work is that my offer has to be a percentage of the highest offer that is not my offer. For instance, I could set the bot to always check that my offer is x% of the highest offer. This way, if the highest offer gets removed or reduced, the bot will cancel and re-bid with a lower offer. If the highest offer is removed entirely in this case, then the highest offer which is not mine would be 0, so my offer should then be cancelled automatically.
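The pegging rule described above can be written as a pure decision function over an in-memory offer book. This is an added example, not code from the article or from any marketplace: `Offer`, `reference_bid`, `decide` and the `wallet_b` / `bot` labels are hypothetical names, and the 1.9% ratio is constructed from the article's 1.9 and 100 figures.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Offer:  # hypothetical model of one bid, not a marketplace type
    bidder: str
    amount: Decimal      # denominated in WETH
    active: bool = True  # False once the bidder has cancelled


def reference_bid(book, me):
    """Highest active offer placed by someone else; 0 when there is none."""
    return max((o.amount for o in book if o.active and o.bidder != me),
               default=Decimal("0"))


def decide(book, me, ratio):
    """Return (action, amount) for our offer under the x%-of-reference rule."""
    target = reference_bid(book, me) * ratio
    mine = next((o.amount for o in book if o.active and o.bidder == me), None)
    if target == 0:
        # Nobody else is bidding: our offer would be the highest, with no exit.
        return ("cancel", Decimal("0")) if mine is not None else ("wait", Decimal("0"))
    if mine is None:
        return ("bid", target)
    if mine != target:
        return ("rebid", target)  # reference moved: cancel and re-price
    return ("hold", mine)


# Constructed offer books using the figures from this article.
ME, RATIO = "bot", Decimal("0.019")  # 1.9 is 1.9% of 100
HIGH = Offer("wallet_b", Decimal("100"))
OURS = Offer("bot", Decimal("1.9"))

SCENARIOS = {
    "fresh book":        [HIGH],
    "pegged":            [HIGH, OURS],
    "reference reduced": [Offer("wallet_b", Decimal("50")), OURS],
    "reference pulled":  [Offer("wallet_b", Decimal("100"), active=False), OURS],
}

if __name__ == "__main__":
    for name, book in SCENARIOS.items():
        print(f"{name:18} -> {decide(book, ME, RATIO)}")
```

The "reference pulled" case is the one that matters for this incident: once the only other bid is cancelled, the rule withdraws the low offer instead of leaving it as the top bid.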
Next, the ideal flipping strategy would be to immediately accept the highest offer once the first transaction goes through. Again, since this is a bot, it should be able to automate this to reduce the time lag. In this ideal scenario, the acceptance of the highest offer should happen immediately within the next block, and the gas fee should be significant enough for the miners to prioritise the transaction.
While there is still a risk that the person who offered the highest bid can cancel the bid after the seller accepts the bot’s lowball bid, if the code works as intended, the bot’s reaction time should still be quicker than a human manually cancelling his bid. Additionally, cancelling the bid would still need some processing time, especially if it is recorded on-chain. This explains why it would be necessary for the bot to pay a significantly higher gas fee — so that the bot’s acceptance of the high bid can outrank any other transaction in the queue, if such acceptance is recorded on-chain.
But, all this is rudimentary…
While this was an eye-popping headline and colossal fail, this type of “trading” is very rudimentary. Both the financial industry and the crypto heavyweights operate way more sophisticated bots than this, particularly to arbitrage the Automated Market Makers in DeFi and arbitrage the prices between different exchanges…
So let this be a lesson and a warning — unless you are willing to dedicate massive amounts of resources and logic to the endeavour… It is better to leave the botting to the botters and recognise that humans can’t beat bots at speed (and sometimes in logic). You have to beat the bots in another way.
Let this Twitter thread be a reminder to never be careless in the crypto space!