For proper presentation here’s a copy of the content in the code snippet as well as the edit present in the way it’s meant to be:
======
Thanks for the putting together this report. I am the founder of Orangefin Ventures (DB7DNWMVQASMFxcjkwdr4w4eg3NmfjWTk2rqFMMbrPLA
) which is #1 in your list of validators “exploiting.” While I appreciate you taking the time to put this together, your data is painting a story which is just not reality. I’ll fill in the gaps.
The “exploit”
Before I get into the missing data, I want to actually talk about what the exploit was, which has recently come to light.
Marinade has a concept of an unstakePriority
. This value represents a validators rank in terms of when they would get unstaked. A lower unstakePriority
means a validator is more likely to get unstaked, and a higher unstakePriority
means a validator is less likely to be unstaked.
In a rational world, a validator who is returning less to the stake pool would get unstaked first. What has recently come to light (and I didn’t even know about until 2 weeks ago), is that the logic actually worked the opposite.
The logic for unstakePriority
actually worked in a way where the less a validator paid back to the pool, the less likely they were to be unstaked. This is the exact opposite of the way the pool was intentionally designed. This is covered elegantly by this GitHub issue.
So to summarize, the less a validator bid, the less likely they would to be unstaked. This means that the lowest possible bid of 1 lamport
was the optimal bid to keep stake.
Missing Data Points about myself and potentially other validators in the list
- Firstly, I contributed feedback to SAM’s initial design here. This is to show I was involved in SAM from the beginning, before it was even approved by the DAO as the delegation strategy and long before it was even implemented.
- I received stake in marinade’s first ever SAM auction. When I first initially received stake, it was actually profitable to bid. Bids continued to get higher, but I never lost stake. Instead of thinking about it like validators were exploiting it, it’s best to start from a place that’s more rational. Put yourself in my shoes for a second. You have stake which you bid for honestly (first bullet point proves that). Bids are continuing to rise. Naturally, you would think that you would get unstaked at a point in time. This never happened.
- I ended up keeping the stake I had for something like 6+ months. My bid was never even 1 lamport which is what the people actually knew the exploit were doing. To further back this up, this can be verified with data. I’ll just post a few samples here with round numbers:
- 670,
- 680,
- 690,
- 700,
- 710,
- 720,
- 730.
-I could go on and on however that is 60 epochs worth of data where my bid was never 1 lamport and where I was staked. If I was trying to exploit this, I would have lowered my bid to 1 lamport from the beginning. This clearly shows I was not. I didn’t know why I still had the stake and at times actually lowered my bid thinking I would get unstaked, but that never happened.
- To further the above, your post makes it seem like I didn’t pay anything for the stake, but that is just completely false. Just search for
oRAnGeU5h8h2UkvbfnE5cjXnnAa4rBoaxmS4kbFymSe
in marinade’s #psr-feed channel. You’ll see claims going back to September. Linking one here. - I haven’t even had Marinade stake for nearly 1 month.
What Actually Happened
- I received stake in Marinade’s first ever auction which I won by bidding. To think I knew about this vulnerability from Marinade’s first ever auction is just plain false.
- I kept the stake while adjusting my bid. I was also paying for it which I linked examples to. I probably paid 100-200 SOL worth to the pool in this time frame.
- I’ve shown 60 epochs worth of data (~120 days / 4 months) and could go longer where my bid was above 1 lamport. I didn’t even know about the exploit during this time. If I did, why wouldn’t I have lowered my bid to 1 lamport to keep my unstake priority as high as it possibly could be?
- The reason I am number 1 in this list is because I had stake from Marinade’s auction from the very beginning which I also proved.
- Being fully honest, it was clear to me I was underpaying. I didn’t understand why which is proven by the fact i didn’t even lower my bid to 1 lamport. However, it’s not right to make it out like I was stealing from the pool. I was actively paying for stake, paying less than others, and didn’t even know why. If you bought SOL at a discount, should you pay the seller back who sold it to you?
The bottom line
Marinade’s program functions similarly to a matching engine. On exchanges, flash crashes happen and bad matches happen. When these happen, it’s not the buyers fault, it’s the exchange’s fault which is just a bug. It’s good it was caught so it can be prevented.
I’ve shown here:
- I received stake from Marinade’s first ever auction which is why I am “#1.”
- I wasn’t even trying to actively exploit it (but did think I was underpaying) as I consistently paid for stake and never lowered my bid to 1 lamport while having the stake.
- This is a bug in Marinade’s program.
I do not think it’s right to blame myself or other validators in this. It’s a logic bug which could have happened to anyone. in this case, I am the “top exploiter” simply because I had stake from Marinade’s auction from the beginning.
I think your efforts are great, and I’m glad that this is resolved. But I also ask that you look at all sides of it as it paints a picture that is simply just not true.
EDIT: I wasn’t sure posting as a code snippet would actually work, but it did which is good. Each claim I make, I post verifiable proof on it. I encourage everyone to look at it as it clearly shows I received stake in the first ever Marinade auction, I simply never lost it, I didn’t know about it as I actually bid for the stake in Marinade’s first auction, I actually paid for stake (although less), and I’m simply #1 because I received stake in Marinade’s first auction and had the stake the longest (when I didn’t even know this existed).