According to SECBIT, after purchasing a key, the attacker would then actively stuff subsequent blocks with a small number of abnormally high fee transactions (directed to a smart contract created by the attacker on Aug 18th) that would ultimately fail after using up the block gas limit, to ensure no one else could purchase a key after him/her. But the attacker didn't do that indiscriminately: according to Team Just, the winner literally tricked the bots into submitting low fee transactions by controlling the weighted average gas price across the block, after figuring out the bots were trained to act based on 'fast' and 'standard' gas prices. Until the Fomo3D timer ran out. A modern day genius.
Some more numbers.
By the looks of it, 66 blocks were mined between the one that packed the winning key transaction and the one that packed the transaction that ultimately drained the jackpot, spanning approximately 16 minutes.
It's unclear how much the attacker spent on fees for stuffing blocks in the lead-up to winning the jackpot. I counted just shy of 20 ETH in fees only for transactions sent to the smart contract during those 16 minutes (plus 40-50 ETH spent in the prior week in 'penetration testing' according to Team Just), but it's also possible that the attacker made multiple attempts before that with other addresses and contracts that cannot be connected to the ultimate winning one. The leaderboard shows that the winning address itself 'only' purchased 143 keys for just shy of 0.8 ETH in total.
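The stuffing pattern described above (a small number of transactions to one contract that fail after consuming nearly the whole block gas limit, repeated over consecutive blocks) can be flagged from block data. The sketch below is an added example, not code from SECBIT, Team Just or this post; the record layout, addresses, gas figures and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions, not values from the SECBIT or Team Just analyses.
MIN_GAS_SHARE = 0.8  # share of block gas limit burned by failed txs to one address
MAX_TX_COUNT = 5     # "a small number" of transactions
MIN_RUN = 3          # consecutive stuffed blocks needed to report a run

def stuffed_by(block):
    """Return the address whose failed transactions filled this block, else None."""
    gas, count = defaultdict(int), defaultdict(int)
    for tx in block["txs"]:
        if not tx["ok"]:
            gas[tx["to"]] += tx["gas_used"]
            count[tx["to"]] += 1
    for addr, used in gas.items():
        if used >= MIN_GAS_SHARE * block["gas_limit"] and count[addr] <= MAX_TX_COUNT:
            return addr
    return None

def find_stuffing_runs(blocks):
    """Return (address, first_block, last_block) for runs of >= MIN_RUN stuffed blocks."""
    runs, current, start, prev = [], None, None, None
    for block in sorted(blocks, key=lambda b: b["number"]):
        addr, num = stuffed_by(block), block["number"]
        if not (addr is not None and addr == current and num == prev + 1):
            # The previous run (if any) ends here; report it when long enough.
            if current is not None and prev - start + 1 >= MIN_RUN:
                runs.append((current, start, prev))
            current, start = addr, num
        prev = num
    if current is not None and prev - start + 1 >= MIN_RUN:
        runs.append((current, start, prev))
    return runs

def _block(number, txs, gas_limit=8_000_000):
    return {"number": number, "gas_limit": gas_limit, "txs": txs}

NORMAL = [{"to": "0xUSER", "gas_used": 21_000, "ok": True}]
STUFF = [{"to": "0xSTUFFER", "gas_used": 3_900_000, "ok": False}] * 2 + NORMAL
# Constructed sample: blocks 101-104 are stuffed; 106 holds a lone large failed tx (no run).
SAMPLE = ([_block(100, NORMAL)] + [_block(n, STUFF) for n in range(101, 105)]
          + [_block(105, NORMAL),
             _block(106, [{"to": "0xOTHER", "gas_used": 7_900_000, "ok": False}]),
             _block(107, NORMAL)])

if __name__ == "__main__":
    print(find_stuffing_runs(SAMPLE))
```

Requiring a run of consecutive blocks keeps a single large failed transaction (block 106 in the sample) from raising an alert on its own.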
The attacker smart contract also played an active part in the strategy, calling out to the Fomo3D contract for data like who the last buyer was and how much time was left on the clock. Considering that the contract performed close to 6k transactions, or approximately 1.25 txs/minute from when it was created until the jackpot was drained, it's mind-blowing that a manual player has been responsible for executing this complex and cleverly orchestrated operation. It would not be surprising if this was a team effort.
So. Despite it being a zero-sum, scammy ponzi-like game, we feel like we've learned a whole lot from it and the next iterations or clones of this game will no doubt include improvements and innovative game mechanics, pushing the envelope even further: if there's one overarching takeaway for those designing economic models, it is that if it can be gamed, it will be gamed.
Ultimately, as Nathaniel succinctly summarised, "...gimmicks, hacks and games tend to be the petri dish where interesting innovations are born that would have previously been pre-empted by considerations of propriety or preposterousness." 👌
Interestingly, some are now suggesting that Fomo3D-like game mechanics could be adopted as bootstrapping or retention tools in other networks (e.g. a growing pot to reward the last Augur reporter).
PS: thanks to SECBIT Labs for the awesome analysis, and to Team Just for oiling up our brains for the past few months.
PPS: TokenAnalyst also produced a great analysis reaching similar conclusions to SECBIT.