Introducing Mamori - the ML-enabled Automated Value Extraction System for Exploits, MEV searching and Intent solving

By Andy M. Lee, July 3, 2024

Mamori's Thesis

The problems we see in the current space are:

  1. Security is the roadblock to crypto mass adoption. The current Web3 space is like Lego blocks, with projects built on top of other projects. If a single foundation breaks, we will see a systemic collapse.
  2. Current security auditing techniques are insufficient. Most of them learn from the past to protect the future, so existing techniques audit innovations using past experience.
  3. We have not sufficiently leveraged knowledge from outside our space.

The solutions of Mamori:

  1. Interdisciplinary knowledge is applicable to Web3. We are applying Web2 methodology to Web3, such as optimization algorithms and current Web2 fuzzing logic. This is similar to how zero-knowledge proofs existed back in the 1980s but are only now widely used in Web3.
  2. We can see value extraction as a tractable optimization problem, and we have designed a whole architecture for execution.

What is the pathfinding process happening behind the scenes?

For an automated smart contract auditing tool:

  1. Upload the smart contract(s) to the system.
  2. An algorithmic parser extracts ‘state-changing’ functions.
  3. Given these functions, we solve a discrete optimization problem for sequence invocation.
  4. Given each sequence, we solve a continuous optimization problem for finding parameters. This is an iterative process in which the parameters at each iteration learn from each other and from the previous iteration to exhaust the space more effectively.
  5. The system exports the sequence with the corresponding parameters that provide value extraction.

How are you sure your solution works?

We proved several things by leveraging swarm intelligence.

  1. The combination of parameters for exploitation is not a single solution. Our algorithm effectively finds new combinations of parameters to extract value.
  2. Each algorithm needs to pre-define initial bounds at the beginning. Our algorithm can search beyond the initial bounds.
  3. Exploits are highly convoluted, and some consist of actions repeated in a for loop. We prove that the discrete search space is reducible, as in a process of dimensionality reduction.
  4. Some exploits involve multi-block transactions and manipulation of the state. We prove that multi-block exploits can be reduced to a single block, since what matters is the smart contract state as an exploit prerequisite.

Does this one algorithm beat all other alternatives in every sense?

No. We believe there is no single perfect solution, especially given the convoluted nature of exploits. Some could be more efficient in some cases. For instance, for exploits like Saddle Finance, with 2 steps in the exploitable sequence, gradient descent with re-initialization techniques could potentially be more efficient than particle swarm optimization (both are effective). The coming research process will refine our algorithmic libraries with even more in-depth details from the Web2 literature to build a more comprehensive system.

What is meant by Bug Oracle?

We are not referring to a price oracle in this context. In the security literature, a bug oracle means an invariant, i.e. the condition to be broken.

Would it be time intensive to try all possibilities in the smart contract?

That is the main reason why we are doing discrete optimization instead of brute forcing. For example, we can look at the relationship between functions by looking at the storage slots they read and write. For details, refer to the whitepaper. For the continuous search space, brute force is not possible because of the huge search space, so we use a learning-based approach for continuous optimization.

Also, apart from pursuing time efficiency from the algorithmic perspective, we are open to the possibility of building a decentralized computation network if it is more cost-efficient. The computation would be decentralized by action sequence, since the functional form of each sequence should be different and thus every sequence is independent of the others.
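As an added illustration of the read/write relationship described above (not Mamori's code or the whitepaper's method), the sketch below filters call sequences so that each call after the first must read a storage slot that an earlier call wrote. The function names, slot sets and the filtering rule itself are constructed assumptions.

```python
from itertools import product

# Constructed read/write storage-slot sets for a hypothetical contract.
# A real tool would derive these from bytecode or source analysis.
FUNCS = {
    "deposit":  {"reads": {"balances", "totalSupply"}, "writes": {"balances", "totalSupply"}},
    "withdraw": {"reads": {"balances", "totalSupply"}, "writes": {"balances", "totalSupply"}},
    "setFee":   {"reads": {"owner"},                   "writes": {"fee"}},
    "swap":     {"reads": {"reserves", "fee"},         "writes": {"reserves"}},
    "pause":    {"reads": {"owner"},                   "writes": {"paused"}},
}

def is_connected(funcs, seq):
    """True if every call after the first reads a slot written earlier in seq."""
    written = set(funcs[seq[0]]["writes"])
    for name in seq[1:]:
        if not (written & funcs[name]["reads"]):
            return False  # this call cannot observe any earlier state change
        written |= funcs[name]["writes"]
    return True

def candidate_sequences(funcs, length):
    """Sequences (repeats allowed) that survive the read/write filter."""
    return [s for s in product(funcs, repeat=length) if is_connected(funcs, s)]

def reduction(funcs, length):
    """(total sequences, sequences kept) for a given length."""
    return len(funcs) ** length, len(candidate_sequences(funcs, length))

if __name__ == "__main__":
    for n in (2, 3, 4):
        total, kept = reduction(FUNCS, n)
        print(f"length {n}: {kept} of {total} sequences kept")
```

The filter only sees storage dependencies, so calls that interact through other channels (external calls, contract balance) would need their own edges before a sequence is discarded.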

Are you running the optimization on-chain?

No. Running on the EVM doesn’t mean executing on-chain. Our first step starts from a cold cache. Once the blockchain information (initial state) is cached, our off-chain simulation is executed on our cloud architecture. We access the on-chain data and use techniques such as caching to enhance simulation speed.

Do you only cover EVM smart contracts?

We simply start from EVM as it is the most adopted smart contract platform. According to DefiLlama, as of July 2024, 89.42% of the TVL in DeFi is on EVM-compatible chains. While we currently specialize in EVM, we have the capability to extend our simulations to other VMs with further integration.

Do we need to do constant on-chain scanning to make a smart contract secure?

No. The core difference between the present block and the future block is the state, and the state in smart contracts is changed by functions and parameters. Therefore, our method is to exhaust the state by functions and parameters. That’s how we can cover ‘unknown unknown’ vulnerabilities and innovations.

Any plan for decentralizing the technology?

Yes. We will build a decentralized Algorithmic-Agent Network catering to a more generic kind of value extraction. An agent is seen as action behaviors with certain attributes, and algorithms define the search behavior in the iterative process. We can incentivize decentralized developers to contribute agents through a more competitive and collaborative architecture. Beyond algorithmic contributions, we are currently compatible with EVM; for longer-term development, we can incentivize decentralized builders to integrate Mamori with different VMs and languages.

The fundamental principle of the Algorithmic-Agent Network is to divide and conquer tasks in value extraction, e.g. exploits, MEV and intents. I will definitely write more about this!