Disclosure: transaction “to, from, nonce, gas, and value” fields inadvertently shared through Protect Status API

On Thursday April 27, Flashbots identified a data sharing issue in our infrastructure that impacted MEV-Share transactions. No trade data was shared and there are no known affected users. In the interest of transparency, and to recognize the community member who reported the issue, we are sharing a brief disclosure.

Issue

On Thursday April 20th, Flashbots began sharing data about MEV-Share transactions at mev-share.flashbots.net. This includes transactions that are submitted to the Flashbots Protect RPC. The MEV-Share endpoint only shares a subset of data about transactions — specifically it only shares the “hints” that are explicitly requested by the user or by a provider on their behalf. The endpoint does not share any additional data beyond those hints.

However, Flashbots also shares data about Flashbots Protect transactions via the private transaction status API at protect.flashbots.net. Specifically, this API includes a transaction field in its response, which contains to, from, nonce, gas, and value. It does not include the data field, which is where trade details would be available. The private transaction API is publicly accessible and it powers Flashbots’ integration with Etherscan, among other partners.

Previously, only the original transactor or their provider could access the metadata of a pending transaction because they were the only party who knew its hash. But when the MEV-Share endpoint was deployed, it became possible to see the hashes of all pending transactions.

This means that from Thursday April 20 to Thursday April 27 it would have been possible to:

  1. Collect the hash for a pending transaction from mev-share.flashbots.net
  2. Look up that hash on either protect.flashbots.net or Etherscan
  3. Discover the following fields: to, from, nonce, gas, and value

It would not have been possible to view further information. Trade data was never exposed. We have no evidence that Protect users were affected by this issue.

Resolution

At 19:47 UTC on Thursday April 27th, Flashbots received a report from Martin Köppelmann that it was possible to view additional metadata on Etherscan about pending transaction hashes shared at mev-share.flashbots.net.

At 21:00 UTC, Flashbots updated the private transaction API to return empty values for entries in the “transaction” field while a transaction is pending. We confirmed that it was not possible to view additional information about pending transactions from mev-share.flashbots.net on Etherscan or via the private transaction API.
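The mitigation described above, as an added example that is not Flashbots' code: a minimal status-API response builder that returns empty values for every entry in the "transaction" field while a transaction is pending, plus a regression check that flags any pending response still carrying metadata. The record shape, the status values, the function names and the sample record are assumptions made for illustration; the only page-derived parts are the five field names and the "redact while pending" policy. The example goes slightly beyond the page by revealing metadata only once a transaction is included on-chain (where it is public anyway), not for failed or cancelled ones.

```typescript
// Added example (not Flashbots' code). Shapes, status values and names are assumed.

type TxStatus = "PENDING" | "INCLUDED" | "FAILED" | "CANCELLED" | "UNKNOWN";

// The fields the disclosure names as exposed through the "transaction" field.
interface TxMetadata {
  to: string;
  from: string;
  nonce: string;
  gas: string;
  value: string;
}

// Internal record for a submitted transaction (assumed shape).
interface StoredTx {
  hash: string;
  status: TxStatus;
  transaction: TxMetadata;
}

// Public response shape (assumed).
interface StatusResponse {
  hash: string;
  status: TxStatus;
  transaction: TxMetadata;
}

// Empty values: a caller learns nothing beyond "the hash exists and is pending".
const EMPTY_TX: TxMetadata = { to: "", from: "", nonce: "", gas: "", value: "" };

// Once a transaction's hash can be learned from a public hint stream, any
// hash-indexed endpoint becomes a join key, so metadata must be withheld until
// the transaction is on-chain and public anyway. Conservative choice (an
// assumption): failed and cancelled transactions are never revealed either.
function buildStatusResponse(tx: StoredTx): StatusResponse {
  const reveal = tx.status === "INCLUDED";
  return {
    hash: tx.hash,
    status: tx.status,
    transaction: reveal ? { ...tx.transaction } : { ...EMPTY_TX },
  };
}

// Regression check for the API's own tests: true if a PENDING response still
// carries any non-empty metadata value (the pre-fix behaviour).
function leaksPendingMetadata(resp: StatusResponse): boolean {
  if (resp.status !== "PENDING") return false;
  return Object.values(resp.transaction).some((v) => v !== "");
}

// Constructed sample record; the hash and addresses are placeholders, not real data.
const SAMPLE_PENDING: StoredTx = {
  hash: "0x" + "ab".repeat(32),
  status: "PENDING",
  transaction: {
    to: "0x" + "11".repeat(20),
    from: "0x" + "22".repeat(20),
    nonce: "7",
    gas: "210000",
    value: "1000000000000000000",
  },
};

// Pre-fix behaviour for comparison: the stored record echoed back as-is.
function unredactedResponse(tx: StoredTx): StatusResponse {
  return { hash: tx.hash, status: tx.status, transaction: { ...tx.transaction } };
}

console.log(JSON.stringify(buildStatusResponse(SAMPLE_PENDING)));
```

`leaksPendingMetadata` is the kind of assertion worth keeping in the API's test suite: it encodes the invariant that a pending hash resolves to nothing but its status, independent of which other endpoints happen to publish hashes.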

Summary

The issue was active for 1 week. It was resolved within 73 minutes of the report. No trade data was shared and there are no known affected users.

Flashbots greatly values our users’ privacy and trust. We appreciate community reports and are committed to addressing incidents in a quick and transparent way.
