If you’re reading this then you already know:
vicious bots will get your users running for the hills…
…till it’s just you + bots left
So how to beat them?
All we really know is… they LOVE shortcuts
And what’s an easy one?
➡️ Bypassing your app layer by going direct on-chain…
…where all they need is freely available for them to prey on:
At any point in time, bots know what’s ABOUT to happen in your app, way before real users do
That’s because bots are watching the mempool like a hawk
It’s the waiting room of transactions about to be picked up by miners:
With data so easily available… even a 14-year-old script kiddie can take advantage here
But now we know their edge, so we can start hunting
This will be a classic game of cat and mouse…
Every move you make… a bunch of bots will get eliminated, while others adapt
Let’s grab the low hanging fruit first:
We’ll simply monitor for timestamp discrepancies
Depending on the data already available in your app…
…all you may need to do is run a simple query
i.e. if an asset gets transacted with on-chain while that asset wasn’t available in-app yet… then you’ve just identified an obvious bot:
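Here is what that “simple query” can look like, as an added example that is not part of the original thread. It assumes you already record, per asset, when it became interactable on-chain and when your app first offered it, plus the on-chain interactions you observe for it; the table names, column names and all timestamps below are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original post). Timestamps are unix seconds.
# assets: when each asset was interactable on-chain vs. when the app first offered it.
ASSETS = [
    # (asset_id, onchain_available_ts, inapp_available_ts)
    ("asset-1", 1_700_000_000, 1_700_000_030),
    ("asset-2", 1_700_000_100, 1_700_000_105),
]
# interactions: on-chain interactions observed against those assets.
INTERACTIONS = [
    # (asset_id, actor_address, onchain_interaction_ts)
    ("asset-1", "0xbot0000", 1_700_000_004),   # 26s before the app offered it
    ("asset-1", "0xuser0001", 1_700_000_045),  # after in-app availability
    ("asset-2", "0xbot0000", 1_700_000_101),   # 4s before the app offered it
    ("asset-2", "0xuser0002", 1_700_000_200),
]


def build_db() -> sqlite3.Connection:
    """Load the constructed sample into an in-memory SQLite database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE assets(
            asset_id TEXT PRIMARY KEY,
            onchain_available_ts INTEGER NOT NULL,
            inapp_available_ts INTEGER NOT NULL
        );
        CREATE TABLE interactions(asset_id TEXT, actor TEXT, ts INTEGER);
        """
    )
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", ASSETS)
    conn.executemany("INSERT INTO interactions VALUES (?, ?, ?)", INTERACTIONS)
    return conn


def find_early_interactions(conn: sqlite3.Connection, min_lead_seconds: int = 0):
    """Return (actor, asset_id, lead_seconds) for every on-chain interaction that landed
    before the asset was available in-app, i.e. before any real user could have acted.
    min_lead_seconds absorbs clock skew between your app and the chain."""
    return conn.execute(
        """
        SELECT i.actor, i.asset_id, a.inapp_available_ts - i.ts AS lead_seconds
        FROM interactions i
        JOIN assets a USING (asset_id)
        WHERE i.ts < a.inapp_available_ts - ?
        ORDER BY lead_seconds DESC
        """,
        (min_lead_seconds,),
    ).fetchall()


def suspect_actors(conn: sqlite3.Connection, min_hits: int = 1) -> dict:
    """Aggregate the early interactions per actor; repeat offenders are the strong signal."""
    counts: dict = {}
    for actor, _asset, _lead in find_early_interactions(conn):
        counts[actor] = counts.get(actor, 0) + 1
    return {actor: n for actor, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    db = build_db()
    for row in find_early_interactions(db):
        print(row)
    print(suspect_actors(db, min_hits=2))
```

The `min_lead_seconds` knob matters in practice: your app server and the chain do not share a clock, so a lead of one or two seconds is noise, while a lead of tens of seconds across several assets is the signature the thread describes.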
For the lucky among you, the above could be all you ever need
But others will need to tighten the screws further…
…by deploying a real bot trap
e.g. if the timestamp gap between on-chain availability (not interaction) vs in-app availability is too small, you could add a sneaky in-app delay
Just like bots are using the mempool waiting room to their advantage, you’d effectively build your own counter waiting room, except yours… will be private:
This trap will wipe out the bulk of bots
The remaining ones are figuring out your exact delay through trial and error…
So next we should make the delay dynamic e.g.
As you can see, once you’ve got this dialled in to your liking, it can easily be automated to auto-ban offenders
And if you can’t run this 24/7, then simply add an on/off switch
(just make sure to never settle on a predictable schedule)
This simple approach is a good starting point for most folks
The leftover bots are now forced to start monitoring your in-app layer… which they absolutely HATE 🤬
But make no mistake…
Just because you’re forcing bots to monitor your in-app layer, doesn’t mean they’ll also interact with it…
They always take the easy way out…
…and will continue executing transactions direct on-chain… even if the execution trigger requires them monitoring for an in-app event first
Because on-chain execution is way easier for them…
And allows bots to bypass whatever captcha or other hurdles you put in place
…you can further expand on our previous approach:
by having the asset appear in-app (which will make the bots trigger their on-chain action) while adding a sneaky delay between cosmetic appearance and true availability
But won’t this impact users?
No, you only need a very short delay here…
…because bots are fighting each other as well
So they have no choice but to jump on your asset…
Else they’ll be losing out to another bot…
Or god forbid… a real user
The same rules as above apply, i.e. you can start with a fixed delay, but you’d better make it dynamic to beat hardcore bots
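The trap described in the two passages above (the private waiting room with a dynamic delay, and the gap between cosmetic appearance and true availability) shares one mechanic: a per-asset window, known only to your app, during which any on-chain interaction can only have been triggered by watching the chain or the app’s surface rather than by using the app. The following is an added example, not code from the original thread: it picks a fresh random delay per asset, classifies observed on-chain interactions, auto-bans repeat offenders, and carries the on/off switch. The class and method names, delay bounds and thresholds are all assumptions made for this example.

```python
import random
from dataclasses import dataclass, field


@dataclass
class TrapWindow:
    asset_id: str
    shown_ts: int       # when the asset became visible in-app (cosmetic)
    available_ts: int   # when it really becomes interactable; never exposed to clients


@dataclass
class BotTrap:
    min_delay: int = 2           # shortest private delay in seconds (assumed bounds)
    max_delay: int = 8           # longest private delay in seconds
    ban_threshold: int = 2       # strikes before an actor is auto-banned
    enabled: bool = True         # the on/off switch; flip it from your own randomized scheduler
    rng: random.Random = field(default_factory=random.Random)
    windows: dict = field(default_factory=dict)
    strikes: dict = field(default_factory=dict)
    banned: set = field(default_factory=set)

    def publish(self, asset_id: str, shown_ts: int) -> int:
        """Make the asset appear in-app at shown_ts and draw a fresh random delay before it
        is truly available. Returns the private availability timestamp; the app must only
        enable the real action at or after it."""
        delay = self.rng.randint(self.min_delay, self.max_delay) if self.enabled else 0
        self.windows[asset_id] = TrapWindow(asset_id, shown_ts, shown_ts + delay)
        return shown_ts + delay

    def observe(self, actor: str, asset_id: str, ts: int) -> str:
        """Classify one observed on-chain interaction.
        Returns 'ok' (outside the window or trap disabled), 'trapped' (inside the window,
        strike recorded) or 'banned' (strike pushed the actor over the threshold)."""
        window = self.windows.get(asset_id)
        if window is None or not self.enabled or ts >= window.available_ts:
            return "ok"
        # The interaction landed on-chain before the app ever allowed it: anything acting
        # on the mempool, or on the cosmetic in-app appearance, ends up here.
        self.strikes[actor] = self.strikes.get(actor, 0) + 1
        if self.strikes[actor] >= self.ban_threshold:
            self.banned.add(actor)
            return "banned"
        return "trapped"

    def is_banned(self, actor: str) -> bool:
        return actor in self.banned


if __name__ == "__main__":
    trap = BotTrap(rng=random.Random(7))          # seeded only to make the demo repeatable
    t_avail = trap.publish("drop-1", shown_ts=1_700_000_000)
    print("drop-1 truly available at", t_avail)
    print(trap.observe("0xbot", "drop-1", t_avail - 1))    # inside the window
    print(trap.observe("0xuser", "drop-1", t_avail + 3))   # after true availability
    t_avail2 = trap.publish("drop-2", shown_ts=1_700_000_600)
    print(trap.observe("0xbot", "drop-2", t_avail2 - 1))   # second strike -> banned
```

Two points a practitioner would want kept in mind: the random delay must be drawn server-side per asset and never leaked through an API field, timing header or client-side countdown, otherwise the window is no longer private; and the window only proves the actor bypassed your app, so let the ban threshold rather than a single hit decide, since a one-off direct on-chain interaction from a power user is possible.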
We could go on and on…
But by now you probably get the idea…
…and can start fighting back instead of watching them burn down your village
I had to avoid specific examples here to keep this applicable to a wider audience… so hopefully it still made sense
Most likely I won’t be publishing the more advanced methods because bot builders are reading this as well…
But if you tried the above and would like to venture into your app-specific territory then feel free to reach out
In case I like your project (and you’re not an obvious bot builder in disguise) I’d be glad to help
Happy hunting!
-Sven
link to original tweet: