If you’re reading this then you already know:
vicious bots will get your users running for the hills…
…till it’s just you + bots left 👀
So how to beat them?
All we really know is… they LOVE shortcuts
And what’s an easy one?
Bypassing your app layer by going direct on-chain…
…where all they need is freely available for them to prey on:
At any point in time, bots know what’s ABOUT to happen in your app, way before real users do
That’s because bots are watching the mempool like a hawk
What’s the mempool?
It’s the waiting room with transactions about to picked up by miners:
With data so easily available… even a 14-year old script kiddie can take advantage here
But now we know their edge, so we can start hunting
This will be a classic game of cat and mouse… 🐭
Every move you make… a bunch of bots will get eliminated, while others adapt
Let’s grab the low hanging fruit first:
We’ll simply monitor for timestamp discrepancies
Depending on the data already available in your app…
…all you may need to do is run a simple query
i.e. when an asset is transacted with on-chain, while that asset wasn’t available yet in-app… then you just identified an obvious bot:
For the lucky among you, the above could be all you ever need
But others will need to tighten the screws further…
…by deploying a real bot trap 🪤
e.g. if the timestamp gap between on-chain availability (not interaction) vs in-app availability is too small, you could add a sneaky in-app delay…
Just like bots are using the mempool waiting room to their advantage, you’d effectively build your own counter waiting room, except yours… will be private:
This trap will wipe out the bulk of bots
The remaining ones are figuring out your exact delay through trial and error…
So next we should make the delay dynamic e.g.
- you set a global delay which changes every x minutes
- or set a unique delay per asset / NFT
As you can see, once you got this dialled in to your liking, it can easily be automated to auto-ban offenders
And if you can’t run this 24/7, then simply add an on/off switch
(just make sure to never settle on a predictable schedule)
This simple approach is a good starting point for most folks
The leftover bots are now forced to start monitoring your in-app layer… which they absolutely HATE 🤬
But make no mistake…
Just because you’re forcing bots to monitor your in-app layer…
Doesn’t mean they’ll also interact with it:
They always take the easy way out…
…and will continue executing transactions direct on-chain
Even if the execution trigger requires them monitoring for an in-app event first
Because on-chain execution is way easier for them…
And allows bots to bypass whatever captcha or other hurdles you put in place
So for our next round of bot slaying…
you can further expand on our previous approach:
…by having the asset appear in-app (which will make the bots trigger their on-chain action) while adding a sneaky delay between cosmetic appearance and true availability
But won’t this impact users?
No, you only need a very short delay here…
…because bots are fighting each other as well
So they have no choice but jump on your asset…
Else they’ll be losing out to another bot…
Or god forbid… a real user
The same rules above apply i.e. you can start with a fixed delay, but better make it dynamic to beat hardcore bots
We could go on an on…
But by now you probably get the idea…
…and can start fighting back instead of watching them burn down your village
Happy hunting!
Ex-enterprise solution architect who loved implementing financial systems at banks, retail, govs but got fed up with corporate inefficiencies
After founding a mobile gaming studio I discovered the art of performance marketing and how to easily influence human behavior ❤️
Are you building global earning opportunities? Let's do it together: