
n-MVTL Attack: Optimal Transaction Reordering Attack on DeFi

Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14346))


Abstract

Decentralized finance (DeFi) is a global and open financial system built on blockchain technology, typically using Ethereum smart contracts. Decentralized exchanges (DEXs) are an important sector of the DeFi ecosystem, with billions of USD in daily trading volume. Unfortunately, the transparency of pending pools can be exploited by attackers, and DEXs are vulnerable to transaction reordering attacks that allow attackers to gain miner extracted value (MEV). Previous transaction reordering attacks, such as the sandwich attack and the dagwood sandwich attack, aim to exploit the vulnerability of a single victim transaction.

In this paper, we propose a novel transaction reordering attack, named the n-multiple-victim-transaction-layer (n-MVTL) attack, that exploits the overall vulnerability among multiple victim transactions. Such an advanced design can significantly expand the victim transaction search space and bring more profit to attackers. Given a set of ordered victim transactions, we propose an optimal algorithm that identifies the optimal solution for n-MVTL attacks, i.e., the attack strategy with maximum profit. This algorithm supports a trade-off between time efficiency and attack profit, making the attack algorithm more practical. Our simulations show that, compared with the sandwich attack, the n-MVTL attack can yield an average extra daily profit of 940 USD from the top 2 most popular liquidity pools in Uniswap V2 from Mar. 2021 to Apr. 2023.


Notes

  1. Topic0 of Sync events: 0x1c411e9a96e071241c2f21f7726b17ae89e3cab4c78be50e062b03a9fffbbad1.

  2. Topic0 of Swap events: 0xd78ad95fa46c994b6551d0da85fc275fe613ce37657fb8d5e3d130840159d822.

  3. https://github.com/Uniswap/v2-periphery/blob/master/contracts.

  4. https://github.com/foundry-rs/foundry.

References

  1. Bartoletti, M., Chiang, J.H.y., Lluch-Lafuente, A.: Maximizing extractable value from automated market makers. In: 2022 International Conference on Financial Cryptography and Data Security (2022). https://doi.org/10.1007/978-3-031-18283-9_1

  2. Bitinfocharts. https://bitinfocharts.com/

  3. Daian, P., et al.: Flash boys 2.0: Frontrunning in decentralized exchanges, miner extractable value, and consensus instability. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 910–927. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00040

  4. DeFi Tracker. https://defiprime.com/dex-volume

  5. DeFi Llama. https://defillama.com/

  6. Eden Network. https://www.edennetwork.io/

  7. Heimbach, L., Wattenhofer, R.: Eliminating sandwich attacks with the help of game theory. In: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (ACM ASIACCS), pp. 153–167 (2022). https://doi.org/10.1145/3488932.3517390

  8. Pancakeswap. https://pancakeswap.finance/

  9. Song, R., Gao, S., Song, Y., Xiao, B.: ZKDET: a traceable and privacy-preserving data exchange scheme based on non-fungible token and zero-knowledge. In: 2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pp. 224–234. IEEE (2022). https://doi.org/10.1109/ICDCS54860.2022.00030

  10. Tornado. http://tornado.cash/

  11. Uniswap. https://www.uniswap.org

  12. Uniswap v1. https://docs.uniswap.org/protocol/V1/introduction

  13. Wang, Y., Zuest, P., Yao, Y., Lu, Z., Wattenhofer, R.: Impact and user perception of sandwich attacks in the DeFi ecosystem. In: CHI Conference on Human Factors in Computing Systems, pp. 1–15 (2022). https://doi.org/10.1145/3491102.3517585

  14. Zhou, L., Qin, K., Gervais, A.: A2mm: mitigating frontrunning, transaction reordering and consensus instability in decentralized exchanges. arXiv preprint arXiv:2106.07371 (2021). https://doi.org/10.48550/arXiv.2106.07371

  15. Zhou, L., Qin, K., Torres, C.F., Le, D.V., Gervais, A.: High-frequency trading on decentralized on-chain exchanges. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 428–445. IEEE (2021). https://doi.org/10.1109/SP40001.2021.00027

  16. Züst, P.: Analyzing and Preventing Sandwich Attacks in Ethereum (2021). https://pub.tik.ee.ethz.ch/students/2021-FS/BA-2021-07.pdf


Acknowledgments

This work was supported in part by HK RGC GRF under Grant PolyU 15209822 and NSFC/RGC Joint Research Scheme (2022/23), N_PolyU529/22. We would like to thank our anonymous reviewers for their insightful feedback.


Correspondence to Jianhuan Wang.


Appendices

A Proof

Proof for State Analysis. The proof of the lower bound and upper bound for \(Y_n\) comes from the following claims.

Claim

Given two transactions \(TX_1(x_1), TX_2(x_2)\) and a transaction \(TX(x_1+x_2)\), the reserve of \(\tau _y\) in the LP after running transaction TX is less than after running transactions \(TX_1\) and \(TX_2\).

Proof

Assume the state of the LP is \((X_0, Y_0)\). Let \((X_0, Y_0) \xrightarrow {TX} (X_1, Y_1)\), and \((X_0, Y_0) \xrightarrow {TX_1, TX_2} (X_2, Y_2)\). Then, we have: \(\frac{Y_1}{Y_2} = \frac{(X_0 + (1-f)x_1)(X_0+x_1+(1-f)x_2)}{(X_0+x_1)(X_0 + (1-f)(x_1 + x_2))}.\) Notice that \((X_0+x_1) + (X_0 + (1-f)(x_1 + x_2)) = (X_0 + (1-f)x_1) + (X_0+x_1+(1-f)x_2)\) and \((X_0 + (1-f)x_1) < (X_0+x_1)\), \((X_0 + (1-f)(x_1 + x_2)) < (X_0+x_1+(1-f)x_2)\). With average inequality, we have \(\frac{Y_1}{Y_2} < 1\), thus \(Y_1 < Y_2\).

With this claim, we can get the lower bound by merging all the victim transactions into one transaction TX, in which \(V_x = \sum _{i=1}^n x_i\). Thus we have:

$$\begin{aligned} Y_n > X_0 Y_0 / (X_0+(1-f)V_x). \end{aligned}$$

Claim

Given the start state (\(X_0, Y_0\)) and two transactions \(TX_1\) and \(TX_2\) whose trading amounts satisfy \(x_1 + x_2 = T\), the LP has a maximum reserve of \(\tau _y\) after executing the two transactions when \(x_1 = \sqrt{X_0 T} - X_0\).

Proof

Let Y be the reserve of \(\tau _y\) after executing the two transactions. We have:

$$\begin{aligned} Y &= \frac{(X_0+x_1)(X_0+T)X_0 Y_0}{(X_0 + (1-f)x_1)(X_0 + x_1 + (1-f)(T-x_1))}, \\ \frac{d Y}{d x_1} &= \frac{f(1-f)X_0 Y_0 (X_0+T)(X_0 T - 2 X_0 x_1 - x_1^2)}{(X_0+(1-f)x_1)^2(X_0+x_1+(1-f)(T-x_1))^2}. \end{aligned}$$

Notice that \(\frac{d Y}{d x_1} > 0 \) when \(x_1 < \sqrt{X_0 T} - X_0\), and \(\frac{d Y}{d x_1} < 0 \) when \(x_1 > \sqrt{X_0 T} - X_0\). Thus Y is maximum when \(x_1 = \sqrt{X_0 T} - X_0\).

With this claim, we know that, for a given \(V_n\), \(Y_n\) is maximal when \(X_i^2 = X_{i-1} \cdot X_{i+1}\) for each \(i \in [n-1]\). Thus the maximum \(Y_n\) satisfies:

$$\begin{aligned} Y_n &\le \frac{X_0 Y_0}{X_n} \prod _{i=1}^n \frac{X_i}{f X_{i-1} + (1-f) X_i} = \frac{X_0 Y_0}{X_n} \prod _{i=1}^n \frac{(X_0 + V_x)^{\frac{1}{n}} }{ \left( f X_0^{\frac{1}{n}} + (1-f)(X_0+V_x)^{\frac{1}{n}}\right) } \\ &= \frac{X_0 Y_0}{X_n} \frac{(1-f)^{-n}}{(1+\frac{f X_0^{1/n}}{(1-f)(X_0+V_x)^{1/n}})^{n}} \le \frac{X_0 Y_0}{(1-f)^{n-1}(f X_0 + (1-f) (X_0 + V_x))}, \\ &= \frac{X_0 Y_0}{X_0+(1-f)V_x} \cdot (1-f)^{1-n}. \end{aligned}$$
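The two claims and the resulting bounds on \(Y_n\) can be checked numerically. The following is an added example, not code from the paper: it assumes f = 0.3% (the Uniswap V2 fee; the appendix leaves f symbolic), reuses the LP state of Example 2 for the four 30,000 swaps of Example 1, and adds a constructed two-swap case with \(X_1^2 = X_0 X_2\). The function names are hypothetical.

```python
from fractions import Fraction

FEE = Fraction(3, 1000)         # assumption: f = 0.3% (Uniswap V2); the page leaves f symbolic
POOL = (10_000_000, 1_000_000)  # (X_0, Y_0), the LP state used in Example 2


def swap_x_for_y(state, x, f=FEE):
    """Apply TX(x): x of tau_x enters the LP, tau_y leaves.

    All of x joins the X reserve, but only (1 - f) * x is priced, so
    Y' = X * Y / (X + (1 - f) * x), the model behind the Y_1 / Y_2 ratio.
    """
    X, Y = state
    return (X + x, X * Y / (X + (1 - f) * x))


def final_y(state, amounts, f=FEE):
    """Reserve Y_n of tau_y after executing the swaps in the given order."""
    for x in amounts:
        state = swap_x_for_y(state, x, f)
    return state[1]


def y_bounds(state, amounts, f=FEE):
    """Appendix A bounds: lower < Y_n <= lower * (1 - f)^(1 - n)."""
    X0, Y0 = state
    n, Vx = len(amounts), sum(amounts)
    lower = X0 * Y0 / (X0 + (1 - f) * Vx)
    return lower, lower * (1 - f) ** (1 - n)


def check_split(state, amounts, f=FEE):
    """Return (Y after one merged swap, Y after the split swaps, bounds hold?)."""
    merged = final_y(state, [sum(amounts)], f)
    split = final_y(state, amounts, f)
    lower, upper = y_bounds(state, amounts, f)
    return merged, split, lower < split <= upper


if __name__ == "__main__":
    # Example 1's order: 120,000 of tau_x split into four swaps of 30,000.
    merged, split, ok = check_split(POOL, [30_000] * 4)
    print(f"merged Y = {float(merged):.3f}, split Y = {float(split):.3f}, bounds hold: {ok}")
    # Constructed case: [1_000_000, 1_100_000] gives X_1^2 = X_0 * X_2 (ratio 11/10).
    for amounts in ([1_000_000, 1_100_000], [1_050_000, 1_050_000], [2_000_000, 100_000]):
        print(amounts, float(final_y(POOL, amounts)))
```

Exact rational arithmetic is used because the gap between the merged and split reserves is small relative to the reserves themselves.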

Proof for Profit. Due to the page limit, we only give a proof sketch. First, we prove that our algorithm obtains the maximum attack profit if the outputs of the Front-running and Backward algorithms are optimal.

Proof

Assume there is an optimal strategy consisting of \(\{FT_i\),\( G_i\}_{i=1}^k\). According to Lemma 1, the last transaction of \(G_i\), \(1 \le i \le k-1\), must reach its slope point (otherwise, removing a part of the FT in front of it yields more revenue). This is exactly what our Backward algorithm computes. Also, the last FT, \(FT_k\), should take BT into account to maximize its profit, which is exactly the result of our Front-running algorithm. Thus, our algorithm obtains the maximum profit.

However, our Front-running and Backward algorithms incur a small loss in their output, which can be bounded according to Corollary 1. We now calculate the total loss in the attack. Assume there are k front-running transactions \(\{FT_i\}_{i=1}^k\) in our attack. By Sect. 3, we know that the first \(k-1\) FTs are calculated by the Backward algorithm. Let the trading amount of transaction \(FT_i\) be \(\varDelta x_i\), and let \(V_{FT} = \sum _{i=1}^{k-1} \varDelta x_i\). By Corollary 1, we have inequality (11). As the price of \(\tau _y\) is monotonically increasing, the profit of the Backward algorithm \(P_{BW}\) satisfies inequality (12).

$$\begin{aligned} (V_{FT}^{opt} - V_{FT})/V_{FT}^{opt} \le ((1-f)^{1-n} - 1)/2^d. \end{aligned} \tag{11}$$

$$\begin{aligned} P_{BW} \ge (1-((1-f)^{1-n}-1)/2^d)P_{BW}^{opt}. \end{aligned} \tag{12}$$

Then, we calculate the loss of \(FT_k\). Because of the Backward algorithm's loss, the input state \(Y_n\) is larger than the exact \(Y_n^{max}\) and satisfies inequality (13). According to Corollary 1, the gap between the output \(\varDelta x\) of the algorithm and the optimal output \(\varDelta x_{max}\) in \(FT_k\) also satisfies inequality (14). So the profit of the Front-running algorithm \(P_{FR}\) satisfies inequality (15). As there are only two types of loss in the algorithm, this finishes the proof of Theorem 2.

$$\begin{aligned} Y_n/Y_n^{opt} \le V_{FT}^{opt}/V_{FT} \le 1/(1-((1-f)^{1-n}-1)/2^d) \end{aligned} \tag{13}$$

$$\begin{aligned} (\varDelta x_{opt} - \varDelta x)/ \varDelta x_{opt} \le ((1-f)^{1-n} - 1)/2^d \end{aligned} \tag{14}$$

$$\begin{aligned} P_{FR} \ge (1-((1-f)^{1-n}-1)/2^d)^2 P_{FR}^{opt}. \end{aligned} \tag{15}$$

B Examples

Example 1 (A Typical 1-MVTL Attack)

As shown in Fig. 4, we assume that a user \(\mathcal {U}\) wants to swap 120,000 of \(\tau _x\) for at least 800 of \(\tau _y\). If \(\mathcal {U}\) initiates a single transaction with 120,000 of \(\tau _x\), this transaction is prone to a sandwich attack (cf. (1) of Fig. 4). Suppose \(\mathcal {U}\) uses the limiting volume defense strategy [16], which splits her transaction into four small transactions to defend against the sandwich attack (cf. (2a) of Fig. 4). Then each small transaction has only a small trading volume (30,000 of \(\tau _x\)), so none of the split transactions can be attacked by the sandwich attack (cf. (2b) of Fig. 4). In contrast, the n-MVTL attack can identify the overall vulnerability among the victim transactions. In this case, the large state change produced by the split transactions together is one form of overall vulnerability, which is prone to the n-MVTL attack. As shown in (3) of Fig. 4, the attack profit of the n-MVTL attack is 27,621 of \(\tau _x\).

Fig. 4. Example 1. A 1-MVTL attack strategy.

Example 2 (An n-MVTL Attack with Optimization)

When the real price of a cryptocurrency increases or decreases dramatically, there might be a large number of arbitrage transactions in the pending pool with the same swap direction. We assume that the current state of an LP is (10,000,000, 1,000,000), and the real price of this token pair is 11.0. The pending pool has 11 arbitrage transactions, as illustrated in Fig. 5. To attack these victim transactions, we use Transaction Selecting (cf. Section 4.1) to find the largest set of victim transactions \(\{TX_i\}_{i=2}^{11}\) that can be attacked together, and these transactions can be grouped into five MVTLs. Each MVTL contains one FT and one or more victim transactions. Then, we optimize the attack strategy with Optimal Attack. The algorithm's results indicate that the attack profit is maximized when we attack only \(\{TX_i\}_{i=5}^{11}\). The strategy optimization increases the attack profit from 4,621 of \(\tau _x\) to 7,042 of \(\tau _x\).

We observe that \(TX_1\) and \(TX_2\) are able to defend against sandwich attacks since they are set with small slippages (only 1%). However, they still face the risk of the n-MVTL attack. In the optimal n-MVTL attack strategy, \(\mathcal {A}\) intentionally leaves \(TX_1\) and \(TX_2\) unexecuted. We can regard \(TX_1\) and \(TX_2\) as suffering a fatal front-running attack that makes the users fail to swap their tokens.

Fig. 5. Example 2. An optimal n-MVTL attack strategy.

C Potential Defense

The premise for launching transaction reordering attacks is that attackers can analyze transaction parameters (e.g., trading amounts) from the input data of transactions. One potential defense mechanism is to strengthen the protection of transaction information through cryptographic protocols. Currently, in other areas of DeFi, there have been efforts to enhance privacy preservation using zero-knowledge technology (i.e., mixers [10] and data exchanges [9]).


© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Wang, J., Li, J., Li, Z., Deng, X., Xiao, B. (2024). n-MVTL Attack: Optimal Transaction Reordering Attack on DeFi. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14346. Springer, Cham. https://doi.org/10.1007/978-3-031-51479-1_19


  • DOI: https://doi.org/10.1007/978-3-031-51479-1_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51478-4

  • Online ISBN: 978-3-031-51479-1

  • eBook Packages: Computer Science, Computer Science (R0)
