Abstract
Decentralized finance (DeFi) is a global and open financial system built on the blockchain technology, typically using Ethereum smart contracts. Decentralized exchanges (DEXs) are very important sectors in the DeFi ecosystem, with billions of USD trading volume daily. Unfortunately, the transparency of pending pools can be exploited by attackers and DEXs are vulnerable to transaction reordering attacks, allowing attackers to gain miner extracted value (MEV). Previous transaction reordering attacks aim at exploiting the vulnerability of a single victim transaction, such as sandwich attack and dagwood sandwich attack.
In this paper, we propose a novel transaction reordering attack named n-multiple-victim-transaction-layer (n-MVTL) attack to exploit the overall vulnerability among multiple victim transactions. Such advanced design can significantly expand the victim transaction search space and bring more profits to attackers. Given a set of ordered victim transactions, we propose an optimal algorithm to identify the optimal solution for n-MVTL attacks, which aims to maximize the profit of the attack strategy. This algorithm supports a trade-off between time efficiency and attack profit, making the attack algorithm more practical. Our simulations show that the n-MVTL attack can yield an average extra daily profit of 940 USD from the top 2 most popular liquidity pools in Uniswap V2 from Mar. 2021 to Apr. 2023, compared with the sandwich attack.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Topic0 of Sync events: 0x1c411e9a96e071241c2f21f7726b17ae89e3cab4c78be50e062b03
a9fffbbad1.
- 2.
Topic0 of Swap events: 0xd78ad95fa46c994b6551d0da85fc275fe613ce37657fb8d5e3d13
0840159d822.
- 3.
- 4.
References
Bartoletti, M., Chiang, J.H.y., Lluch-Lafuente, A.: Maximizing extractable value from automated market makers. In: 2022 International Conference on Financial Cryptography and Data Security (2022). https://doi.org/10.1007/978-3-031-18283-9_1
Bitinfocharts. https://bitinfocharts.com/
Daian, P., et al.: Flash boys 2.0: Frontrunning in decentralized exchanges, miner extractable value, and consensus instability. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 910–927. IEEE (2020). https://doi.org/10.1109/SP40000.2020.00040
DeFi Tracker. https://defiprime.com/dex-volume
DeFi Llama. https://defillama.com/
Eden Network. https://www.edennetwork.io/
Heimbach, L., Wattenhofer, R.: Eliminating sandwich attacks with the help of game theory. In: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (ACM ASIACCS), pp. 153–167 (2022). https://doi.org/10.1145/3488932.3517390
Pancakeswap. https://pancakeswap.finance/
Song, R., Gao, S., Song, Y., Xiao, B.: ZKDET: a traceable and privacy-preserving data exchange scheme based on non-fungible token and zero-knowledge. In: 2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pp. 224–234. IEEE (2022). https://doi.org/10.1109/ICDCS54860.2022.00030
Tornado. http://tornado.cash/
Uniswap. https://www.uniswap.org
Uniswap v1. https://docs.uniswap.org/protocol/V1/introduction
Wang, Y., Zuest, P., Yao, Y., Lu, Z., Wattenhofer, R.: Impact and user perception of sandwich attacks in the DeFi ecosystem. In: CHI Conference on Human Factors in Computing Systems, pp. 1–15 (2022). https://doi.org/10.1145/3491102.3517585
Zhou, L., Qin, K., Gervais, A.: A2mm: mitigating frontrunning, transaction reordering and consensus instability in decentralized exchanges. arXiv preprint arXiv:2106.07371 (2021). https://doi.org/10.48550/arXiv.2106.07371
Zhou, L., Qin, K., Torres, C.F., Le, D.V., Gervais, A.: High-frequency trading on decentralized on-chain exchanges. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 428–445. IEEE (2021). https://doi.org/10.1109/SP40001.2021.00027
Züst, P.: Analyzing and Preventing Sandwich Attacks in Ethereum (2021). https://pub.tik.ee.ethz.ch/students/2021-FS/BA-2021-07.pdf
Acknowledgments
This work was supported in part by HK RGC GRF under Grant PolyU 15209822 and NSFC/RGC Joint Research Scheme (2022/23), N_PolyU529/22. We would like to thank our anonymous reviewers for their insightful feedback.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Proof
Proof for State Analysis. The proof of the lower bound and upper bound for \(Y_n\) comes from the following claims.
Claim
Given two transactions \(TX_1(x_1), TX_2(x_2)\) and a transaction \(TX(x_1+x_2)\) , the reserve of \(\tau _y\) in the LP after running transaction TX is lesser than running transactions \(TX_1\) and \(TX_2\).
Proof
Assume the state of the LP is \((X_0, Y_0)\). Let \((X_0, Y_0) \xrightarrow {TX} (X_1, Y_1)\), and \((X_0, Y_0) \xrightarrow {TX_1, TX_2} (X_2, Y_2)\). Then, we have: \(\frac{Y_1}{Y_2} = \frac{(X_0 + (1-f)x_1)(X_0+x_1+(1-f)x_2)}{(X_0+x_1)(X_0 + (1-f)(x_1 + x_2))}.\) Notice that \((X_0+x_1) + (X_0 + (1-f)(x_1 + x_2)) = (X_0 + (1-f)x_1) + (X_0+x_1+(1-f)x_2)\) and \((X_0 + (1-f)x_1) < (X_0+x_1)\), \((X_0 + (1-f)(x_1 + x_2)) < (X_0+x_1+(1-f)x_2)\). With average inequality, we have \(\frac{Y_1}{Y_2} < 1\), thus \(Y_1 < Y_2\).
With this claim, we can get the lower bound by merging all the victim transactions into one transaction TX, in which \(V_x = \sum _{i=1}^n x_i\). Thus we have:
Claim
Given the start state (\(X_0, Y_0\)), two transactions \(TX_1\) and \(TX_2\) such that the trading amount satisfied \(x_1 + x_2 = T\). Then when \(x_1 = \sqrt{X_0 T} - X_0\), the LP has a maximum reserve of \(\tau _y\) after executing two transactions.
Proof
Assume the number of \(\tau _y\) after executing is Y, we have:
Notice that \(\frac{d Y}{d x_1} > 0 \) when \(x_1 < \sqrt{X_0 T} - X_0\), and \(\frac{d Y}{d x_1} < 0 \) when \(x_1 > \sqrt{X_0 T} - X_0\). Thus Y is maximum when \(x_1 = \sqrt{X_0 T} - X_0\).
With this claim, we know that the maximum \(Y_n\) when \(V_n\) is given is when \(X_i^2 = X_{i-1} \cdot X_{i+1}\) for each \(i \in [n-1]\). Thus the maximum \(Y_n\) is:
Proof for Profit. Due to the page limit, we only give a proof of sketch. Firstly, if the output of the Front-running and Backward algorithms is the optimal solution, we prove that our algorithm can get the maximum attack profit.
Proof
Assuming there is an optimal strategy consisting of \(\{FT_i\),\( G_i\}_{i=1}^k\). According to Lemma 1, the last transaction of \(G_i\), \(1 \le i \le k-1\) must reach its slope point (Otherwise, removing a part of FT in the front can get more revenue). This is exactly what our Backward algorithm is working for. Also, for the last FT \(FT_k\), it should consider BT to maximize its profit, which is exactly the result of our Front-running algorithm. Thus, our algorithm can get the maximum profit.
However, our Front-running and Backward algorithms have a little loss in the output, which can be bounded according to Corollary 1. We now calculate the total loss in the attack. Assume there are k front-running transactions \(\{FT_i\}_{i=1}^k\) in our attack. By Sect. 3, we know that the first \(k-1\) FT is calculated by Backward algorithm. Assume the trading amount of the transaction \(FT_i\) is \(\varDelta x_i\), and \(V_{FT} = \sum _{i=1}^{k-1} \varDelta x_i\), by Corollary 1 we have the inequality 11. As the price of \(\tau _y\) is monotone increasing, the profit of Backward algorithm \(P_{BW}\) satisfied the inequality 12.
Then, we calculate the loss of \(FT_k\). Because of backward algorithm loss, the input state \(Y_n\) is bigger than the exactly \(Y_n^{max}\) and satisfied the inequality 13. And according to Corollary 1, the gap between the output \(\varDelta x\) of the algorithm and the optimal output \(\varDelta x_{max}\) in \(FT_k\) also satisfied the inequality 14. So the profit of Front-running algorithm \(P_{FR}\) satisfied the inequality 15. As there are only two types of loss in the algorithm, we finish the proof of Theorem 2.
B Examples
Example 1 (A Typical 1-MVTL Attack)
As shown in Fig. 4, we assume that a user \(\mathcal {U}\) wants to swap 120,000 of \(\tau _x\) for at least 800 of \(\tau _y\). If \(\mathcal {U}\) initiates a transaction with 120,000 token X, this transaction is prone to sandwich attack (cf. (1) of Fig. 4). Suppose \(\mathcal {U}\) uses the limiting volume defense strategy [16] that splits her transaction into four small transactions to defend against sandwich attack (cf. (2a) of Fig. 4). Then, each small transaction only has a small trading volume (30,000 of \(\tau _x\)) so that none of the split transactions can be attacked by the sandwich attack (cf. (2b) of Fig. 4). In contrast, the n-MVTL attack can identify the overall vulnerability among the victim transactions. In this case, the large state change provided by these split transactions is one form of overall vulnerability, which is prone to n-MVTL attack. As shown in (3) of Fig. 4, the attack profit of the n-MVTL attack is 27,621 of \(\tau _x\).
Example 2
(An n-MVTL Attack with Optimization). When the real price of a cryptocurrency increases or decreases dramatically, there might be a large number of arbitrage transactions in the pending pool with the same swap direction. We assume that the current state of an LP is (10,000,000, 1,000,000), and the real price of this token pair is 11.0. The pending pool has 11 arbitrage transactions, as illustrated in Fig. 5. To attack these victim transactions, we use Transaction Selecting (cf. Section 4.1) to find the largest set of victim transactions \(\{TX_i\}_{i=2}^{11}\) that can be attacked together, and these transactions can be grouped into five MVTLs. In each MVTL, there exists one FT and one or more victim transactions. Then, we optimize the attack strategy by Optimal Attack. The algorithm’s results indicate that we can maximize the attack profit when we only attack against \(\{TX_i\}_{i=5}^{11}\). The strategy optimization increases the attack profit from 4,621 of \(\tau _x\) to 7,042 of \(\tau _x\).
We observe that \(TX_1\) and \(TX_2\) have the ability to defend against sandwich attacks since they are set with small slippages (only 1%). However, they still face the risk of n-MVTL attack. In the optimal n-MVTL attack strategy, \(TX_1\) and \(TX_2\) are not executed intentionally by \(\mathcal {A}\). We can regard that \(TX_1\) and \(TX_2\) suffer a fatal front-running attack that makes the users fail to swap their tokens.
C Potential Defense
The premise for launching transaction reordering attacks is that attackers can analyze transaction parameters (e.g., trading amounts) based on the input data of transactions. One potential defense mechanism involves strengthening the protection of transaction information through cryptographic protocols. Currently, in other areas of DeFi, there have been efforts to enhance privacy-preserving using zero-knowledge technology (i.e., mixers [10] and data exchanges [9]).
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Wang, J., Li, J., Li, Z., Deng, X., Xiao, B. (2024). n-MVTL Attack: Optimal Transaction Reordering Attack on DeFi. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14346. Springer, Cham. https://doi.org/10.1007/978-3-031-51479-1_19
Download citation
DOI: https://doi.org/10.1007/978-3-031-51479-1_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-51478-4
Online ISBN: 978-3-031-51479-1
eBook Packages: Computer ScienceComputer Science (R0)