Taming the Front-Running Bots — why they have become a headache for any ERC-20 token holders
The popular cryptocurrency and blockchain system known as Ethereum is based on the use of tokens, which can be bought, sold, or traded. One of the most significant tokens is called ERC-20, which has emerged as the technical standard used for all smart contracts on the Ethereum blockchain for token implementation.
Why do we need the ERC-20 standard?
Before the advent of the ERC-20 standard, there were many compatibility issues between the various forms of Ethereum tokens. Each token had a single smart contract. The platform had to write completely new code for each transaction and wallet in order to add a new token to its network. Function calls (or transactions) to the DApp are processed by a decentralized network.
Maintaining a growing pool of tokens was becoming overly problematic and time-consuming. As a solution, the platform proposed a standard protocol for all of the following tokens, which is now known as ERC-20.
What are the main benefits of ERC-20?
Saving time and resources. ERC-20 tokens benefit from the existing Ethereum infrastructure instead of creating a completely new blockchain for them;
Safety. The creation of new tokens increases the demand for Ether, which makes the entire network even more secure, that is, less susceptible to a potential 51% Attack;
Compatibility. If all tokens created on the Ethereum network use the same standard, these tokens will be easily interchangeable and can easily work with other applications of the same ecosystem;
Great liquidity. ERC-20 tokens are used as a working basis for most projects.
Blockchain technology enables decentralized applications (DApps) or smart contracts. By the way, there are many front-running attacks on Decentralized Applications (DApp) and smart contracts.
Traditional Front-running Attacks
Front-running to be a course of action where an entity benefits from prior access to privileged market information about upcoming transactions and trades. Front-running has been an issue in financial instrument markets since the 1970s. With the advent of blockchain technology, front-running has resurfaced in new forms we explore here, instigated by blockchain’s decentralized and transparent nature.
Front-running is a course of action where someone benefits from early access to market information about upcoming transactions and trades, typically because of a privileged position along with the transmission of this information and is applicable to both financial and non-financial systems.
Historically, floor traders might have overheard a broker’s negotiation with her client over a large purchase and literally race the broker to buy first, potentially profiting when the large purchase temporarily reduces the supply of the stock. Alternatively, a malicious broker might front-run their own client’s orders by purchasing a stock for themselves between receiving the instruction to purchase from the client and actually executing the purchase.
Transactions are finalized in stages: they first relay around the network, then they are selected by a miner and put into a valid block, and finally, the block is well-enough incorporated that is unlikely to be reorganized. Front-running is an attack where a malicious node observes a transaction after it is broadcast but before it is finalized and attempts to have its own transaction confirmed before or instead of the observed transaction. Transactions are broadcasted to the network, then a miner selects transactions, validates them, and puts them into a valid block that is eventually added to an immutable chain of blocks.
The transaction is visible to the nodes when it is propagated to the network and before a miner processes the transaction, a malicious node can observe the transaction and find its purpose and construct its own malicious transaction based on the observed transaction.
Front-Running Attack on Ethereum
Front-running is illegal in jurisdictions with established securities regulations. Cases of front-running are sometimes difficult to distinguish from related concepts like insider trading and arbitrage.
In front-running, a person sees a concrete transaction that is set to execute and reacts to it before it actually gets executed. If the person instead has access to more general, privileged information that might predict future transactions but is not reacting to the actual pending trades, we would classify this activity as insider trading. If the person reacts after the trade is executed, or information is made public, and profits from being the fastest to react, this is considered arbitrage and is legal and encouraged because it helps markets integrate new information into prices quickly.
Any user monitoring network transactions (e.g., running a full node) can see unconfirmed transactions. On the Ethereum blockchain, users have to pay for the computations in a small amount of Ether called gas. The price that users pay for transactions, gas price, can increase or decrease how quickly miners will execute them and include them within the blocks they mine. A profit-motivated miner who sees identical transactions with different transaction fees will prioritize the transaction that pays a higher gas price due to limited space in the blocks. It has been called a gas auction. Therefore, any regular user who runs a full-node Ethereum client can front-run pending transactions by sending adaptive transactions with a higher gas price.
In the case of Ethereum, gas price is a good factor for a profit-motivated miner to prioritize orders. The higher your gas price is, the higher the chance of your transaction is selected. As a result, any Ethereum full node client can front-run pending transactions by sending its adjusted transactions with a higher gas price.
Fig. 1. Upon spotting the profitable transaction, the front-runner (1000) sends his
transaction with a higher gas price to bribe the miners to prioritize his transaction
over the initial transaction. Source: Transparent Dishonesty: Front-Running Attacks on Blockchain (Shayan Eskandari, Seyedehmahsa Moosavi, and Jeremy Clark)
The user can then broadcast a competing transaction that sends the same unspent coins to herself, perhaps using higher transaction fees, arrangements with miners, or artifacts of the network topology to have the second transaction confirmed instead of the first. It can be considered a form of self-front-running. In the cryptographic literature, front-running attacks are modeled by allowing a so-called ‘rushing’ adversary to interact with the protocol. In particular, ideal functionalities of blockchains (such as those used in simulation-based proofs) need to capture this adversarial capability, assuming the real blockchain does not address front-running.
Front-Running Attack on Markets and Exchanges
Another method to manipulate the spot price of an asset is to flood the market with orders and cancel them when there are filling orders (“taker’s griefing”). Placing an order in a partially centralized exchange is free. But to prevent the taker’s griefing attacks, the user needs to send an Ethereum transaction to cancel each of his orders. Canceling orders is most important when prices change faster than order execution. In this case, when an adversarial actor sees a pending cancellation transaction, he sends a fill order transaction with a higher gas price to get in front of the cancellation order and take the order before it is canceled (this is known as cancellation grief ). This attack follows the asymmetric displacement template and is illustrated in Fig. 2
Fig. 2. The adversarial miner monitors the Ethereum mempool for decentralized exchange transactions. Upon spotting a profitable cancellation transaction, he puts his buy order prior to the cancel transaction in the block he mines. By doing so, the miner can profit from the underlying trade and also get the gas included in the canceled transaction.
Ok, how on Earth should we prevent this?
Defi Factory Token (DEFT) has a solution since every DEFT transfer has a 10% tax fee (5% burned, 5% distributed among all token holders). For bots, the fee will be 99%. In that way, all “front-run attack” profit (49,5%) will only be distributed among all token holders, and 49,5% will be burned. Defi Factory Token (DEFT) implemented detection at core level on-chain (means on contract code side) — this works for any type of front-run bot: mining pools injecting tx, regular bots, emulating humans bots.
Take a look at the Whitepaper of DEFT
