The scariest thing about a sandwich attack is that the attacker clearly calculates the profit amount in the first step of the attack.

Sandwich arbitrage is a controversial arbitrage method, also known as a sandwich attack. It is an attack method that uses front-running to attack the victim's transactions for arbitrage. At the technology sharing session every Wednesday on November 9, 2022, @daimajia, a coder from Zhen Fund, brought science popularization on MEV, flash loans, and sandwich arbitrage, and analyzed sandwich arbitrage based on the DODO USDT/DAI attack incident as a specific case. , a lot of content, and plenty of useful information.

1. Popular science on MEV, flash loans, and sandwich arbitrage

1. What is MEV?

MEV (Miner Extractable Value) refers to the maximum extractable value. It was also called miner extractable value before. Miners can package transactions and generate blocks in Ethereum, and within the blocks they generate, miners can include, exclude, sort transactions, etc. In addition to transaction fees and block rewards, miners can also extract more value through the above operations, and this value is MEV.

The latest definition of MEV in PoS blockchain is:

The total value a validator can extract across a block (or series of blocks) given the state of the environment and all available actions

Validators can perform operations such as reordering, reviewing, and inserting transactions. They can also incorporate more niche strategies, such as changing block timestamps, manipulating "randomness," executing additional validators, and more.

Generally speaking, a validator cannot change the state of its environment, including blockchain rules, smart contract code on the blockchain, transaction sets in its memory pool, etc.

2. Flash loan

Flash loan is an unsecured lending tool that was born due to the atomicity and rollback characteristics of blockchain transactions. Users need to complete borrowing and repayment within an atomic transaction and do not require any collateral. Let users have the ability to use huge amounts of funds at close to zero cost.

Flash loans must be repaid within the same transaction. As far as flash loans are concerned, the "transaction process" can be thought of as consisting of three parts: accepting the loan, doing things with the loan, and repaying the loan, but all of this happens in an instant.

The transaction is submitted to the network, temporarily lending you these funds, and you can do something with the funds (the second part of the transaction), and as long as the funds can be returned to the third part in time, you can do whatever you want. If the funds don’t come back in time, the blockchain network rejects the transaction, meaning the lender gets the funds back. In fact, in the blockchain concept, they always have funds.

This explains why lenders don’t require you to provide collateral, repayment of funds is enforced through contract code.

3. Sandwich Arbitrage

Sandwich arbitrage, also known as sandwich attack, is an attack method that uses front-running to attack the victim's transactions for arbitrage.

Sandwich arbitrage is initiated by arbitrage robots. When the arbitrage robot detects that a transaction may cause price slippage of digital assets, the attacker will pay higher gas fees to compete for the packaging rights of a block. When successful, the arbitrage robot immediately purchases a certain amount of digital assets, forcing the price of the asset to rise, and then sells the newly purchased digital assets after the attack transaction is completed to achieve cost-free arbitrage.

Sandwich arbitrage is not a peaceful arbitrage method - this arbitrage method must include an attack on a certain victim user and cause the victim to lose assets.

In Ethereum transactions, in order to seize the right to prioritize packaging, attackers need to pay higher gas fees. This is because ETH adopts the optimal gas fee bidding method, that is, the user who pays the highest gas fee can obtain the priority to package. . In order to get the first chance to package blocks, attackers will create vicious competition in gas fees, but since Ethereum's gas fees are paid for every transaction (regardless of success or failure). Therefore, when attackers engage in vicious competition, the interests of ordinary users must be harmed.

2. Step by Step analysis of DODO USDT/DAI attack incident

On November 3, 2022, Beijing time, the Ethereum decentralized trading platform DODO was attacked. The attacker used contract vulnerabilities to frequently change tokens and completed a sandwich attack. However, by studying the data on the chain, it will be discovered that the entire The profit-loss ratio of the process was not that exaggerated, but rather helpless. The attacker used a flash loan principal of more than 3.5 million USDT in one operation and only made a profit of 26.4 USDT. It is embarrassing. The whole process is as follows:

1. The first step of the sandwich attack: the attacker’s first transaction FrontRun

The transaction was initiated from the 0xf480 address, interacted with a contract (attacker contract 1) marked as MEVbot by Etherscan, transferred $12,840 to the contract (that is, his own account), and then transferred it to the next contract (attacker contract 1). Contract 2).

2. Step 2: Use a flash loan to exchange Tether for DAI

The attacker made a flash loan loan, borrowed 3.55 million US dollars from Balancer, and transferred the money to the address, transferring Tether to the DODO pledge token USDT pool, and then transferred it to the attacker. A sum of money is returned, which is a swap (i.e. an exchange of tokens).

In this swap, the attacker transferred USD 3.55 million in USDT and transferred USD 3.53 million in DAI, thus changing the money in the attacker's account from Tether to DAI.

3. Frequently change tokens

1) Use Psm to exchange DAI for USDC

Next, the attacker made another transfer, transferring DAI to a Public contract DssPsm. Psm is a contract that has completed redemption. Users can transfer DAI to Psm and exchange it for USDC. Psm will destroy the DAI transferred by the user. .

攻击者向Psm打了3538543个DAI,Psm合约将这些钱打到了零地址(即把这些DAI都烧掉了),然后给攻击者重新转了3538543个USDC。

2) USDC is transferred to USDT

The attacker then used the exchanged USDC to make a swap in DODO's USDT/USDC pool: the attacker contract gave 3.53 million USDC to DODO, and DODO gave 3.53 million USDT to the attacker contract.

4. Step 3: Extract commission BackRun to complete the closed loop

The attacker then transferred another $70 from DODO to a multi-signature wallet (the address of DODOteam). In this step, DODO drew a commission during the transaction. Finally, the attacker returned all USDT (3551259), and the flash loan ended.

3. Summary

In total, the attacker exchanged stablecoins twice in the two pools of DODO. The process was: 3551259 USDT - 3538543 DAI (this step produced a large slippage) - 3538543 USDC - 3,538,419 USDT.

It can be found that the USDT that was finally exchanged was not enough to repay the money lent by the flash loan. The price difference was 3551259-3538149=12840. At this time, the 12840 US dollars transferred by the attacker to himself in the first step came in handy.

At this point we will have questions, didn’t the attacker lose the $12,840 he advanced? What is this intended to achieve?

In fact, the attacker's operation (when exchanging USDT for DAI) made the DODO pool more unbalanced. He used this unbalanced pool to exchange for more USDT (arbitrage process), and used a reverse process to reverse the harvest. It cost 26.4 US dollars (after deducting commissions from Gas and DODO).

Therefore, we see that there is actually a survivor bias in such attacks. There are actually many attackers who find such opportunities on the chain and carry out such attacks. Most of us can only see cases of successful attacks, and more often they perform sandwich attacks. The attacking robots will be beaten, and many robots will be arbitraged by other robots. This is why MEV is very complicated now.