Hacking

$280 million stolen per month from crypto transactions

CyberNews researchers found that front-runners are abusing decentralized cryptocurrency exchanges by draining hundreds of millions in crypto from trader transactions on the Ethereum network.

Unsuspecting traders can lose as much as $280 million to front-runners each month.

Original post on CyberNews: https://cybernews.com/crypto/flash-boys-2-0-front-runners-draining-280-million-per-month-from-crypto-transactions/

As the price of bitcoin and Ether reached unprecedented highs in the past few months, the decentralized cryptocurrency market saw a massive influx of new traders and an incredible increase in value. As of May 2021, the total value of cryptocurrency traded across decentralized exchanges (DEXes) has reached more than $58 billion.

As opposed to centralized exchanges like Coinbase or Binance, where the vast majority of cryptocurrency trading takes place, DEXes are fully decentralized. This means that they are not controlled or operated by a single entity, and traders are always in control of their own funds and transactions. 

Or are they?

With unscrupulous stock traders migrating to crypto over the years, underhanded market manipulation tactics were carried over into the world of cryptocurrency. 

Just like insider trading and scalping, front-running is one of many such techniques. It is an unethical and illegal market manipulation method that originated in traditional financial markets, where front-running has been prohibited since the time when stock trading was conducted via actual paper notes.

What is front-running?

Because decentralized exchanges are not governed by a single entity, all cryptocurrency transactions – both pending and completed – are publicly visible to everyone on sets called mempools. Having access to mempools allows front-runners to use various techniques to exploit the data of pending transactions in order to jump in with their own trade before they are confirmed on the blockchain, make unsuspecting traders pay more for their transactions, and pocket the profit.

Unfortunately, the very nature of decentralized exchanges and blockchain technology makes front-running possible. Since most DEXes are based on public blockchain tech such as Ethereum, front-runners can see each incoming transaction that has been locked into a smart contract. 

As soon as they see an opening, bots deployed by front-runners jump the queue and insert a higher transaction fee for placing the order, while the trader who initiated the transaction is forced to pay the price that they didn’t see coming. 

This can result in hefty losses for traders’ transactions. In the following example, a front-runner has extracted a whopping 0.34519701 ETH from a single transaction, which cost the trader $983: 

(Image source: dextools.io)

As a result, the victim of front-running received a lot fewer Ether tokens than expected. In some cases, traders can lose tens of thousands of dollars in crypto to front-runners this way.

With recent research showing that front-running is now relatively widespread on decentralized exchanges that are built on the Ethereum blockchain, we at CyberNews decided to investigate the exact extent of the losses this market manipulation tactic is incurring on cryptocurrency traders. 

The results of our investigation were eye-opening: hundreds of millions of dollars in crypto are being drained by front-runners every day, causing cryptocurrency traders massive unexpected losses. To make matters worse, all major decentralized exchange protocols can be abused this way.

$280 million drained by front-runners each month

To find out the extent of the losses caused by front-runners across major decentralized exchanges, we utilized the MEV Explore and MEV Inspect tools provided by Flashbots, a research and development organization dedicated to mitigating the negative externalities of the current value extraction techniques and avoiding the existential risks front-running can cause to state-rich blockchains like Ethereum.

We looked at the overall value extracted in 30 days, from April 24 to May 24, as well as how much value front-runners drained from trades in the last 24 hours of this monthly interval.

Our investigation found that front-runners extract more than $12 million from transactions every day, with monthly losses suffered by traders reaching nearly $280 million in cryptocurrency, which can amount to billions of dollars in yearly losses.

While there are multiple ways for miners to extract value from transactions, arbitrage and front-running appear to be involved in draining a gigantic 96% of the overall miner extractable value (MEV) across all major decentralized exchanges: 

According to CyberNews researcher Martynas Vareikis, countless front-running attacks against unsuspecting traders are conducted every day.

“The numbers are staggering, and unless something is done to curtail them, this is only going to get worse. And since these exploitation opportunities are inherent to the current iteration of blockchain technology, the solutions to the front-running problem will require structural, rather than individual changes,” says Vareikis.

Front-runners extract the most value on these decentralized exchanges

Our findings show that 43% of all MEV is drained on Uniswap (V2), which is the second-largest decentralized finance platform by market share.

SushiSwap, the fifth-largest DEX in crypto, comes second with 23%, while Balancer takes third place with 11% of the overall value being extracted by front-runners on the trading platform.

Curve and dYdX close the top five, with 8.8% and 7.7% of total MEV drained, respectively.

Front-running: an unaddressed threat to decentralized finance

Despite front-running being a relatively widespread phenomenon on decentralized cryptocurrency exchanges, there’s still a noticeable lack of tools or mechanisms in place that could help curtail the tactic. 

This apparent lack of security processes adversely affects the entire decentralized finance ecosystem, causing developers to enact draconian measures, including placing transaction limits on all miners, in order to stay ahead of the front-runners.

Vygandas Masilionis, CEO of Lossless, a protocol that freezes and returns stolen funds back to the owners’ accounts, reckons that user education about measures such as slippage tolerance and smaller but more frequent trades is the most effective solution against front-running tactics to date.

“Lossless however, aims to bring unprecedented flexibility against various vectors of attack, including, if desired, frontrunning. As long as token creators define front-running as the type of transactions that shouldn’t occur – Lossless transaction freezing functionality can block frontrunning bots by default,” says Masilionis.

“It’s high time for organizations involved in decentralized finance to adopt a proactive security mindset, which includes tighter oversight of the mempools and transaction backlogs, as well as widespread implementation of front-running attack detection systems,” adds Vareikis.

Before that happens, however, we highly recommend traders to refrain from placing high-value trades on decentralized exchanges.

About the Author: Edvardas Mikalauskas

Original post on CyberNews: https://cybernews.com/crypto/flash-boys-2-0-front-runners-draining-280-million-per-month-from-crypto-transactions/

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, crypto transactions)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

13 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.