Let's Talk

What Is a Front-Running Attack?

Rob Behnke

Front-running attacks take advantage of the process by which transactions are added to the blockchain’s distributed ledger.  A user that takes advantage of how the system works can make a near-guaranteed profit trading DeFi.

How Transactions Are Added to the Blockchain

Transactions are not added immediately to the blockchain’s distributed ledger.  They are collected into blocks and only added to the ledger as a part of these blocks.

The nodes in the blockchain network need to know about a transaction before it can be added to a block.  Since the block creation process is decentralized, this means that the entire blockchain network needs to know about these transactions.

Once a blockchain user has created a transaction, they broadcast that transaction to the entire blockchain network.  When nodes receive a copy of a transaction, they add it to a pool of unused transactions.

When a new block is being built, the block creator draws from the current pool of unused transactions.  The order in which transactions are added to blocks is typically determined based upon the transaction fees.  

While blockchains often have a minimum fee, blockchain users can set their own fees.  This means that a user can pay for priority, putting a higher fee on a particular transaction.  

The block creator – who receives these fees and is trying to maximize their profits – will add transactions to blocks based on fees, not the order in which they are received.

Taking Advantage of the Process

Front-running attacks take advantage of this process of adding transactions to blocks based on transaction fees.  An attacker has the ability to ensure that their transaction is processed before any other transaction by including a higher transaction fee with it.  This is called a front-running attack.

As decentralized finance (DeFi) becomes more common, this ability can make a user a significant profit.  On cryptocurrency exchanges, the prices of buys and sells are dependent on supply and demand.  

By front-running a buy that they see about to happen (because all transactions are publicly broadcast), a user can:

  1. Purchase a token at a certain rate. This raises the value of that token relative to the token used for the purchase.
  2. Have the original buy transaction happen (further increasing the value of the token).
  3. Sell the token at a higher rate, netting a profit.

By front-running actions on an exchange (either buys or sells of a token), it is possible to make a profit.  This is why bots are performing front-running attacks on DEXs.  These bots net a near-guaranteed profit on transactions with minimal risk.

Front-running can also allow an attacker to cheat in contests where the first correct answer wins.  The DODO DEX hack is an ironic example of this.  In this case, front-running bots actually decreased the impact of the hack because they frontrunned some of the attacker’s attempts to exploit the vulnerabilities.  After the hack was discovered, the owners of the bots returned the tokens that the bots drained from the DEX.

Protecting Against Front-Running Attacks

Front-running is a “feature” of how the blockchain is designed.  Transaction fees are an intentional part of the blockchain environment, so the ability to pay for priority (and frontrun transactions) is not a design or implementation error.

The simplest way to escape front-running is to always pay transaction fees high enough that front-running is no longer profitable.  However, this is an expensive and unsustainable way to beat front-running.

The other way is to cheat.  This is how samczsun and a team managed to protect a major smart contract vulnerability from exploitation.  Instead of publicly broadcasting a transaction, they secretly sent it to a mining pool that added it to a block without revealing it.  This way, the transaction was only publicly visible once it was a part of the digital ledger.

LET’S CONNECT

We’re looking for passionate, blockchain-loving, offensive security engineers and white hat hackers to join the team.

For secure communications, use [email protected]

Contact Us

crossmenuchevron-down linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram