Author: Daii Source: mirror

Last Wednesday (March 12), the news that a crypto trader lost $215,000 in one go due to a MEV attack was all over the news.

To put it simply, this user wanted to exchange USDC stablecoins worth US$220,800 for an equivalent amount of USDT in the Uniswap v3 trading pool, but ended up getting only 5,272 USDT. In just a few seconds, his assets evaporated by US$215,700, as shown in the figure below.

The above picture is a screenshot of the on-chain record of this transaction. The root cause of this tragedy is the notorious "Sandwich Attack" in the blockchain world.

The first to disclose the MEV attack was Michael (see the picture above), who explained:

An MEV bot front-ran the tx by swapping all the USDC liquidity out. After the transaction executed, they put back the liquidity. The attacker tipped a block builder (bobTheBuilder) $200k and profited $8k from this transaction.

Translation: MEV The bot front-ran the tx by swapping out all USDC liquidity. After the transaction was executed, they put back the liquidity. The attacker tipped the block builder (bobTheBuilder) $200,000 and made $8,000 in profit from the transaction.

There is a typo in the above content. The MEV attack bot swapped out a large amount of USDT, not USDC.

However, after reading his explanation and news reports, you may still be confused because there are too many new terms in it, such as Sandwich Attack, front-ran the tx, put back the liquidity, tipped a block builder, etc.

Today, we will take this MEV attack as an example, dismantle its entire process, and take you to explore the dark world of MEV.

First, we need to explain what MEV is.

1. What is MEV?

MEV was originally called Miner Extractable Value, which refers to the additional profit that miners can obtain by reordering, inserting or excluding transactions in blockchain blocks. This operation may cause ordinary users to pay higher costs or obtain more unfavorable transaction prices.

As blockchain networks such as Ethereum shift from the Proof-of-Work (PoW) consensus mechanism to the Proof-of-Stake (PoS) consensus mechanism, the power to control transaction ordering has shifted from miners to validators. Therefore, the terminology has evolved from "Miner Extractable Value" to "Maximal Extractable Value".

Although the name has changed, the core concept of extracting value by manipulating the order of transactions remains the same.

The above content is still a bit technical, you just need to remember: MEV exists because the former miners, now validators, have a right to sort the transactions in the memory pool (mempool). This sorting occurs within a block. Now Ethereum produces a block about 11 seconds, which means that this power will be exercised once every 11 seconds. Similarly, this MEV attack is also achieved through validator sorting.

Click on this link and you will see the transaction content contained in the block numbered 22029771 related to this attack, as shown below.

Please note that transactions 1, 2, and 3 in the above figure are the MEV attack mentioned at the beginning of this article. This order is arranged by the verifier (bobTheBuilder). Why is it possible?

2. The principle of MEV

To understand how MEV works, we need to first understand how blockchain records and updates information.

2.1 Blockchain state update mechanism

The blockchain can be viewed as a continuously growing ledger that records all transactions that have occurred. The state of this ledger, such as the balance of each account, the reserve of various tokens in the Uniswap trading pool, etc., is determined by previous transactions.

When a new block is added to the blockchain, all transactions contained in this block will be executed one by one in the order in which they are arranged in the block. Every time a transaction is executed, the global state of the blockchain will change accordingly.

In other words, not only the order of blocks is important, but also the order of transactions in blocks. So how is the order of transactions in blocks determined?

2.2 Validators determine transaction order

When a user initiates a transaction on a blockchain network, such as this transaction that converts USDC to USDT through Uniswap, it is first broadcast to the nodes in the network. After initial verification, the transaction enters an area called the "mempool". The mempool is like a waiting area where transactions have not yet been confirmed and added to the next block of the blockchain.

Former miners (in PoW systems), now validators (in PoS systems) have the right to select transactions from the mempool and decide the order in which these transactions are arranged in the next block.

The order of transactions in a block is crucial. Before a block is finally confirmed and added to the blockchain, the transactions in this block are executed in the order determined by the validator (such as bobTheBuilder). This means that if a block contains multiple transactions that interact with the same transaction pool, the order in which these transactions are executed will directly affect the results of each transaction.

This ability allows validators to prioritize specific transactions, delay or exclude other transactions, or even insert their own transactions to maximize profits.

The order of this transaction is equally important, and any error will make the attack impossible.

2.3 Transaction order of this MEV attack

Let’s first take a brief look at the 3 transactions related to this MEV attack:

• Transaction 1 (the attacker’s first transaction): Executed before the victim’s transaction. The purpose of this transaction is usually to push up the price of the token that the victim wants to trade.

• Transaction 2 (victim's transaction): Executed after the attacker's first transaction. Due to the attacker's previous operation, the price in the trading pool is unfavorable to the victim at this time. He needs to pay more USDC to exchange for the same amount of USDT, or can only exchange for less USDT.

• Transaction 3 (attacker's second transaction): Executed after the victim's transaction. The purpose of this transaction is usually to take advantage of the new price changes caused by the victim's transaction to make a profit.

The validator of this MEV attack is bob-The-Builder.eth, who is responsible for arranging the transactions in the order of 1, 2, and 3. Of course, bobTheBuilder did not work for nothing. He participated in this sorting and earned more than 100 ETH. On the contrary, the initiator of the MEV attack only earned $8,000. Their source of income is the victim's second transaction.

In a word, the attacker (MEV robot) conspired with the validator (bobTheBuilder) to make the victim of the second transaction lose $215,000, of which the attacker got $8,000 and the validator got $200,000 (more than 100 ETH).

The attack method they used has a vivid name - Sandwich Attack. Next, let's explain it one transaction at a time, so that you can thoroughly understand what MEV's more complicated Sandwich Attack is all about?

3. Full analysis of Sandwich Attack

It is called a Sandwich Attack because the attacker's two transactions (Transaction 1 and Transaction 3) are placed before and after the victim's transaction (Transaction 2), respectively, making the entire transaction sequence look like a sandwich structure (see the figure above).

Transaction 1 and Transaction 3 have different functions. Simply put, Transaction 1 is responsible for committing the crime, and Transaction 3 is responsible for collecting and sharing the spoils. Specifically, the whole process is as follows:

3.1 Transaction 1, responsible for raising the price of USDT

Click on the link of Transaction 1 in the above picture, and you will see the details of Transaction 1. The attacker raised the price of USDT very directly, that is, he used 18.65 million USDC to exchange all the 17.58 million USDT in it, as shown in the figure below.

At this time, what is left in the liquidity pool is a large amount of USDC and a small amount of USDT. If according to the news reports, before the attack, Uniswap's liquidity had about 19.8 million USDC and USDT respectively, then after the execution of transaction 1, there are only 2.22 million USDT left in the pool (=1980-1758), and the USDC balance increases to about 38.45 million (=1980+1865).

At this time, the exchange ratio between USDC and USDT in this pool is far from 1:1, but 1:17, which means that 17 USDC is needed to exchange for 1 USDT, but this ratio is only approximate, because this pool is V3, and the liquidity in it is not evenly distributed.

There is one more thing I want to tell you. In fact, the attacker did not use 18.65 million USDC at one time. The actual USDC used was 1.09 million, less than 6%. How did he do it? We will talk about it in detail after we finish talking about the attack.

3.2 Transaction 2, execute 220,000 USDC to exchange for USDT

Click the link of transaction 2 in the above picture to see the picture below. As shown above, the victim's transaction 2 was affected by transaction 1, and only 5272 USDT was obtained for 220,000 USDC, and 170,000 USDT was lost unknowingly. Why is it unknowingly? Because if the victim trades through Uniswap, he will see the following interface when submitting the transaction.

From the above picture, you will find that the victims should be guaranteed to get at least 220,000 USDT. The reason why the victims only got more than 5,000 USDT in the end was because of the huge slippage, reaching more than 90%. However, Uniswap has a default maximum slippage limit of 5.5%, see the figure below.

That is to say, if the victim traded through the Uniswap front end, he should have received at least 208381 USDT (= 220510 * 94.5%). You may wonder why the blockchain record above shows that the transaction was conducted in "Uniswap V3".

Because the front end and back end of blockchain transactions are separate. The "Uniswap V3" mentioned above refers to Uniswap's USDC-USDT fund pool, which is public and can be traded through the front end of any transaction.

It is precisely because of this that some people suspect that the victim is not simple, not an ordinary person, otherwise there would not be such a large slippage, and it may be using MEV attacks to launder money. We will talk about this later.

3.3 Transaction 3, Harvest + Split the Spoils

Click the link to view the details of Transaction 3, as shown above. Let's talk about transactions A, B, and C respectively.

Transaction A, restores the liquidity in the pool to normal, and exchanges 17.32 million USDT for 18.6 million USDC;

Transaction B, prepares for the division of spoils, and exchanges part of the proceeds - 204,000 USDC for 105 ETH;

Transaction C, divides the spoils, and pays 100.558 ETH to the validator bob-The-Builder.eth.

At this point, the sandwich attack ends.

Now let's answer a very important question mentioned above: How did the attacker achieve an 18 million attack with 1.09 million USDC?

4. How did the attacker achieve the 18 million USDC pool attack

The reason why the attacker was able to achieve the 18 million USDC level attack with only 1.09 million USDC is because there is a magical and special mechanism in the blockchain world - Uniswap V3's Flash Swap.

4.1 What is Flash Swap?

In short:

Flash Swap allows users to withdraw assets from the Uniswap pool in the same transaction, and then repay with another asset (or the same asset plus a fee).

Uniswap allows this "take first, pay later" behavior as long as the entire operation is completed in the same transaction. Please note that it must be completed in the same transaction. This design is to ensure the security of the Uniswap platform itself:

• Zero-risk lending: Uniswap allows users to temporarily withdraw funds from the pool without collateral (similar to lending), but must repay them immediately at the end of the transaction.

• Atomicity: The entire operation must be atomic, either completely successful (funds returned) or completely failed (transaction rollback).

The original intention of the design of Flash Swap was to conduct on-chain arbitrage more efficiently, but unfortunately it was used by MEV attackers and became a weapon for market manipulation.

4.2 How does lightning exchange assist?

Let’s look at the picture and understand step by step how the lightning exchange of this attack is achieved, see the figure below.

• F1 The attacker borrowed 1.09 million USDC from AAVE using his own 701 WETH;

• F2 The attacker initiated a flash exchange request and first withdrew 17.58 million USDT from the Uniswap pool (no payment is required at this time). The attacker's account temporarily increased by 17.58 million USDT;

• F3 The attacker quickly invested the 17.58 million USDT into Curve The attacker exchanged 17.55 million USDC into the pool, and the USDT in the attacker's account decreased by 17.58 million, and the USDC increased by 17.55 million. From the figure below, you can see that the attacker chose Curve because the liquidity here is sufficient, with more than 70.54 million USDT and 50.71 million USDC, and the slippage is relatively low.

• F4 The attacker then returned the 17.55 million USDC exchanged from Curve, plus the 1.09 million USDC he had originally prepared (from Aave lending), a total of 18.64 million USDC, to Uniswap at one time, and the flash swap was completed;

After this transaction (transaction 1), the attacker's account balance decreased by 1.09 million USDC, because the 18.64 million USDC returned to Uniswap Only 17.55 million USDC was exchanged from Curve, and the remaining 1.09 million USDC was the attacker's own funds.

You should have discovered that this transaction actually caused the attacker to lose 1.09 million. However, the subsequent transaction 3, also through the flash exchange method, not only took back 1.09 million USDC, but also earned more than 200,000.

Let's analyze it step by step based on the data of transaction 3.

• K1 attacker used flash swap to withdraw 18.6 million USDC from Uniswap;

• K2 attacker used part of the USDC just withdrawn from Uniswap, 17.3 million USDC, to exchange for 17.32 million USDT;

• K1 attacker returned the 17.32 million USDT exchanged from Curve to Uniswap. Flash swap completed. You need to note that the attacker only spent 17.3 million USDC through K2 to obtain 17.32 million USDT. Of the remaining 1.3 million (= 18.6 million - 17.3 million) USDC, 1.09 million is his own funds, and the remaining 210,000 USDC is the profit of this attack.

• K3 attacker returned the principal to AAVE, took his own 701 WETH, and exchanged 200,000 USDC for 105 ETH, and sent 100.558 ETH of it to the validator as a tip (about 200,000 US dollars), leaving himself less than 10,000 US dollars in profit.

You may be surprised why the attacker is willing to give up a profit of up to 200,000 US dollars to the validator?

4.3 Why give a "tip" of 200,000 US dollars?

In fact, this is not generosity, but a necessary condition for the success of the MEV attack such as the sandwich attack:

• The core of a successful attack is the precise control of the transaction order, and it is the verifier (bobTheBuilder) that controls the transaction order.

• The verifier not only helps the attacker to ensure that the victim's transaction is between the attack transactions, but more importantly, the verifier can ensure that other competing MEV robots cannot jump the queue or interfere with the smooth completion of the attack.

Therefore, the attacker would rather sacrifice most of the profits to ensure the success of the attack and keep a certain amount of profits for himself.

It needs to be specially explained that MEV attacks also have costs. There are costs for flash exchange on Uniswap and there are costs for trading on Curve. However, since the fee rate is relatively low, about 0.01~0.05%, it is not worth mentioning compared with the proceeds of the attack.

Finally, I would like to remind you that the defense against MEV attacks is actually very simple. You only need to: set the slippage tolerance, not more than 1%; and execute large transactions in several transactions. Therefore, you don’t have to be afraid of trading on DEX (decentralized exchanges) because of choking.

Conclusion: Warnings and revelations in the dark forest

This $215,000 MEV attack is undoubtedly another cruel display of the "dark forest" law in the blockchain world. It vividly reveals the complex game of exploiting mechanism loopholes to gain benefits in a decentralized, permissionless environment.

From a higher level, the emergence of MEV is a manifestation of the double-edged sword effect of blockchain transparency and programmability.

• On the one hand, all transaction records are publicly available, allowing attacks to be tracked and analyzed;

• On the other hand, the complex logic of smart contracts and the certainty of transaction execution also provide opportunities for savvy participants.

This is not a simple hacking behavior, but a deep understanding and utilization of the underlying mechanism of blockchain. It tests the robustness of protocol design and challenges the risk awareness of participants.

Understanding MEV and recognizing its risks can better navigate in this digital world full of opportunities but also hidden crises. Remember, in the "dark forest" of blockchain, only by respecting the rules and improving cognition can you avoid becoming the next prey to be devoured.

This is also the effect I want to achieve through this article.