Cryptocurrencies have skyrocketed in popularity in recent years, with the sector currently worth a little over $1.2 trillion. Unfortunately, network security has lagged behind the expanding industry, leading to an increase in malicious network attacks.
Recently, the crypto community was left shocked after an Ethereum validator stole crypto worth millions from a Maximal Extractable Value (MEV) bot — a software designed to churn profits by rearranging blocks. Furthermore, the culprit is yet to be apprehended and currently holds $20 million worth of stolen tokens.
But before addressing this issue, let’s discuss what sandwich attacks are and how they are carried out.
How are sandwich attacks carried out?
Sandwich attacks are a form of malicious blockchain attack that takes advantage of smart contract vulnerabilities. A sandwich attack, simply put, traps a user’s transaction between two transactions, which is then further manipulated to gain profits. Such assaults are frequently carried out with the assistance of MEV (maximum extractable value) bots operating in a network.
Before we take a look at an example, it’s important to understand how MEV bots function since they are a crucial component of sandwich attacks. MEV bots are automated software designed to exploit a network by detecting profitable transactional opportunities. They can initiate “sandwich trades” by spotting traders attempting to purchase tokens and slipping in between to make a profit. Such a method is often used by validators.
For example, if a trader places a transaction to buy $5,000 worth of ETH, the MEV bot detects it and places a transaction to buy ETH just before the trader can execute the transaction. These back-to-back buy transactions can inflate the price of ETH. The MEV bot then places a sell transaction after the trader’s buy transaction to make a profit from the price jump.
Certain inefficiencies with how blockchains function make it possible for such attacks to occur. For instance, on the blockchain, transactions with the highest gas fees are picked up first to be added to the block. Thus, MEV places the first transaction with higher gas fees than the victim and places the second transaction with lower gas fees to make sure the first malicious transaction is picked before the victim’s, followed by the second malicious transaction.
How a rogue Ethereum validator pulled a $25 million theft?
In a recent sandwich attack, a bad player pretended to be an Ethereum validator by depositing 32 ETH just 18 days before the planned theft. The rogue validator then caused an MEV bot to launch a sandwich assault, replacing several automated trades and stealing $25 million.
It was later reported that eight addresses from the KuCoin exchange were involved in executing the said sandwich attacks on Uniswap liquidity pools. According to blockchain security firm PeckShieldAlert, the stolen amount is stored in three different addresses out of eight involved in the theft.
At the time of writing this article, the hacker has about $13.4 million worth of wrapped Ethereum (WETH), $1.8 million worth of Wrapped Bitcoin (WBTC), $3 million in USDT, $5 million in USDC and $1.6 million worth of DAI stablecoin.
Conclusion
While rug pulls and Sybil attacks are frequently discussed in the crypto space, sandwich attacks have often been overlooked. Data security firm, CertiK, told CoinTelegraph that about $27 million worth of exploits have occurred via MEV bots (bots that execute sandwich attacks) since September 2022, with the latest attack accounting for a great majority.
The theft highlights the existing loopholes in the DeFi ecosystem and calls for better security infrastructure. While Uniswap was one of the victims in this particular incident, other DeFi protocols such as PancakeSwap, Polygon, and SushiSwap have also been on the radar for sandwich attacks. The massive heist has only made the situation more severe and highlights the need for major corrections in DeFi protocols.
