【ChainNews Selection】What is Front Running? Researchers on the move: Hunting front-running bots in the Ethereum Dark Forest


How do front-running bots intercept funds? How to avoid the doom of being front-run?

(This article is authorized to be reprinted from ChainNews, original article here)

Source: Alex Manuskin, Crypto Wallet ZenGo Blockchain Researcher

Compiled by: Perry Wang

The monsters in the Ethereum Dark Forest are no joke. These front-running bots can analyze smart contract calls and functions that have never been used before in order to extract potential profits.

To better understand these bots, this article takes you on a journey through the Ethereum Dark Forest. Let's delve deeper into how rampant they are.

We managed to "set traps" and captured some common types of front-running bots, analyzing their behavior.

On this journey, we studied how efficient these front-running bots are and how likely various transactions are to be hunted by them. Of course, we also tested different ways to evade them.

Below, enjoy.

What is Front-Running?

Generally speaking, front-running refers to the practice of placing a trade ahead of a known future trade in the execution queue.

A simple example of front-running is in the context of exchange bids. For instance, if someone is about to buy a large amount of ETH on Uniswap, enough to drive the price of ETH up, one way to benefit from this scenario is to front-run by buying ETH just before this large buy order, while the price is still lower. Then, after the ETH price surges, immediately sell to lock in profits.

Aside from this arbitrage trading example, there are many ways to exploit front-running to capture value, including liquidations, buying rare NFTs, or simply exploiting user errors (the value that can be extracted through the ordering of transactions or their execution is known as "Miner Extractable Value", or MEV).

Front-running in Ethereum can be achieved by paying slightly higher gas prices than normal levels, which can incentivize miners to prioritize their transactions when constructing blocks. The higher the transaction fee paid, the higher up in the order it will be executed. Therefore, if two transactions both stand to profit from the same smart contract call within the same block, only the one executed first will ultimately profit.

Animal Behavior

Dan Robinson and Georgios Konstantopoulos described in their jointly written blog post "Ethereum is a Dark Forest" an incident where they attempted to rescue tokens worth $12,000 in value from a smart contract on Ethereum but were intercepted by arbitrage bots. These super predators are highly advanced, capable of tracking any valuable transactions in the Ethereum transaction pool and front-running them through various means.

ChainNews Note: The Chinese version of "Ethereum is a Dark Forest" can be found here:
https://www.chainnews.com/articles/124072923888.htm

The story of the Dark Forest is "hair-raising," to the point of being unbelievable when first read. In reality, there are reasons to question the existence of such super predator bots. How can someone siphon funds off the Uniswap protocol, a platform that is constantly monitored by numerous bots? Could these bots be nothing more than ordinary "arbitrageurs"?

Earlier this year, we published an analysis confirming that they are not just ordinary "arbitrage bots." As far as we know, they are able to call functions of smart contracts that have never been called before. Even if the transactions are obfuscated through proxy smart contracts, these bots can still siphon off funds through such operations.

To say the least, this is shocking. The ability to monitor any transaction in the transaction pool is a powerful weapon. What is unsettling is that some service providers are starting to openly offer "dark pool" trading layers.

"Dark pool" trading layers do not require the use of services like Infura or even private nodes, directly sending transactions to miners who promise not to broadcast them to the rest of the network, ensuring that transactions evade the radar of predators.

Famed white hat samczsun, along with several partners, used a similar method to rescue $9.6 million from a vulnerable smart contract. It's easy to imagine that miners may start manipulating front-running bots, while providing secure channels only to traders willing to pay extra fees.

ChainNews Note: The Chinese version of the story can be found here:
https://www.chainnews.com/articles/551492636558.htm

These bots differ from other elements in Ethereum in that they can only operate on the Ethereum mainnet, while smart contracts can be tested in the development environment or testnet. Apart from conducting some preliminary experiments, testing these bots' front-running in the testnet does not make financial sense. Furthermore, due to the hidden logic, the operating rules of these bots may vary.

We are not clear on the conditions under which these front-running predators decide to launch attacks. Therefore, in some aspects, tracking these predators is akin to chasing rare animals.

We are not hunting every front-running bot, only one specific kind: the broad front-running bot.

To ensure that the front-running bots we catch are "true" broad front-runners, a unique "trap" is needed. The trap is a newly created smart contract initialized with the SHA256 hash of a secret string, and it comes with some funds. Only by providing the secret can one withdraw the locked funds. The funds will be sent directly to the sender of the withdrawal transaction.

The idea behind this trap is to send a "bait" transaction that provides the correct secret and see whether anyone copies it and submits the secret themselves to intercept the funds. If someone intercepts the funds before the bait transaction executes, it means that someone was able to analyze the transaction pool, copy the transaction's contents, and submit the secret themselves.

What makes this interesting is that a bot that intercepts the funds has provided the secret to a smart contract that had never been invoked before, which makes it a truly broad front-running bot.

Mechanism of Broad Front-Running Bots

Understanding the mechanism of broad front-running bots is an essential part of this experiment. However, if someone creates a money-making machine, they are unlikely to share it on GitHub. Therefore, we can only observe and reverse-engineer the behavior of these predatory bots.

Building broad front-running bots typically requires two components:

  • The first component is an Ethereum account, with or without a smart wallet proxy, where the tampered transactions will be sent.
  • The second is the "backend," the brain of the operation, which usually occurs off-chain.

The operators of these bots use some technology to scan every transaction in the transaction pool, parse them, replace their parameters (e.g., the transaction caller), and determine if front-running is profitable.

Workflow of a front-running bot

Rational bots will not initiate front-running attacks if the transaction fee exceeds the potential profit from the trade. The total transaction fees can be high, especially when gas prices are high, so to entice front-running bots to attack our bait transaction, a certain minimum profit is required.

Furthermore, time is crucial because bots need to analyze every transaction in the transaction pool (of which there are many). Ethereum averages a 12-second block time. If the gas price of a transaction is high enough, the bot must analyze and replace it before the next block is produced. This is a probabilistic process: a block may be mined immediately after a transaction is broadcast, giving the bot no time to analyze it and broadcast a front-running transaction.

Considering these factors and ideas, we tested the conditions for front-running bots to attempt to intercept the bait.

Set a Trap

Our smart contract Giver was initially set up with a balance of 0.035 ETH, valued at approximately $20 at the time. Anyone who provides the correct secret, whose hash is stored in the contract, can take these funds. Another account, the taker, tries to withdraw the funds by providing the correct secret, and it is this transaction that should trigger the predator's front-running.
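The trap and the gas-price ordering described earlier can be modelled offline. The following is an added example, not code from the article or from ZenGo: it is a Python model, not the deployed contract, and the `take` method name, the gas prices, the secret and the `BoundGiver` variant (whose hash also commits to the intended recipient) are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Tx:
    sender: str
    secret: bytes
    gas_price_wei: int

class Giver:
    """The trap as described: pays its balance to whoever submits the SHA256 preimage."""
    def __init__(self, secret: bytes, balance_wei: int):
        self.digest = hashlib.sha256(secret).digest()
        self.balance_wei = balance_wei

    def claim_digest(self, tx: Tx) -> bytes:
        return hashlib.sha256(tx.secret).digest()  # independent of tx.sender

    def take(self, tx: Tx) -> int:
        if self.balance_wei == 0 or self.claim_digest(tx) != self.digest:
            return 0  # revert: wrong secret, or already drained
        paid, self.balance_wei = self.balance_wei, 0
        return paid  # amount sent to tx.sender

class BoundGiver(Giver):
    """Added variant (assumption, not in the article): digest also commits to the recipient."""
    def __init__(self, secret: bytes, recipient: str, balance_wei: int):
        self.digest = hashlib.sha256(secret + recipient.encode()).digest()
        self.balance_wei = balance_wei

    def claim_digest(self, tx: Tx) -> bytes:
        return hashlib.sha256(tx.secret + tx.sender.encode()).digest()

def mine_block(contract: Giver, pending: list) -> dict:
    """Execute pending transactions in descending gas-price order; return payout per sender."""
    ordered = sorted(pending, key=lambda tx: tx.gas_price_wei, reverse=True)
    return {tx.sender: contract.take(tx) for tx in ordered}

def run_round(contract: Giver, secret: bytes) -> dict:
    bait = Tx("taker", secret, 20_000_000_000)                # constructed gas price
    copy = Tx("copier", bait.secret, bait.gas_price_wei + 1)  # same secret, outbids by 1 wei
    return mine_block(contract, [bait, copy])

SECRET = b"constructed-secret"  # constructed sample value
BALANCE_WEI = 35 * 10**15       # 0.035 ETH, the Giver balance given in the article
```

With `Giver` the copied transaction is paid and the bait gets nothing; with `BoundGiver` the copy fails because the hash check depends on who sends it.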

Round 1: Direct Contract Call

To ensure the baseline trap was functioning properly, we first used the recipient account to call the contract. In the first attempt, the gas price was relatively high (determined by the Ethereum framework), and we were able to successfully retrieve the fund.

Our success could be due to the low profit from intercepting this transaction, which was not attractive to the predator, or because the transaction was quickly included in a block, giving the bot no time to act. Obviously, this was not the outcome we expected as our goal was to lure the predator into our trap.

Round 2: Giving Predators Time to Think

In this round, we addressed the issues encountered previously. We increased the potential profit and lowered the gas price so the transaction would not be quickly included in a block, giving the bot time to find it. The balance of the contract was increased to 0.04 ETH (an increase of 0.005 ETH from before).

This time we were attacked. The transaction lingered for about 3 minutes before being included in a block and ultimately failed to withdraw the value from the trap smart contract. We reviewed the internal transactions of the contract and found that the fund was intercepted by someone else.

ChainNews Note: The transaction address is
https://etherscan.io/tx/0x5bfd9294747686cddf8a0be649605ac700bd45363204bbb53dc091f193e0085c

The front-running transaction used a gas price of 25.000001111 Gwei, slightly higher than the gas price we used. It was included in the same block as our transaction, clearly an interception.

ChainNews Note: The front-running transaction address is
https://etherscan.io/tx/0x5b8221dea090c630e056e7160f065a590138eea8680c634c9134b2c37c7c394a

Implanting a Tracker

Since our trap successfully captured a bot (albeit at a cost), we can derive some interesting insights.

First, the transaction did not directly execute a call to the smart contract. The bot did not blindly send a copied transaction from its account but passed it through a proxy smart contract, acting as a smart wallet to execute these transactions.

We can now track both past and future transactions, closely examining how this bot operates and the extent of its capabilities.

The bot uses its own proxy contract

Decompiling this contract reveals two main functions:

"Withdraw" primarily sends all the funds in the contract to the operator of the bot. Another function accepts some parameters: the contract to call, a list of parameters, and a value parameter to pass.

With this function, the proxy contract acts as a smart wallet for the bot operator. Besides being able to execute external function calls, it can also ensure that the balance at the end of the transaction is at least equal to the balance at the start, to avoid potential fund losses when calling unknown contracts (excluding gas, of course).

Using the Dune Analytics tool, we can see that this bot has been quite profitable since it began operating in May 2018.

Assuming this bot has been using the same smart proxy and receiving address to initiate front-running, we estimate it has earned approximately 17 ETH.

Funds earned by the bot over different time periods in ETH

Round 3: How Smart Are These Bots?

Now that we are certain this bot actively targeted us, we wanted to test whether we could obscure our call to the contract by routing it through a second contract (a proxy contract) and so extract the bait funds successfully. The proxy would call a function to withdraw the bait funds from the bait contract (giver). The contract also has a "receive" function to refund the funds to us.

We deployed the ProxyTaker contract, called the appropriate function, and attempted to withdraw the funds. Since the cost of actions through the proxy was slightly higher than before, the balance of the giver contract was increased to 0.055 ETH. The result was that our transaction was immediately front-run by another bot.

ChainNews Note:

The ProxyTaker contract address is
https://etherscan.io/address/0x68b1b608034e9f4d34e777e1529bc157e17f60c8

The call address is
https://etherscan.io/tx/0xf4b8b57a6e61e97b954da6f9c6b66494aa764bdf0b3a4643e3beb8b276fd7b07

The front-running transaction address is
https://etherscan.io/tx/0x8b358f45f28d27eb4910bd3a244527399c627c6066c70efc1c3fcb6ffc8517da

This time, the bot's tactics were even more impressive. The bot not only detected our withdrawal transaction but also identified it as an internal call made from a completely different smart contract! Moreover, all of this was done in record time: our withdrawal transaction was included in a new block seconds later, along with the predator's front-running transaction.
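The pattern seen in Rounds 2 and 3 (same block, slightly higher gas price, the same call to the giver reached through a different contract) can be checked for after the fact by comparing call traces rather than top-level calldata. This is an added forensic example, not code from the article; the trace layout, transaction hashes, account labels and function names are constructed, and it assumes the front-run transaction reverted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TxTrace:
    tx_hash: str
    origin: str         # account that signed the transaction
    index: int          # position inside the block
    gas_price_wei: int
    reverted: bool
    calls: tuple        # every (callee, calldata) pair in the trace, internal calls included

def find_front_runs(block):
    """Pair each reverted tx with an earlier tx from another origin that made the same call."""
    findings = []
    ordered = sorted(block, key=lambda t: t.index)
    for pos, victim in enumerate(ordered):
        if not victim.reverted:
            continue
        for earlier in ordered[:pos]:
            if earlier.reverted or earlier.origin == victim.origin:
                continue
            if earlier.gas_price_wei <= victim.gas_price_wei:
                continue  # the pattern in the article: the front-runner outbids its target
            shared = set(earlier.calls) & set(victim.calls)
            for callee, _calldata in sorted(shared):
                findings.append((victim.tx_hash, earlier.tx_hash, callee))
    return findings

# Constructed block shaped like Round 3: both sides reach the giver through their own proxy,
# so only the internal call to the giver is identical.
GIVER_CALL = ("giver", "take(constructed-secret)")
SAMPLE_BLOCK = [
    TxTrace("0xfront", "bot-operator", 0, 20_000_000_001, False,
            (("bot-proxy", "execute(constructed)"), GIVER_CALL)),
    TxTrace("0xother", "bystander", 1, 20_000_000_001, False,
            (("token", "transfer(constructed)"),)),
    TxTrace("0xbait", "taker", 2, 20_000_000_000, True,
            (("proxy-taker", "withdraw(constructed-secret)"), GIVER_CALL)),
]
```

Matching on internal calls is what makes this work when either side uses a proxy: the outer transactions differ, but the call that reaches the giver carries the same secret.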

The identity of this bot is also intriguing. The bot's smart contract is primarily operated by this account. This account published a comment on Etherscan, where the main post discussed rescuing funds from a vulnerable Bancor smart contract in a white hat operation.

Information from the operator account: etherscan

Considering the same behavioral characteristics of this bot (calling the proxy through account A, transferring funds to account B), along with proximity to the above transaction, there is reason to suspect that this bot may have also front-run the white hat's fund rescue operation in a broad sense.

This bot is much smarter than the one we encountered before. It targets not only ETH transactions but also various arbitrage trades.

By looking at the account balance alone, its earnings are much higher. The account currently holds around 300 ETH, valued at $180,000. We can also estimate its profits from all inflows and outflows of funds from the contract address, totaling around 900 ETH.

This is just a rough estimate, as the account may have conducted transactions unrelated to its front-running activities.