The decentralised finance (DeFi) landscape offers multiple opportunities but smart-contract exploits are becoming an increasing concern, as fraudsters could take advantage of flaws in the code.
DeFi is a new space that is giving users a lot of power without many regulatory constraints, and one needs to be extra careful as it is prone to various types of attacks. One such attack is called sandwich, which may not be a very popular one but can cause problematic situations in DeFi. Ethereum’s co-founder had raised an alarm about this back in 2018.
Concept of Sandwich Attack
A sandwich attack targets the DeFi protocols and platforms, and can have significant consequences in market manipulation. In simple words, the attacker will try to sandwich a user’s transaction with two transactions, before and after, thus incurring a loss to the user.
“This type of attack is most common in decentralised exchanges (DEXs). Most DEXs work on AMM (algorithmic market maker) protocols,” said Raj Karkara, Chief Marketing Officer, ZebPay. “In these protocols, most of the time, the price of a token depends on the depth of the liquidity.”
How to identify sandwich attacks?
This kind of attack depends on the slippage tolerance set by the victim. Most of the time, the price of a token depends on the depth of the liquidity.
Gaurav Dahake, Founder & CEO, Bitbns, said: “These attacks make execution worse because blockchains are open and all these transactions can be observed and checked as to what kind of transaction have been conducted.”
For Instance: A user places an order to buy 1,000 Y tokens at 100 USDT each, and the slippage factor is set to 10 per cent. While executing the trade, DEX will allow the trade to happen as long as the price is below 110 USDT. The attacker needs to check what is the maximum amount of tokens the attacker can buy to increase the price, making sure the price change won’t be more than the slippage set by the user.
How do the attacks take place?
The first step in these attacks is bots sniffing out trade transactions. Bots look for transactions with low gas prices and also liquidity pool transactions where users can claim the rewards and convert these to the required tokens.
The majority of sandwich attacks are performed through automated market maker solutions or AMMs. Through their pricing algorithms, liquidity is always in high demand, and trades are executed continuously. “Once these transactions are identified, the bot will place a transaction with a higher fee which frontruns the normal transaction,” said Karkara of Zebpay.
How harmful are sandwich attacks?
As blockchains are open, sandwich attacks can make execution of transactions a challenge. The attacker can check the kind of transactions the victim has conducted. Sandwich attacks can actually aid culprits to manipulate asset prices.
It is perhaps too easy to perform this type of attack in reality. Despite the smaller size of profits, one can use this hacking technique repeatedly without any consequences.
Sandwich attack affects the amount of crypto the initial user will receive, said Dahake. “As a result, the culprit will succeed in filling the order at their desired price. The next trade will, therefore, be at a much higher price.”
Protection from sandwich attacks
There aren’t many ways to escape such kinds of attacks, but it is crucial to develop countermeasures to protect investors.
“While making large trades on DEX, one has to set the slippage tolerance properly to the level one can bear,” Karkara from Zebpay said. “The best strategy is to decrease the slippage when the trade amount increases.”
Protocols are also trying to incorporate new technologies like ZK-Snarks to help users mask the trade information so that bots can’t identify it. “One needs to essentially ensure that one does not open up his wallet address and is also extra mindful of adding additional privacy layers and roll ups on the transactions. These are called ZK rollups through which one can mask one’s transactions,” added Dahake of BitBns.