On the world’s second-largest cryptocurrency blockchain, shady traders have quietly extracted at least $18.4 million — and no one noticed. No one, that is, until SnT’s Christof Ferreira Torres stumbled upon the massive operations while conducting blockchain research in cooperation with Luxembourg’s Spuerkeess. The fortune was siphoned off through legal, automated transactions over the course of the past five years by traders taking advantage of a loophole on the Ethereum blockchain system. While the trades were legal, they were clearly unethical and tantamount to what Wall Street calls “frontrunning”.
When frontrunning on the Ethereum blockchain, the trader monitors Ethereum’s pool of pending transactions (called “Mempool”) to develop an understanding of how the market will behave in the immediate future. When the trader sees a particular pattern of transactions about to occur — especially when a large transaction that will cause a change in market prices is scheduled — they employ automated bots to rapidly execute transactions that profit off of these imminent market trends. Because transactions on the Ethereum blockchain are not always executed on a first-come-first-serve basis, but rather based on the execution fee that each participant chooses to attach to their transaction as a reward for the processor, Ethereum traders have three frontrunning strategies at their disposal: displacement, insertion, and suppression. In each approach, the shady trader cuts in front of their victim’s transaction by paying more to get to the front of the line. Then they execute one or more trades that manipulate when and at what price the victim’s desired transaction can be completed. By the time the victim’s transaction is processed, they’re paying manipulated market rates and the frontrunner walks away with their furtive profits. It is a cryptocurrency hustle that borrows tactics from its more familiar fiscal cousins: insider trading and high-frequency trading. Torres published his discovery of the details of massive frontrunning operations on the Ethereum network at the 2021 USENIX Security Symposium.
“We carried out large-scale analysis of historic transactions on the Ethereum blockchain, and identified almost 200,000 frontrunning attacks,” Torres said. “This included an individual who managed to gain almost $700,000 for an outlay of just $20,000!” he continued. “We were the first to show how frontrunning is being done in practice and just how much profit is being made,” said Prof. State, head of SEDAN research group. And while frontrunning on the Ethereum blockchain is just as unethical as it is on Wall Street, on the blockchain it’s still technically legal. That’s because cryptocurrencies (unlike Wall Street) are still completely unregulated. To address this problem, Torres and his team are investigating methods to detect frontrunning so that they can build a tool to prevent it.
The tools Torres and his team build to protect users from frontrunning on the Ethereum network will be just one of the many security improvements to come out of the Spuerkeess cooperation, which aims to provide Luxembourg’s investors with improved protections on blockchain systems by offering them deeper insights to blockchain’s overarching security challenges and new tools to overcome them. “We investigate and show our findings first to Spuerkeess. We then subsequently publish the information in academic journals as well as top ranked academic conferences, and make the information available to the global business and research community,” said Torres. All of the software tools his team has developed are available with open-source licences for anyone to download and use.
The Ethereum blockchain has been of particular importance throughout this research collaboration because it is the most important blockchain for so-called “smart contracts.” Smart contracts are increasingly significant financial mechanisms — they are, in fact, the technological backbone of the NFT phenomenon that has taken the world by storm. Because smart contracts are essentially just computer programs that automatically self-execute when specified conditions are met, they’re being employed in a huge range of contexts to revolutionise industries by cutting out middlemen. But there’s an important catch: the code in smart contracts is forever. There is no possibility to change or correct it. While this has advantages — most importantly that these contracts are impossible to tamper with — it also means that bugs in the code cannot ever be corrected. That’s why Torres and his team will focus next on building a solution that automatically patches vulnerabilities in smart contracts before they’re put onto the blockchain, easing the burden on developers and making the creation of secure, effective smart contracts more user friendly.