SoK: Transparent Dishonesty: Front-Running Attacks on Blockchain

Eskandari, Shayan; Moosavi, Seyedehmahsa; Clark, Jeremy

doi:10.1007/978-3-030-43725-1_13

Shayan Eskandari^13,14,
Seyedehmahsa Moosavi¹³ &
Jeremy Clark¹³

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11599))

Included in the following conference series:

International Conference on Financial Cryptography and Data Security

2067 Accesses
77 Citations

Abstract

We consider front-running to be a course of action where an entity benefits from prior access to privileged market information about upcoming transactions and trades. Front-running has been an issue in financial instrument markets since the 1970s. With the advent of the blockchain technology, front-running has resurfaced in new forms we explore here, instigated by blockchain’s decentralized and transparent nature. In this paper, we draw from a scattered body of knowledge and instances of front-running across the top 25 most active decentral applications (DApps) deployed on Ethereum blockchain. Additionally, we carry out a detailed analysis of Status.im initial coin offering (ICO) and show evidence of abnormal miner’s behavior indicative of front-running token purchases. Finally, we map the proposed solutions to front-running into useful categories.

Access provided by Autonomous University of Puebla. Download conference paper PDF

Applications of Blockchain in Various Domains

Rise of Blockchain-Based Non-fungible Tokens (NFTs): Overview, Trends, and Future Prospects

A Blockchain Supported Solution for Compliant Digital Security Offerings

1 Introduction

Blockchain technology enables decentralized applications (DApps) or smart contracts. Function calls (or transactions) to the DApp are processed by a decentralized network. Transactions are finalized in stages: they (generally) first relay around the network, then are selected by a miner and put into a valid block, and finally, the block is well-enough incorporated that is unlikely to be reorganized. Front-running is an attack where a malicious node observes a transaction after it is broadcast but before it is finalized, and attempts to have its own transaction confirmed before or instead of the observed transaction.

The mechanics of front-running work on all DApps but front-running is not necessarily beneficial, depending on the DApp’s internal logic and/or as any mitigations it might implement. Therefore, DApps need to be studied individually or in categories. In this paper, we draw from a scattered body of knowledge regarding front-running attacks on blockchain applications and the proposed solutions, with a series of case studies of DApps deployed on Ethereum (a popular blockchain supporting DApps). We do case studies on decentralized exchanges (e.g., Bancor), crypto-collectibles (e.g., CryptoKitties), gambling services (e.g., Fomo3D), and decentralized name services (e.g., Ethereum Name Service). We also study initial coin offerings (ICOs). Finally, we provide a categorization of techniques to eliminate or mitigate front-running including transaction sequencing, cryptographic techniques like commit/reveal, and redesigning the functioning of the DApp to provide the same utility while removing time dependencies.

2 Preliminaries and Related Work

2.1 Traditional Front-Running

Front-running is a course of action where someone benefits from early access to market information about upcoming transactions and trades, typically because of a privileged position along the transmission of this information and is applicable to both financial and non-financial systems. Historically, floor traders might have overheard a broker’s negotiation with her client over a large purchase, and literally race the broker to buy first, potentially profiting when the large purchase temporarily reduces the supply of the stock. Alternatively, a malicious broker might front-run their own client’s orders by purchasing stock for themselves between receiving the instruction to purchase from the client and actually executing the purchase (similar techniques can be used for large sell orders). Front-running is illegal in jurisdictions with established securities regulation.

Cases of front-running are sometimes difficult to distinguish from related concepts like insider trading and arbitrage. In front-running, a person sees a concrete transaction that is set to execute and reacts to it before it actually gets executed. If the person instead has access to more general privileged information that might predict future transactions but is not reacting at the actual pending trades, we would classify this activity as insider trading. If the person reacts after the trade is executed, or information is made public, and profits from being the fastest to react, this is considered arbitrage and is legal and encouraged because it helps markets integrate new information into prices quickly.

2.2 Literature on Traditional Front-Running

Front-running originates on the Chicago Board Options Exchange (CBoE) [41]. The Securities Exchange Commission (SEC) in 1977 defined it as: “The practice of effecting an options transaction based upon non-public information regarding an impending block transaction^{Footnote 1} in the underlying stock, in order to obtain a profit when the options market adjusts to the price at which the block trades. [2]” Self-regulating exchanges (e.g., CBoE) and the SEC spent the ensuing years planning how to detect and outlaw front-running practices [41]. The SEC stated: “It seems evident that such behaviour on the part of persons with knowledge of imminent transactions which will likely affect the price of the derivative security constitutes an unfair use of such knowledge.^{Footnote 2}” The CBoE tried to educate their members on existing rules, however, differences in opinion regarding the unfairness of front-running activities, insufficient exchange rules and lack of a precise definition in this area resulted in no action [2] until the SEC began the regulation. We refer the reader interested in further details on this early regulatory history to Markham [41]. The first front-running policies applied only to certain option markets. In 2002, the rule was expanded to cover all security futures [3]. In 2012, it was expanded further with the new amendment, FINRA Rule 5270, to cover trading in options, derivatives, or other financial instruments overlying a security with only a few exceptions [5, 6]. Similar issues have been seen with domain names [4, 25] as well.

2.3 Background on Blockchain Front-Running

Blockchain technology (introduced via Bitcoin in 2008 [48]) strives to disintermediate central parties that participate in a transaction. However, blockchains also introduce new participants in the process of relaying and finalizing transactions. Miners are in the best position to conduct these attacks as they hold fine-grained control over the exact set of transactions that will execute and in what order and can mix in their own (late) transactions without broadcasting them. Miners do however have to commit to what their own transactions will be before beginning the proof of work required to solve a block.

Any user monitoring network transactions (e.g., running a full node) can see unconfirmed transactions. On the Ethereum blockchain, users have to pay for the computations in a small amount of Ether called gas [1]. The price that users pay for transactions, gasPrice, can increase or decrease how quickly miners will execute them and include them within the blocks they mine. A profit-motivated miner who sees identical transactions with different transaction fees will prioritize the transaction that pays a higher gas price due to limited space in the blocks. This has been called a gas auction [32]. Therefore, any regular user who runs a full-node Ethereum client can front-run pending transactions by sending adaptive transactions with a higher gas price (see Fig. 1).

Finally, well-positioned relaying nodes on the network (or part of the broader internet backbone) can attempt to influence how transactions are propagated through the network, which can influence the order miners receive transactions, or if they receive them at all [30, 40].

2.4 Literature on Blockchain Front-Running

Given the purpose of this entire paper is systemizing the existing literature, we do not re-enumerate the literature here. However, we note two points. First, we are not aware of any other systematic study of this issue. Second, front-running is related to two well-studied concepts: double-spending and rushing adversaries [38].

Double-spending attacks in Bitcoin are related to front-running [11, 36]. In this attack, a user broadcasts a transaction and is able to obtain some off-blockchain good or service before the transaction has actually been (fully) confirmed. The user can then broadcast a competing transaction that sends the same unspent coins to herself, perhaps using higher transaction fees, arrangements with miners or artifacts of the network topology to have the second transaction confirmed instead of the first. This can be considered a form of self-front-running. In the cryptographic literature, front-running attacks are modeled by allowing a so called ‘rushing’ adversary to interact with the protocol [12]. In particular, ideal functionalities of blockchains (such as those used in simulation-based proofs) need to capture this adversarial capability, assuming the real blockchain does not address front-running. See e.g., Bitcoin backbone [29] and Hawk [38].

3 A Taxonomy of Front-Running Attacks

As we will illustrate with examples through-out the paper, front-running attacks can often be reduced to one of a few basic templates. We emphasize what the adversary is trying to accomplish (without worrying about how) and we distinguish three cases: displacement, insertion, and suppression attacks. In all three cases, Alice is trying to invoke a function on a contract that is in a particular state, and Mallory will try to invoke her own function call on the same contract in the same state before Alice.

In the first type of attack, a displacement attack, it is not important to the adversary for Alice’s function call to run after Mallory runs her function. Alice’s can be orphaned or run with no meaningful effect. Examples of displacement include: Alice trying to register a domain name and Mallory registering it first [35]; Alice trying to submit a bug to receive a bounty and Mallory stealing it and submitting it first [16]; and Alice trying to submit a bid in an auction and Mallory copying it.

In an insertion attack, after Mallory runs her function, the state of the contract is changed and she needs Alice’s original function to run on this modified state. For example, if Alice places a purchase order on a blockchain asset at a higher price than the best offer, Mallory will insert two transactions: she will purchase at the best offer price and then offer the same asset for sale at Alice’s slightly higher purchase price. If Alice’s transaction is then run after, Mallory will profit on the price difference without having to hold the asset.

In a suppression attack, after Mallory runs her function, she tries to delay Alice from running her function. After the delay, she is indifferent to whether Alice’s function runs or not. We only observe this attack pattern in one DApp and the details are quite specific to it, so we defer discussion until Sect. 4.3.

Each of these attacks have two variants, asymmetric and bulk. In some cases, Alice and Mallory are performing different operations. For example, Alice is trying to cancel an offer, and Mallory is trying to fulfill it first. We call this asymmetric displacement. In other cases, Mallory is trying to run a large set of functions: for example Alice and others are trying to buy a limited set of shares offered by a firm on a blockchain. We call this bulk displacement.

Table 1. Top 25 DApps based on recent user activity from DAppRadar.com on September 4th, 2018. The DApps that are in bold are discussed in this paper.

Full size table

4 Cases of Front-Running in DApps

To find example DApps to study, we used the top 25 DApps based on recent user activity from DAppradar.com in September 2018.^{Footnote 3} User activity is admittedly an imperfect metric for finding the ‘most significant’ DApps: significant DApps might be lower volume overall or for extended periods of time (e.g., ICOs, which we remedy by studying independently in Sect. 5). However, user activity is an objective criteria, data on it is available, and the list captures our intuition about which DApps are significant. It suffices for a first study in this area, and is preferable over an ad hoc approach. Using the dataset, we categorized the top 25 applications into 4 principal use cases. The details are given in Table 1.

4.1 Markets and Exchanges

The first category of DApp in Table 1 are financial exchanges for trading ether and Ethereum-based tokens. Exchanges such as EtherDelta^{Footnote 4}, purport to implement a decentralized exchange, however, their order books are stored on a central server they control and shown to their users with a website interface. Central exchanges can front-run orders in the traditional sense, as well as re-order or block orders on their servers. 0xProtocol [65] uses Relayers which act as the order book holders and could front-run the orders they relay.

As seen in traditional financial markets, one method to manipulate the spot price of an asset, is to flood the market with orders and cancel them when there are filling orders (“taker’s griefing” [7]). Placing an order in a partially centralized exchange is free, but to prevent taker’s griefing attacks, the user needs to send an Ethereum transaction to cancel each of his orders. Cancelling orders is most important when prices change faster than order execution. In this case, when an adversarial actor sees a pending cancellation transaction, he sends a fill order transaction with higher gasPrice to get in front of the cancellation order and take the order before it is canceled (this is known as cancellation grief). This attack follows the asymmetric displacement template and is illustrated in Fig. 2.

Designing truly decentralized exchanges, where the order book is implemented directly on a public blockchain, is being pursued by a number of projects [24]. These designs are generally vulnerable to front-running attacks following a displacement or insertion template. For example, a front-running full node or miner might gauge the demand for trades at a given price by the number of pending orders, and try to displace them at the same price assuming the demand is the result of the accurate new information about the asset. Alternatively, the front-runner might observe a large market order (i.e., it will execute at any price). The adversary can try to insert a pair of limit orders that will bid near the best offer price and offer at a higher price. If the pair executes ahead of the market order, the front-runner profits by scalping the price of the shares. Finally, if adversary has pre-existing offers likely to be reached by the market order, she could insert cancellations and new offers at a higher price.

Bancor is an exchange DApp that allows users to exchange their tokens without any counter-party risk. The protocol aims to solve the cryptocurrency liquidity issue by introducing Smart Tokens [31]. Smart tokens are ERC20-compatible that can be bought or sold through a DApp-based dealer that is always available and implements a market scoring rule to manage its prices. Bancor provides continuous liquidity for digital assets without relying on brokers to match buyers with sellers. Implemented on the Ethereum blockchain, when transactions are broadcast to the network, they sit in a pending transaction pool known as mempool waiting for the miners to mine them. Since Bancor handles all the trades and exchanges on the chain (unlike other existing decentralized exchanges), these transactions are all visible to the public for some time before being included within a block. This leaves Bancor vulnerable to the blockchain race condition attack as attackers are given enough time to front-run other transactions, in which they can gain favourable profits by buying before the order and fill the original order with slightly higher price [58]. Researchers have shown and implemented a proof of concept code to front-run Bancor as a non-miner user [13].

4.2 Crypto-Collectibles Games

The second category of DApp in Table 1 is crypto-collectables. Consider Cryptokitties [9], the most active DApp in this category and third most active overall. Each kitty is a cartoon kitten with a set of unique features to distinguish it from other cryptokitties, some features are rarer and harder to obtain. They can be bought, sold, or bred with other cryptokitties. At the Ethereum level, the kitty is a token implemented with ERC-721: Non-Fungible Token Standard [26]. Kitties are generally bought and sold on-chain through auction smart contracts. See Sects. 4.1 and 4.4 for more details on auction-based front-running attacks.

Specific to Cryptokitties protocol, they can breed and give birth. When cryptokitties breed, the smart contract sets from which future block the pregnancy of the cat can be completed. Anyone can complete the pregnancy by calling giveBirth() after the birthing block and they will receive a reward in ether^{Footnote 5}. Even though front-running these calls would not affect the protocol workflow, but this displacement attack could result in financial profit for front-runners [37, 68].

4.3 Gambling

The third category of DApp in Table 1 is gambling services. While a large category of gambling games are based on random outcomes, DApps do not have unique access to an unpredictable data stream to harvest for randomness [51]. Any candidate source of randomness (such as block headers) is accessible to all DApp functions and can also be manipulated to an extent by miners.

Fomo3D is an example of a game style (known as Exit Scam^{Footnote 6}) not based on random outcomes, and it is the most active game on Ethereum in our sample. The aim of this game is to be the last person to have purchased a ticket when a timer goes to zero in a scenario where anyone can buy a ticket and each purchase increases the timer by 30 s. Many speculated such a game would never end but on August 22, 2018, the first round of the game ended with the winner collecting 10,469 Ether^{Footnote 7} equivalent to $2.1M USD at the time. Blockchain forensics indicate a sophisticated winning strategy to displace any new ticket purchases [10, 57] that would reset the counter. The winner appears to have started by deploying many high gas consumption DApps unrelated to the game. When the timer of the game reached about 3 min, the winner bought 1 ticket and then sent multiple high gasPrice transactions to her own DApps. These transactions congested the network and bribed miners to prioritize them ahead of any new ticket purchases in Fomo3D. Recall this basic form of bribery is called a Gas Auction; See related work [14, 43] for more sophisticated bribery contracts.

We classify this in the unique category of a suppression attack in our taxonomy (see Sect. 3). At first glance, it seemed like an extreme version of an asymmetric/bulk displacement attack on any new ticket purchase transactions. However the key difference is that the front-runner does not care at all about the execution of her transactions—if miners mined empty blocks for three minutes, that would also be acceptable. Thus, bulk displacement^{Footnote 8} is simply a means-to-an-end and not the actual end goal of the adversary.

4.4 Name Services

The final category in Table 1 is name services, which are primarily aimed at disintermediating central parties involved in web domain registration (e.g., ICAAN and registrars) and resolution (e.g., DNS). For simple name services (such as some academic work like Ghazal [47]), domains purchases are transactions and front-runners can displace other users attempting to register domains. This parallels front-running attacks seen in regular (non-blockchain) domain registration [4]. Ethereum Name Service (ENS) [34] is the most active naming service on Ethereum. Instead of allowing new .eth domain names to be purchased directly, they are put up for a sealed bid auction which seals the domain name in a bid, but not the bid amount. Most implementations use the more user friendly but less confidential method for starting and bidding on a domain name: startAuctionsAndBid(). This method leaks the hash of the domain and the initial bid amount in the auction. Original names can be guessed from the hashes (e.g., rainbow tables, used in ENS Twitter bot^{Footnote 9}) or people can bid on domains even though they do not know what they are because of speculation on its value.

Users are allowed to bid for 3 days before the 2-day reveal phase begins (see 6.2), in which all bidders (winners and losers) must send a transaction to reveal their bids for a specific domain or sacrifice their bid amount. Also note that if two bidders bid the same price, the first to reveal wins it [23]. Using the leaked information, the domain squatter can win the auction with the same price of the original bidder by revealing it first. This is similar to front-running as it relies on inserting an action before the user, however we do not consider this specific action as front-running attack.

5 Cases of Front-Running in ICOs

Initial coin offerings (ICOs) have changed how blockchain firms raise capital. More than 3000 ICOs have been held on Ethereum, and the market capitalization of these tokens appears to exceed $75B USD in the first half of 2018 [67]. At the DApp level, tokens are offered in short-term sales that see high transaction activity while the sale is on-going and then the activity tapers off to occasional owner transfers. When we collected the top 25 most active DApps on DAppRadar.com, no significant ICOs were being sold. The ICO category slips through our sampling method, but we identify it as a major category of DApp and study it here.

5.1 Status.im ICO

To deal with demand, ICOs cap sales in a variety of ways to mitigate front-running attacks. In June 2017, Status.im [8] started its ICO and reached the predefined cap within 16 h, collecting close to 300,000 Ether. In order to prevent wealthy investors purchasing all the tokens and limit the amount of Ether deposited in each investment, they used a fair token distribution method called Dynamic Ceiling as an attempt to increase the opportunity for smaller investors. They implemented multiple caps (ceilings) in which, each had a maximum amount that could be deposited in. In this case, every deposit was checked by the smart contract and the exceeding amount was refunded to the sender while the accepted amount was sent to their multi-signature wallet address [50].

During the time frame the ICO was open for participation, there were reports of Ethereum network being unusable and transactions were not confirming. Further study showed that some mining pools might have been manipulating the network for their own profit. In addition, there were many transactions sent with a higher gas price to front-run other transactions, however, these transactions were failing due to the restriction in the ICO smart contract to reject transactions with higher than 50 GWei gas price (as a mitigation against front-running).

5.2 Data Collection and Analysis

According to the analysis we carried out, we discovered that the F2Pool—an Ethereum mining pool that had around 23% of the mining hash rate at the time (Fig. 3)—sent 100 Ether to 30 new Ethereum addresses before the Status.im ICO started. When the ICO opened, F2Pool constructed 31 transactions to the ICO smart contract from their addresses, without broadcasting the transactions to the network^{Footnote 10}. They used their entire mining power to mine their own transactions and some other potentially failing high gas price transactions.

Ethereum’s blockchain contains all transaction ever made on Ethereum. While the default client and online blockchain explorers offer some limited query capabilities, in order to analyze this case, we built our own database. Specifically, we used open source projects such as Go Ethereum implementation^{Footnote 11} for the full node, a python script for extracting, transforming and loading Ethereum blocks, named ethereum-etl [45] and Google BigQuery.^{Footnote 12} Using this software stack, we were able to isolate transactions within the Status.im ICO. We used data analysis tool Tableau.^{Footnote 13} A copy of this dataset and the initial findings can be found in our Github repository^{Footnote 14}.

As shown in Fig. 4, most of the top miners in the mentioned time frame, have mined almost the same number of failed and successful transactions which were directed toward Status.im token sale, however F2Pool’s transactions indicate their successful transactions were equivalent to 10% of the failed transactions, hence maximizing the mining rewards on gas, while censoring other transactions to the token sale smart contract. The terminology used here is specific to smart contract transactions on Ethereum, by “failed transaction” we mean the transactions in which the smart contract code rejected and threw an exception and by “successful transaction” we mean the transactions that went through and received tokens from the smart contract.

By tracing the transactions from these 30 addresses, we found explicit interference by F2Pool^{Footnote 15} in this scenario. As shown in Fig. 5, the funds deposited by F2Pool in these addresses were sent to Status.im ICO and mined by F2Pool themselves, where the dynamic ceiling algorithm refunded a portion of the deposited funds. A few days after these funds were sent back to F2Pool main address and the tokens were aggregated later in one single address. Although this incident does not involve transaction reordering in the blocks, it shows how miners can modify their mining software to behave in a certain way to front-run other transactions by bulk displacement to gain monetary profit.

6 Key Mitigations

As we studied front-running attacks on the blockchain, we also encountered a number of ways of preventing, detecting or mitigating front-running attacks. Instead of providing the details of exact solutions which will change over time, we extract the main principles or primitives that address the attack. A particular system may implement more than one in a layered mitigation approach.

We classify the mitigations into three main categories. In the first category, the blockchain removes the miner’s ability to arbitrarily order transactions and tries to enforce some ordering, or queue, for the transactions. In the second category, cryptographic techniques are used to limit the visibility of transactions, giving the potential front-running less information to base their strategy on. In the final category, DApps are designed from the bottom-up to remove the importance of transaction ordering or time in their operations. We also note that for DApps that are legally well-formed (e.g., with identified parties and a clear jurisdiction), front-running attacks can violate laws, which is its own deterrent.

Traditional Front-Running Prevention Methods. There are debates in traditional markets regarding the fact that front-running is considered to be a form of insider trading which deemed to be illegal. Traditional methods to prevent front-running mainly involves after the fact investigation and legal action against the front-runners [28]. As mentioned in Sect. 2.2, defining front-running and educating the employees were the first step taken to prevent such issues in traditional markets, however, front-running became less likely to happen mainly because of the high fine and lawsuits against firms who behaved in an unethical way. Other methods such as dark pools [20, 69] and sealed bids [53] were discussed and implemented in a variety of regulated trading systems. The traditional methods to prevent front-running does not apply to blockchain applications, as mainly they are based on central enforcement and limitations, also in case of blockchains the actors who are front-running could be anonymous and the fear of lawsuits would not apply.

6.1 Transaction Sequencing

Ethereum miners store pending transactions in pools and draw from them when forming blocks. As the term ‘pool’ implies, there is no intrinsic order to how transactions are drawn and miners are free to sequence them arbitrarily.^{Footnote 16} The vanilla Go-Ethereum (geth) implementation prioritizes transactions based on their gas price and nonce [27]. Because no rule is enforced, miners can sequence transactions in advantageous ways. A number of proposals attempt to thwart this attack by enforcing a rule about how to sequence transactions.

First-in-first-out (FIFO) is generally not possible on a distributed network because transactions can reach different nodes in a different order. While the network could theoretically form a consensus based on locally observed FIFO, this would increase the rate of orphaned blocks, as well as adding complexity to the protocol. A trusted third party can be used to assign sequential numbers to transactions (and sign them), but this is contrary to blockchain’s core innovation of distributed trust. Nonetheless, some exchanges do centralize time-sensitive functionalities (e.g., EtherDelta and 0xProject) in off-chain order books [64, 65].

One alternative is to sequence transactions pseudorandomly. This can be seen in proposals like Canonical Transaction Ordering Rule (CTOR) by Bitcoin Cash ABC [60] which adds transactions in lexicographical order according to their hash [61]. Note that Bitcoin does not have a front-running problem for standard transactions. While this could be used by Ethereum to make front-running statistically difficult, the protection is marginal at best and might even exacerbate attacks. A front-runner can construct multiple equivalent transactions, with slightly different values, until she finds a candidate that positions her transaction a desirable location in the resulting sequence. She broadcasts only this transaction and now miners that include her transaction will position it in front of transactions they heard about much earlier.

Finally, transactions themselves could enforce order. For example, they could specify the current state of the contract as the only state to execute on. This transaction chaining only prevents certain types of front-running; i.e., it prevents insertion attacks but not displacement attacks (recall our taxonomy in Sect. 3). As transaction chaining only allows one state-changing transaction per state, at most one of a set of concurrent transactions can be confirmed; a drawback for active DApps.

6.2 Confidentiality

Privacy-Preserving Blockchains. All transaction details in Bitcoin are made public and participant identities are only lightly protected. A number of techniques increase confidentiality [19, 42] and anonymity [46, 49, 56] for cryptocurrencies. A current research direction is extending these protections to DApps [55, 66]. It is tempting to think that a confidential DApp would not permit front-running, as the front-runner would not know the details of the transaction she is front-running. However, there are some nuances here to explore.

A DApp interaction includes the following components: (1) the code of the DApp, (2) the current state of the DApp, (3) the name of the function being invoked, (4) the parameters supplied to the function, (5) the address of the contract the function is being invoked on, and (6) the identity of the sender. Confidentiality applied to a DApp could mean different levels of protection for each of these. For front-running, function calls (3,4) are the most important, however, function calls could be inferred from state changes (2). Hawk [38] and Ekiden [21] are examples of (2, 3, 4)-confidentiality (with limitations we are glossing over).

The applicability of privacy-preserving blockchains needs to be evaluated on a case-by-case basis. For example, one method used by traditional financial exchanges in dealing with front-running from high frequency traders is a dark pool: essentially a (2, 3, 4)-confidential order book maintained by a trusted party. A DApp could disintermediate this trusted party. Users whose balances are affected by changes in the contract’s state would need to be able to learn this information. Further, if the contract addresses are known (i.e., no 5-confidentiality), front-runners can know about the traffic pattern of calls to contracts which could be sufficient grounds for attack; for example, if each asset on an exchange has its own market contract, this leaks trade volume information. As a contrasting example, consider again decentralized domain registration: hiding state changes (2-confidentiality) defeats the entire purpose of the DApp, and protecting function calls is ineffective with a public state change since the state itself reveals the domain being registered.

Commit/Reveal. While confidentiality appears insufficient for solving domain name front-running alone, a hybrid approach of sequencing and confidentiality can be effective and is, in fact, an example of an older cryptographic trick known as commit/reveal. The essence of the approach is to protect the function call (e.g., (3, 4)- or (4)-confidentiality) until the function is enqueued in a sequence of functions to be executed. Once the sequence is established, the confidentiality is lifted and the function can only be executed in the order it was enqueued (or, generally speaking, not at all).

Recall that a commitment scheme enables one to commit to a digital value (e.g., a statement, transaction, data, etc.) while keeping it a secret (hiding), and then open it (and only it: binding) at a later time of the committer’s choosing [15]. A common approach (conjectured to be hiding) is to submit the cryptographic hash of the value with a random nonce (for low entropy data) to a smart contract, and later reveal the original value and nonce which can be verified by the contract to correctly hash to the commitment (see Fig. 6).

An early application of this scheme to blockchain is Namecoin, a Bitcoin-forked DApp for name services [35]. In Namecoin, a user sends a commit transaction which registers a new hidden domain name, similar to a sealed bid. Once this first transaction is confirmed, a time delay begins. After the delay, a second transaction reveals the details of the requested domain. This prevents front-running if the reveal transaction is confirmed faster than an adversarial node or miner can redo the entire process.

Commit/reveal is a two-round protocol, and aborting after the first round (early aborts) could be an issue for this (along with most multi-round cryptographic protocols). For example, in a financial exchange where the number of other orders might be in a predictable interval, an adversary can spray the sequence (i.e., a price-time priority queue) with multiple committed transactions and no intention of executing them all. She then only reveal the ones that result in an advantageous trade.^{Footnote 17} There are other ways of aborting; if payments are required but not collateralized, the aborting party can ensure that payment is not available for transfer. One mitigation to early aborts that blockchain is uniquely positioned to make is having users post a fidelity bond of a certain amount of cryptocurrency that can be automatically dispensed if they fail to fully execute committed transactions (this is used in multi-round blockchain voting [44]). Finally, we note that any multiple round protocol will have usability challenges: users must be aware that participating in the first round is not sufficient for completing their intention.

Enhanced Commit/Reveal. Submarine Commitments [17, 18] extend the confidentiality of the commit and reveal, so that the commitment transaction is identical to a transaction to a newly generated Ethereum address. They initially hide the contract address being invoked, providing (3, 4, 5)-confidentiality during the commit phase; and they ensure that if a revealed transaction sent funds, the funds were fully collateralized at commit time and are available to the receiving smart contract. See Fig. 7.

6.3 Design Practices

The final main category of mitigation is to assume front-running is unpreventable and to thus responsively redesign the functionality of the DApp to remove any benefit from it. For example, when designing a decentralized exchange, one can use a call market design instead of a time-sensitive order book [22] to side-step and disincentivize front-running. In a call market design, the arrival time of orders does not matter as they are executed in batches^{Footnote 18}. The call market solution pivots profitable gains that front-running miners stand to gain into fees that they collect [22], removing the financial incentive to front-run.

In the finance literature, Malinova and Park discuss front-running mitigations for blockchain-based trading platforms [39]. Instead of studying DApps, they develop an economic model where transactions, asset holdings, and traders’ identities have greater transparency than in standard economic models—transparency they argue that could be accomplished by blockchain technology. However, in their model, they assume entities can interact directly over private channels to arrange trades. They define front-running in the context of private offers, where parties might adjust their position before accepting or countering a received offer. This model is quite different than the DApp-based model we study here.

Another example in the design of ERC20 standard [62] is the allowance functionality. approve() function in the specification allows a second entity to be able to spend N tokens from the sender’s balance. In order to change the allowance, sender must send a transaction to set the new allowance value. Using the insertion attack, attacker could front-run the new allowance transaction and spend the old value before the new value is set [33, 54], and then additionally spend the new amount at a later time. Solutions such as decreaseApproval()/increaseApproval() were added in updated implementations.

7 Concluding Remarks

Front-running is a pervasive issue in Ethereum DApps. DApp developers don’t necessarily have the mindset to design DApps with front-running in mind. This is an attempt to bring forward the subject and increase awareness of these type of attacks. While some DApp-level application logic could be built to mitigate these attacks, its ubiquity across different DApp categories suggests mitigations at the blockchain-level would perhaps be more effective. We highlight this as an important research area.

Notes

1.
A block in the stock market is a large number of shares, 10 000 or more, to sell which will heavily change the price.
2.
Securities Exchange Act Release No. 14156, November 19, 1977, (Letter from George A. Fitzsimmons, Secretary, Securities, and Exchange Commission to Joseph W. Sullivan, President CBoE).
3.
List of decentralized applications https://DAppradar.com/DApps.
4.
Also known as ForkDelta for the user interface: https://forkdelta.app/.
5.
As there are no automated function calls in Ethereum, this incentive model –known as Action Callback [52]– is used to encourage users to call these functions.
6.
https://exitscam.me/play.
7.
The first winner of Fomo3D, won 10,469 Ether https://etherscan.io/tx/0xe08a519c03cb0aed0e04b33104112d65fa1d3a48cd3aeab65f047b2abce9d508.
8.
Also known as Block Stuffing Attack [59].
9.
https://twitter.com/ensbot.
10.
Note that we do not have an authoritative copy of the mempool over time, however, the probability of these transactions being broadcasted to the network and exclusively get mined by the same pool as the sender is low.
11.
Official Go implementation https://github.com/ethereum/go-ethereum.
12.
https://cloud.google.com/bigquery/.
13.
https://www.tableau.com/.
14.
http://bit.ly/madibaFrontrunning.
15.
F2Pool address was identified by their mining reward deposit address https://etherscan.io/address/0x61c808d82a3ac53231750dadc13c777b59310bd9.
16.
Sometimes the pool is called a ‘queue.’ It is important to note is a misnomer as queues enforce a first-in-first-out sequence.
17.
This is analogous to behavior in traditional financial markets where high-frequency traders will make and cancel orders at many price points (flash orders or pinging). If they can cancel faster than someone can execute it—someone who has only seen the order and not the cancellation—then the victim reveals their price information.
18.
Also known as batch auctions [63].

References

Account types, gas, and transactions. Ethereum homestead 0.1 documentation. http://ethdocs.org/en/latest/contracts-and-transactions/account-types-gas-and-transactions.html#what-is-gas. Accessed 14 June 2018
96th Congress 1st Session, report of the special study of the options markets to the securities and exchange commission (1978)
Google Scholar
Im-2110-3. Front running policy. Financial Industry Regulatory Authority (2002)
Google Scholar
SSAC advisory on domain name front running. ICANN Advisory Committee, 10 2007. Accessed 15 Aug 2018
Google Scholar
Front running of block transactions. Financial Industry Regulatory Authority (2012)
Google Scholar
Notice of filing of proposed rule change to adopt FINRA rule 5270 (front running of block transactions) in the consolidated FINRA rulebook. Securities and Exchange Commission (2012)
Google Scholar
Security review of 0x smart contracts. ConsenSys-Diligence (2017)
Google Scholar
The status network, a strategy towards mass adoption of Ethereum. Status Team (2017). Accessed 10 June 2018
Google Scholar
Cryptokitties. Cryptokitties team (2018). Accessed 31 Aug 2018
Google Scholar
Anonymous. How the first winner of Fomo3D won the jackpot? (2018). https://winnerfomo3d.home.blog/. Accessed 9 Sept 2018
Bamert, T., Decker, C., Elsen, L., Wattenhofer, R., Welten, S.: Have a snack, pay with bitcoins. In: 2013 IEEE Thirteenth International Conference on Peer-to-Peer Computing (P2P), pp. 1–5. IEEE (2013)
Google Scholar
Beaver, D., Haber, S.: Cryptographic protocols provably secure against dynamic adversaries. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 307–323. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-47555-9_26
Chapter Google Scholar
Bogatyy, I.: Implementing Ethereum trading front-runs on the Bancor exchange in Python (2017). https://hackernoon.com/front-running-bancor-in-150-lines-of-python-with-ethereum-api-d5e2bfd0d798. Accessed 13 Aug 2018
Bonneau, J., Felten, E.W., Goldfeder, S., Kroll, J.A., Narayanan, A.: Why buy when you can rent? Bribery attacks on bitcoin consensus (2016)
Google Scholar
Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)
Article MathSciNet Google Scholar
Breidenbach, L., Daian, P., Tramer, F., Juels, A.: Enter the hydra: towards principled bug bounties and exploit-resistant smart contracts. In: 27th USENIX Security Symposium (USENIX Security 18). USENIX Association (2018)
Google Scholar
Breidenbach, L., Daian, P., Juels, A., Tramer, F.: To sink frontrunners, send in the submarines (2017). http://hackingdistributed.com/2017/08/28/submarine-sends/. Accessed 28 Aug 2018
Breidenbach, L., Kell, T., Gosselin, S., Eskandari, S.: Libsubmarine: defeat front-running on Ethereum (2018). https://libsubmarine.org/. Accessed 7 Dec 2018
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE Symposium on Security and Privacy (SP), vol. 00, pp. 319–338 (2018)
Google Scholar
Buti, S., Rindi, B., Werner, I.M.: Diving into dark pools (2011)
Google Scholar
Cheng, R., et al.: Ekiden: a platform for confidentiality-preserving, trustworthy, and performant smart contract execution. arXiv preprint arXiv:1804.05141 (2018)
Clark, J., Bonneau, J., Felten, E.W., Kroll, J.A., Miller, A., Narayanan, A.: On decentralizing prediction markets and order books. In: Workshop on the Economics of Information Security, State College, Pennsylvania (2014)
Google Scholar
E. Discussion: Handling frontrunning in the permanent registrar (2018)
Google Scholar
distribuyed: A comprehensive list of decentralized exchanges (DEX) of cryptocurrencies, tokens, derivatives and futures, and their protocols (2018). https://distribuyed.github.io/index/. Accessed 24 Sept 2018
Edelman, B.: Front-running study: testing report (2009)
Google Scholar
Entriken, W., Shirley, D., Evans, J., Sachs, N.: ERC-721 non-fungible token standard (2018). https://github.com/ethereum/EIPs/blob/master/EIPS/eip-721.md. Accessed 31 Aug 2018
Ethereum: worker.go - commitnewwork() (2018). Accessed 7 Dec 2018
Google Scholar
Financial Times: Barclays trader charged with front-running by us authorities (2018)
Google Scholar
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Chapter Google Scholar
Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on bitcoins peer-to-peer network. In: USENIX Security, pp. 129–144. USENIX Association, Washington, D.C. (2015)
Google Scholar
Hertzog, E., Benartzi, G., Benartzi, G.: Bancor protocol (2017)
Google Scholar
initc3.org: Frontrun me (2018). http://frontrun.me/
G. Issue: Method ‘decreaseapproval’ in unsafe (2017)
Google Scholar
Johnson, N.: Ethereum domain name service - specification (2016)
Google Scholar
Kalodner, H.A., Carlsten, M., Ellenbogen, P., Bonneau, J., Narayanan, A.: An empirical study of Namecoin and lessons for decentralized namespace design. In: WEIS. Citeseer (2015)
Google Scholar
Karame, G.O., Androulaki, E., Capkun, S.: Double-spending fast payments in bitcoin. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 906–917. ACM (2012)
Google Scholar
Koch, M.B.: Exploring CryptoKitties - part 2: the CryptoMidwives (2018)
Google Scholar
Kosba, A., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 839–858. IEEE (2016)
Google Scholar
Malinova, K., Park, A.: Market design with blockchain technology (2017)
Google Scholar
Marcus, Y., Heilman, E., Goldberg, S.: Low-resource eclipse attacks on Ethereum’s peer-to-peer network. Cryptology ePrint Archive, Report 2018/236 (2018). https://eprint.iacr.org/2018/236
Markham, J.W.: Front-running-insider trading under the commodity exchange act. Cath. UL Rev. 38, 69 (1988)
Google Scholar
Maxwell, G.: Confidential transactions (2015). https://people.xiph.org/~greg/confidential_values.txt. Accessed 9 May 2016
McCorry, P., Hicks, A., Meiklejohn, S.: Smart contracts for bribing miners. IACR Cryptology ePrint Archive, 2018:581 (2018)
Google Scholar
McCorry, P., Shahandashti, S.F., Hao, F.: A smart contract for boardroom voting with maximum voter privacy. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 357–375. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_20
Chapter Google Scholar
Medvedev, E.: Python scripts for ETL (extract, transform and load) jobs for Ethereum blocks (2018). https://github.com/medvedev1088/ethereum-etl
Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed e-cash from bitcoin. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 397–411. IEEE (2013)
Google Scholar
Moosavi, S., Clark, J.: Ghazal: toward truly authoritative web certificates using ethereum. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 352–366. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_24
Chapter Google Scholar
Nakamoto, S.: Bitcoin: A Peer-to-peer Electronic Cash System (2008)
Google Scholar
Noether, S.: Ring signature confidential transactions for Monero. Cryptology ePrint Archive, Report 2015/1098 (2015). https://eprint.iacr.org/2015/1098
Petty, C.: A look at the Status.im ICO token distribution (2017). https://medium.com/the-bitcoin-podcast-blog/a-look-at-the-status-im-ico-token-distribution-f5bcf7f00907. Accessed 10 June 2018
Pierrot, C., Wesolowski, B.: Malleability of the blockchain’s entropy. Crypt. Commun. 10(1), 211–233 (2018)
Article MathSciNet Google Scholar
Piqueras, E.: Generalized Ethereum frontrunners, an implementation and a cheat (2019)
Google Scholar
Radner, R., Schotter, A.: The sealed-bid mechanism: an experimental study. J. Econ. Theor. 48(1), 179–220 (1989)
Article MathSciNet Google Scholar
Rahimian, R.: Multiple withdrawal attack (2018)
Google Scholar
Reitwiessner, C.: An update on integrating Zcash on Ethereum (ZoE) (2017). https://blog.ethereum.org/2017/01/19/update-integrating-zcash-ethereum/
Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy (SP), pp. 459–474. IEEE (2014)
Google Scholar
SECBIT: How the winner got Fomo3D prize – a detailed explanation (2018). https://medium.com/coinmonks/how-the-winner-got-fomo3d-prize-a-detailed-explanation-b30a69b7813f. Accessed 9 Dec 2018
Sirer, E.G., Daian, P.: Bancor is flawed (2017). http://hackingdistributed.com/2017/06/19/bancor-is-flawed/. Accessed 14 June 2018
Solmaz, O.: The anatomy of a block stuffing attack (2018). https://osolmaz.com/2018/10/18/anatomy-block-stuffing/
Ver, R., Wu, J.: Bitcoin cash planned network upgrade is complete (2018). Accessed 7 Dec 2018
Google Scholar
Vermorel, J., Séchet, A., Chancellor, S., van der Wansem, T.: Canonical transaction ordering for bitcoin (2018). Accessed 7 Dec 2018
Google Scholar
Vogelsteller, F., Buterin, V.: ERC-20 token standard (2015). https://github.com/ethereum/EIPs/blob/master/EIPS/eip-20.md. Accessed 31 Aug 2018
Walther, T.: Multi-token batch auctions with uniform clearing prices (2018)
Google Scholar
Warren, W.: Front-running, griefing and the perils of virtual settlement (2017). https://blog.0xproject.com/front-running-griefing-and-the-perils-of-virtual-settlement-part-1-8554ab283e97. Accessed 14 Aug 2018
Warren, W., Bandeali, A.: 0x: an open protocol for decentralized exchange on the Ethereum blockchain (2017). https://github.com/0xProject/whitepaper
Williamson, D.Z.J.: The AZTEC protocol (2018). https://github.com/AztecProtocol/AZTEC/
Zetzsche, D.A., Buckley, R.P., Arner, D.W., Föhr, L.: The ICO gold rush: it’s a scam, it’s a bubble, it’s a super challenge for regulators (2018)
Google Scholar
Zhou, Y., Kumar, D., Bakshi, S., Mason, J., Miller, A., Bailey, M.: Erays: reverse engineering Ethereums opaque smart contracts. In: USENIX Security (2018)
Google Scholar
Zhu, H.: Do dark pools harm price discovery? Rev. Financ. Stud. 27(3), 747–789 (2014)
Article Google Scholar

Download references

Acknowledgements

The authors thank the Autorité des Marchés Financiers (AMF) for sponsoring this research through the Education and Good Governance Fund (EGGF), as well as NSERC through a Discovery Grant.

Author information

Authors and Affiliations

Gina Cody School of Engineering and Computer Science, Concordia University, Montreal, Canada
Shayan Eskandari, Seyedehmahsa Moosavi & Jeremy Clark
ConsenSys Diligence, Montreal, Canada
Shayan Eskandari

Authors

Shayan Eskandari
View author publications
You can also search for this author in PubMed Google Scholar
Seyedehmahsa Moosavi
View author publications
You can also search for this author in PubMed Google Scholar
Jeremy Clark
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Shayan Eskandari or Jeremy Clark .

Editor information

Editors and Affiliations

Stirling University, Stirling, UK
Andrea Bracciali
Concordia University, Montréal, QC, Canada
Jeremy Clark
University of Oxford, Oxford, UK
Federico Pintore
University of Luxembourg, Esch-sur-Alzette, Luxembourg
Peter B. Rønne
University of Trento, Trento, Italy
Massimiliano Sala

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Eskandari, S., Moosavi, S., Clark, J. (2020). SoK: Transparent Dishonesty: Front-Running Attacks on Blockchain. In: Bracciali, A., Clark, J., Pintore, F., Rønne, P., Sala, M. (eds) Financial Cryptography and Data Security. FC 2019. Lecture Notes in Computer Science(), vol 11599. Springer, Cham. https://doi.org/10.1007/978-3-030-43725-1_13

Download citation

DOI: https://doi.org/10.1007/978-3-030-43725-1_13
Published: 13 March 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-43724-4
Online ISBN: 978-3-030-43725-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics