DOI: 10.1145/3491102.3517585
Research article

Impact and User Perception of Sandwich Attacks in the DeFi Ecosystem

Published: 29 April 2022

Abstract

Decentralized finance (DeFi) enables crypto-asset holders to conduct complex financial transactions while keeping control over their assets in the blockchain ecosystem. However, the transparency of blockchain networks and the open mechanisms of DeFi applications also create new security issues. In this paper, we focus on sandwich attacks, in which an attacker exploits the delay between a user's transaction being broadcast and being confirmed to place one trade immediately before and another immediately after it, causing a financial loss for the victim. We evaluate the impact of sandwich attacks and investigate users' perceptions of them through a mixed-methods study. We find that, because of users' lack of technical background and insufficient notifications from the markets, many users were not aware of the existence or the impact of sandwich attacks. They also had a limited understanding of how to resolve the security issue. Interestingly, users showed high tolerance for the impact of sandwich attacks on individuals and on the ecosystem, despite potential financial losses. We discuss general implications for users, DeFi applications, and the community.
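The mechanics behind the attack described above, as an added worked example that is not part of the paper: a simulation of a sandwich on a constant-product pool priced with the Uniswap v2 getAmountOut formula (0.3% fee taken from the input amount). The pool depth (1000 ETH / 3,000,000 USDC), the victim's trade sizes and the slippage tolerances are constructed illustration values. The victim's protection is the amountOutMin that a wallet derives from its slippage setting; the attacker's front-run is sized as large as that check still allows, the victim's swap executes at the worsened price, and the back-run sells the acquired USDC back. The example shows two things the abstract does not: the victim's slippage tolerance is an upper bound on what the attacker can extract, and the pool fee makes small trades unprofitable to sandwich. Winning the ordering (priority fee, private relay) is not modelled.

```python
"""Sandwich attack on a constant-product AMM with Uniswap v2 pricing.

Added example, not code from the paper. Pool depth, trade sizes and slippage
settings are constructed values; only the pricing formula and 0.3% fee follow
Uniswap v2's getAmountOut.
"""
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000   # Uniswap v2: 0.30% fee taken from amountIn
ETH = 10**18                   # wei per ETH
USDC = 10**6                   # USDC uses 6 decimals


def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """UniswapV2Library.getAmountOut: integer constant-product quote after fee."""
    amount_in_with_fee = amount_in * FEE_NUM
    return amount_in_with_fee * reserve_out // (reserve_in * FEE_DEN + amount_in_with_fee)


@dataclass
class Pool:
    eth: int
    usdc: int

    def swap_eth_for_usdc(self, eth_in: int) -> int:
        out = get_amount_out(eth_in, self.eth, self.usdc)
        self.eth += eth_in
        self.usdc -= out
        return out

    def swap_usdc_for_eth(self, usdc_in: int) -> int:
        out = get_amount_out(usdc_in, self.usdc, self.eth)
        self.usdc += usdc_in
        self.eth -= out
        return out


def victim_out_after_frontrun(pool: Pool, frontrun_eth: int, victim_eth: int) -> int:
    """USDC the victim receives if `frontrun_eth` is swapped in just before them."""
    p = Pool(pool.eth, pool.usdc)
    p.swap_eth_for_usdc(frontrun_eth)
    return get_amount_out(victim_eth, p.eth, p.usdc)


def max_frontrun(pool: Pool, victim_eth: int, victim_min_out: int) -> int:
    """Largest front-run (wei) that still lets the victim's amountOutMin check pass.

    The victim's output decreases monotonically with the front-run size, so a
    binary search over [0, pool.eth] locates the boundary.
    """
    lo, hi = 0, pool.eth
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if victim_out_after_frontrun(pool, mid, victim_eth) >= victim_min_out:
            lo = mid
        else:
            hi = mid - 1
    return lo


def sandwich(pool: Pool, frontrun_eth: int, victim_eth: int) -> tuple[int, int]:
    """Front-run, victim swap, back-run in one block. Returns (attacker_profit_wei, victim_out)."""
    p = Pool(pool.eth, pool.usdc)
    attacker_usdc = p.swap_eth_for_usdc(frontrun_eth)   # tx 1: attacker buys USDC, price of USDC rises
    victim_out = p.swap_eth_for_usdc(victim_eth)         # tx 2: victim buys at the worsened price
    eth_back = p.swap_usdc_for_eth(attacker_usdc)        # tx 3: attacker sells USDC back for ETH
    return eth_back - frontrun_eth, victim_out


def best_sandwich(pool: Pool, victim_eth: int, slippage_bps: int, steps: int = 64) -> dict:
    """Attacker's most profitable sandwich against a victim with the given slippage tolerance.

    The victim's wallet quotes the swap and sets amountOutMin = quote * (1 - slippage).
    The attacker sizes the front-run up to the largest value that check tolerates, and
    keeps the front-run at zero when no size clears the pool fees.
    """
    quoted = get_amount_out(victim_eth, pool.eth, pool.usdc)
    min_out = quoted * (10_000 - slippage_bps) // 10_000
    f_max = max_frontrun(pool, victim_eth, min_out)
    best = {"frontrun_eth": 0, "profit_wei": 0, "victim_out": quoted}
    for i in range(1, steps + 1):                         # coarse scan of sizes up to f_max
        f = f_max * i // steps
        profit, v_out = sandwich(pool, f, victim_eth)
        if profit > best["profit_wei"]:
            best = {"frontrun_eth": f, "profit_wei": profit, "victim_out": v_out}
    best["quoted_out"] = quoted
    best["min_out"] = min_out
    best["victim_extra_loss_usdc"] = quoted - best["victim_out"]
    return best


if __name__ == "__main__":
    pool = Pool(1000 * ETH, 3_000_000 * USDC)            # constructed pool depth
    for bps in (100, 10):
        r = best_sandwich(pool, 10 * ETH, bps)
        print(f"10 ETH victim, {bps} bps slippage: attacker profit {r['profit_wei'] / ETH:.4f} ETH, "
              f"victim loses an extra {r['victim_extra_loss_usdc'] / USDC:.2f} USDC")
    r = best_sandwich(pool, 1 * ETH, 100)
    print(f"1 ETH victim, 100 bps slippage: attacker profit {r['profit_wei'] / ETH:.4f} ETH (fees dominate)")
```

With a 1% tolerance the 10 ETH victim loses roughly 1% of the quoted output and the attacker nets around 0.07 ETH after paying the pool fee twice; at 0.1% tolerance both figures shrink by about an order of magnitude, which is the check a user can apply. A 1 ETH trade in the same pool moves the price by only about 0.1%, less than the attacker's round-trip fee of 0.6%, so no front-run size is profitable and the attacker's best move is not to trade.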

Supplementary Material

MP4 File (3491102.3517585-talk-video.mp4)
Talk Video


Published In

CHI '22: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, April 2022, 10459 pages. ISBN 9781450391573. DOI: 10.1145/3491102

Publisher

Association for Computing Machinery, New York, NY, United States


        Qualifiers

        • Research-article
        • Research
        • Refereed limited

Conference

CHI '22: CHI Conference on Human Factors in Computing Systems, April 29 - May 5, 2022, New Orleans, LA, USA

        Acceptance Rates

        Overall Acceptance Rate 6,199 of 26,314 submissions, 24%
