This is article 2 of 7 for The Tech Progressive writers community, where we will post one article a day for the next 7 days.
Introduction
If this is your first encounter with web3, great! Let’s learn something new. Maybe, just maybe, this post will spark your curiosity.
I’m a cybersecurity consultant focusing on digital forensics and incident response (web2…for now), where I work with companies responding to cyber incidents—from ransomware to internal breaches.
But on the web3 front, I have zero experience. Therefore, writing about it might be the best way to learn. I hope you can get something out of it too.
Today’s web3 attack is called ‘front-running’.
What is Front-Running?
The term came from the stock market world, back when trades were executed on paper and carried by hand. For example, a broker would receive an order from a client to buy a particular stock (usually in an amount large enough to drive the price up), but before placing it would first buy shares for themselves. Once the client's order has pushed the price up, the broker immediately sells those shares and pockets the difference.
On the blockchain, the problem becomes worse because all transactions are public: every pending transaction sits in the mempool, visible to anyone, before it gets validated.
Miners are the ones who validate transactions, and they get to choose which transactions to mine first. In practice the rule is simple: whoever pays the highest gas price goes first.
So an observer watching the mempool for a specific transaction can front-run it by submitting the same transaction with a higher gas price, getting it validated ahead of the original.
Examples?
Consensys defines three categories of front-running attacks. Let's use Jack as a user and Elon as an attacker.
Displacement
Jack is trying to register a domain name, and Elon registers it first;
Jack is trying to submit a bug to receive a bounty, and Elon copies it and submits it first;
Jack is trying to submit a bid in an auction, and Elon copies it.
Insertion
If Jack places a purchase order for a blockchain asset at a price higher than the best offer, Elon inserts two transactions ahead of it: he purchases the asset at the best offer price, then offers the same asset for sale at Jack's slightly higher purchase price. When Jack's transaction runs afterwards, it fills against Elon's offer, and Elon profits from the price difference without ever having to hold the asset.
Suppression
Also called block stuffing attacks: after Elon's transaction runs, he tries to delay Jack's transaction from running at all.
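To make the displacement and insertion categories concrete, here is a small simulation, written for this post and not taken from the Consensys material or any real chain. It models a mempool where the miner picks the highest gas price first, a naive first-come-first-served name registry, and a tiny order book; the names (jack, elon, market), prices and gas values are constructed. Swapping in a first-come-first-served ordering shows what the same mempool would have produced without gas-price ordering.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed toy model: names, prices and gas values are made up for illustration.

@dataclass
class State:
    names: Dict[str, str] = field(default_factory=dict)          # domain -> owner
    asks: List[Tuple[int, str]] = field(default_factory=list)    # (price, seller)
    balances: Dict[str, int] = field(default_factory=dict)       # net token flow per account

@dataclass
class Tx:
    sender: str
    gas_price: int
    action: Callable[[State], str]   # applies the tx to State and returns a log line

def by_gas_price(mempool: List[Tx]) -> List[Tx]:
    """What the post describes: the miner takes the highest gas price first.
    sorted() is stable, so equal gas prices keep submission order."""
    return sorted(mempool, key=lambda tx: tx.gas_price, reverse=True)

def by_submission(mempool: List[Tx]) -> List[Tx]:
    """Counterfactual first-come-first-served ordering, for comparison."""
    return list(mempool)

def run_block(state: State, mempool: List[Tx], order=by_gas_price) -> List[str]:
    return [tx.action(state) for tx in order(mempool)]

def register(name: str, owner: str) -> Callable[[State], str]:
    """Naive first-come-first-served name registry: the first tx to run wins."""
    def action(state: State) -> str:
        if name in state.names:
            return f"{owner}: {name} already owned by {state.names[name]}"
        state.names[name] = owner
        return f"{owner}: registered {name}"
    return action

def buy(buyer: str, limit: int) -> Callable[[State], str]:
    """Fill against the lowest ask at or below the buyer's limit price."""
    def action(state: State) -> str:
        state.asks.sort()
        if not state.asks or state.asks[0][0] > limit:
            return f"{buyer}: no ask at or below {limit}"
        price, seller = state.asks.pop(0)
        state.balances[buyer] = state.balances.get(buyer, 0) - price
        state.balances[seller] = state.balances.get(seller, 0) + price
        return f"{buyer}: bought from {seller} at {price}"
    return action

def sell(seller: str, price: int) -> Callable[[State], str]:
    def action(state: State) -> str:
        state.asks.append((price, seller))
        return f"{seller}: listed ask at {price}"
    return action

def displacement(order=by_gas_price) -> str:
    """Jack's registration is visible in the mempool; Elon copies it with more gas."""
    state = State()
    mempool = [Tx("jack", 10, register("jack.eth", "jack")),
               Tx("elon", 50, register("jack.eth", "elon"))]
    run_block(state, mempool, order)
    return state.names["jack.eth"]

def insertion(order=by_gas_price) -> Dict[str, int]:
    """Best ask is 100 and Jack bids up to 105. Elon buys at 100 and re-lists
    at 105, both ahead of Jack, so Jack ends up filling against Elon."""
    state = State(asks=[(100, "market")])
    mempool = [Tx("jack", 10, buy("jack", 105)),
               Tx("elon", 50, buy("elon", 100)),
               Tx("elon", 40, sell("elon", 105))]
    run_block(state, mempool, order)
    return state.balances

if __name__ == "__main__":
    print("displacement, gas ordering :", displacement())
    print("displacement, FIFO ordering:", displacement(by_submission))
    print("insertion, gas ordering    :", insertion())
    print("insertion, FIFO ordering   :", insertion(by_submission))
```

Under gas-price ordering Elon ends up owning jack.eth and nets 5 on the insertion while never holding the asset beyond a single block; under submission ordering Jack gets the name and fills at 100, and Elon's inserted buy finds nothing to fill. The attacker's only input in both cases is what was already visible in the mempool, which is the point the post makes.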
Conclusion
Front-running exists from the traditional stock market world to the modern blockchain world.
There are mitigations such as Submarine Sends and others that we may touch on in future articles. My goal here is only to make you aware of the dangers out there so you can prepare yourself.
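As an added illustration of why the registration example above is fixable, here is a commit-reveal registry in Python. It is not the Submarine Sends scheme the post mentions and is not code from Consensys or any real registry; it is a simplified version of the commit-reveal pattern that name services commonly use, with constructed names, salts and block numbers. A commitment binds the name, a secret salt and the future owner into one hash, and a commitment must be at least `min_age` blocks old before it can be revealed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed toy model: names, salts and block numbers are made up for illustration.

def commitment(name: str, salt: str, owner: str) -> str:
    """Hash of what is being registered, a secret salt, and who will own it.
    Binding the owner in makes a copied commitment useless to anyone else."""
    return hashlib.sha256(f"{name}|{salt}|{owner}".encode()).hexdigest()

@dataclass
class CommitRevealRegistry:
    min_age: int = 1      # blocks a commitment must wait before it can be revealed
    block: int = 0        # current block height
    commits: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (owner, hash) -> block
    names: Dict[str, str] = field(default_factory=dict)                # name -> owner

    def commit(self, owner: str, c: str) -> None:
        # Only the hash goes on chain, so a mempool watcher learns nothing about the name.
        self.commits.setdefault((owner, c), self.block)

    def reveal(self, owner: str, name: str, salt: str) -> bool:
        committed_at = self.commits.get((owner, commitment(name, salt, owner)))
        if committed_at is None:
            return False                 # no matching commitment by this owner
        if self.block - committed_at < self.min_age:
            return False                 # committed too recently, e.g. copied from this reveal
        if name in self.names:
            return False                 # already registered
        self.names[name] = owner
        return True

def demo():
    reg = CommitRevealRegistry(min_age=1)
    salt = "constructed-salt"            # in practice a fresh random value kept secret
    c = commitment("jack.eth", salt, "jack")

    # Block 0: Jack commits. Elon sees only the hash and copies it with a higher gas
    # price, so his copy is mined first, but it is recorded under his own address.
    reg.commit("elon", c)
    reg.commit("jack", c)
    reg.block += 1

    # Block 1: Jack's reveal exposes the name and salt in the mempool.
    # Even with both, Elon cannot use the copied hash: it was bound to Jack.
    elon_copy = reg.reveal("elon", "jack.eth", salt)
    # Elon front-runs with his own commit and reveal at a higher gas price,
    # but a commitment made in this block is too young to reveal.
    reg.commit("elon", commitment("jack.eth", "elon-salt", "elon"))
    elon_first = reg.reveal("elon", "jack.eth", "elon-salt")
    jack = reg.reveal("jack", "jack.eth", salt)
    reg.block += 1

    # Block 2: Elon's commitment is old enough now, but the name is already Jack's.
    elon_later = reg.reveal("elon", "jack.eth", "elon-salt")
    return reg.names, elon_copy, elon_first, jack, elon_later

if __name__ == "__main__":
    print(demo())
```

The minimum age is the part that does the work: without it, an attacker who sees the reveal in the mempool could commit and reveal in the same block ahead of the original, and the scheme would only have moved the race one step later.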
I hope you learn something from this article.
I also hope it sparks your curiosity to learn more.
I also hope that whatever it is you're building is successful.
Let’s win and help others win securely.
You have more than a billion choices online. With a few clicks, you could be about anywhere. Thanks for reading this today.