Tales of Stolen Bitcoin Billions: The Rise of Sandwich Attacks on Blockchain Networks

5tGG...kNBo
6 Jan 2024
406

In a sandwich attack, the attacker attempts to insert their own wallet address between two transactions originating from a victim's wallet, redirecting funds to themselves in the process. It exploits the way some cryptocurrencies confirmation process works - waiting for multiple network confirmations before funds are released.


By squeezing their wallet address between two transactions in the queue and accelerating the confirmations on the sandwiching transactions, an attacker tricks the network into confirming the theft as legitimate before the victim's wallet realizes the hack. This attack works because of race conditions in the confirmation process.

Some key characteristics of a crypto sandwich attack:


  • Targets cryptocurrency networks with multi-confirmation transactions like Ethereum
  • Relies on speed to have theft transaction confirmed faster
  • Inserts hacker wallet between two victim wallet transactions
  • Exploits race conditions in transaction ordering and confirmation


A successful sandwich attack allows a hacker to redirect crypto funds being transferred to a new destination by squeezing their own address into the confirmation sequence and fooling the network to validate the theft transaction first before the legitimate pending transactions.

Who is Vulnerable to Sandwich Attacks?


Any blockchain network like Ethereum that relies on multiple transaction confirmations prior to executing transfers faces potential vulnerability to sandwich attacks. Networks that allow replacement of pending transactions under certain conditions also incur sandwich attack risks.

Specifically, the following groups are vulnerable:


  • Cryptocurrency exchanges holding customer deposits
  • Over-the-counter (OTC) cryptocurrency brokers relying on manual transaction steps
  • Users transferring large amounts of crypto to a new wallet address
  • Decentralized Finance (DeFi) applications with admin keys accessible
  • High net worth crypto traders frequently moving funds around


Sandwich attacks are most successful when aimed against high-value fund transfers that remain unconfirmed on the network for longer durations. The longer the lag, the bigger window for initiating a sandwich attack.

Common Scenarios for Sandwich Attacks


While sandwich attacks are complex to execute, the rise in high-value crypto transactions and markets like DeFi or OTC desks introduce lucrative targets for persistent hackers. Some common scenarios include:

1. Cryptocurrency Exchanges: Exchanges holding crypto deposits can have customer withdrawal transactions targetted using sandwich attacks that siphon funds to the hacker before the exchange systems detect a problem.

2. OTC Desks: During high-value over-the-counter cryptocurrency trades, manual processes introduce lag between transactions that skilled attackers utilize to initiate sandwich attacks unnoticed.

3. Decentralized Apps: DeFi applications with flaws in administering admin keys/privileges can expose pending high-value transactions to sandwich attacks and fund theft.

4. Whale Crypto Moves: Savvy attackers track transactions by major cryptocurrency traders and exchanges to spot large pending transfers as lucrative targets for sandwich attacks.

The common thread in these scenarios is the combination of high-value crypto transactions and delays or loopholes in transaction handling - exactly the properties needed to successfully perpetrate sandwich attacks beneath the victim's notice.

Anatomy of a Crypto Sandwich Attack


At a step-by-step level, here is the anatomy of how a hacker executes the theft of funds using a sandwich attack:

1. Initiate First Transaction: The initial transaction originates from the target victim wallet to send funds to a new receiving address. This remains pending confirmation on the blockchain network.

2. Initiate Sandwich Transaction: Before the first transaction receives adequate confirmations, the hacker initiates their own transfer sending funds from the victim's wallet to their own wallet address instead.

3. Accelerate Attack Transaction: Utilizing various techniques the hacker accelerates the confirmation process for this second malicious transaction to have it validated before the initial one.

4. Execute Final Transaction: After their own sandwich transaction gets confirmed, the attacker queues one more transaction from the victim's wallet to hide the activity trail.

5. Delay Initial Transaction: The hacker leverages denial of service type attacks to slow down the confirmations for the initial legitimate transaction from Step 1 above.

If executed precisely, the timing and sequence enables the hacker’s sandwich transaction to get confirmed while the initial transfer remains pending. By the time the network untangles the mess, the funds have already reached the attacker’s wallet address irreversibly.

Cryptocurrency Networks at Risk


Given its reliance on architectural factors, sandwich attacks pose the biggest threat to blockchain networks that incorporate:

  • Multi-confirmation transactions
  • Custom transaction prioritization
  • Replacement of pending transactions
  • Programmatic transparency in mempools


These technical properties exist in networks like Ethereum and Bitcoin Cash making them vulnerable to sandwich attacks. The rise in complex smart contracts and decentralized finance ecosystems based on such networks also exacerbate risks for participants due to transaction delays and accelerated confirmation loops.

Even cryptocurrency custody and wallet service providers relying on replacing pending transactions face enhanced sandwich attacks risks. The simple act of transaction replacement builds foundations for the confirmation race conditions that hackers capitalize on using sandwich attacks.

Sandwich Attack Techniques and Tools


Now that we have reviewed the fundamentals around crypto sandwich attacks, let's examine the common techniques and tools hackers employ to perpetrate such attacks aimed at stealing funds. Understanding these methods can help crypto exchanges, wallet providers and network developers implement better safeguards.

Common techniques used in sandwich attacks include:


1. Transaction Rebroadcasting
2. Mempool Manipulation
3. Miner Bribery
4. Time-Jacking
5. Delayed Proof-of-Work (dPoW)

We will analyze how each approach works and popular tools that enable hackers to conduct sandwich attacks against target blockchain networks and wallets.

Transaction Rebroadcasting Attack Tools


The simplest sandwich attack technique relies on broadcasting a new transaction with higher transaction fees before an original pending transaction gathers enough blockchain confirmations.

By simply resending a transaction as a replacement, hackers can position their wallet address within the sequence of an ongoing fund transfer. If the replacement occurs quickly enough, it could receive confirmations before the legitimate transaction is even processed, enabling the hacker to siphon funds.

This is directly enabled by the transaction replacement facilities offered by cryptocurrency wallet providers and exchanges. Two common tools abused are:

Replace-by-Fee (RBF): Bitcoin network feature allowing unconfirmed wallet transactions to get modified or replaced with an updated higher fee transaction broadcast to the network.

Cancel and Replace Transaction: Similar to RBF but more flexible allowing users to resend an entirely new transaction before initial confirmation, not just fee modification. This is commonly offered by custodial wallets and crypto exchanges.

By relentlessly rebroadcasting payments using higher fees before the original transaction confirmation, hackers can front-run genuine transfers and facilitate sandwich attacks.

Mempool Manipulation Tools


Every cryptocurrency network maintains a holding area called the memory pool or mempool for incoming transactions awaiting confirmation. Priority is assigned based on factors like fees, age, network rules, etc.

Sophisticated attackers attempt to manipulate the mempool activity to ensure their malicious transaction gets highest precedence for confirmation ahead of pending legitimate transfers. Some popular tools for mempool manipulation are:

Flashbots: Service explicitly created for honest MEV usage but often exploited by attackers to manipulate mempools and sandwich attack transactions.

MegaPool: Botnet for pool mining enabling control of pooled collective mining hash power from smaller miners. Combined hashing power allows governing mempool transaction ordering to front-run target transactions.

Minimum-viable-fee (MVF) Tools: Estimates lowest viable network fee required to achieve accelerated confirmation by analyzing mempool data. Enables hackers to fine tune attacks.

By deliberately manipulating mempool transaction queues, hackers can ensure their sandwich attack transactions jump ahead of target victim transactions and get confirmed faster by incentivized miners. This acts as a key prerequisite step for successfully stealing funds.

Miner Bribery Sandwich Attack Tools


Gaining preferential treatment for transaction confirmation from the mining network provides the most straightforward path for sandwich attack success. Hackers study blockchain transaction patterns to determine the likely next few miners to solve the required Proof-of-Work and propose the next block.

By directly bribing such miners and incentivizing them to schedule the malicious transaction ahead of others in their allocated block, attackers can front-run regular transactions. This guarantees the theft transaction will receive the first confirmation providing critical head start over genuine pending transfers.

Censorship Bribery - White hat hackers paying mining pools to censor transactions from blacklisted entities or wallets

Two major tools enable hacker-to-miner bribery schemes:


Stratum V2 Mining Protocol: Introduces encryption enabling covert communication between miners and external entities who can now secretly offer transaction prioritization incentives.

BlockAoT: Secondary network protocol that creates private communication channels allowing external transaction submitters priority access to miners in return for disproportionately high fees.

Together such network upgrades facilitate direct miner bribery tactics to schedule fraudulent transactions like sandwich attacks ahead of legitimate transactions by other network participants.

Time-Jacking Attack Tools


This novel class of attacks manipulates the perception of time itself achieved by compromising the time server pools that most blockchain nodes and miners synchronize with. By deliberately feeding false timing data, hackers can trick applications into accepting incorrect transaction sequences.

Hackers can potentially utilize this to slow down block creation times or introduce random time dilations. Such artificial lag and perturbations provide additional windows to execute transaction reordering or replacement that assists sandwich attacks.

Some attack tools that enable time distortion tricks include:


Global Positioning System (GPS) Spoofing: Transmit manipulated GPS signals to public network time servers to skew timing feed data that network nodes rely on achieving consensus.

Network Time Protocol (NTP) Amplification DDoS: Manipulate publicly accessible NTP servers to achieve similar broad time distortions preventing genuine transaction ordering.

Quantum Computer Time Hacking: Future potential to leverage quantum algorithmic speed to deliberately compute falsified times and break time-sensitive cryptography around block ordering and confirmations.

By warping the perception of chronology itself, hackers gain opportunities to fool confirmation protocols into validating sandwich attack transactions aimed at stealing funds from cryptocurrency participants.

Delayed Proof-of-Work Attack Tools


Also known as Bitcoin delayed proof-of-work (dPoW) attacks, this technique relies on manipulating network rule requirements around proof-of-work (PoW) verification that validates blocks and contained transactions.

Leveraging inconsistencies between nodes running varying Bitcoin core software versions in validating proof-of-work, attackers can introduce artificial confirmation delays and race conditions between blocks. This helps separate originally paired transactions to sneak in their own wallet address allowing them to steal funds.

Some potential tools that introduce disadvantages between node rulesets enabling delayed PoW confusion tricks:

Core Node Policy Splits: Run forked versions of Bitcoin core node software among select miners and pools that apply customized validation rules compared to the rest of the network miners.

Transaction Relay Limits: Introduce artificial caps on certain node software limiting how many unconfirmed transactions they will relay introducing network-wide delays ideal for confirmation lag tricks.

Custom Miner Rulesets: Mine blocks with specialized parameters like shorter block intervals, increased block sizes, alternative transaction ordering techniques that other miners may initially reject or delay before building consensus.

The common aim in all these techniques is to deliberately build block propagation inefficiencies allowing custom blocks confirming attacks to achieve initial Wconfirmation status that is difficult to reverse once detected. This facilitates not only sandwich attacks but other transaction redirection frauds.

Securing Against Crypto Sandwich Attacks


Now that we have built comprehensive awareness around cryptocurrency sandwich attacks, their techniques and real-world impact, let's focus our attention on security controls and safeguards to protect funds against such sophisticated threats.

Broadly, defenders should address two priorities in parallel:

1. Minimizing Attack Surface: Design wallets, networks and transaction flows minimizing risks for initiation of sandwich attacks due to inherent delays, bottlenecks or manual processes allowing insertion of fraudulent transactions.

2. Enabling Real-Time Fraud Detection: Embed tailored analytics across blockchain transaction activity and service access enabling intelligent real-time monitoring capable of detecting anomalous behaviors indicative of sandwich attacks and related fraud.

We will detail specific security measures under each area to equip architects, developers and cyber defenders with practical techniques and controls to safeguard cryptocurrency owners against sophisticated sandwich attacks.

Minimizing Attack Surface


Use Native Sequencing Guarantees: Prioritize native blockchain transaction ordering and confirmation protocols over custom techniques prone to introducing race conditions or parallel override triggered during sandwich attacks.

Enforce Multi-factor Authorization: Require additional identity verification or device verification factors for transactions above pre-defined size thresholds via approaches like two-factor authentication preventing rogue admin attacks.

Automate Admin/Superuser Actions: Remove human coordination delays in workflow administration or superuser transactions to close latency windows hackers leverage to sneak in sandwich attack transactions.

Limit Manual Transaction Queuing: Minimize manual staging of high-value transaction sequences between wallets and exchanges allowing little scope for parallel insertion of fraudulent wallet addresses or transactions via user interface intrusions.

Isolate Transaction Construction: Physically isolate wallet systems responsible for assembling and administering crypto transactions from those processing confirmations introducing containment against parallel sequence attacks across environments.

Segment Transaction Privileges: Follow principles of least privilege in allocating wallet address and transaction construction rights to contractors, partners or internal teams to minimize attack vectors from privilege hijacking.

Enabling Real-Time Detection


Tailored Sandwich Alerts: Define transaction activity patterns specifically associated with different sandwich attack techniques allowing configurable rules detecting those behaviors in real-time.

Anomaly Detection via ML: Build machine learning models baseline patterns on administrator activity, wallet transactions and mining behavior flagging statistically significant deviations indicative of underlying sandwich attacks.

Track Confirmation Delays: Closely trace average time for gather required blockchain confirmations by transaction type to spot outlier delays potentially signaling manipulation attempts.

Honeypot High-Value Accounts: Conceal production wallet addresses via obfuscation while inserting decoy ‘honeypot’ wallets with small balances mirroring the transaction types, sizes and activity levels tying larger target transfers for attempts of sandwich attacks against those honey accounts.

Query Transaction Order: Cross-verify order of transaction confirmation against mempool sequence before delay allows redirection of funds enabling policy payouts in case of consensus mismatch signaling attacks.

Independent Verification Triggers: Require on-demand independent confirmation verification checkpoints of high-value transactions by administrators detecting tampering before primary wallet confirmation releases funds allowing reversal window.

Time-Synchronized Surveillance: Monitor multi-channel timing data like atomic clock signals, NTP and GPS sources detecting improbable time measurement distortions attempting to distort blockchain transaction sequences enabling sandwich attacks.

With both sets of controls aimed at preventing and intercepting cryptocurrency sandwich attacks, organizations can equip themselves to battle this sophisticated threat targeting owners and traders of digital assets across varied scenarios.

The onus lies on wallet developers, cryptocurrency exchanges and blockchain platforms themselves to acknowledge the seriousness of sandwich attacks and invest in tailored safeguards defending against hacker tools and techniques attempting blockchain time heists using clever confess tricks

If you enjoyed this article, please read my previous articles


How do newbies participate in DeFi projects?
The Life and Teachings of Jesus
The Power of a Second Chance
The Path to Writing Mastery: A Practical Guide for Blog Writing
Tips and Strategies for Maximizing Productivity in a Busy Life
Asset Management in DeFi


Thank you for reading! If you found this content valuable, please show some love by commenting, reading, reacting and Tips to this article. ✨


BITCOIN :  bc1qehnkue20nce3zgec73qvmhy0g3zak69l24y06g
SOLANA :  5tGG8ausWWo8u9K1brb2tZQEKuDMZ9C6kUD1e96dkNBo
ETHEREUM/polygon/OP/ARB/FTM/ AVAX/BNB :
0x608E4C17B3f891cAca5496f97c63b55AD2240BB5
TRX and TRX USDT :  TMtuDzU9XE5HHi83PZphujxSFiiDzyUVkA
ICP :  wbak4-ujyhn-jtb4f-gyddm-jkpwu-viujq-7jwe3-wl3ck-azbpz-gy45g-tqe
BCH : qpvs92cgn0722lwsraaumczj3dznpvclkv70knp0sn
XRP : rGzWnVNpecRVqzb95pWvGxqUY8DpSTGATT
ADA: addr1qx026lu93l7nj229alh0qcf2e69fx0selxmm870f80h9uzsgze4den3cvq337q65esfgw8t5zttfvkm6j6fljjsh00cqca3nqx
LTC :  ltc1qq0jp3xj5vmjwm57lr6339xhp8sf6c3lq9fv3ye 
ATOM :  cosmos1dvvn0p4dgdtzjh9eudy2gcrcys0efhd2ldhyvs 
Flow Address  : 0xc127a6d0990af587

BULB: The Future of Social Media in Web3

Learn more

Enjoy this blog? Subscribe to CapitalThink

43 Comments