Some rare good news after weeks of attacks. Euler Finance has recovered most funds!
Bot on Bot Crime
Yesterday was a crazier-than-usual day in crypto, between rumors of an Interpol Red Notice aimed at CZ and $DOGE pumping after Elon flipped the bird logo for Kabosu.
Yet by far the most fascinating story was within the dark forest of MEV. If you need a bit of a refresher on the state of MEV, Curve’s Fiddy appeared on a great panel by bloXroute Labs earlier this week:
Unfortunately the panel was recorded before this new attack vector made the rounds, or it surely would have been good fodder for discussion. Yesterday, MEV observers noted a rogue validator attacking an MEV bot to drain tens of millions worth of value, a previously unnoticed line of attack.
In this case, the validator preyed on MEV bots executing a sandwich attack, which is only as delicious as it sounds if you happen to be the one making the sandwich. A sandwich attack is among the most common types of MEV. Here’s how it works:
Imagine you’re trying to trade a million dollars’ worth of $POO for $DOGE. In a shallow liquidity pool, this would raise the pool’s price of $DOGE.
To profit, an MEV bot sniffing the mempool can simply add in two transactions around your transaction (the sandwich) to manipulate the prices in the pool and extract a profit at your expense.
The first transaction buys loads of cheap $DOGE from the pool before your trade lands. Afterwards, the second transaction sells the $DOGE back at a favorable rate. The person making the original transaction (the sandwich’s meat) gets less $DOGE than expected, and the difference goes to the sandwich attacker.
These maneuvers happen frequently on-chain. A good way to protect yourself against sandwich attacks when using Curve is to keep the “slippage tolerance” of your transaction set to a very small value, so that any transaction will revert if you get fewer tokens than expected.
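To see why the slippage setting matters, here is an added example (not from the original post) that runs the same sandwich against a loose and a tight tolerance. It assumes a toy constant-product pool with no fees, which is a simplification and not Curve's actual pool math; the reserves, trade sizes and all names are constructed for illustration.

```python
# Toy constant-product pool (x * y = k) with no fees. Constructed numbers;
# this is a simplification and not Curve's actual pool math.
from dataclasses import dataclass

class Reverted(Exception):
    """The swap would return fewer tokens than the caller's minimum."""

@dataclass
class Pool:
    poo: float   # $POO reserve
    doge: float  # $DOGE reserve

    def quote_buy(self, poo_in: float) -> float:
        """$DOGE returned for poo_in at the current reserves."""
        return self.doge - self.poo * self.doge / (self.poo + poo_in)

    def buy(self, poo_in: float, min_out: float = 0.0) -> float:
        out = self.quote_buy(poo_in)
        if out < min_out:            # the slippage check
            raise Reverted(f"would receive {out:,.0f}, minimum is {min_out:,.0f}")
        self.poo, self.doge = self.poo + poo_in, self.doge - out
        return out

    def sell(self, doge_in: float) -> float:
        out = self.poo - self.poo * self.doge / (self.doge + doge_in)
        self.poo, self.doge = self.poo - out, self.doge + doge_in
        return out

def simulate(tolerance: float, user_in=1_000_000.0, front_run_in=500_000.0) -> dict:
    pool = Pool(poo=10_000_000.0, doge=10_000_000.0)
    quoted = pool.quote_buy(user_in)           # what the user saw when signing
    min_out = quoted * (1 - tolerance)
    bot_doge = pool.buy(front_run_in)          # first slice of bread
    try:
        received = pool.buy(user_in, min_out)  # the user's trade
    except Reverted:
        received = None                        # trade reverts, user keeps their $POO
    bot_profit = pool.sell(bot_doge) - front_run_in  # second slice of bread
    return {"quoted": quoted, "received": received, "bot_profit": bot_profit}

if __name__ == "__main__":
    for tol in (0.10, 0.005):
        print(f"tolerance {tol:.1%}:", simulate(tol))
```

With a 10% tolerance the user's trade goes through about 9% short of the quote and the bot pockets the difference; at 0.5% the trade reverts and the bot's round trip earns nothing (with real pool fees it would be a loss).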
How does this tie into the Sandwich Slayer attack?