Skip to content

Latest commit

 

History

History

README.md

Exploting A Smart-Contract Using Flashbots

Problem:

In this case a developer is seeking to exploit a poorly written smart-contract. As shown below anyone can call BrokenContract and withdraw the contract's entire ETH balance by executing the withdraw function.

//SPDX-License-Identifier: Unlicense
pragma solidity ^0.8.0;

contract BrokenContract {
    // allow this contract to receive ether
    receive() external payable {}
    // this function will withdraw the entire ether balance in this smart-contract to the first person who calls it
    function withdraw() external {
        payable(msg.sender).transfer(address(this).balance);
    }    
    // this function can be used to keep track of the contract's ethereum balance
    function balance() external view returns(uint) {
        return address(this).balance;
    }
}

Here's the problem - if the developer sends an normal Ethereum transaction calling the withdraw function they will likely get front-runned by other sniper bots. Recall anytime a transaction is made interacting with a smart-contract, there will be associated call data encoded which is available for anyone to see when the transcation hits the mempool. In this case if the developer wanted to call withdraw then he would have to sign a transaction with the following hex call-data 0x3ccfd60b as shown in the animation below. Given this transaction is sitting in the public mempool before it gets confirmed, all of this transaction data is visible to sniper bots.

This data field is in hex and is not decipherable to humans, however, sophisticated sniper bots can take this data value and simulate what the transaction would look like if they ran this transaction themselves. Therefore, if this transaction is left in the public mempool, then these sophisticated sniper bots can still front-run the transactions by bidding up higher gas transaction fees. It might get to a point where the sniper bots are paying 0.199 ETH worth of gas fees and receiving 0.2 ETH, hence only resulting in 0.001 ETH of profit.

Solution:

Rather than sending this transaction through the public mempool, the developer would be better off just using the Flashbots relayer service to mask this transaction from sniper bots. This would ensure the transaction will not be revealed until after it is mined into the blockchain. Therefore, there’s no opportunities for the other sniper bots to front-run the transaction given it is already included in the blockchain.

Goerli Addresses Used In This Analysis: