Real-time Attack Prevention & Front-Running
Imitating DeFi Transactions
Can you defend against attacks in real-time? How much money can you make when copy/pasting transactions? We answer these questions in our USENIX Security paper.
We show that imitation is real and can be done in real-time.
- The Imitation Game. We introduce the generalized blockchain imitation game with a new class of adversary attempting to imitate its victim’s transactions and associated contracts, without prior knowledge about the victim’s intent or application logic. We design APE, a generalized imitation tool for EVM-based blockchains. We are the first to show that dynamic program analysis techniques can realize an imitation attack, posing a substantial threat to blockchain users.
- Which transactions are affected? We evaluate APE over a one-year timeframe on Ethereum and BNB Smart Chain (BSC). We show that APE could have yielded 148.96M USD in profit on Ethereum, and 42.70M USD on BSC. We find that 73.74M USD stems from 35 known DeFi attacks that APE can imitate. APE’s impact further becomes apparent through the discovery of five new vulnerabilities, which we responsibly disclose, as they could have caused a total loss of 31.53M USD, if exploited.
- Real-time. We show that APE executes in real-time on Ethereum (13.3-second inter-block time) and BSC (3-second inter-block time). On average, a single APE imitation takes 0.07±0.10 seconds. Because of APE’s efficiency, it could have front-run in real-time 35 DeFi attacks within our evaluation timeframe. Miners that execute APE can ultimately choose to carry out the attacks, or could act as whitehat hackers in a defensive capacity.
Conclusion?
The generalized blockchain imitation game is a new class of attacks on smart contract blockchains. Such imitations could be adopted for either selfish outcomes, e.g., a miner adopting APE can appropriate millions of USD worth of DeFi attacks; or, on a brighter note, miners could help defend the DeFi ecosystem as whitehat hackers, by front-running attacks and possibly refunding the resulting revenue to their victim. In this work, we show that such imitation games are practical and can yield significant value on Ethereum and BSC.