What's a decentralized exchange (DEX) to do when a pesky front-runner is ripping off your clientele? You hire him.
That's exactly what decentralized exchange Bancor, which prefers to be referred to as a "liquidity network," did when users of its platform noticed that a trader was jumping in front of other users' market orders. Front-running is a type of market manipulation and a common practice on Wall Street, ranging from large banks trading ahead of their clients' orders to turn a profit to executing a trade based on non-public information.
And, naturally, front-running has found its way to crypto, causing especially big headaches for decentralized exchanges. Such platforms — which support peer-to-peer exchange of cryptocurrencies — have been prone to such manipulation, as a recent academic study out of Cornell Tech noted. The study named Bancor as one of the platforms plagued by the issue as well as rival Uniswap. Specifically, Bancor identified a front-runner who was using bots to scan its platform for pending transactions.
These bots essentially exploited the fact that there are usually more transactions waiting to be verified than miners can process at any given time. Therefore, by setting a very high gas price, the bots can attract miners to execute their transactions first and front-run other trades.
"This would lead to the legitimate user receiving fewer tokens in return," said Nate Hindman, Bancor Director of Communications. "The bot would immediately sell the acquired tokens at a profit, effectively stealing from the legitimate user."
By bringing on the Russian front-runner as a contractor, Bancor was able to devise a solution to the platform's front-running problem.
"We offered the front runner a bounty in exchange for information and consulting on specifically how he (and presumably numerous other front-runners) were outsmarting our protections," he said.
The solution Bancor found was to set a limit on the amount of gas — essentially fees paid to make a transaction — to keep front-runners from outbidding legitimate users.
Still, some market observers claim that this isn't a perfect solution. "This doesn't solve the problem of miners themselves doing the front-running," a source said.
"Miners get to decide which transactions go into the block so they can continue to monitor the transaction pool for Bancor transactions and then include their own trades that profit off the pending Bancor transactions."
Hindman, however, described miner front-running as a "minor threat" (no pun intended), adding that "it is very easy to uncover front-running by Ethereum miners."
"They have an interest in maintaining the integrity of the network," he added.
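The gas-price outbidding and the cap described above can be seen in a small simulation. This is an added example, not Bancor's code: the constant-product pool, the reserve sizes, the 20 gwei cap and the tie-breaking by arrival order are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    sender: str
    gas_price: int    # gwei offered to miners (constructed values)
    amount_in: float  # reserve tokens spent on the buy

def buy(pool, amount_in):
    """Constant-product buy (assumed pricing, not Bancor's formula)."""
    reserve, tokens = pool
    out = tokens - (reserve * tokens) / (reserve + amount_in)
    pool[0] += amount_in
    pool[1] -= out
    return out

def settle(pending, gas_price_cap=None):
    """Execute pending buys in the order a fee-maximizing miner would pick.

    `pending` is in arrival order. The sort is stable, so equal bids keep
    arrival order (an assumption; real miners need not break ties this way).
    """
    pool = [1000.0, 1000.0]  # constructed starting reserves
    received = {}
    for tx in sorted(pending, key=lambda t: -t.gas_price):
        if gas_price_cap is not None and tx.gas_price > gas_price_cap:
            received[tx.sender] = 0.0  # cap check fails, trade is rejected
            continue
        received[tx.sender] = buy(pool, tx.amount_in)
    return received

CAP = 20  # hypothetical cap in gwei
# Constructed mempool: the user's order arrives first, the bot reacts to it.
PENDING = [Tx("user", 20, 100.0), Tx("bot", 500, 100.0)]

if __name__ == "__main__":
    print("no cap:     ", settle(PENDING))
    print("with cap:   ", settle(PENDING, CAP))
    print("bot at cap: ", settle([Tx("user", 20, 100.0), Tx("bot", 20, 100.0)], CAP))
```

The model only covers outbidding on gas price; a miner who chooses the block order directly, the case raised by the source quoted above, is outside what a cap can constrain.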
DEX front-running woes
Indeed, Bancor isn't alone in having to worry about front-runners, which is a common problem across DEXes highlighted by the Cornell Tech study.
In August 2017, the daily profit of a front-running bot could be as high as $2500, as reported by the paper. It is also estimated that these front-running bots have generated over $6 million in total profit across several DEXes to date.
Besides capping the gas price, as Bancor proposed to do, another solution to the front-running issue is a batch auction, the approach favored by Gnosis-produced DutchX. A batch auction settles all deals in a given time period simultaneously and hence eliminates the time lag that gives front-runners a trading advantage. However, this strategy also slows down transaction speeds on DEXes. While it takes milliseconds to do a trade on a centralized exchange, DEXes offer a trading window which may take minutes to hours with a batch auction. Elsewhere, AirSwap has deployed its own solution, dubbed Swap Protocol.
"In this system, traders start by negotiating the terms of a trade off-chain using cryptographic signatures," a company spokesperson said. "When they’re happy with the terms, they submit the trade to the blockchain for processing."
Meanwhile, centralized exchanges like Binance are plagued by problems of their own. Last week, Binance announced a loss of $41 million from the 6th largest hack in history. In a statement, the company said that the hackers stole "a large number of user API keys, 2FA codes, and potentially other info," information that DEXes do not collect, which makes them less susceptible to exchange-wide hacker attacks.