At Enigma, our mission is to ensure adoption and usage of decentralized technologies. We are trying to achieve this mission by bringing privacy and the ability to use sensitive data to blockchains. Enigma is a secure computation protocol which is able to run blockchain functions, or smart contracts, on sensitive (secret) data.

Blockchain is an amazing technology for correctness — however, it comes at the large cost of privacy. Data on blockchains are public by default. This not only limits any application with sensitive data to run in a decentralized manner, but it also limits usability by creating attack vectors such as front-running. Today, I want to discuss the concept of front-running in more detail and describe how Enigma can help solve this critical issue.

An Overview of Front-running

While front-running has existed in traditional finance for decades, it was an illegal attack vector that could only be exploited by insiders. Due to the public nature of blockchains, front-running attacks can be exploited by anyone. Because users can see transactions and their corresponding gas prices before a block is mined, it is possible for an attacker to submit his own transaction with a higher gas price, which would give priority to the attacker and result in his transaction being mined first.

This phenomenon becomes a significant issue with contracts where there’s value being exchanged, such as decentralized exchanges. For most decentralized applications, the order of transactions is irrelevant; but because prices can fluctuate all the time on an exchange, an attacker (Bob) who front-runs another user (Alice) can buy at a low price and immediately sell to that user for a higher price. This negatively affects both exchanges and users.

For this post, we are primarily interested in examining front-running attacks on decentralized exchanges and automated market making (bonding curve) contracts.

Frontrunning on decentralized exchanges (DEXes)

The impact of race conditions and front-running can be easily observed in open order book DEXes, whether it’s to take an order or to cancel it. Let’s use order taking as an example of a race condition and order cancelling as an example of front-running. For the discussion below, a maker is a participant who places an order on the order book and a taker is a participant who takes orders off the book (market orders).

Order taking: When there’s an attractive maker order sitting on the open order book, two honest actors will compete to take the offer. This is a race condition that results in a trade collision, as only one of the actors can fill the order. While most average users don’t have the capacity to look at the orders in the mempool (transactions yet to be mined for the next block), sophisticated bots do. As a result, an average user ends up in a race against a sophisticated bot without being aware of it, and the odds are against him.

Order cancelling: If the price of an asset changes such that the maker order is no longer attractive to execute, the maker will try to cancel the order. An attacker who’s watching the blockchain can see this unmined transaction and will submit his own transaction to execute the order for arbitrage or at the maker’s loss. This means the higher the price fluctuation, the higher the gas price the maker needs to pay in order to not lose money. This scenario can also happen with honest traders, given that the order books in these exchanges are open. (0x is working on a Coordinator to enable soft cancellations; we will discuss it below in more detail.)

Some benchmarks on 0x transactions on open and closed order book relayers attest to the points above. In the open order book model, a taker submits the trade to the main chain and competes against other takers, whereas in the closed order book model, orders are already matched by the central relayer database and there’s no race condition. Comparing gas prices for the 0x contracts between January 6, 2019 and March 6, 2019, we see that the average gas price for a Paradex (closed order book model) transaction is 9.82 GWei, whereas the average gas price for a Radar Relay (open order book model) transaction is 11.55 GWei, or 17% higher. (Thanks to Tom Schmidt of 0x for sharing this data.)

The race-condition phenomenon described above becomes an even bigger issue due to arbitrage bots using atomic swaps. To quote Philip Daian, et al. from Flashboys 2.0:

“Because of the atomic batch-based processing of transactions, and because transactions can themselves be initiated by smart contracts, it is possible to build bots that trade across exchanges through proxy contracts. These proxy contracts can execute batches of orders sequentially within a single transaction, reverting previous trades by throwing an exception if any trade in the batch fails.”

This essentially means that a single transaction can execute multiple trades on multiple exchanges with a guarantee of pure revenue, since the transaction will cancel if the order isn’t met. This will be referred to as pure revenue opportunity later in the document as suggested by Phil Daian, et al. in Flashboys 2.0.

The open order book model means each pure profit opportunity has an associated value and that value is visible to all network participants. As mentioned above in Flashboys 2.0, arbitrage bots and proxy contracts mean it’s an all-or-nothing scenario. Given these two facts, it’s no surprise that a competitive game takes place between arbitrageurs: whose order will execute first and who will take advantage of the opportunity? This triggers what’s named the priority gas auction, in which arbitrageurs effectively try to outbid one another in a race to transact first and capture the pure revenue opportunity. The following transaction, which was identified as a pure revenue opportunity by Phil Daian, et al. in Flashboys 2.0, had a gas price of ~134 GWei, which is an order of magnitude above what we see on average on 0x contracts.

This poses an obvious challenge to exchanges, and it is estimated that arbitrage bots of this kind cost millions of dollars to exchanges and users. This is also detrimental to the entire Ethereum ecosystem as these arbitrage opportunities make it more expensive to interact with Ethereum. While it’s outside the scope of this discussion, I strongly recommend anyone who’s interested in this issue to read the full Flashboys 2.0 paper to see how this can also be detrimental to Layer 1 security.

Frontrunning on automated market makers

Front-running attacks on automated market makers such as Kyber, Bancor and Uniswap are fairly easy to grasp. These contracts work in the following way:

When the supply of the underlying token decreases as Alice is buying, the price of the token increases

When the supply of the underlying token increases as Alice is selling, the price of the token decreases

Given the public nature of blockchains, an attacker can see a large buy / sell order that’s expected to move the price and insert her transaction in front of Alice’s.

This is not really a new finding: Bancor suffered an attack of the kind described shortly after it went live. These attacks can be mitigated by adding maximum slippage options, commit-reveal schemes or batched offers. However, these mitigations don’t fully address the issue.
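
Added example (not from the original post or from any of the exchanges named): a constant-product pool in Python, an assumption standing in for the bonding-curve contracts above, with fees ignored and constructed reserves. It shows how much worse Alice’s fill gets when another buy is ordered ahead of hers, how a maximum slippage bound turns that into a revert, and why the bound does not fully address the issue: any price movement inside the tolerance still goes through.

```python
from dataclasses import dataclass
from typing import Optional


class SlippageExceeded(Exception):
    """The swap would return less than the caller's stated minimum."""


@dataclass
class Pool:
    """Constant-product pool (eth * token = k); fees ignored (assumption)."""
    eth: float
    token: float

    def quote_buy(self, eth_in: float) -> float:
        """Tokens a buyer would receive for eth_in at the current reserves."""
        k = self.eth * self.token
        return self.token - k / (self.eth + eth_in)

    def buy(self, eth_in: float, min_tokens_out: float = 0.0) -> float:
        out = self.quote_buy(eth_in)
        if out < min_tokens_out:
            # On-chain this is a revert: the buyer keeps her ETH.
            raise SlippageExceeded(f"{out:.2f} < {min_tokens_out:.2f}")
        self.eth += eth_in
        self.token -= out
        return out


ALICE_ETH = 10.0  # constructed sample order size


def alice_fill(ahead_eth: float, tolerance: Optional[float] = None):
    """Tokens Alice receives, or None if her swap reverts.

    ahead_eth: size of a buy that gets ordered in front of hers (0 = none).
    tolerance: her maximum slippage as a fraction (0.01 = 1%); None = no bound.
    """
    pool = Pool(eth=100.0, token=10_000.0)   # constructed reserves
    quoted = pool.quote_buy(ALICE_ETH)       # what she was quoted when signing
    min_out = 0.0 if tolerance is None else quoted * (1 - tolerance)
    if ahead_eth:
        pool.buy(ahead_eth)                  # earlier transaction moves the price
    try:
        return pool.buy(ALICE_ETH, min_out)
    except SlippageExceeded:
        return None


if __name__ == "__main__":
    for ahead, tol in [(0, None), (25, None), (25, 0.01), (0.5, 0.01)]:
        print(f"ahead={ahead} ETH, tolerance={tol}: {alice_fill(ahead, tol)}")
```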

To recap, in both of the DEX constructs introduced above, the ordering of transactions matters given that there’s value at stake, and as a result participants get into a gas bidding war.

How can Enigma help?

Enigma is building a secure computation protocol, where network participants and worker nodes are not able to see transactions flowing to the network. In other words, the pool of incoming or unprocessed transactions in Enigma is a secret. This prevents malicious actors from profiting at the expense of honest users by watching the mempool. For a more detailed explanation of Enigma’s network, please visit this post.

Enigma can connect with the existing DEX ecosystem in two ways: i) addressing race conditions and front-running faced by exchanges like 0x through a decentralized coordinator model and ii) implementing order matching logic in Enigma secret contracts.

Addressing race conditions and front-running

The 0x team has been vocal about building a Coordinator that addresses both front-running and trade collision issues. They have recently released their initial implementation of a Coordinator that was implemented by Bamboo Relay. The current implementation is a centralized server and hands out signatures to deal with the issue of soft cancels, yet 0x has expressed their interest to expand the scope of the Coordinator and move to a decentralized model.

We have been working on several ways in which Enigma can facilitate the decentralized coordinator vision. We would welcome community members to work with us to prototype these implementations — see our current work here.

Order matching and execution on Enigma

Another way in which Enigma can help with usability in the DEX ecosystem is to improve the order matching logic. To provide some background:

A market buy order would buy the specified amount at the best prices from the order book. In a market order a user doesn’t know how much they are spending.

A limit buy order, on the other hand, determines a price at which the user wants to buy a certain quantity. If the price goes below that limit, orders execute at the best price available. In a limit order, a user determines the limit (the maximum she will pay for a certain quantity or the minimum she will receive for a certain quantity).

Currently there are no limit orders on 0x. Limit orders on 0x are actually exact value orders. In the DEX model, arbitrageurs match two limit orders and capture the margin between them, whereas those orders would execute at better prices on a centralized exchange. This is arguably a worse UX. The Pure Revenue Opportunity and the Priority Gas Auction phenomena described above occur for this very specific reason. We could imagine a model where, instead of creating these Pure Revenue Opportunities for arbitrageurs that increase gas prices, relayers could submit orders to the Enigma network, where orders are matched and sent to exchange contracts (like 0x) on Ethereum. This way the value that’s currently captured by arbitrageurs can be captured by the relayers.
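
Added example (not 0x’s or Enigma’s code): a minimal Python matcher for a limit buy, with a constructed ask book and hypothetical function names. It compares fills at the resting orders’ prices, which is what a matching engine gives the buyer, with the exact-value model described above, where the difference is the margin a third party can capture.

```python
from typing import List, Tuple

Ask = Tuple[int, int]  # (price per unit, quantity)

# Constructed sample book of resting sell orders, deliberately unsorted.
SAMPLE_ASKS: List[Ask] = [(103, 10), (100, 5), (101, 5)]


def match_limit_buy(asks: List[Ask], limit: int, qty: int):
    """Fill a limit buy against resting asks, best price first.

    Each fill executes at the resting ask's price, so the buyer keeps any
    improvement over her limit. Returns (fills, unfilled quantity); the
    unfilled part would rest on the book as a new bid.
    """
    fills = []
    for price, available in sorted(asks):
        if qty == 0 or price > limit:
            break
        take = min(qty, available)
        fills.append((price, take))
        qty -= take
    return fills, qty


def matched_cost(fills) -> int:
    """What the buyer pays when fills execute at the resting prices."""
    return sum(price * q for price, q in fills)


def exact_value_cost(fills, limit: int) -> int:
    """Exact-value model: the buyer pays her stated price on every unit."""
    return limit * sum(q for _, q in fills)


def captured_margin(asks: List[Ask], limit: int, qty: int) -> int:
    """Margin left for whoever matches the orders in the exact-value model."""
    fills, _ = match_limit_buy(asks, limit, qty)
    return exact_value_cost(fills, limit) - matched_cost(fills)


if __name__ == "__main__":
    fills, rest = match_limit_buy(SAMPLE_ASKS, limit=102, qty=12)
    print("fills:", fills, "unfilled:", rest)
    print("margin:", captured_margin(SAMPLE_ASKS, limit=102, qty=12))
```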

Addressing race conditions in Automated Marketmakers

Enigma can plug into Automated Marketmaker contracts like Uniswap, Kyber and Bancor by replicating liquidity information on a secret contract and taking encrypted orders to update the secret state. This approach would prevent attacks that result in revenue opportunities as described above.