From Zapper Post-Mortem to using Front-run in project defense. Theory post

Introduction:

They story started when my friend Andrei Kei VV firstly noticed that over 30 contracts of Zapper had a critical bug since November 2020. All of them used similar logic of external calls to exchanges like 0x. As a result, anyone who gave an allowance to spend ERC20 tokens to any of those contracts were in danger of losing tokens from their wallet at any time.

The vulnerability in those 35 contracts potentially lets anyone call any method of any contract on behalf of Zapper contracts. Therefore all wallets that had any ERC20 approvals for that contract turn out to be vulnerable. And any exploiter could transfer funds from user wallets to their own directly via specially engineered calls to Zapper contracts.

The problem consisted of possibility to set the address of swapTarget to any ERC20 token and encode a call to transferFrom(userWithAllowance, exploiterAddress, amount) method into swapCallData . As a result, funds will be transferred to exploiterAddress from the userWithAllowance wallet, which gave an allowance to the vulnerable contract any time in past.

After development, VV reached Zapper, collaborated with their dev team, deployed contracts, and performed an attack. In the end, he transferred ownership 0x6a3eedcd970b3ba2c2d24942aa81e46ab07479be02e95e709308e82592615fca of the safe storage contract to the Zapper team.

He hadn’t used any private pool, and as a result, part of his transactions had been frontrunned by some bots. Luckily, the bot owners have contacted the Zapper developer team, and most of the funds appear to be restored.

Body

After reading his post-mortem, I DMed him and asked if frontrun bots can protect the project from the withdrawal of money under “certain” conditions? To me it seemed that Zapper might have been using their own bots.

I received an answer that he doubts that the bots belonged to the project, I asked also on the forum: and got a similar answer, but I decided to look at it again from a different angle.

While searching for information about such cases I found this article where the same use of front-run bots is described (coincidence or not there were two of them there too), and some other less known cases: With Curve and Wild credit.

Apparently, the Bancor Team or some white hackers discovered this issue before anyone could begin draining user wallets and made attempts to rescue user funds by withdrawing them from user wallets. Subsequently, two automatic front-runners joined in, helping the Bancor Team to withdraw funds from user wallets.

As a result, it lead to that even if now such bots are used only by the community, and not used by projects, now it’s the time to integrate them into SIEM and other tools for monitoring incidents. It opens a unique opportunity for the first fair use of frontrun.

The only one question still remains, wether it is ethically correct or not? Personally, I took an easy way out and made the decision that lets me sleep the most soundly: returning the money to users is worth it.

4 Likes

Several tools that might be connected with the Guard Frontrun Bot :

Setting other scoring methods also theoretically possible, for example for TXs performed without own pool for over 1 million $. Or connecting it with amlbot.com as an addition to scoring.

5 Likes

These are all great observations and questions. The forum recently had a poster suggest an “ethics” tag for discussions of ethics within the space, and I feel this thread would probably qualify for that tag.

In that context, the ethical debate of whether frontrunning can be used for good or not seems to be less about the “if” than the “who controls the bots”?

Considering the outcome of the Zapper vulnerability discovery in tandem with the white hat front-running, it’s abundantly clear that front-running CAN be ethical and CAN be used for good. The issue is “it’s done for good until it’s not”.

Let’s suppose we create a “front-run for good” project in the same vein as the Flashbots. What makes them ethical or unethical? The intentions? Actions? Results?

Is front-running for good with no results “ethical”?

In that context, I believe as long as the intentions are good, and the actions are meant for the greater good, there is no question in my mind that front-running can be used for the benefit of the community. Again, the issue becomes “who is writing the scripts for the bots, and what is their intention?”

I see the act of “front-running” as inherently “neutral”. It is the “what is being done with the front-run transaction” that determines the “ethical implications”.

5 Likes

This is such a great and difficult question. There are so many camps of thought on this that it can become dizzying and so murky to get into, but it’s still a fundamentally important question. My initial thought would be that a utilitarian perspective probably provides the most guidance because of its focus on outcomes. In this crypto ecosystem, we can actually track outcomes on the block, so it gives everyone the same point of entry into the discussion. That keeps us away from worrying about intention or rationales; notoriously difficult variables to reliably access and assess. Obviously, that creates many blind spots as well, but considering the ethical implications of scripts is a great point of entry to considering what blockchain does as a technology to the world around us.

This discussion has a lot of connection to the post @jasonanastas recently wrote. Research Summary: “Blockchain Ethics Research: A Conceptual Model”. One of the many takeaways I got from that was that the original authors seem to be pulling together and proposing ethical checksheets. Could we apply one of those frameworks, such as theThe PAPA Framework for Data Ethics to this post-mortem as a way to test out these checksheets to see if their application brings us to clearer answer to @OffcierCia’s question:

4 Likes

I think it is “logical” to look at the outcome of something to determine its “impact”, but in the context of ethics, “intention” cannot be taken out of the equation. In that, if someone “intends” to do something malicious, but the results are accidentally beneficial to the ecosystem, does the outcome negate their intentions?

I would assert that the intentions still were malicious, and thus the actor was a “malicious actor” even if the results of their actions were a “net positive” for the ecosystem. I believe unethical intentions can result in outcomes that “appear” to have ethical implications, and as such we can assess the level of ethics at the “intention”, “action”, and “outcome”. Was the “intention” ethical? Was the “action” ethical? Was the “outcome” ethical? Three questions that can have three different answers in the same situation and not be contradictory.

In that same light, someone with perfectly ethical intentions could act in a way that results in an unethical outcome. The DAO hack rollback is an example that is still being debated on whether the rollback was “ethical” or not, even though the rollback benefited the ecosystem.

5 Likes