MultiversX Tracker is Live!

Analysis of Front Running Scams Bots

All Cryptocurrencies

by COINS NEWS 148 Views

Analysis of Front Running Scams Bots

I'm going to try to introduce you to a type of scam that I think is resurfacing at the moment. I've seen it passed around quite a few times on social networks and even on Reddit. I am not an expert on the subject but I hope to enlighten some people and especially to prevent some novices from being scammed.

Finally, I'm going to show you ONE way this scam works, although you can imagine that there are many creative alternatives.

This crypto scam promises to make you several hundred dollars a day with a Solidity bot that uses the front running principle.

First of all, what are we talking about?

I will answer this question quite simply with an explanation found on the Certik website (sources below):

Front running is the process of utilizing inside knowledge of an unconfirmed transaction to conduct a trade ahead of the original one, essentially beating it to the punch and taking all the profit on offer.

Each blockchain has a mempool or transaction pool.

The scam we analyze here operates on the Ethereum network which uses a mempool.

In short, when a transaction is conducted on a blockchain it needs to be validated first. This is because blockchains are immutable, they cannot be changed afterwards.

Transactions need to be checked for errors, and be confirmed by validators that they adhere to the rules of the network, before they are made live. When a user submits a transaction, it will sit in the mempool until a validator approves it. Transaction fees are the price users pay for validators to perform this work. A higher transaction fee (also called gas fee) increases the chance that a validator will pick up their transaction.

Users can access the mempool and view pending transactions, which means they can also see unconfirmed trades. A front runner will submit their own transaction to take advantage of another transaction. They’ll pay a higher gas fee to ensure the validators process the front running transaction first.

Front running process

In practice, there are other variables to take into account, such as slippage. Slippage occurs when the price of the token changes in the time between a user submitting a transaction to the mempool and it being confirmed on the blockchain. Slippage settings can protect a user from large fluctuations in a token's price when buying and selling. If the price moves more than the allowed slippage between the user submitting the transaction and validators approving it, the transaction will be rejected, saving the user from paying a much worse price than the one they agreed upon.

Slippage protection kicks in if a transaction would have resulted in a negative outcome for the user. For example, imagine a user's slippage is set to 0.5%. If they sell tokens and the price increases 10%, the transaction will still go through as it's beneficial to the user. But if they were on the other side of the transaction, setting their slippage tolerance to 0.5% would prevent them from buying tokens at a 10% markup.

Tokens with low liquidity will often advise setting slippage much higher to ensure transactions go through.

Slippage

But then how can such a "complicated" concept for a novice become so appealing?

It all starts with YouTube videos and a lot of comments under them. The videos are often short and very instructive, the victim is even reassured by "checking" the smart contract and the addresses present in it:

Smart contract code

After a first quick look, we return our variables with the correctly associated wETH token (https://etherscan.io/token/0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2).

The repositories to Uniswap are also original addresses. As for the formulas for the front-running part, it is very complex but it seems coherent.

The actor then directs viewers to go to Remix, which is a genuine tool used for testing and deploying smart contracts.

Viewers are told to connect their Metamask wallet to Remix. So, as in the video, you will create a "bot.sol" file, then copy and paste the code into that file.

In the end, you find absolutely nothing suspicious and decide to continue the experiment. So you compile your code as in the tutorial and there. Wonderful, everything seems to work fine.

Finally, the last step, deploy the contract on the Ethereum blockchain. You click on the Deploy button. The window allowing to check the MetaMask transaction appears and you validate, everything seems correct, the fees are consistent, the action allows to create the smart contract, once again everything seems to be going well.

Once again, you are rather cautious and as you do things right, you start by sending 0.01 ETH on the contract. A quick glance shows you that your Ether fragments are there and you decide to put a little more to test this bot in real conditions.

Overview of transactions after depositing ETH on the contract

Everything is going well, the blockchain confirms your deposits and that they went well. Now, there is only one thing left to do: launch the solidity bot.

The big moment has arrived, and despite some doubts, you give in to temptation and click on the Start button which is holding out its arms to you. A new MetaMask transaction is displayed to give your approval, which you check once again, so that you have a clear conscience and don't miss anything.

After a look at the blockchain contract, the bot seems to be on its way, but one thing catches your sharp eye. Curiously, the balance of the contract is now at 0.

A few hours pass and finally the contract balance is still at 0. Since this doesn't work, it's time to get your ETH back. One click on the withdrawal button and a new MetaMask transaction appears. Again, you take all the necessary precautions before signing the transaction.

A few moments later, the transaction is finally validated. Unfortunately, you don't get your money back and you have been scammed and will never see your ETH again.

But what happened?

First of all, it is very likely that the video you have just seen has been slightly modified.

Secondly, you have probably used a version of Remix that is compromised. Indeed, here are various addresses with alternative versions of Remix whose aim is to scam you:

remixethereumcompiler.net/

remixethereumcompiler.github.io/

remixethereum-ide.github.io/

remix-eth.github.io/

To save you searching, the official Remix address is: https://remix.ethereum.org/

Even if the interfaces look similar and everything works perfectly, it is perfectly possible to hijack the source code you submitted. For example, by simply changing the removal address that should be yours to that of a hacker. This type of manipulation is done with a simple line of code in JavaScript.

Finally, the code uses complex functions that use the mempool with bytes as well as numbers that are incomprehensible to a novice (or to most people actually).

These complex functions will simply generate the address of the hacker or a new function that will step into the process to make a withdrawal :

Generating an address using functions

As you can see, using source code that you do not master can cause great damage. You should not trust the names of variables, functions and even comments. It is easy to misuse code by making it look like it does one thing when in fact it does another.

Conclusion

Never run any code that you don’t fully understand or trust. It only takes one line of code to convert a seemingly innocent contract into a malicious one.

The golden rule of scamming applies here: if it seems too good to be true, it probably is. Be wary of any trading strategies or techniques that promise outsized returns, and don't execute any code unless you know exactly what you're doing. Your wallet will thank you.

Sources (or for more information):

https://aucoindubloc.com/arnaque-crypto-bot-front-run-solidity/

https://www.certik.com/resources/blog/4vyzhUfARnkBQZkkx2eGeb-front-running-scams

https://coinsbench.com/beware-of-this-resurfaced-nasty-crypto-scam-6a8d69b61adf

https://medium.com/illumination/dont-be-fooled-by-this-crypto-scam-ac12606f2c40

Edit :

It was this article that just appeared on Medium that made me want to do this post. This is obviously a scam, so beware:

https://medium.com/@GeorgeBates.eth/how-to-make-50k-passive-income-in-2-month-mev-front-running-on-uniswap-arbitrage-bot-mev-bot-cdf62f5c6daa

submitted by /u/Emeric59
[link] [comments]

Get BONUS $200 for FREE!

You can get bonuses upto $100 FREE BONUS when you:
πŸ’° Install these recommended apps:
πŸ’² SocialGood - 100% Crypto Back on Everyday Shopping
πŸ’² xPortal - The DeFi For The Next Billion
πŸ’² CryptoTab Browser - Lightweight, fast, and ready to mine!
πŸ’° Register on these recommended exchanges:
🟑 Binance🟑 Bitfinex🟑 Bitmart🟑 Bittrex🟑 Bitget
🟑 CoinEx🟑 Crypto.com🟑 Gate.io🟑 Huobi🟑 Kucoin.



Comments