One of the most significant advantages of blockchain technology is its transparency. The data is publicly available so that anyone can view the transactions. But on the flip side, the same data is also available to bad actors. They exploit the open data in endless ways.
For instance, a malicious trader can get prior knowledge of upcoming transactions with market-moving potential and place an order before the others to sell the assets later at a higher price. This is known as front-running.
Front-running attacks can take place in any market, and they are common in the NFT space as well.
The NFT front-running process
Consider a typical scenario of an NFT purchasing process. Most NFTs run on the Ethereum blockchain. When you want to buy an NFT, you must pay a gas fee in addition to the NFT’s price. Gas fees are used to reward Ethereum miners for verifying and conducting the transaction.
Now, think about what happens if you pay a higher gas fee than other transactions. Your order will be prioritized, and miners will process it before the others.
This is how NFT front-running occurs. By paying high gas fees to accelerate their own transactions, traders with bad intentions are able to place orders ahead of the major orders that can affect the market price of that NFT.
In practice, front-running bots are used to achieve this.
How do front-running bots work?
Bots automate front-running trades. The bot scans the pending transactions on the blockchain and detects a profitable transaction. It then estimates the gas price of that transaction, copies the transaction and submits the copy with a higher fee.
Put another way, front-running occurs when the bot discovers the transaction after it has been broadcast but before it has been confirmed, and manages to have its own transaction completed before the original transaction.
All of this happens in milliseconds, making it impossible for manual traders to compete.
Sandwich attacks are a popular form of NFT front-running
In a front-running event, attackers can also place two orders simultaneously: one before and one after the trade that they want to copy. In other words, the original trade is sandwiched between the two fake transactions.
In this case, the original transaction will still execute. However, since the price will increase, its trader won’t receive the intended advantage.
Let’s say trader A places a genuine bid on an NFT at a higher price than the current best offer in an NFT marketplace. Trader B detects this pending transaction and inserts two orders at the same time: one to buy the NFT asset at the best offer, and one to put the NFT up for sale at a price slightly higher than trader A’s bidding price. When the transaction of trader A takes place, the attacker benefits from this price difference.
Methods to mitigate NFT front-running
There are primarily two approaches to combat front-running attacks.
- Transaction sequencing
In this approach, traders and miners are forced to follow an ordering rule so that paying higher gas fees won’t allow front-running. One such rule is the Canonical Transaction Ordering rule proposed for Bitcoin Cash. It enforces sequencing according to transaction IDs.
- Improve confidentiality
Some blockchain protocols allow users to improve their privacy through private mempools. Mempools (memory pools) are the places where the pending transactions are stored on the Ethereum blockchain. Private mempools are paid services that help receive bots’ key information and detect which transactions they intend to exploit. One example of a blockchain protocol that leverages private mempools is Omnia.
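The transaction sequencing approach above can be seen in a small model that sequences the same two pending transactions under a fee-priority rule and under ordering by transaction ID. This is an added example, not code from any blockchain client; the `Tx` class, the trader names, the payload strings and the use of SHA-256 over the fields as the transaction ID are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    sender: str
    payload: str
    gas_price: int  # fee offered per unit of gas (constructed units)

    @property
    def txid(self) -> str:
        # Assumption: SHA-256 over all fields stands in for a real chain's tx hash.
        raw = f"{self.sender}|{self.payload}|{self.gas_price}".encode()
        return hashlib.sha256(raw).hexdigest()


def fee_priority(mempool):
    """Highest gas price first: the ordering that lets a higher fee buy an earlier slot."""
    return sorted(mempool, key=lambda tx: tx.gas_price, reverse=True)


def canonical(mempool):
    """Lexicographic order by transaction ID; the fee is never consulted as a sort key."""
    return sorted(mempool, key=lambda tx: tx.txid)


def lands_before(order, first, second):
    """True if `first` is sequenced ahead of `second` under the given ordering rule."""
    block = order([second, first])  # `second` arrived earlier
    return block.index(first) < block.index(second)


# Constructed sample data: a genuine bid and a copy of it that offers more gas.
ORIGINAL = Tx("trader_a", "bid nft#1", gas_price=30)


def outbidding_copy(gas_price):
    return Tx("trader_b", "bid nft#1", gas_price)


if __name__ == "__main__":
    print("fee  fee_priority  canonical")
    for fee in (31, 60, 120, 500):
        copy = outbidding_copy(fee)
        print(fee,
              lands_before(fee_priority, copy, ORIGINAL),
              lands_before(canonical, copy, ORIGINAL))
```

Under `fee_priority` the copy is sequenced first for every fee above the original's, while under `canonical` its position follows only the comparison of the two transaction IDs.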
Despite these precautions, front-running attacks are unavoidable in most cases. That’s why traders should also consider dividing large transactions into smaller ones.