A transaction made on Uniswap V3, the popular decentralized exchange (DEX) built on Ethereum (ETH), has raised suspicions in the community. In it, a user tried to swap approximately $221,000 in USDC, a stablecoin pegged to the dollar, for the equivalent in USDT, another stablecoin.
However, the result of that operation was a loss of approximately $216,000, which led Michael Nadeau, founder of The DeFi Report, an on-chain analysis site covering decentralized finance (DeFi), to publish a preliminary analysis on the social network X.
Initially, it was believed to be a computer attack
At first, Nadeau suggested that the user had been the victim of a computer attack known as a "sandwich attack". As he explained, a bot designed to capture miner extractable value (MEV) manipulated the transaction by front-running it, withdrawing all the USDC liquidity from the Uniswap pool and then returning it after the swap was executed.
An MEV bot is a program that identifies and exploits profit opportunities in pending transactions before the network confirms them, a phenomenon that arises from the way miners or validators prioritize operations according to the fees offered.
That mechanism would have left the user with a significant loss in a pool that, in theory, had more than 35 million dollars in liquidity between USDC and USDT, according to The Defi Report estimates.
A "sandwich attack" occurs when an actor, usually an automated bot, detects a pending transaction in the network and manipulates it in its favor. First, it performs an operation just before the victim's (front-running) to alter the pool conditions, such as the price of the assets, and then executes another operation immediately afterwards (back-running) to benefit from the change, leaving the original user with an unfavorable result.
When the user tried to swap their 221,000 USDC for USDT, the price would have been so distorted by the attacker that the user received only a fraction of what was expected (about 5,000 USDT), losing $216,000. Immediately afterwards, the hacker would have returned the liquidity to the pool (selling USDT for USDC), taking advantage of the imbalance he had created and making a profit as the price returned to its normal state.
According to Nadeau's data, the attacker paid $200,000 to the block builder (in this case, identified as "bobTheBuilder") to ensure that these three transactions (the attacker's initial one, the user's, and the attacker's final one) were executed in the exact order and in the same block. Without this bribe, another validator could have processed the transactions differently, preventing the attack.
Thus, according to the investigator's publication, the attacker would have obtained a gain of $8,000 from his own transactions (front-running and back-running) after manipulating the pool. It is not money "taken" from the user directly in a physical sense, but the result of buying and selling strategically in the pool at altered prices.
A second presumption: money laundering through cryptocurrencies
However, Nadeau's analysis did not stop at the computer attack hypothesis. After reviewing the details, he raised an alternative possibility, although he did not elaborate on it:
“It seems that this could be money laundering. But what makes no sense is that the attacker (or money washer) paid $200,000 as a bribe to include the transaction. Why do that instead of using a mixer?”
Michael Nadeau, founder of The Defi Report.
Cryptocurrency money laundering involves, among other practices, hiding the origin of illicit funds. To do so, those who carry it out use mixers, which are services that combine the transactions of multiple users to make them harder to trace.
Nadeau's question points to the incoherence of the attacker paying such a high sum ($200,000) out of his own pocket to a block builder ("bobTheBuilder") to prioritize the transaction when a mixer would be "a more discreet and economical option."
Nadeau raises the idea that the purpose of the transaction may not have been a direct economic gain (as in a typical attack), but to hide the origin of the funds.
Uniswap's version: a configuration error
A member of the Uniswap DEX team, who goes by "Nikokampouris", joined this discussion. In a post on that social network he explained that this "was not done in the Uniswap interface (which has suggested slippage settings); it was performed through the old v3 swap router (not the universal router); it seems that they set the slippage to 100% for this operation". His words suggest that the incident did not happen within the usual parameters of the official platform, which changes the narrative.
The Uniswap interface includes default protections against slippage, a term that refers to the difference between the expected price of a swap and the actual price at execution, something that can vary because of movements in the pool or external manipulation.
Those settings are meant to minimize losses in scenarios such as sandwich attacks. However, the user who swapped the USDC for USDT did not use that interface, but the old v3 swap router, a smart contract that allows direct operations but without the safeguards of the current interface.

In addition, according to the DEX team member, the slippage was set at 100%, which means that the user allowed the transaction to be completed regardless of how unfavorable the final price was. In practice, this is equivalent to giving up any protection against extreme manipulation or price fluctuations.
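The effect of that setting, as an added example that is not code from the article or from Uniswap: a simplified constant-product pool (not Uniswap V3's concentrated-liquidity math) with an assumed 0.01% fee, constructed reserves and hypothetical function names; only the 221,000 USDC input comes from the article. The same swap reverts under a 0.5% tolerance and fills at any price under a 100% tolerance.

```python
from decimal import Decimal

FEE = Decimal("0.0001")  # assumed 0.01% pool fee (not taken from the article)


class SlippageExceeded(Exception):
    """Raised when the output falls below the caller's minimum (swap reverts)."""


def amount_out(reserve_in, reserve_out, amount_in, fee=FEE):
    """Output of a constant-product (x * y = k) pool for an exact input."""
    net_in = amount_in * (1 - fee)
    return reserve_out * net_in / (reserve_in + net_in)


def min_out(quoted, tolerance):
    """Minimum acceptable output for a slippage tolerance given as a fraction."""
    if not Decimal(0) <= tolerance <= Decimal(1):
        raise ValueError("tolerance must be between 0 and 1")
    return quoted * (1 - tolerance)


def execute(reserve_in, reserve_out, amount_in, amount_out_minimum):
    """Swap against the pool state at execution time, enforcing the minimum."""
    out = amount_out(reserve_in, reserve_out, amount_in)
    if out < amount_out_minimum:
        raise SlippageExceeded(f"got {out:.2f}, minimum {amount_out_minimum:.2f}")
    return out


def outcome(tolerance):
    """Quote on a balanced pool, then execute on a pool that moved meanwhile."""
    amount_in = Decimal("221000")  # USDC in, the figure reported in the article
    # Constructed reserves at quote time: a balanced USDC/USDT pool.
    quoted = amount_out(Decimal("17500000"), Decimal("17500000"), amount_in)
    limit = min_out(quoted, tolerance)  # 100% tolerance makes this limit zero
    try:
        # Constructed reserves at execution time: the USDT side is almost empty.
        got = execute(Decimal("9000000"), Decimal("210000"), amount_in, limit)
        return "filled", quoted, got
    except SlippageExceeded:
        return "reverted", quoted, None


if __name__ == "__main__":
    for tol in (Decimal("0.005"), Decimal("1")):
        status, quoted, got = outcome(tol)
        detail = f"{got:,.0f} USDT" if got is not None else "no funds moved"
        print(f"tolerance {str(tol):>5}: quoted {quoted:,.0f} USDT, {status}, {detail}")
```
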
The Universal Router, mentioned by Nikokampouris, is a more recent and optimized version of Uniswap's contracts, designed to improve user experience and security. The fact that the transaction used a previous version suggests an oversight or a deliberate decision by the operator.
The combination of these factors (execution outside the current interface and a maximum slippage tolerance) could explain the loss without needing to attribute it only to an attack or to money laundering.
Thus, Nadeau's analysis and Nikokampouris's conjectures reflect both the sophistication of decentralized finance and the difficulty of interpreting events on the network. Nadeau's first hypothesis, that of the sandwich attack, is plausible given the history of this type of exploit on Uniswap and other DEXs, while Uniswap's side points to an oversight by the user who made the transaction.