If you don’t know what MEV is google is your friend and you probably landed here by accident. Whilst this post is Ethereum focussed, these topics are relevant for most chains. “Sandwich attacks” are probably the most bemoaned form of MEV. I wager no value judgement herein but aim to make observations.
This article is about the evolution of the crypto market structure and the evolution of the MEV competition in response, specifically sandwich attacks.
As usual, I’ll start with disclaimers and humility. There may be errors, wrong conclusions, etc. This is a quick post to share some ideas and observations, not to the standard of research paper. Please message me at twitter if there is something erroneous or for any feedback of course.
The data used is a combination of Flashbots blocks data and normal chain block data.
MEV Sandwich attacks
If you don’t know what a sandwich attack is, you can read here on the MEV wiki.
If you are of the programming persuasion, the inimitable libevm offers a straight-forwards educational code example of a basic uniswap-v2 sandwich attack here on github.
So, we know what a sandwich attack is. What about more modern “routers” and crypto market structure?
Auto/Smart Routers
There are man DEXes, and many pools of liquidity that could be used to execute a given swap. There are now also many [“auto-routers”, “smart-routers”, “aggregation-routers”, “aggregators”, …] to navigate all of this effectively. For simplicity I’ll just say “routers” from here, although they have been called routers in their original, simpler form for years.
Here is an image from this blog post on the 1inch blog, introducing their v3 router in March 2021. This picture illustrates the basic idea of a “router”. You send your swap to the router, it looks across liquidity source/ DEXes, chops up your order (assuming it is large enough to warrant it), and routes your swap across these places. The goals are to get you the best possible transaction price (lowest cost, etc).
In November 2021, 1inch released their v4 router. Blog post here. This quote indicates platform changes aimed at achieving the overall customer goals mentioned above:
Thanks to the improvements, users will be able to make swaps with the 1inch Router v4 5.4% cheaper on average than the same swaps made directly on DEXes, such as Uniswap.
1inch also introduced other interfaces/features found on traditional markets (RFQs, limit orders, etc) in the v4 router release. All of these interfaces may have interesting angles from a MEV perspective.
Here is a route from ETH to CRV on 1inch as I write this:
You can see that the swap will be routed across multiple liquidity sources/pools/DEXes, etc.
1inch is, of course, not alone. Remember, the DEXes are competing with each other, just like the bots and other agents trading in these markets are competing with one another.
Uniswap V3 was a big set of changes
There is a lot one could talk about with Uniswap-V3. I’ll only mention an aspect of their auto-routing for purposes of this post. You can read elsewhere about Concentrated Liquidity and the other Univ3 features. For more MEV reading, here is a good thread on JIT liquidity MEV on Uniswap V3 by Chainsight Analytics.
As with 1inch above, I went to Uniswap, entered a swap for Ξ100/CRV. With a bit of clicking, you can see the default is shown below. “Auto Router” that will split that order across the below pools.
*Note that the 1st 2 swaps are ETH to CRV, the 3rd swap is ETH - USDT, then USDT - CRV. There are multiple paths, some of which are even more complex than a straight A:B swap on 1 DEX. This illustrates how the order routing gets more complex as markets evolve.
How does this all connect?
As I mentioned in a tweet the other day:
Auto/smart-routing → more efficient/ cheaper exec → larger orders.
Off-chain the slicing of big into small orders "hides" implied meta-order & spreads impact
On-chain the meta-order is no longer implied but visible
Trading is an info-game. On-chain there is new info leakage
As the market/DEXes (and CEXes) competes for marketshare, they will add functionality that customers want. This should make it easier for customers to execute increasingly large orders with decreasing costs. This does make things more complex. These larger swaps are information, and in some cases, this information can be used for profiteering bots. Market structure has evolved in traditional markets for years along these lines. As market structure evolves, competition among agents trading for on those markets also evolves.
There are other interesting routers/complex paths to market that we’ll touch on in examples, but I wont’ describe as with 1inch and Uniswap.
Sandwiches + Routers
Here, we’ll go into a few examples of where routers take in swaps, perform their logic, send swaps around, and the bots get involved.
Example #1, 1inch V3 Router
Here is a 1inch v3 router example in block #14212378. This 3 part transaction bundle shows the standard pattern, transaction before, transaction in the middle, transaction afterwards.
Here is that same transaction shown in the Flashbots bundle explorer:
If you don’t know what Flashbots is, go have a read. For the purposes of this small write-up, with Flashbots searchers/users submit “bundles” of transactions that atomically happen or don’t. A user submits these bundles to the Flashbots relay where they participate in an auction. Then the relay submits the best bundles (you can read the rules) to the miners for acceptance into blocks.
Back to our 1inch v3 example. Here is the first (bot) transaction in the sequence, as it landed on chain:
Here is the second (router) transaction:
Here is the final bot swap:
Explained:
- The initial user swap into the 1inch v3 router was ~7.2 ETH in and some amount of XFT out. There was some slippage settings, etc.
- This was split by the router across Uniswap V3 and Sushiswap.
- The Sushiswap leg was surrounded by the bot.
Example #2, ZeroEx Proxy
This example is in block #14212391.
Here is the same sequence in the bundle explorer:
Here is the first (bot) transaction
Here is the second (router) transaction:
Here is the final (bot) transaction
Explained:
- The initial user swap into the ZeroEx proxy
- This was split by the router across 1) executed with 0x Protocol and 2) sent to Uniswap V2
- The Uniswap V2 leg was surrounded by the bot.
The theme is the same normal sandwich theme, front-run, target transaction, back-run. The routers themselves have some differences of course. Across routers and interfaces of various sorts, is interesting nuance.
Example #3, Metamask: Swap Router
Links: Etherscan block, Bundle explorer
This one again, has its own nuances. Go look at the details of each transaction in the bundle on your own. I’ll move on to a few more examples for now without being exhaustive.
Example #4, Uniswap V3: Router 2
Links: Etherscan, Bundle explorer
This one does have some cool features. The Uniswap V3; Router 2 has so many transactions and interesting MEV.
Here is the first (bot) transaction
Here is the second (router) transaction
Here is the third (bot) transaction
This one has some cool features inasmuch as it works on 2 of the 3 legs of the router swaps.
There are very many interesting Uniswap V3: Router 2 transactions when you look. Here are 2 back-to-back at the top of the same block.
Example #5, CoW Protocol: GPv2Settlement
I didn’t really expect to see this one. A lot of the transactions for CowSwap execute via Flashbots. I’m not 100% clear on the CoW Protocol: GPv2Settlement vs CowSwap, etc, but if you look at the transactions at the CoW Protocol: GPv2Settlement contract address you will see many transactions do route through Flashbots. In case you didn’t know, you can see if a transaction went through Flashbots on Etherscan like this:
Here, for example, is an example of the CoW Protocol: GPv2Settlement contract transacting via Flashbots.
Here are the bundle explorer and Etherscan links to a CoW example. (The same bot actually also has a second bundle right behind the CoW example on the 1inch v4 router).
Here is the first (bot) transaction
Here is the second (router) transaction. There is a lot going on in this transaction. There is more to scroll through in the transaction link.
Here is the final (bot) transaction
There is a better view of the gorey details of the cow transaction here. Or here pic below. If you’ve not used either ethtx.info or tenderly tools/explorers of those explorers go check them out.
There are plenty of interesting things to say about this transaction and the routing, but for now, I think I’ve typed enough. One of the legs of that complex transaction gets sandwiched.
Concluding
The goal for this was to describe some sandwich attacks as they are today. Clearly the bots evolve as market systems evolves.
Each router has many different interfaces and parameters. I’m sure the effort going into the methods is significant. Although all of these have “the sandwich pattern”, there are many interesting features that make some of them more interesting, smart and creative even.