Beware of a sandwich attack in DeFi.
I am a fan of DeFi, but I am very cautious about it, as I have always considered DeFi to have risks. In my earlier posts, I have already mentioned impermanent loss, changes in the liquidity APR, and the locking of capital in the pool. But there is another issue in DeFi that I recently learned about, one where we can say that the user was completely rekt by a transaction. Some are considering this a money-laundering option, as the user himself gives the attacker the opportunity to rekt him, and the two may be colluding with each other in the background.
The user lost more than $700K USDC in a transaction and, to be honest, it is not just a case of losing $700K USD: the user lost almost 97.5% of their initial money. It is a very different picture from a user paying 2.5% in transaction fees for a transaction; in this case, it looks like the user lost 97.5% in the transaction.
What exactly happened?
A DeFi user was using the Uniswap V3 protocol. The user wanted to swap $732583 USDC to USDT. (Note that both USDC and USDT are stablecoins, so the expectation is that the user will get almost the same amount of USDT after performing the swap.) The user actually received $18000 worth of USDT, losing more than $700000 worth of money in this transaction.
How did it happen?
If you have ever done a transaction or performed a swap on a DeFi platform, you will have noticed the slippage tolerance setting in the interface. Slippage tolerance sets what percentage of loss you can bear relative to the amount you were shown when you started the transaction, and therefore the minimum amount you are willing to receive when swapping one asset for another. The user had set a slippage tolerance of 100%, and the amount you receive in a swap is a function of the liquidity of both tokens in the pool. The user's transaction was intercepted, and an MEV bot placed its own transactions before and after the user's large transaction.
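The effect of the slippage setting, as an added example that is not from the original post: it uses a simplified constant-product pool rather than Uniswap V3's actual math, and the reserves, fee and trade sizes are constructed values.

```python
from dataclasses import dataclass

FEE = 0.003  # assumed pool fee of 0.3% (constructed value)

class SlippageExceeded(Exception):
    """Raised where an on-chain swap would revert."""

@dataclass
class Pool:
    """Simplified x * y = k pool; Uniswap V3's real math is more involved."""
    usdc: float
    usdt: float

    def quote(self, usdc_in: float) -> float:
        """USDT paid out for usdc_in at the current reserves."""
        x = usdc_in * (1 - FEE)
        return self.usdt * x / (self.usdc + x)

    def swap(self, usdc_in: float, min_out: float) -> float:
        """Execute the swap, or refuse if the output is below min_out."""
        out = self.quote(usdc_in)
        if out < min_out:
            raise SlippageExceeded(f"{out:,.0f} USDT < floor {min_out:,.0f}")
        self.usdc += usdc_in
        self.usdt -= out
        return out

def min_out(quoted: float, tolerance: float) -> float:
    """Floor the user signs: tolerance 0.005 means 0.5%, 1.0 means 100%."""
    return quoted * (1 - tolerance)

def victim_outcome(tolerance: float, moved_first: float):
    """Quote on a fresh pool, let another trade land first, then execute.

    Returns the USDT received, or None if the slippage check rejects the swap.
    """
    pool = Pool(usdc=2_000_000, usdt=2_000_000)  # constructed reserves
    amount = 100_000                              # constructed trade size
    floor = min_out(pool.quote(amount), tolerance)
    if moved_first:
        pool.swap(moved_first, 0)  # someone else's trade is ordered ahead
    try:
        return pool.swap(amount, floor)
    except SlippageExceeded:
        return None

if __name__ == "__main__":
    for tol in (0.005, 1.0):
        for moved in (0, 1_000_000):
            print(f"tolerance={tol:.1%} moved_first={moved:>9,} ->",
                  victim_outcome(tol, moved))
```

With 100% tolerance the floor is 0, so the swap executes at whatever price the pool has been moved to; with 0.5% the same swap is rejected and the funds stay in the wallet.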
Is it planned?
Since the user did not use any frontend and allowed slippage of 100%, some analysts have been led to wonder whether the user colluded in this sandwich attack to launder the funds. The wallet initiating the transaction was likely funded by a mixer, and no frontend was used to limit slippage for this transaction.
My 2 cents.
I am not sure if the user really lost their funds or if it was all planned, but there are 2 lessons to be learned from here.
a.) Do not do a very big single transaction; it is better to break it into chunks of smaller value.
b.) Always set your "slippage tolerance/percentage" to a realistic value, or to the value that you expect to happen while performing the transaction.
I hope everyone will now be more careful and cautious while interacting with any DeFi protocol.