Anatomy of Front Running Scams
12/1/2022

Introduction

If you've spent any amount of time in Web3 you have likely seen advertisements on social media claiming to teach you how to make $1000+ a day using a front running bot. These ads will link you to a YouTube video showing you how to create and deploy a front running script that will instantly start generating "profits."

A quick search on YouTube shows a number of these scams that claim to teach users to use a front running bot to make profits that are (literally) too good to be true.


In this post, we’ll break one of these videos down and show you exactly how you are being scammed.

What is Front Running?

Before we break down the front running video, let’s define what the term actually means.

Front running is the process of utilizing inside knowledge of an unconfirmed transaction to conduct a trade ahead of the original one, essentially beating it to the punch and taking all the profit on offer.

Each blockchain has a mempool or transaction pool.

The scam we analyze here operates on the Ethereum network which uses a mempool.

In short, when a transaction is conducted on a blockchain it needs to be validated first, because blockchains are immutable: once a transaction is recorded it cannot be changed afterwards.

Transactions need to be checked for errors and confirmed by validators as adhering to the rules of the network before they are made live. When a user submits a transaction, it will sit in the mempool until a validator approves it. Transaction fees are the price users pay for validators to perform this work. A higher transaction fee (also called a gas fee) increases the chance that a validator will pick up the user's transaction.

Users can access the mempool and view pending transactions, which means they can also see unconfirmed trades. A front runner will submit their own transaction to take advantage of another transaction. They’ll pay a higher gas fee to ensure the validators process the front running transaction first.

Below is a simplified diagram of front running using fake numbers to demonstrate the process:


Diagram: Demonstrating the front running process as it relates to the transaction validation sequence.

In practice, there are other variables to take into account, such as slippage. Slippage occurs when the price of the token changes in the time between a user submitting a transaction to the mempool and it being confirmed on the blockchain. Slippage settings can protect a user from large fluctuations in a token's price when buying and selling. If the price moves more than the allowed slippage between the user submitting the transaction and validators approving it, the transaction will be rejected, saving the user from paying a much worse price than the one they agreed upon.

Slippage protection kicks in if a transaction would have resulted in a negative outcome for the user. For example, imagine a user's slippage is set to 0.5%. If they sell tokens and the price increases 10%, the transaction will still go through as it's beneficial to the user. But if they were on the other side of the transaction, setting their slippage tolerance to 0.5% would prevent them from buying tokens at a 10% markup.

Tokens with low liquidity will often advise setting slippage much higher to ensure transactions go through.
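The slippage behaviour described above, as an added example that is not part of the CertiK post: a constant-product (Uniswap v2 style) pool model in which a user quotes a 1 ETH buy, submits an amountOutMin derived from their tolerance, and then another trade is mined first. Pool reserves, trade sizes and the 0.30% fee are assumed values.

```python
# Added example, not code from the CertiK post: a constant-product (Uniswap v2 style)
# pool model showing when a slippage tolerance lets a swap through and when it rejects it.
# Reserves, trade sizes and the 0.30% fee are assumed values for illustration.
from decimal import Decimal

def get_amount_out(amount_in, reserve_in, reserve_out, fee_bps=30):
    """Quote for a swap against a constant-product pool, fee taken on the input."""
    amount_in_with_fee = Decimal(amount_in) * (10_000 - fee_bps)
    numerator = amount_in_with_fee * Decimal(reserve_out)
    denominator = Decimal(reserve_in) * 10_000 + amount_in_with_fee
    return numerator / denominator

def min_out_for_tolerance(quoted_out, slippage_pct):
    """amountOutMin the wallet submits: the quoted output less the tolerance."""
    return Decimal(quoted_out) * (1 - Decimal(str(slippage_pct)) / 100)

def execute_swap(reserve_in, reserve_out, amount_in, amount_out_min):
    """Apply a swap if it meets amountOutMin; otherwise it reverts and the pool is unchanged.
    Returns (executed, amount_out, new_reserve_in, new_reserve_out)."""
    out = get_amount_out(amount_in, reserve_in, reserve_out)
    if out < amount_out_min:
        return False, out, reserve_in, reserve_out   # slippage protection triggered
    return True, out, Decimal(reserve_in) + Decimal(amount_in), Decimal(reserve_out) - out

def simulate(slippage_pct, prior_amount=0, prior_sells_token=False):
    """A user quotes 1 ETH -> TOKEN, sets a tolerance, then another trade is mined first.
    Returns (executed, quoted_out, actual_out) for the user's swap."""
    eth_r, tok_r = Decimal(100), Decimal(200_000)   # constructed pool: 100 ETH / 200k TOKEN
    quoted = get_amount_out(1, eth_r, tok_r)
    amount_out_min = min_out_for_tolerance(quoted, slippage_pct)
    if prior_amount and prior_sells_token:   # a TOKEN sale lands first: price moves in the user's favour
        _, _, tok_r, eth_r = execute_swap(tok_r, eth_r, prior_amount, 0)
    elif prior_amount:                       # an ETH buy lands first: price moves against the user
        _, _, eth_r, tok_r = execute_swap(eth_r, tok_r, prior_amount, 0)
    executed, out, _, _ = execute_swap(eth_r, tok_r, 1, amount_out_min)
    return executed, quoted, out
```

With a 0.5% tolerance the user's buy is rejected once a 5 ETH buy lands ahead of it, but goes through untouched when a token sale lands first and improves their price; raising the tolerance to 15% lets the worse price through, which is the trade-off low-liquidity tokens ask users to accept.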


YouTube Statistics

We analyzed YouTube for videos mentioning the phrase "front running bot" and found that of a sample of 232 videos, 84% were scams. The videos we analyzed started to circulate in 2021 and, as can be seen in the table below, saw a six-fold increase in 2022.


Many videos can be clearly identified as scams from their title alone:

FREE FRONT RUNNING CODE!

MAKE 10X A DAY!!!

Uniswap Front Running Bot 2022 – EASY TUTORIAL (Huge profits)

$15,000 Front Running Crypto Bot Leak! - 50X HUGE RETURNS!

PancakeSwap Front Run Bot (Sniper Bot) - Make x10 INSTANTLY (NO DOWNLOAD)

There are common themes in all of these videos: free code and huge returns. Successful front runners won't give away working code for free on a social media site; they will sell it for a large amount on underground forums. We'll take a look at these underground forums in a future post.

Front Running Bot Video Analysis

Image: Thumbnail for a YouTube front running bot scam video

Scrolling through the comments, this video appears to have generated great community engagement. Investigate any front running video and you’ll see similar feedback. These comments are overwhelmingly posted by bots, which scammers utilize to lend a veneer of credibility to their videos.

There may be some genuine comments buried at the bottom of these videos, but you can bet that they won't be saying the strategy really works. One way to identify comments that likely came from bots is to check the video age and the comment age. Often, there'll be a flood of comments right after the video was posted, which is characteristic of inauthentic engagement.

Image: Bot-generated responses to the scam video

The video begins by directing viewers to install Metamask.

The actor then directs viewers to go to Remix, which is a genuine tool used for testing and deploying smart contracts.

Viewers are told to connect their Metamask wallet to Remix.

Image: The scammer shows Metamask connecting to the Remix IDE

The next section asks viewers to copy Solidity front running code from Pastebin into Remix.

Warning: You should never run code from an untrusted source unless you are 100% sure of everything the code does or you are running it in a secure environment. Remix will even give you the same warning.

Image: Pasting code into Remix generates a warning

Image: A copy of the code from the video pasted into Remix

The next section shows us a more detailed view of the first part of the scam. Let's compare what they show you on screen to what you just pasted into Remix.

The code in the video is on top and the code we pasted from Pastebin is on the bottom. In the video the code imports from ftx.com, but the code you paste imports from an IPFS link instead. We'll explain IPFS shortly. In some front running videos they will show you this IPFS link, but if you're not a programmer it's not necessarily something you would notice.

Image: Top, the code shown in the video. Bottom, the code the user copies.

The InterPlanetary File System (IPFS) "is a distributed file storage protocol that allows computers all over the globe to store and serve files as part of a giant peer-to-peer network."

This IPFS link stores extra code that is run in addition to the code that you were told to copy. It's generally a major red flag when code needs to be hidden.

Viewers are then shown how to deploy the contract code they just created. The next step is to add funds to the contract to cover the bot's initial trading. This video recommends 1 ETH. However, the presenter tries to convince us that the more we put in, the bigger the trades we’ll be able to front run.

Everything is set up and now you're ready to watch the money roll in.

Image: The scammer demonstrates clicking the start button

The video then cuts ahead two and a half hours to show viewers how much “profit” they made.

Notice in the image below how the withdrawals show 0 ETH withdrawn. The video creator realizes this too and quickly clicks away from this tab.

Image: The scammer claims to have withdrawn ETH, but the withdrawal amount is 0

Let’s go back to that IPFS link that was included and see exactly how the scam works.

The scam begins when you press the start or withdrawal function. Both functions are identical, yet one is supposed to start the contract running and the other is supposed to withdraw your funds.

Image: The start() and withdrawal() functions have identical code

The functions tell the contract to transfer the contract's balance to the address returned by the uniswapDepositAddress() function of manager. What is manager? It's defined in the file behind the IPFS link we looked at earlier.

Image: The manager function refers to the IPFS file

The IPFS link contains a lot of text to hide what it is doing. At first glance it appears to be a file containing token names and wallet addresses. If we search for the function being called, we find uniswapDepositAddress(), which has a list of tokens.

Image: The uniswapDepositAddress() function hidden in the IPFS file

If we delete every line that starts with // we are left with the function's true purpose. It returns a wallet address.

Image: Deleting irrelevant code shows the function's true purpose

We can now see that the start and withdraw functions transfer the whole balance of the contract we created and funded to this address. Our main wallet balance will be unaffected, which is why the scammer encourages you to fund the contract with at least 1 ETH and continue topping it up. We ran this code in a secure test environment to demonstrate its functionality.
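The three manual checks used above (a remote IPFS import, two functions with identical bodies, and a transfer of the whole contract balance to an address that is not the caller), plus the comment-stripping trick, mechanised as an added example that is not part of the CertiK post. The Solidity text is constructed to mirror the pattern described; the IPFS CID and the returned address are placeholders.

```python
# Added example, not code from the CertiK post: a small red-flag scanner for Solidity
# pasted from an untrusted source. Contract text is constructed to mirror the pattern
# described in the post; the IPFS CID and the returned address are placeholders.
import re

PASTED_CONTRACT = '''
import "https://ipfs.io/ipfs/QmPLACEHOLDERCID/manager.sol";  // the hidden code
contract FrontRunBot {
    function start() public payable {
        payable(manager.uniswapDepositAddress()).transfer(address(this).balance);
    }
    function withdrawal() public payable {
        payable(manager.uniswapDepositAddress()).transfer(address(this).balance);
    }
}
'''
IPFS_FILE = '''
// 0x1111...1111  TOKEN_A   (padding lines that make the file look like a token list)
// 0x2222...2222  TOKEN_B
function uniswapDepositAddress() internal pure returns (address) {
    return 0x0000000000000000000000000000000000000001;  // placeholder address
}
'''
REMOTE_IMPORT = re.compile(r'import\s+"(?:https?://|ipfs://)[^"]+"')
BALANCE_SEND = re.compile(r'payable\(([^)]*\)?)\)\.transfer\(address\(this\)\.balance\)')
FUNC_HEAD = re.compile(r'function\s+(\w+)\s*\([^)]*\)[^{]*\{')

def strip_comment_lines(src):
    """Drop lines starting with //, the trick used above to expose the real function."""
    return "\n".join(l for l in src.splitlines() if not l.strip().startswith("//"))

def function_bodies(src):
    """Map function name -> whitespace-normalised body, found by brace matching."""
    bodies = {}
    for m in FUNC_HEAD.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = " ".join(src[m.end():i - 1].split())
    return bodies

def scan(src):
    """Return the red flags found in a pasted contract."""
    by_body = {}
    for name, body in function_bodies(src).items():
        by_body.setdefault(body, []).append(name)
    return {"remote_imports": REMOTE_IMPORT.findall(src),
            "identical_functions": [n for n in by_body.values() if len(n) > 1],
            "balance_to_third_party": [m.group(1) for m in BALANCE_SEND.finditer(src)
                                       if m.group(1) not in ("msg.sender", "owner")]}
```

Running scan() over the pasted contract reports the remote import, the identical start/withdrawal pair, and both balance transfers to manager.uniswapDepositAddress(); strip_comment_lines() on the IPFS file leaves only the function that returns the address.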

Image: A simulated withdrawal transaction within a test environment

Image: ETH drained from users trying this code

Conclusion

Never run any code that you don’t fully understand or trust. It only takes one line of code to convert a seemingly innocent contract into a malicious one.

The golden rule of scamming applies here: if it seems too good to be true, it probably is. Be wary of any trading strategies or techniques that promise outsized returns, and don't execute any code unless you know exactly what you're doing. Your wallet will thank you.