
The Worst Sandwich: How to Lose 90% in One Swap

Developer DAO #2652 Managing partnerships for the DAO and publishing our weekly Newsletter, "Probably Nothing"

I went for a wild ride on the MEV train this morning. It’s tax season here in the US and in trying to cash out some funds I learned a very scary lesson. Here's my short cautionary tale about implicit risk.

Disclaimer: I am not an MEV expert, so I apologize for mistakes and appreciate any corrections. This just seems like something more people should know about. Even if relatively rare, any one instance of this sort of situation could be catastrophic. It’s a serious problem.

My goal was moving MATIC from Polygon to L1. There are a few ways to do that but I was trying to get this done and move on with my day, so I decided to use FibSwap. I’ve used this dex a few times and been impressed with its speed and ease-of-use.

As usual, I picked my source and destination assets. The exchange rate looked good, so I went ahead and initiated the trade. I confirmed the transaction from my Polygon wallet, and the funds left my wallet.


This is where things got weird. FibSwap cross-chain exchanges require two transactions: one on the originating wallet, and one on the receiving wallet. When I went to finalize the transaction on my receiving wallet, something was very off.

I sent ~9000 MATIC in the initial transaction, but I only received 876 MATIC on L1. I didn’t freak out just yet because, well, I didn’t want to believe it. I thought that maybe FibSwap was doing this piecemeal. That would be annoying but at least I would get my funds eventually.

Turns out, that 876 was all I was getting. That was it. In one swap I’d lost >90% of my funds. How could that possibly be? Was this my fault? Did I drop a digit?

Nope. Fibswap uses USDC liquidity pools on both sides of the transaction. So, MATIC L2 > USDC L2 > USDC L1 > MATIC L1. Here’s the first half of that:

[Screenshot: first half of the route, MATIC L2 to USDC L2]

Now here’s the second half. Notice how Uniswap V2 suddenly decided that my transaction was only worth ~876 MATIC.

[Screenshot: second half of the route, USDC L1 to MATIC L1 on Uniswap V2]

So what happened? Is there something nefarious in the FibSwap contract? Do they have some kind of deal where it turns out I am the supply? At this point it looks like I’m getting fleeced by Uniswap. Experienced readers are already face-palming.

Someone finally directed me to the FibSwap Telegram support channel. This channel shouldn’t be so hard to find, but thank Satoshi I finally did.

Their team was telling me that there were only two ways this could happen:

  1. Price impact on the liquidity pool (they claimed this wasn’t it because FibSwap has slippage protections)
  2. I got front run by an MEV bot

I was skeptical.

My initial reaction to this was to call “bullshit.” It sounded a lot like customer service CYA. Couldn’t there be an error in the FibSwap implementation? And anyways, how is a bot going to front run just the Uniswap part of this transaction?

But of course, this is crypto, so the proof is on chain. This was a sandwich attack. A kind soul named Arno, from Fibswap, found my transaction.

[Screenshot: the transaction as found by FibSwap support]

Still in disbelief, I make my way over to the Uniswap ETH/MATIC page on Etherscan... Fuck.

[Screenshot: the attack on Etherscan]

There it is. For a fleeting moment, the price of MATIC was over $14. That just happened to be the same moment that my swap was executing. A sandwich attack.

Here's another example in the wild. I’m not sure exactly how rare this kind of thing is but I’m clearly not the only person affected by this. https://twitter.com/pmcgoohanCrypto/status/1510977122931822605 https://twitter.com/stonecoldpat0/status/1504149593134673921

I wouldn’t call myself a “maxi” but I will say that I have a saved email from Feb 7, 2014 telling friends about the upcoming Ethereum launch. To this day, I’ve never been more bullish on any other tech than ETH, but this is hard to reconcile.

For those of you here for the happy ending: The folks at FibSwap made me whole. They didn’t have to. This wasn’t really their fault. The best way they could avoid this happening on their app is by not supporting Ethereum L1.

There are a lot of interesting projects out there, so I have my work cut out for me. Arbitrum has taken matters into their own hands, and folks like Shutter are facing the problem head on. But this is clearly a very present threat.


I’ll be digging into MEV with newfound enthusiasm. If anyone has any resources please send them my way. And go ahead and check out FibSwap while you’re at it. A big ole’ hat tip to them for restoring my confidence in humanity.

Jeremy (3y ago)

Thanks for that hint. I wasn't aware of that either.

I've never used a DEX so far, only CEXes. On CEXes, there's the limit order, which ensures that you'll trade at a certain maximum price. Like "buy this token, but not if it costs more than $1.1", to give a simple example. On the other hand, there's also the "market order", where you trade no matter which price movements happen. But usually it's not too good an idea to choose this, because then such "bad surprises" might happen there, too.

So isn't there something like a limit order on DEXes? I'm a web3 dev, but still have a ton of learning to do. Dunno how DEXes work in detail. But couldn't you e.g. code it to revert a transaction if the result doesn't meet some limit order criteria? I mean there are even things like flash loans, where you can trade and get millions, but then at the end, through keeping it within the same transaction, everything reverts if the loan is not paid back. So I'll kind of "naively" assume there could be a way to code a limit order, too ... well, the gas costs will be gone then. But at least you can be sure of not losing 90%.
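The following is an added example, not code from the post, from FibSwap or from Uniswap. It simulates a Uniswap V2-style constant-product pool to show two things the post and the comment above touch on: how a large trade landing just ahead of a swap changes the price that swap executes at, and how the minimum-output bound that Uniswap V2's router takes as `amountOutMin` (the DEX equivalent of the limit order asked about) turns that situation into a revert, where only gas is lost, instead of a 90% loss. The pool reserves, the 2,200,000-token front-run and the 0.3% fee formula are constructed or assumed for the illustration; the 9,000-token trade size is chosen to be roughly the size in the post, and the resulting loss happens to be of the same order as the one described, but nothing here is derived from the actual on-chain transactions.

```python
# Added example: minimal Uniswap V2-style constant-product pool, used to show
# price impact from a trade that lands first and the effect of amountOutMin.
# All reserve and trade sizes are constructed; integer math mirrors the contract.

from dataclasses import dataclass
from typing import Optional


class InsufficientOutput(Exception):
    """Stands in for the router's INSUFFICIENT_OUTPUT_AMOUNT revert."""


def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    # Uniswap V2 pricing: x * y = k with a 0.3% fee taken from the input.
    amount_in_with_fee = amount_in * 997
    numerator = amount_in_with_fee * reserve_out
    denominator = reserve_in * 1000 + amount_in_with_fee
    return numerator // denominator


@dataclass
class Pool:
    reserve_in: int   # token the swapper sells (USDC leg in the post)
    reserve_out: int  # token the swapper wants (MATIC in the post)

    def spot_price(self) -> float:
        """Cost of one unit of the output token, in units of the input token."""
        return self.reserve_in / self.reserve_out

    def swap(self, amount_in: int, amount_out_min: int = 0) -> int:
        """Exact-input swap. Reverts (raises) if output falls below the floor.
        amount_out_min == 0 models a trade sent with no slippage bound at all."""
        amount_out = get_amount_out(amount_in, self.reserve_in, self.reserve_out)
        if amount_out < amount_out_min:
            raise InsufficientOutput(f"got {amount_out}, wanted >= {amount_out_min}")
        self.reserve_in += amount_in
        self.reserve_out -= amount_out
        return amount_out


def min_out_for_tolerance(quoted: int, tolerance_bps: int) -> int:
    """Floor the user signs: the quoted output minus the slippage they tolerate."""
    return quoted * (10_000 - tolerance_bps) // 10_000


VICTIM_IN = 9_000                         # about the size of the trade in the post
INITIAL_RESERVES = (1_000_000, 1_000_000)  # constructed pool, roughly 1:1 price


def fresh_pool() -> Pool:
    return Pool(*INITIAL_RESERVES)


def price_multiple(front_run_in: int) -> float:
    """How many times the spot price rises once a trade of front_run_in lands."""
    pool = fresh_pool()
    before = pool.spot_price()
    if front_run_in:
        pool.swap(front_run_in)
    return pool.spot_price() / before


def victim_output(front_run_in: int) -> int:
    """Output of the 9,000-token swap with no floor set, optionally after a
    large trade in the same direction has already moved the pool."""
    pool = fresh_pool()
    if front_run_in:
        pool.swap(front_run_in)  # the "bread" that executes ahead of the victim
    return pool.swap(VICTIM_IN)


def victim_output_protected(front_run_in: int, tolerance_bps: int) -> Optional[int]:
    """Same swap, but with amountOutMin derived from the quote the user saw
    before signing. Returns the output, or None where the router would revert."""
    quoted = get_amount_out(VICTIM_IN, *INITIAL_RESERVES)   # what the UI quoted
    floor = min_out_for_tolerance(quoted, tolerance_bps)
    pool = fresh_pool()
    if front_run_in:
        pool.swap(front_run_in)
    try:
        return pool.swap(VICTIM_IN, floor)
    except InsufficientOutput:
        return None


if __name__ == "__main__":
    print("undisturbed:", victim_output(0))
    print("after 2.2M trade lands first:", victim_output(2_200_000),
          f"(price x{price_multiple(2_200_000):.1f})")
    print("with 0.5% slippage bound:", victim_output_protected(2_200_000, 50))
```

The undisturbed swap returns 8,893 tokens; after a 2,200,000-token trade lands first the same swap returns 875, because the spot price has moved by roughly 10x. With a 0.5% bound the floor is 8,848, so the second case reverts rather than executes. The practical caveat for a routed or cross-chain swap is that the bound only helps if it is attached to the transaction that actually touches the pool: a floor chosen on the first leg does nothing for a second leg that a relayer submits later with a looser or absent `amountOutMin`.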
