Researchers reveal how predatory trading tactics threaten Ethereum rollups

Ben Weintraub and his co-authors conducted a large-scale analysis of exploitative trading activities on Ethereum and across popular rollups. Credit: Matthew Modoono/Northeastern University.

Ethereum, a popular cryptocurrency platform, is widely known for its strong security.

However, a new study by computer scientists from Northeastern University and ETH Zurich reveals that Ethereum may not be as secure as it seems.

According to this research, certain trading methods on Ethereum’s rollups (off-chain systems that handle high transaction volumes faster) can leave users vulnerable to unfair trading practices.

Ethereum operates on a blockchain, a decentralized database of transactions across many computers.

Once a new block of transactions is added, it can’t be removed, thanks to strong cryptographic protections.

This secure and open network has allowed Ethereum to grow rapidly, but it also faces scalability challenges, with costs increasing as more people use it.

Rollups, such as Arbitrum, Optimism, and zkSync, were created to ease this issue by moving transactions off the main Ethereum chain, lowering transaction costs and improving speed.

However, the recent research, presented by Northeastern Ph.D. student Ben Weintraub, shows that rollups may still be vulnerable to certain manipulative trading tactics.

His team discovered three new ways for predatory traders to profit by exploiting transaction timings on these rollups. While similar tactics, like “sandwiching,” are already known to occur on Ethereum, they weren’t previously thought possible on rollups.

Sandwiching happens when a trader sees someone’s intention to buy a cryptocurrency, buys it first to drive up the price, and then sells it at a profit after the price increases. This strategy benefits only the predatory trader while raising costs for everyone else involved in the trade.
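The price effect described above can be measured with a small model. This is an added illustration, not code from the study: it assumes a constant-product pool with a 0.3% fee and constructed reserves and trade sizes, and the minimum-output bound it tests is a general trade-level safeguard, not one of the protocol changes the researchers propose.

```python
# Added illustration, not code from the study. Assumes a constant-product
# pool (token * quote = k) with a 0.3% fee; all numbers are constructed.
FEE = 0.003


class Pool:
    def __init__(self, token, quote):
        self.token, self.quote = token, quote

    def quote_buy(self, quote_in):
        """Tokens a buyer would receive for quote_in, without trading."""
        eff = quote_in * (1 - FEE)
        return self.token * eff / (self.quote + eff)

    def buy(self, quote_in):
        out = self.quote_buy(quote_in)
        self.quote += quote_in
        self.token -= out
        return out

    def sell(self, token_in):
        eff = token_in * (1 - FEE)
        out = self.quote * eff / (self.token + eff)
        self.token += token_in
        self.quote -= out
        return out


def simulate(victim_in, front_in, min_out=0.0):
    """Return (victim_tokens, front_runner_profit) for one ordering.

    front_in=0 models an unmanipulated order. min_out is the smallest
    output the victim accepts; below it the victim's trade reverts.
    """
    pool = Pool(1_000.0, 1_000_000.0)
    bought = pool.buy(front_in) if front_in else 0.0
    if pool.quote_buy(victim_in) >= min_out:
        victim_tokens = pool.buy(victim_in)
    else:
        victim_tokens = 0.0  # reverted: victim keeps their funds
    proceeds = pool.sell(bought) if bought else 0.0
    return victim_tokens, proceeds - front_in


def compare():
    """Unmanipulated order, sandwiched order, and order with a 0.5% bound."""
    fair, _ = simulate(10_000, 0)
    hit, profit = simulate(10_000, 50_000)
    kept, loss = simulate(10_000, 50_000, min_out=fair * 0.995)
    return fair, hit, profit, kept, loss
```

In this model the sandwiched buyer receives roughly 9% fewer tokens for the same payment, while a 0.5% minimum-output bound makes the buyer's trade revert and leaves the front-runner paying fees on both legs for nothing.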

The researchers analyzed trading behaviors both on Ethereum and across its rollups, finding that some traders used maximal extractable value (MEV) techniques to manipulate the order and timing of transactions for profit.

MEV lets traders extract extra value from their trades by manipulating transaction sequences.

According to Weintraub, such tactics can be harmful because they exploit the delay users experience between Ethereum and the rollups, allowing attackers to act on this lag and profit.

The study also examined the profits made from these manipulative trades over the past three years, estimating that predatory traders made roughly $2 million by exploiting this weakness.

The researchers tested these methods on Ethereum’s testnet, a simulation network that uses “fake” money for experiments, to see how the vulnerabilities could be exploited.

They found that two of the three new attack methods could be prevented with some protocol changes. However, the third method remains challenging to stop.

Weintraub believes that making these findings public is essential for increasing awareness and pushing developers to improve security. He and his team are in contact with the developers behind major rollups to explore protective measures. “It’s better for researchers to discover these issues than for people to lose money by accident,” Weintraub said.

This research was presented at the ACM CCS 2024 conference and is available for further reading on the arXiv preprint server.