Background of the private tx service
The private tx service aims to protect users’ transactions without broadcasting the transactions on the chain. This service can help build a healthy ecosystem by protecting users from being sandwich-attacked. For instance, an attacker cannot listen to the pending pool to front-run other transactions. Besides, the private tx service can mitigate the gas fee war between MEV bots. That’s because MEV bots can leverage such a service instead of competing in the pending tool that will raise the gas price — making the normal transactions hard to be packed.
Flashbots is a well-known private service provider on Ethereum and has excellent documents on how the system works. It also provides clear APIs of the private tx data. BNB48 has provided a similar service (Enhanced RPC) on Binance Smart Chain (BSC).
Private tx has been abused by attackers
However, the private tx service can be abused by attackers to make the attack transaction be packed on the chain (without being noticed) in a fast way.
Recently, we have seen an
interesting transaction on BSC. The attacker abused the private tx service of BNB48 to hide its attack transaction (The attack profit is around
$150K USD). From the following screenshot, we can find that the this transaction was packed by the BNB48 validator with a
15Gwei gas price.
Unfortunately, we did not find a public service that can query transactions that have been packed by the private tx service of BNB48. However, we highly suspect this is the case due to the following two reasons.
- According to BNB48’s doc, to use the enhanced RPC, the transaction sender needs to set the gas privce to
15Gwei. Of course, there still exists a minor chance that the attacker did not use the BNB48 private tx service but happened to use a normal RPC endpoint for the transaction and set the gas price to
- Besides, the attacker’s contract has a code to limit that the attack transaction can only be executed on BNB48 validator (See the following figure).
From the gas price and the code logic, we highly suspect this transaction abused the BNB48 private tx service.
The attacker’s IP has been revealed
Interestingly, the victim claimed that he/she had successfully identified the IP addresses and the time of the attack transaction. Then the victim sent a message on the chain to ask the attacker to return the funds (see the following figure).
This raises the question, i.e., if the attack transaction abused the BNB48 private tx service (by sending transactions to the BNB48 RPC endpoint), how the attacker’s IP addresses can be identified and leaked? Based on the result that the funds have been returned, the IP address and the geolocation in the message should be real.
Security/privacy concerns of private tx service
We think private tx service is a critical entity in the ecosystem since it protects the transaction from being broadcasted and sandwich-attacked. However, it also raises other security/privacy concerns.
- How to prevent the private tx service from being abused by attackers is an open question. Whether a filtering service is needed in the private tx service is (still) debatable in the community. We are currently developing a system that can help the private tx service provider to monitor the attack service (awareness of the attack is valuable.)
- How to protect the privacy of the users who leverage the private tx service? For instance, the endpoint which accepts the private tx can log the sender’s information, such as the IP address and the time. Whether this information is in good protection is unknown.
The BlockSec is dedicated to building blockchain security infrastructure. The team is founded by top-notch security researchers and experienced experts from both academia and industry. We have published multiple blockchain security papers in prestigious conferences, reported several zero-day attacks of DeFi applications, and successfully protected digital assets that are worth more than 5 million dollars by blocking multiple attacks.