BACKRUNNER: Mitigating Smart Contract Attacks in the Real World

TL;DR

This paper reveals the limitations of current smart contract attack protections and introduces BACKRUNNER, a novel framework that effectively mitigates attacks by adapting exploits to safeguard assets in real-world scenarios.

Contribution

The paper presents BACKRUNNER, a new approach that overcomes limitations of existing protections by using exploit adaptation to prevent and recover from smart contract attacks.

Findings

Existing protections can be bypassed in real-world attacks.

BACKRUNNER successfully rescued over $410 million in previous attacks.

In two months, BACKRUNNER protected assets worth over $11.2 million.

Abstract

Billions of dollars have been lost due to vulnerabilities in smart contracts. To counteract this, researchers have proposed attack frontrunning protections designed to preempt malicious transactions by inserting "whitehat" transactions ahead of them to protect the assets. In this paper, we demonstrate that existing frontrunning protections have become ineffective in real-world scenarios. Specifically, we collected 158 recent real-world attack transactions and discovered that 141 of them can bypass state-of-the-art frontrunning protections. We systematically analyze these attacks and show how inherent limitations of existing frontrunning techniques hinder them from protecting valuable assets in the real world. We then propose a new approach involving 1) preemptive hijack, and 2) attack backrunning, which circumvent the existing limitations and can help protect assets before and after an attack. Our approach adapts the exploit used in the attack to the same or similar contracts before and after the attack to safeguard the assets. We conceptualize adapting exploits as a program repair problem and apply established techniques to implement our approach into a full-fledged framework, BACKRUNNER. Running on previous attacks in 2023, BACKRUNNER can successfully rescue more than \$410M. In the real world, it has helped rescue over \$11.2M worth of assets in 28 separate incidents within two months.