BRC20 Snipping Attack

TL;DR

This paper presents a novel sniping attack on BRC20 token markets that exploits transaction fee mechanisms to manipulate bidding fairness, demonstrating its effectiveness through implementation and testing on Bitcoin testnet.

Contribution

The paper introduces the first practical BRC20 sniping attack that targets the transfer process, revealing vulnerabilities in open market mechanisms using PSBT.

Findings

Attack successfully replaces legitimate transactions with higher-fee PSBTs.

The attack disrupts fairness in BRC20 token bidding processes.

Validated effectiveness through multiple tests on Bitcoin testnet.

Abstract

In this paper, we introduce and implement BRC20 sniping attack. Our attack manipulates the BRC20 token transfers in open markets and disrupts the fairness among bidding participants. The long-standing principle of ``highest bidder wins'' is rendered ineffective. Typically, open BRC20 token markets rely on Partially Signed Bitcoin Transactions (PSBT) to broadcast selling intents and wait for buying auctions. Our attack targets the BRC20 buying process (i.e., transfer) by injecting a front-running transaction to complete the full signature of the PSBT. At its core, the attack exploits the mempool's fee-based transaction selection mechanism to snipe the victim transaction, replicate metadata, and front-run the legesmate transaction. This attack applies to platforms using PSBT for BRC20 token transfers, including popular Bitcoin exchanges and marketplaces (e.g., Magic Eden, Unisat, Gate.io, OKX). We implemented and tested the attack on a Bitcoin testnet (regtest), validating its effectiveness through multiple experimental rounds. Results show that the attacker consistently replaces legitimate transactions by submitting higher-fee PSBTs. We have also made responsible disclosures to the mentioned exchanges.