MEV Vulnerabilities
Detects transaction ordering dependencies exploitable by miners and MEV searchers, including sandwich attacks, frontrunning, and backrunning patterns.
Overview
The MEV vulnerabilities detector identifies patterns that allow Maximal Extractable Value (MEV) searchers or validators to profit by manipulating transaction ordering. This includes functions with price-sensitive operations that lack slippage protection, state reads followed by state-dependent writes without atomicity guarantees, and operations where the outcome depends on the position of the transaction within a block.
Why This Is an Issue
By published estimates, MEV extraction has cost Ethereum users over $500M per year. Sandwich attacks on DEX swaps, frontrunning of oracle updates, and backrunning of liquidation opportunities extract value from users by inserting transactions immediately before or after the victim's transaction. Contracts that do not enforce minimum output amounts, deadlines, or commit-reveal schemes are inherently vulnerable: the caller has no way to reject an execution that differs from the quote they saw when they signed.
How to Resolve
// Before: vulnerable, no slippage protection and no deadline
// (tokenOut is a state variable; getAmountOut quotes from the current pool price)
function swap(address tokenIn, uint256 amountIn) external {
    IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
    uint256 amountOut = getAmountOut(amountIn);
    // A sandwich attacker moves the price before this tx and restores it after;
    // whatever the quote becomes, the caller cannot reject it
    IERC20(tokenOut).transfer(msg.sender, amountOut);
}

// After: fixed, caller-supplied minimum output and deadline enforced
function swap(address tokenIn, uint256 amountIn, uint256 minAmountOut, uint256 deadline) external {
    require(block.timestamp <= deadline, "Expired");
    IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn);
    uint256 amountOut = getAmountOut(amountIn);
    require(amountOut >= minAmountOut, "Slippage exceeded");
    IERC20(tokenOut).transfer(msg.sender, amountOut);
}
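What the minimum-output check buys is easiest to see in numbers. The following is an added simulation, not code from the detector or from this page: a constructed constant-product (x*y=k) pool with a 0.3% fee stands in for getAmountOut()/swap(), and the reserve sizes, trade sizes and the 0.5% tolerance are assumptions chosen for illustration. It runs the same frontrun/victim/backrun bundle against the unprotected swap and against a swap that enforces minAmountOut, then searches for the largest frontrun the protected victim still accepts.

```python
"""Sandwich attack on a constant-product pool, with and without minAmountOut."""
from copy import copy

WAD = 10**18  # 18-decimal token units


class SlippageExceeded(Exception):
    """Stands in for require(amountOut >= minAmountOut, "Slippage exceeded")."""


class Pool:
    """Constructed x*y=k pool with a 0.3% fee; quote/swap play the role of getAmountOut()/swap()."""

    def __init__(self, reserve_x, reserve_y, fee_bps=30):
        self.x, self.y, self.fee_bps = reserve_x, reserve_y, fee_bps

    def _out(self, amount_in, r_in, r_out):
        a = amount_in * (10_000 - self.fee_bps)  # fee taken from the input side
        return a * r_out // (r_in * 10_000 + a)

    def quote_x_for_y(self, dx):
        return self._out(dx, self.x, self.y)

    def swap_x_for_y(self, dx, min_out=0):
        dy = self.quote_x_for_y(dx)
        if dy < min_out:
            raise SlippageExceeded(f"got {dy}, required {min_out}")
        self.x += dx
        self.y -= dy
        return dy

    def swap_y_for_x(self, dy):
        dx = self._out(dy, self.y, self.x)
        self.y += dy
        self.x -= dx
        return dx


def sandwich(pool, victim_in, frontrun_in, victim_min_out=0):
    """Frontrun, victim swap, backrun on a copy of the pool.

    Returns (attacker profit in X, Y received by the victim). Raises SlippageExceeded
    when the victim's swap reverts; a searcher simulating the bundle would then not send it.
    """
    p = copy(pool)
    bought = p.swap_x_for_y(frontrun_in)                    # 1. push the price of Y up
    victim_out = p.swap_x_for_y(victim_in, victim_min_out)  # 2. victim fills at the worse price
    recovered = p.swap_y_for_x(bought)                      # 3. sell Y back into the moved pool
    return recovered - frontrun_in, victim_out


def victim_reverts(pool, victim_in, frontrun_in, victim_min_out):
    try:
        sandwich(pool, victim_in, frontrun_in, victim_min_out)
        return False
    except SlippageExceeded:
        return True


def worst_case_with_min_out(pool, victim_in, victim_min_out, hi):
    """Largest frontrun in [0, hi] that still lets the victim's swap pass (binary search; the
    victim's output falls monotonically as the frontrun grows). Assumes victim_min_out <= quote.
    Returns (frontrun, attacker profit in X, Y received by the victim)."""
    lo = 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if victim_reverts(pool, victim_in, mid, victim_min_out):
            hi = mid - 1
        else:
            lo = mid
    profit, victim_out = sandwich(pool, victim_in, lo, victim_min_out)
    return lo, profit, victim_out


def run_scenario():
    """Assumed numbers: 1M/1M reserves, a 10k victim swap, a 50k frontrun, 0.5% tolerance."""
    pool = Pool(1_000_000 * WAD, 1_000_000 * WAD)
    victim_in = 10_000 * WAD
    frontrun = 50_000 * WAD
    quote = pool.quote_x_for_y(victim_in)  # the off-chain quote the caller saw
    min_out = quote * 995 // 1000          # passed on-chain as minAmountOut
    unprotected_profit, unprotected_out = sandwich(pool, victim_in, frontrun)
    fr_max, bounded_profit, bounded_out = worst_case_with_min_out(pool, victim_in, min_out, frontrun)
    return {
        "quote": quote,
        "min_out": min_out,
        "unprotected_profit": unprotected_profit,
        "unprotected_out": unprotected_out,
        "protected_reverts": victim_reverts(pool, victim_in, frontrun, min_out),
        "largest_passing_frontrun": fr_max,
        "bounded_profit": bounded_profit,
        "bounded_out": bounded_out,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        shown = v if isinstance(v, bool) else f"{v / WAD:.2f}"
        print(f"{k:>26}: {shown}")
```

Two caveats the fix above does not state. First, minAmountOut bounds the victim's loss to the tolerance the caller chose; it does not remove the attacker's incentive, and a loose tolerance of several percent is still routinely sandwiched, which is why the largest-passing-frontrun search is worth running against whatever default tolerance a front end ships. Second, the deadline check matters independently of slippage: without it a signed transaction can be held back and included blocks later, when the quote that the minimum was computed from is stale.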
Detection Methodology
- Price-sensitive operation detection: Identifies functions that read prices or exchange rates from storage or external calls and use them in transfer operations.
- Slippage check absence: Flags functions with price-dependent outputs that lack a minimum output comparison.
- Deadline check absence: Flags swap-like functions without a block.timestamp deadline check.
- Oracle update frontrunning: Identifies oracle write functions where an attacker could submit a transaction between the oracle update and the dependent operation.
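The first three methodology points can be illustrated as a small text-level analysis. What follows is an added example, not the detector's real implementation: the vocabulary of price-reading calls and transfer calls, the per-function regex and brace matching, and the sample contract are all assumptions made here. The sample deliberately includes the vulnerable and fixed swap() from this page, a function that only computes a price, and an internal helper whose caller performs the slippage check, so the output also shows the false-positive case described under Limitations.

```python
"""Heuristic per-function MEV-ordering checks over Solidity source (added illustration)."""
import re
from dataclasses import dataclass

# Assumed vocabulary of price/rate reads and value-moving calls; extend for a real code base
PRICE_READS = re.compile(
    r"\b(getAmountOut|getAmountsOut|getPrice|latestAnswer|latestRoundData|getReserves)\s*\("
)
VALUE_TRANSFERS = re.compile(r"\.(transfer|transferFrom|safeTransfer|safeTransferFrom)\s*\(")
FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
CHECK_OPEN = re.compile(r"\b(require|if)\s*\(")
COMPARISON = re.compile(r"[<>]=?")


@dataclass(frozen=True)
class Finding:
    function: str
    issue: str


def _matching(text, open_idx):
    """Index of the bracket closing text[open_idx] ('(' or '{'), honouring nesting."""
    opener = text[open_idx]
    closer = {"(": ")", "{": "}"}[opener]
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == opener:
            depth += 1
        elif text[i] == closer:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced brackets")


def _param_names(params):
    # "address tokenIn, uint256 amountIn" -> ["tokenIn", "amountIn"]
    return [p.split()[-1] for p in params.split(",") if p.strip()]


def extract_functions(src):
    """Yield (name, parameter names, body text) for every function that has a body."""
    for m in FUNC_HEADER.finditer(src):
        open_idx = m.end() - 1
        yield m.group(1), _param_names(m.group(2)), src[open_idx + 1:_matching(src, open_idx)]


def _checks(body):
    """Argument text of each require(...) / if (...) inside a function body."""
    for m in CHECK_OPEN.finditer(body):
        open_idx = m.end() - 1
        yield body[open_idx + 1:_matching(body, open_idx)]


def analyze(src):
    """Flag price-sensitive functions lacking a slippage check and/or a deadline check."""
    findings = []
    for name, params, body in extract_functions(src):
        # Price-sensitive operation: a price read and a token transfer in the same body
        if not (PRICE_READS.search(body) and VALUE_TRANSFERS.search(body)):
            continue
        checks = list(_checks(body))
        # Slippage check: a comparison involving a caller-supplied parameter (not the deadline one)
        has_slippage = any(
            "block.timestamp" not in c
            and COMPARISON.search(c)
            and any(re.search(rf"\b{re.escape(p)}\b", c) for p in params)
            for c in checks
        )
        has_deadline = any("block.timestamp" in c for c in checks)
        if not has_slippage:
            findings.append(Finding(name, "missing-slippage-check"))
        if not has_deadline:
            findings.append(Finding(name, "missing-deadline-check"))
    return findings


def issue_set(src):
    """Findings as a set of (function, issue) pairs."""
    return {(f.function, f.issue) for f in analyze(src)}


# Constructed sample: this page's vulnerable and fixed swap(), a pure quote function, and an
# internal helper whose caller does the slippage check (the Limitations false-positive case).
SAMPLE_SOURCE = """
contract Router {
    address public tokenOut;
    uint256 public price;

    function getAmountOut(uint256 amountIn) public view returns (uint256) {
        return amountIn * price / 1e18;
    }

    function swapVulnerable(address tokenIn, uint256 amountIn) external {
        uint256 amountOut = getAmountOut(amountIn);
        IERC20(tokenOut).transfer(msg.sender, amountOut);
    }

    function swapFixed(address tokenIn, uint256 amountIn, uint256 minAmountOut, uint256 deadline) external {
        require(block.timestamp <= deadline, "Expired");
        uint256 amountOut = getAmountOut(amountIn);
        require(amountOut >= minAmountOut, "Slippage exceeded");
        IERC20(tokenOut).transfer(msg.sender, amountOut);
    }

    function _swapNoChecks(uint256 amountIn) internal returns (uint256 amountOut) {
        amountOut = getAmountOut(amountIn);
        IERC20(tokenOut).transfer(msg.sender, amountOut);
    }

    function swapViaHelper(uint256 amountIn, uint256 minAmountOut) external {
        require(_swapNoChecks(amountIn) >= minAmountOut, "Slippage exceeded");
    }
}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"{f.function}: {f.issue}")
```

Running it flags swapVulnerable for both issues and leaves swapFixed and getAmountOut clean, which is the intended behaviour. It also flags _swapNoChecks even though swapViaHelper enforces the minimum on its return value, and it does not flag swapViaHelper at all because the price read and transfer happen one call away: both results fall straight out of analysing one function body at a time, which is why cross-function and cross-contract reasoning is needed to remove them.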
Limitations
False positives: Internal helper functions that are always called with slippage parameters by their callers may be flagged, because the minimum-output check lives in the caller rather than in the flagged function.
False negatives: MEV vectors through cross-contract interactions may not be detected without cross-contract analysis.
Related Detectors
- Front-Running — detects general frontrunning patterns
- Sandwich Attack — detects DEX sandwich vectors specifically
- Slippage Validation — detects missing slippage checks