Overview
Decentralized finance (commonly known as DeFi) is a form of finance built on the blockchain. It does not rely on financial institutions such as brokerages, exchanges or banks to provide financial tools, but uses smart contracts on the blockchain to carry out financial activities. There are a large number of arbitrage opportunities in DeFi, including but not limited to liquidation and spread arbitrage. This article analyzes the arbitrage opportunities that the contract code of some decentralized exchanges (DEXs) and aggregators may present.
Analysis
Uniswap
Uniswap is a decentralized cryptocurrency trading platform that adopts the Automated Market Maker (AMM) model. There are currently two popular versions, Uniswap V2 and Uniswap V3. We will analyze the possible arbitrage opportunities in each of them.
Uniswap V2 Router
In Uniswap V2, users generally interact with the Pair contract and the Factory contract through the Router contract. Generally speaking, the Router only transfers tokens during transactions and does not store them. However, for various reasons, such as airdrops and mistaken transfers, some tokens end up held by the Router contract. So how can these tokens be withdrawn?
Analyzing the code of the Uniswap V2 Router02 contract shows that it has a removeLiquidityETHSupportingFeeOnTransferTokens function:
This function removes liquidity where one of the tokens is WETH. When it calls removeLiquidity internally, the to address passed in is address(this); that is, the two tokens are first transferred to the Router contract, and the Router contract then transfers them to the specified address. Although the amount of WETH transferred is the value returned by removeLiquidity and cannot be modified, the amount of the other token transferred is balanceOf(address(this)), which is the balance of that token in the Router contract.
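The difference between forwarding balanceOf(address(this)) and forwarding only what arrived during the call, as a small Python model. This is an added example, not Uniswap's code or code from the original article; the account names, amounts and the remove_forward_delta variant are assumptions made for illustration.

```python
def transfer(bal, src, dst, amount, fee_bps=0):
    """Constructed ERC20-style transfer; fee_bps models a fee-on-transfer token."""
    if amount < 0 or bal.get(src, 0) < amount:
        raise ValueError("insufficient balance")
    bal[src] -= amount
    bal[dst] = bal.get(dst, 0) + amount - amount * fee_bps // 10_000

def remove_sweep_all(bal, to, amount, fee_bps=0):
    """Pattern described above: forward the Router's whole token balance."""
    transfer(bal, "pair", "router", amount, fee_bps)   # removeLiquidity(to = this)
    sent = bal["router"]                               # balanceOf(address(this))
    transfer(bal, "router", to, sent, fee_bps)
    return sent

def remove_forward_delta(bal, to, amount, fee_bps=0):
    """Hypothetical variant: forward only what arrived during this call."""
    before = bal.get("router", 0)
    transfer(bal, "pair", "router", amount, fee_bps)
    sent = bal["router"] - before                      # still correct with a fee
    transfer(bal, "router", to, sent, fee_bps)
    return sent

def demo():
    """Run both variants on the same constructed starting state."""
    results = {}
    for fn in (remove_sweep_all, remove_forward_delta):
        # Constructed state: 500 tokens stranded in the Router, 1% transfer fee.
        bal = {"pair": 10_000, "router": 500}
        sent = fn(bal, "caller", 1_000, fee_bps=100)
        results[fn.__name__] = (sent, bal["router"])
    return results

if __name__ == "__main__":
    for name, (sent, left) in demo().items():
        print(f"{name}: forwarded {sent}, left in router {left}")
```

In the second variant the stranded 500 tokens stay in the Router, so a contract built this way would need its own recovery path for mistaken transfers.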
From the above analysis, we get the following arbitrage process:
Detect that there are ERC20 tokens in the Router02 contract;
Call addLiquidityETH to add liquidity for the ERC20 token and WETH;
Call removeLiquidityETHSupportingFeeOnTransferTokens to remove liquidity.
Limitations:
If the token has not previously had liquidity with WETH, a small amount of liquidity (MINIMUM_LIQUIDITY) is lost when adding liquidity for the first time;
No method to extract WETH and ETH from the Router02 contract has been found yet.
Uniswap V2 Pair
The Uniswap V2 Pair contract, the so-called liquidity pool, stores the two tokens that provide liquidity. Because the Pair contract uses reserve to record the balance instead of balanceOf(address(this)), a difference between balance and reserve arises when someone mistakenly transfers the pool's tokens directly into the contract. The Pair contract has a balancing function, skim, which we can call to extract the tokens that make up the difference:
It can be seen that this function transfers the difference between balance and reserve, for both liquidity tokens in the pool, to the to address.
In addition to these two tokens, the liquidity pool may also hold other ERC20 tokens due to mistaken transfers, airdrops, etc. How can these tokens be withdrawn?
Analysis of the Pair contract code shows that these tokens cannot be withdrawn, except in one case: when the pool's own LP tokens are held in the liquidity pool.
When this happens, we can call the burn function of the Pair contract to remove the liquidity and take out the corresponding two liquidity tokens:
Uniswap V3 SwapRouter
The Uniswap V3 SwapRouter contract can end up in the same situation as the Uniswap V2 Router, holding ERC20 tokens and ETH, but fortunately the SwapRouter contract provides several functions that make it easy to extract them.
To withdraw ERC20 tokens we can use the sweepToken function:
To withdraw ETH we can use the refundETH function:
You can also directly call the unwrapWETH9 function to convert WETH back to ETH and extract it:
The above is the arbitrage analysis of the Uniswap V3 SwapRouter contract.
Analysis of the Uniswap V3 Pool contract code shows that there is no way to extract other tokens held in the contract, and there is no difference between balance and reserve like the one in the Uniswap V2 Pair contract.
SushiSwap
SushiSwap started out as a fork of Uniswap and later developed into an independent ecosystem offering many different financial services and products.
Because SushiSwap is the same as Uniswap V2, the above-mentioned arbitrage method for Uniswap V2 is also applicable to SushiSwap.
SushiXSwap
SushiXSwap is a LayerZero-based cross-chain trading protocol launched by SushiSwap. The supported networks include Optimism, Arbitrum, Fantom, BNB Chain, Polygon and Avalanche. Users can conduct cross-chain transactions between supported networks and assets.
How can the tokens in the SushiXSwap contract be withdrawn?
The main functions in SushiXSwap are implemented through the cook function, which provides a series of operations, and the list of supported operations is as follows:
Among them is an operation ACTION_DST_WITHDRAW_TOKEN, whose code is implemented as follows:
First, the data passed into the cook function is decoded, and then the amount is checked against 0. If it is equal to 0, the amount is set to the contract’s balance of the ERC20 token or of ETH. Finally, _transferTokens is called to transfer the tokens to the specified address:
Therefore, we only need to construct the actions and datas passed into the cook function: set the action to ACTION_DST_WITHDRAW_TOKEN and encode the token to be transferred, the receiving address and the quantity in the data. The tokens in the SushiXSwap contract can then be transferred out.
Sushi BentoBox
Sushi BentoBox is a component of the SushiSwap ecosystem. BentoBox is a highly flexible decentralized finance (DeFi) rate optimization product. In simple terms, it is a smart contract platform that allows users to store, borrow and earn interest. The main purpose of BentoBox is to optimize users' income in the DeFi field.
A large number of tokens are stored in the BentoBox contract on Ethereum, so is there room for arbitrage in this contract?
In the BentoBox contract, users can make deposits through the deposit function, which is implemented as follows:
You can see that the user passes in the token address, the debit address, the receiving address, the amount and the number of shares. The function first performs a series of checks and then converts between amount and share. The key point is in lines 195-198, where a check is made: amount <= _tokenBalanceOf(token).sub(total.elastic).
The balance of a given token in the BentoBox contract is recorded in total.elastic, similar to the reserve in the Uniswap Pair contract. In some cases it will differ from _tokenBalanceOf(token), and we can use this characteristic of the deposit function to convert the difference into our own balance in the BentoBox contract.
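The recorded-versus-actual accounting used by the Pair's skim (described earlier) and by BentoBox's deposit, as a Python model. This is an added example, not the contracts' own code or code from the original article; the class names, account labels, amounts and the 1:1 share conversion are assumptions.

```python
from collections import defaultdict

class Token:
    """Minimal ERC20-style ledger, constructed for this example."""
    def __init__(self, balances):
        self.bal = defaultdict(int, balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.bal[src] < amount:
            raise ValueError("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] += amount

class PairModel:
    """Uniswap V2 Pair style: `reserve` is recorded, the balance is real."""
    def __init__(self, token, reserve):
        self.token, self.reserve = token, reserve

    def skim(self, to):
        amount = self.token.bal["pair"] - self.reserve  # balance - reserve
        self.token.transfer("pair", to, amount)
        return amount

class BoxModel:
    """BentoBox style: `elastic` is recorded; shares are 1:1 here (assumption)."""
    def __init__(self, token, elastic):
        self.token, self.elastic = token, elastic
        self.shares = defaultdict(int)

    def deposit(self, from_, to, amount):
        if from_ == "box":
            # No transfer takes place, so the amount is capped at the surplus.
            if amount > self.token.bal["box"] - self.elastic:
                raise ValueError("amount exceeds unrecorded surplus")
        else:
            self.token.transfer(from_, "box", amount)
        self.elastic += amount
        self.shares[to] += amount

def demo():
    # Constructed state: each contract holds 50 tokens beyond its records.
    token = Token({"pair": 1_050, "box": 2_050})
    pair, box = PairModel(token, reserve=1_000), BoxModel(token, elastic=2_000)
    skimmed = pair.skim("alice")
    box.deposit("box", "bob", 50)
    try:
        box.deposit("box", "bob", 1)   # surplus is now zero
        over_claim = "accepted"
    except ValueError:
        over_claim = "rejected"
    return skimmed, token.bal["pair"], box.shares["bob"], box.elastic, over_claim
```

Both paths are bounded by the unrecorded surplus: the reserve-backed 1,000 and the recorded 2,000 are untouched, and a claim beyond the surplus fails.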
Therefore, when we pass in parameters, we set token to the address of the token that has a difference, set amount to the difference, set from to the address of the BentoBox contract, and set to to our own address. At line 207, because the from address is the address of the BentoBox contract, no transfer takes place, but total.elastic and _tokenBalanceOf(token) are brought into balance and the difference is converted into the balance of the to address in the contract.
DODO
DODO is a decentralized trading platform that uses an original Proactive Market Maker (PMM) algorithm to provide efficient on-chain liquidity for Web3 assets. DODO not only provides liquidity itself, but also aggregates liquidity from other exchanges.
DODOV2Proxy02
DODO has a series of contracts, and users exchange tokens through the DODOV2Proxy02 contract. Similar to the Uniswap Router contract, this contract also holds some tokens for various reasons. How can these tokens be withdrawn?
There is an externalSwap function in the DODOV2Proxy02 contract, which is used to call external platforms aggregated by DODO, such as 0x and 1inch, for the exchange. The code is implemented as follows:
Lines 1719-1721 check the incoming parameters, and line 1724 checks whether fromToken is ETH. If not, the caller’s tokens are transferred to the contract and then approved. Analysis of the code of the DODOAPPROVE contract shows that only fromTokenAmount needs to be set to 0 to bypass this:
Then the external contract to be called is verified: only contracts in the whitelist can be called. The swapTarget and calldataConcat here are both controllable by the user, so swapTarget can be set to the contract address of 0x or 1inch and calldataConcat to the encoding of a view function of that contract, so that the returned value is true and the subsequent require check also passes:
Through the above steps, we can extract the ERC20 tokens and ETH in the DODOV2Proxy02 contract.
1inch
1inch is a decentralized exchange (DEX) aggregator that pools liquidity from multiple DEXs in order to provide users with the best token exchange prices. By integrating liquidity from different sources, 1inch helps users optimize transactions and find the best prices across platforms. 1inch's smart contract automatically trades between various decentralized exchanges, enabling users to easily obtain the best price and lowest slippage between different exchanges. In addition, 1inch also provides other functions such as liquidity mining and governance tokens.
AggregationRouterV5
The main contract of 1inch is AggregationRouter, and the V4 and V5 versions are the most used now. These two contracts also hold some tokens for various reasons. We can extract the tokens in the contract by constructing the parameters passed to the function.
There is a swap function in the AggregationRouterV5 contract, and its implementation is as follows:
After the minReturnAmount in desc is verified, srcToken and dstToken are read from desc. The checks in lines 986-997 that follow can be bypassed by constructing the flags and srcToken in the desc structure:
Then the function _execute is executed, where the call is made and the execution status is verified. Since the executor is passed in by the user, we can use the 0 address to bypass it here:
Then the balance of dstToken in the contract is obtained. For lines 1007-1018, we can construct flags and minReturnAmount in desc to bypass the checks:
Finally, the dstToken balance in the contract is transferred to the dstReceiver address, which is also controlled by the user:
Through the above steps, we can construct the parameters passed to the swap function to withdraw the tokens in the AggregationRouterV5 contract.
AggregationRouterV4
Summary
This article briefly introduces some decentralized exchanges and aggregators, discusses the arbitrage that may exist in them, and analyzes the principle of the arbitrage at the contract-code level. Success in practice also depends on many factors, such as gas and node speed.
About Us
At Eocene Research, we provide the insights of intentions and security behind everything you know or don't know of blockchain, and empower every individual and organization to answer complex questions we hadn't even dreamed of back then.