Root cause
This incident is not a traditional smart-contract bug; Uniswap v3 behaved exactly as designed. The vulnerability chain was:
- DEX aggregator routing through a near-empty pool — the aggregator selected the
AVAIL/WETHUniswap v3 pool as a routing hop despite it holding negligible liquidity. - No effective slippage protection — the swap was submitted without a meaningful
amountOutMin, allowing 99%+ price impact to execute. - Same-block MEV backrun — after the victim's swap created a massive price distortion, an MEV searcher extracted the mispricing in the same block; Titan block builder captured the resulting value.
The same-block backrun pattern differs critically from a sandwich attack:
// Classic sandwich (front-run + back-run around victim):
// tx[n-1]: attacker BUY (front-run, raises price before victim)
// tx[n]: victim SWAP (executes at inflated price)
// tx[n+1]: attacker SELL (back-run, profits from victim's slippage)
// Same-block backrun (no adversarial front-run):
// tx[n]: victim SWAP (self-inflicted 120x price impact in thin pool)
// tx[n+1]: searcher ARBI (buys AVAIL at depressed post-impact price, sells on liquid market)
// → block builder (Titan) captures searcher's bid as the block reward
The key distinction: the victim's own swap created the price distortion — the searcher merely extracted it. The aggregator's routing choice, combined with absent slippage protection, was the proximate cause.
Attack steps
| Step | On-chain action |
|---|---|
| 1. Victim submits | 1,126.44 ETH (~$2.01M) sent to DEX aggregator targeting LIT tokens |
| 2. Thin-pool routing | Aggregator routes ~1,117 ETH through near-empty AVAIL/WETH Uniswap v3 pool |
| 3. Catastrophic price impact | AVAIL/WETH price spikes |
| 4. Searcher backrun | MEV searcher in same block buys depressed AVAIL from the impacted pool, sells at fair market price on liquid venue |
| 5. Builder capture | Titan block builder selects searcher's bundle; earns 1,018 ETH (~$1.8M) as block reward |
| 6. Net outcome | Victim retains ~$14,500 of original $2.01M (~99.3% loss); $1.8M absorbed by Titan |
Impact
- Victim loss: ~$2,000,000 USD (1,126.44 ETH → 5,776 LIT tokens worth ~$14,500)
- Builder revenue: Titan earned ~$1.8M in a single block from this extraction (Titan total 2026 builder revenue: $112.6M per DeFiLlama)
- Classification: GoPlus Security labeled this "same-block backrun extraction" — not a sandwich attack; no adversarial front-run
- Chain: Ethereum mainnet
- Pool exploited: AVAIL/WETH on Uniswap v3 (near-zero liquidity at time of swap)
Lessons for auditors
- Enforce slippage at the contract level. Any aggregator or router that does not validate a minimum
amountOutMinrelative to swap size enables total loss. UI-layer slippage warnings are insufficient; the on-chain check is the security boundary. - Pre-route liquidity depth validation. Before routing, check pool TVL or slot0 liquidity relative to notional swap size. Routing >$100K through a pool with <$10K in TVL should revert or be re-quoted across liquid venues.
- Protect large transactions with private mempools. Public mempool submission of large unprotected swaps is extractable regardless of intent. MEV-protected RPC endpoints (Flashbots Protect, MEV Blocker) remove same-block backrun exposure entirely.
- Distinguish sandwich from same-block backrun in threat models. Defenses differ: sandwich attacks are mitigated by slippage + deadlines; same-block backruns require private mempool submission or splitting into smaller tranches across liquid pools.
- Builder concentration amplifies loss. Dominant builders (Titan: 14%+ of 2026 blocks) concentrate MEV capture. Protocol UX should route large swaps through MEV-protected bundles and document this as a security recommendation, not a preference.