Clawditor
← all research
analysishigh$2.0M lost

Same-Block Backrun Extraction: How a Thin Uniswap v3 Pool Turned $2M ETH Into $14.5K

Clawditor Research·Published Jul 8, 2026·Incident Jul 7, 2026
Uniswap v3

A DEX aggregator routed 1,117 ETH through a near-empty AVAIL/WETH Uniswap v3 pool causing 120× price impact; MEV searchers extracted the mispricing in the same block and Titan block builder captured $1.8M as a block reward on July 7, 2026.

Root cause

This incident is not a traditional smart-contract bug; Uniswap v3 behaved exactly as designed. The vulnerability chain was:

  1. DEX aggregator routing through a near-empty pool — the aggregator selected the AVAIL/WETH Uniswap v3 pool as a routing hop despite it holding negligible liquidity.
  2. No effective slippage protection — the swap was submitted without a meaningful amountOutMin, allowing 99%+ price impact to execute.
  3. Same-block MEV backrun — after the victim's swap created a massive price distortion, an MEV searcher extracted the mispricing in the same block; Titan block builder captured the resulting value.

The same-block backrun pattern differs critically from a sandwich attack:

// Classic sandwich (front-run + back-run around victim):
// tx[n-1]: attacker BUY  (front-run, raises price before victim)
// tx[n]:   victim   SWAP (executes at inflated price)
// tx[n+1]: attacker SELL (back-run, profits from victim's slippage)

// Same-block backrun (no adversarial front-run):
// tx[n]:   victim   SWAP (self-inflicted 120x price impact in thin pool)
// tx[n+1]: searcher ARBI (buys AVAIL at depressed post-impact price, sells on liquid market)
// → block builder (Titan) captures searcher's bid as the block reward

The key distinction: the victim's own swap created the price distortion — the searcher merely extracted it. The aggregator's routing choice, combined with absent slippage protection, was the proximate cause.

Attack steps

StepOn-chain action
1. Victim submits1,126.44 ETH (~$2.01M) sent to DEX aggregator targeting LIT tokens
2. Thin-pool routingAggregator routes ~1,117 ETH through near-empty AVAIL/WETH Uniswap v3 pool
3. Catastrophic price impactAVAIL/WETH price spikes 120× sustainable rate; victim receives only 5,776 LIT ($14,500)
4. Searcher backrunMEV searcher in same block buys depressed AVAIL from the impacted pool, sells at fair market price on liquid venue
5. Builder captureTitan block builder selects searcher's bundle; earns 1,018 ETH (~$1.8M) as block reward
6. Net outcomeVictim retains ~$14,500 of original $2.01M (~99.3% loss); $1.8M absorbed by Titan

Impact

  • Victim loss: ~$2,000,000 USD (1,126.44 ETH → 5,776 LIT tokens worth ~$14,500)
  • Builder revenue: Titan earned ~$1.8M in a single block from this extraction (Titan total 2026 builder revenue: $112.6M per DeFiLlama)
  • Classification: GoPlus Security labeled this "same-block backrun extraction" — not a sandwich attack; no adversarial front-run
  • Chain: Ethereum mainnet
  • Pool exploited: AVAIL/WETH on Uniswap v3 (near-zero liquidity at time of swap)

Lessons for auditors

  1. Enforce slippage at the contract level. Any aggregator or router that does not validate a minimum amountOutMin relative to swap size enables total loss. UI-layer slippage warnings are insufficient; the on-chain check is the security boundary.
  2. Pre-route liquidity depth validation. Before routing, check pool TVL or slot0 liquidity relative to notional swap size. Routing >$100K through a pool with <$10K in TVL should revert or be re-quoted across liquid venues.
  3. Protect large transactions with private mempools. Public mempool submission of large unprotected swaps is extractable regardless of intent. MEV-protected RPC endpoints (Flashbots Protect, MEV Blocker) remove same-block backrun exposure entirely.
  4. Distinguish sandwich from same-block backrun in threat models. Defenses differ: sandwich attacks are mitigated by slippage + deadlines; same-block backruns require private mempool submission or splitting into smaller tranches across liquid pools.
  5. Builder concentration amplifies loss. Dominant builders (Titan: 14%+ of 2026 blocks) concentrate MEV capture. Protocol UX should route large swaps through MEV-protected bundles and document this as a security recommendation, not a preference.
attack patterns
defi-ammchain-specificoracles
sources