Table of Contents
Fetching ...

BRC20 Snipping Attack

Minfeng Qi, Qin Wang, Ningran Li, Shiping Chen, Tianqing Zhu

TL;DR

This paper identifies mempool-based sniping in PSBT-driven BRC20 token transfers on Bitcoin, revealing a novel front-running vector where attackers outbid pending transactions. It formalizes the PSBT-based BRC20 transfer workflow and introduces a sniping attack that replicates core transfer data and uses higher fees to supplant legitimate PSBTs. Through regtest experiments, the authors demonstrate that attackers with modest resources can hijack transfers by outbidding legitimate transactions and redirect tokens to their own addresses. To mitigate this risk, they propose mempool protections, dynamic post-submission fee escalation, and an advanced fee-locking mechanism, underscoring the need for protocol- and marketplace-level defenses in the Bitcoin ecosystem.

Abstract

In this paper, we introduce and implement BRC20 sniping attack. Our attack manipulates the BRC20 token transfers in open markets and disrupts the fairness among bidding participants. The long-standing principle of ``highest bidder wins'' is rendered ineffective. Typically, open BRC20 token markets rely on Partially Signed Bitcoin Transactions (PSBT) to broadcast selling intents and wait for buying auctions. Our attack targets the BRC20 buying process (i.e., transfer) by injecting a front-running transaction to complete the full signature of the PSBT. At its core, the attack exploits the mempool's fee-based transaction selection mechanism to snipe the victim transaction, replicate metadata, and front-run the legesmate transaction. This attack applies to platforms using PSBT for BRC20 token transfers, including popular Bitcoin exchanges and marketplaces (e.g., Magic Eden, Unisat, Gate.io, OKX). We implemented and tested the attack on a Bitcoin testnet (regtest), validating its effectiveness through multiple experimental rounds. Results show that the attacker consistently replaces legitimate transactions by submitting higher-fee PSBTs. We have also made responsible disclosures to the mentioned exchanges.

BRC20 Snipping Attack

TL;DR

This paper identifies mempool-based sniping in PSBT-driven BRC20 token transfers on Bitcoin, revealing a novel front-running vector where attackers outbid pending transactions. It formalizes the PSBT-based BRC20 transfer workflow and introduces a sniping attack that replicates core transfer data and uses higher fees to supplant legitimate PSBTs. Through regtest experiments, the authors demonstrate that attackers with modest resources can hijack transfers by outbidding legitimate transactions and redirect tokens to their own addresses. To mitigate this risk, they propose mempool protections, dynamic post-submission fee escalation, and an advanced fee-locking mechanism, underscoring the need for protocol- and marketplace-level defenses in the Bitcoin ecosystem.

Abstract

In this paper, we introduce and implement BRC20 sniping attack. Our attack manipulates the BRC20 token transfers in open markets and disrupts the fairness among bidding participants. The long-standing principle of ``highest bidder wins'' is rendered ineffective. Typically, open BRC20 token markets rely on Partially Signed Bitcoin Transactions (PSBT) to broadcast selling intents and wait for buying auctions. Our attack targets the BRC20 buying process (i.e., transfer) by injecting a front-running transaction to complete the full signature of the PSBT. At its core, the attack exploits the mempool's fee-based transaction selection mechanism to snipe the victim transaction, replicate metadata, and front-run the legesmate transaction. This attack applies to platforms using PSBT for BRC20 token transfers, including popular Bitcoin exchanges and marketplaces (e.g., Magic Eden, Unisat, Gate.io, OKX). We implemented and tested the attack on a Bitcoin testnet (regtest), validating its effectiveness through multiple experimental rounds. Results show that the attacker consistently replaces legitimate transactions by submitting higher-fee PSBTs. We have also made responsible disclosures to the mentioned exchanges.
Paper Structure (27 sections, 9 equations, 6 figures, 3 tables, 1 algorithm)

This paper contains 27 sections, 9 equations, 6 figures, 3 tables, 1 algorithm.

Figures (6)

  • Figure 1: Transferring BRC20/Inscriptions via the UTXO model
  • Figure 2: Workflow of Our Snipping Attack
  • Figure 3: Screenshots during our attack
  • Figure 4: Fee rate comparison in three experiments: The chart compares the fee rates of transactions across three experimental rounds, showing the fee rates of legitimate buyer transactions and those of attackers using high and low fees.
  • Figure 5: Screenshots for Mitigation Strategies
  • ...and 1 more figures