Ethereum MEV Bot Loses $7.5 Million After Falling Into

What to know:

  • Ethereum MEV bot JaredFromSubway lost an estimated $7.5 million in a sophisticated trading trap.
  • Attackers deployed 66 fake token contracts to manipulate the bot’s decision-making logic.
  • The bot operator estimates losses could reach $15 million and has offered a $1 million recovery bounty.

The Ethereum MEV bot JaredFromSubway, one of the most famous MEV bots on Ethereum, is estimated to have lost up to $7.5 million in attacks targeting its automated trading. According to Blockaid, the losses were not the result of a smart contract exploit, phishing, or key theft. The attackers exploited flaws in the bot's trading algorithm.

JaredFromSubway is an excellent Ethereum MEV bot that watches the mempool for lucrative trading opportunities and then sandwiches traders' transactions. It came into the limelight in April 2023 after spending more than one million dollars in gas fees in a single day.

How the Ethereum MEV Bot Was Tricked

According to Blockaid, the attacker spent weeks setting up the scheme, creating 66 fake token contracts that appeared identical to popular assets such as WETH (Wrapped Ether), USDC (USD Coin), and USDT (Tether).

Because the fake contracts appeared legitimate, the Ethereum MEV bot treated them as profitable trading routes and interacted with them. In doing so, the bot granted token approvals to helper contracts under the attacker's control. One such approval allowed access to more than 92 WETH.

The attacker then sent one last contract that used the outstanding allowances to move real funds out of the bot’s wallets. This did not take advantage of any programming error; it exploited the bot's decision-making logic.
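One way a bot operator could gate approvals against the pattern described above, as an added example that is not code from Blockaid or from the bot: the policy, the `Hop` structure, the trusted-spender allowlist and the sample route are all assumptions constructed for illustration, while the three canonical token addresses are the Ethereum mainnet contracts.

```python
from dataclasses import dataclass

# Canonical Ethereum mainnet token addresses (lowercased for comparison).
CANONICAL = {
    "WETH": "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2",
    "USDC": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
    "USDT": "0xdac17f958d2ee523a2206206994597c13d831ec7",
}
# Hypothetical allowlist of spenders the operator has reviewed (constructed value).
TRUSTED_SPENDERS = {"0x" + "11" * 20}

@dataclass(frozen=True)
class Hop:
    symbol: str     # symbol() reported by the token contract (attacker-controllable)
    token: str      # token contract address
    spender: str    # address that would receive the approval
    approve: int    # allowance the bot is about to grant, in base units
    amount_in: int  # amount this hop actually needs to spend

def check_hop(hop: Hop) -> list[str]:
    """Return policy violations for one hop; an empty list means the approval may proceed."""
    problems = []
    canonical = CANONICAL.get(hop.symbol.upper())
    if canonical is not None and hop.token.lower() != canonical:
        problems.append("lookalike-token")          # claims a known symbol, wrong address
    if hop.spender.lower() not in TRUSTED_SPENDERS:
        problems.append("untrusted-spender")        # approval would go to an unreviewed contract
    if hop.approve > hop.amount_in:
        problems.append("allowance-exceeds-trade")  # leaves a spendable residual allowance
    return problems

def check_route(route: list[Hop]) -> dict[int, list[str]]:
    """Map hop index -> violations; the bot should skip the route if this is non-empty."""
    return {i: p for i, hop in enumerate(route) if (p := check_hop(hop))}

# Constructed sample route: addresses other than CANONICAL entries are placeholders.
WEI = 10**18
ROUTER = "0x" + "11" * 20
SAMPLE_ROUTE = [
    Hop("WETH", CANONICAL["WETH"], ROUTER, 1 * WEI, 1 * WEI),            # passes
    Hop("USDC", "0x" + "ab" * 20, ROUTER, 0, 0),                         # fake USDC
    Hop("WETH", CANONICAL["WETH"], "0x" + "cd" * 20, 92 * WEI, 1 * WEI), # helper contract
]

if __name__ == "__main__":
    for index, problems in check_route(SAMPLE_ROUTE).items():
        print(f"hop {index}: {', '.join(problems)}")
```

Matching on address rather than on the symbol or name a contract reports is the point of the first check, since a token contract can return any symbol it likes.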

Attacker Turns Ethereum MEV Strategy Against Itself

According to Blockaid, the whole attack came down to attacker-controlled smart contracts tricking an automated execution system into granting permissions to spend tokens that were never supposed to be spent in the first place. With those permissions granted, all the attacker had to do was spend them.

This example shows that an Ethereum MEV approach built around speed and aggressive profit-taking can be exploited by malicious parties who set deceptive traps. The attacker did not go after the infrastructure but rather the bot itself.

This isn’t the first time that MEV mechanisms have come under attack. Back in 2023, it was reported that a rogue validator had managed to siphon off roughly $25 million from “sandwich bots.” The idea that sandwich attacks carry hidden costs has been the basis of criticism for years.

Blockaid and PeckShield have estimated that the loss of funds is about $7.5 million (WETH, USDC, USDT). At the same time, the bot operator estimated the potential loss of funds as ~$15 million and offered a bounty of $1 million for the recovery of the lost funds.

Everything now depends on whether the attacker accepts this offer. The case shows that no matter how sophisticated an Ethereum MEV system is, it remains exposed to enormous risks.
