MEV bot drained of $1m after attacker exploited bug
A non-atomic MEV bot was reportedly drained of $1 million through a bug in its trading logic. Further investigation shows the bot had been active for some time and had made a series of bad trades before the drain.
In a Twitter thread, Flashbots' Robert Miller explained that an attack on one bot led to the highest proposer payment of all time: a single address received 691.96 ETH. He identified the bot as a non-atomic MEV bot, one that buys tokens in one block and sells them in a later block rather than completing the round trip inside a single transaction, so it carries inventory between blocks. The bot also sandwiches occasionally, has been generally profitable, and held millions of dollars' worth of tokens (about $5 million).
He explains that the attacker, 0x000…2D4, swapped $1 million in Tether (USDT) for 325 WaBi. At first glance the pair of transactions looked like a sandwich, but the second transaction showed otherwise.
On investigation it was confirmed that 0x000…2D4's first trade was a backrun, while in the second trade the attacker was itself backrun. The exploiter took 375 ETH, paid 150 ETH to the builder, and netted 225 ETH. Miller notes that attackers sometimes send the first part of a sandwich through Flashbots and close the second part via the public mempool.
Further investigation showed that this was not the first time: 0x000…2D4 had been backrun by the bot earlier, made 370 ETH, and repeated the same process by sending the trade back into the mempool.
Miller writes that the bot has had the bug for a while, and that it was already making bad trades weeks ago. Someone, presumably 0x000…2D4, may have noticed that behaviour and laid the bait. After several bad trades the bot went off the rails and threw millions away.
Exploits in DeFi are rampant
Last September, an MEV bot known as 0xbaDc0dE lost over $1 million when a bad actor exploited a flaw in its code. 0xbaDc0dE was a mempool bot on Ethereum that had been active for a few months and had made about $220,000 from its transactions.
The bot lost over 1,100 ETH because it did not protect its "callFunction", the callback that dYdX invokes on a borrower's contract during a flash loan. Because anyone could call it, the attacker used it to make the bot issue a token approval from its own address and then moved the funds to another address. The standard mitigation is for the callback to accept calls only from the dYdX contract, and only for flash loans the bot itself initiated.
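To make the 0xbaDc0dE flaw concrete, here is an added illustration of a dYdX flash-loan callback left callable by anyone, beside a hardened version. This is example code written for this page, not the bot's actual contract (which the article does not show). Only the `callFunction(address, Account.Info, bytes)` signature and the `Account.Info` layout are dYdX's; the contract names, the `solo` and `owner` fields, and the ABI-encoded `(target, payload)` layout of `data` are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal copy of the dYdX Solo types needed for the callback signature.
library Account {
    struct Info { address owner; uint256 number; }
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical bot reproducing the unprotected-callback pattern.
contract VulnerableBot {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    // dYdX calls this during a flash loan, but nothing here checks who the
    // caller is or who started the loan. Anyone can call it directly and
    // have the bot execute arbitrary `data`, e.g. token.approve(attacker, max).
    function callFunction(address /*sender*/, Account.Info calldata, bytes calldata data) external {
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }
}

// Same bot with the checks a dYdX flash-loan callback should have.
contract HardenedBot {
    address public immutable owner;
    address public immutable solo;   // assumed: dYdX SoloMargin address, fixed at deploy
    bool private inFlashLoan;        // set only while this contract has a loan open

    constructor(address soloMargin) {
        owner = msg.sender;
        solo = soloMargin;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Entry point the operator uses to open a loan. In a real bot this would
    // build the dYdX Actions and call solo.operate(); here it only sets the
    // flag so the callback can prove the loan originated from this contract.
    function startFlashLoan(bytes calldata /*actions*/) external onlyOwner {
        inFlashLoan = true;
        // ... solo.operate(accounts, actions) would run here and re-enter via callFunction ...
        inFlashLoan = false;
    }

    // Three checks close the hole: the caller must be dYdX itself, the loan
    // must have been initiated by this contract, and a loan must actually be open.
    function callFunction(address sender, Account.Info calldata, bytes calldata data) external {
        require(msg.sender == solo, "only dYdX may call");
        require(sender == address(this), "loan not initiated by this bot");
        require(inFlashLoan, "no flash loan in progress");

        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }
}
```

Even with the caller checks in place, letting the callback perform an arbitrary `target.call(payload)` is a wide surface; a tighter design whitelists the DEX routers the bot trades through, or encodes the intended swap parameters in `data` rather than raw calldata, so that even a mistaken or replayed loan cannot be turned into an approval to a third party.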
Most recently, Euler Finance, a crypto lending platform, fell victim to a flash loan attack that caused a net loss of about $197 million.