On Tuesday night, an Ethereum MEV bot gained 800 ETH through the use of clever arbitrage, only to lose all of it and more to a hacker an hour later.
Here’s how the situation played out on-chain:
- The event began with a third-party trader mistakenly losing nearly $2 million to spreads on Uniswap v2 trade. While he initially traded in 1.8 million cUSDC, he only received 518 USDC in return.
- According to Flashbots Product Lead Robert Miller, this only created a “massive arbitrage opportunity” for another trader to swoop in and claim plenty of ETH.
- “0xbaDc0dE [the MEV bot] dutifully backran the arb in the mempool (!) in a looong arb touching many protocols,” he explained. In the end, the bot netted 800 ETH.
- However, that ETH was entirely stolen just an hour later. Miller claims the bot didn’t properly protect the function it’s used to execute dydx flashloans, leaving it vulnerable.
“When you get a flashloan the protocol you’re borrowing from will call a standardized function on your contract,” he said. “0xbaDc0dE’s code unfortunately allowed for arbitrary execution.”
- Using this vulnerability, an attacker approved all of the bot’s WETH for spending on the contract, then transferred it to his own address. That was 1,106 WETH in total, worth over $1.4 million at writing time.
- Numerous vanity addresses generated by Profanity have also been drained of roughly $1 million in ETH this month.