On Tuesday evening, an Ethereum MEV bot gained 800 ETH through clever arbitrage, only to lose all of it and more to a hacker an hour later.
Here's how the situation played out on-chain:
- The event began with a third-party trader mistakenly losing nearly $2 million to spreads on a Uniswap v2 trade. While he initially traded in 1.8 million cUSDC, he only received 518 USDC in return.
- According to Flashbots Product Lead Robert Miller, this created a “huge arbitrage opportunity” for another trader to swoop in and claim lots of ETH.
- “0xbaDc0dE [the MEV bot] dutifully backran the arb within the mempool (!) in a looong arb touching many protocols,” he explained. In the end, the bot netted 800 ETH.
- However, that ETH was entirely stolen just an hour later. Miller claims the bot didn’t properly protect the function it used to execute dYdX flashloans, leaving it vulnerable.
“If you get a flashloan the protocol you’re borrowing from will call a standardized function in your contract,” he said. “0xbaDc0dE’s code sadly allowed for arbitrary execution.”
- Using this vulnerability, an attacker approved all of the bot’s WETH for spending on the contract, then transferred it to his own address. That was 1,106 WETH in total, worth over $1.4 million at the time of writing.
- Numerous vanity addresses generated by Profanity have also been drained of roughly $1 million in ETH this month.
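
The unprotected flashloan callback Miller describes comes down to three checks a receiver contract can make before acting on the data it is handed. The contract below is an added example, not 0xbaDc0dE's code (which the article does not show): `Account.Info` and `callFunction` follow dYdX Solo Margin's callback interface, while `GuardedCallee`, `Step`, `allow` and the allowlist are hypothetical names, and it assumes the receiver itself opens the loan, so the lender reports the receiver's own address as `sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not 0xbaDc0dE's code. Account.Info and callFunction
// mirror dYdX Solo Margin's ICallee interface; all other names are hypothetical.
library Account {
    struct Info { address owner; uint256 number; }
}

contract GuardedCallee {
    address public immutable lender; // Solo Margin address, fixed at deployment
    address public immutable owner;  // deployer, manages the allowlist
    // Only these (target, selector) pairs may be invoked from the callback.
    mapping(address => mapping(bytes4 => bool)) public allowed;

    struct Step { address target; bytes payload; }

    constructor(address lender_) {
        lender = lender_;
        owner = msg.sender;
    }

    function allow(address target, bytes4 selector, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowed[target][selector] = ok;
    }

    // Invoked by the lender in the middle of a flashloan.
    function callFunction(
        address sender,
        Account.Info calldata accountInfo,
        bytes calldata data
    ) external {
        // 1. Only the lending protocol may enter the callback.
        require(msg.sender == lender, "caller is not lender");
        // 2. The loan must have been opened by this contract on its own account;
        //    without this, anyone can relay their own `data` through the lender.
        require(sender == address(this), "loan not opened by us");
        require(accountInfo.owner == address(this), "foreign account");
        // 3. Never forward supplied bytes to an arbitrary target: every step
        //    must match an allowlisted (target, selector) pair.
        Step[] memory steps = abi.decode(data, (Step[]));
        for (uint256 i = 0; i < steps.length; i++) {
            require(steps[i].payload.length >= 4, "no selector");
            bytes4 selector = bytes4(steps[i].payload); // first 4 bytes
            require(allowed[steps[i].target][selector], "call not allowlisted");
            (bool ok, ) = steps[i].target.call(steps[i].payload);
            require(ok, "step failed");
        }
    }
}
```

Keeping token `approve` selectors off the allowlist, or pinning their spender argument, closes the approve-then-transfer path described above even if one of the first two checks is later weakened.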