A well-known Ethereum MEV bot, Jaredfromsubway.eth, has been drained of approximately $7.5 million in an exploit that leveraged a transaction approval trap, according to on-chain security firm Blockaid. The attack targeted a vulnerability in the bot's router contract, forcing it to execute unfavorable sandwich trades that benefited the attacker. Blockaid first flagged the incident on its monitoring channels and shared a detailed analysis on X.
Exploit Mechanism
The attacker used custom smart contracts to trick the bot into approving and executing trades that were unprofitable for the bot but profitable for the attacker. Blockaid explained that the exploit exploited a weakness in how the bot processed transaction approvals, essentially manipulating it into a series of losing trades. The bot, known for its high gas consumption and active arbitrage strategies, was unable to detect the trap before its contract balance was drained.
Implications for Automated Bots
This incident underscores that even sophisticated MEV bots are vulnerable to protocol-level smart contract traps. Blockaid's analysis, available on X, highlights the need for continuous security auditing and vigilance, even among established Ethereum participants. The exploit serves as a reminder that automated trading systems must constantly adapt to new attack vectors, as cleverly designed traps can bypass standard safeguards.