JaredFromSubway, a well-known Ethereum MEV bot, was drained of approximately $7.5 million in an exploit involving attacker-controlled contracts. The incident occurred when the bot’s automated trading system granted token approvals to the attacker, according to security firm Blockaid. This was not a typical phishing attack or a direct bug in the victim contract, but rather an exploitation of the bot’s trading workflow.
Exploit Details
The attacker used 66 fake token contracts that mimicked the appearance and function of WETH, USDC, and USDT, paired with fake liquidity pools. These contracts tricked the bot into approving spending rights, which were later used to drain funds from the JaredFromSubway MEV bot contract. The final transaction used the open approvals to transfer WETH, USDC, and USDT from the bot contract to the attacker’s wallet.
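The failure mode described above is an approval that outlives the trade it was granted for and is later spent by a counterparty the bot never vetted. The following Python model is an added illustration and is not code from the JaredFromSubway bot, from Blockaid, or from the reporting; it does not reproduce the attacker's contracts. It uses a minimal ERC-20 approve/transferFrom model with constructed placeholder addresses (nothing here is a real mainnet address) and contrasts a weak approval policy (unlimited allowance to whatever spender the trade pairs with, never revoked) with a hardened one (spender allowlist, exact-amount approval, revocation after the trade), plus an audit helper that lists outstanding allowances. The hardened policy is a general mitigation, not something the page attributes to the bot.

```python
"""Constructed model of how open ERC-20 approvals let a counterparty drain a bot.

Added illustration only: not the JaredFromSubway bot's code, and it does not
reproduce the attacker's contracts. Every address below is a constructed
placeholder, not a real mainnet address.
"""
from dataclasses import dataclass

UNLIMITED = 2**256 - 1  # the "max uint256" approval many bots hand out by default

# Constructed allowlist: the only spenders the hardened bot will ever approve.
TRUSTED_SPENDERS = {"0xROUTER_TRUSTED"}


class Token:
    """Just enough ERC-20 to show approve / allowance / transferFrom semantics."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        # ERC-20 approve overwrites the previous allowance; approving 0 revokes it.
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Spender pulls `amount` from owner; this is the drain primitive."""
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        if allowed != UNLIMITED:  # unlimited allowances never decrement
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


@dataclass
class Bot:
    address: str
    strict: bool  # False = weak approval policy, True = hardened policy

    def trade(self, token, spender, amount):
        """Approve `spender` for the trade, let it settle, then clean up.

        The swap itself is out of scope; only the approval handling differs.
        Returns True if the bot agreed to trade with this spender at all.
        """
        if self.strict:
            if spender not in TRUSTED_SPENDERS:
                return False  # refuse to approve a spender nobody vetted
            token.approve(self.address, spender, amount)  # exact amount only
        else:
            token.approve(self.address, spender, UNLIMITED)  # weak default
        # ... the swap would execute here, consuming part or all of the allowance ...
        if self.strict:
            token.approve(self.address, spender, 0)  # revoke whatever is left
        return True


def outstanding_allowances(tokens, owner):
    """Audit check: every (symbol, spender, amount) still approved by `owner`."""
    return [
        (t.symbol, spender, amt)
        for t in tokens
        for (o, spender), amt in t.allowance.items()
        if o == owner and amt > 0
    ]


def run_scenario(strict, spender):
    """Bot holds real WETH and trades against `spender`; an attacker-controlled
    pool ("0xPOOL_EVIL") later tries to pull the whole balance."""
    bot, evil, attacker_wallet = "0xBOT", "0xPOOL_EVIL", "0xATTACKER"
    weth = Token("WETH", {bot: 1_000})  # constructed balance
    traded = Bot(bot, strict).trade(weth, spender, 10)
    # Separate, later transaction: the attacker spends whatever approval is left.
    drained = weth.transfer_from(evil, bot, attacker_wallet, 1_000)
    return {
        "traded": traded,
        "drained": drained,
        "bot_balance": weth.balances[bot],
        "open_allowances": outstanding_allowances([weth], bot),
    }


if __name__ == "__main__":
    for strict in (False, True):
        for spender in ("0xPOOL_EVIL", "0xROUTER_TRUSTED"):
            print(f"strict={strict} spender={spender}:", run_scenario(strict, spender))
```

Running the module shows the two policies side by side: under the weak policy the unvetted spender keeps an unlimited allowance after the trade and drains the full balance in a later transaction, and even the trusted router is left with an open unlimited allowance that the audit helper reports; under the hardened policy the unvetted spender is never approved, the trusted router's allowance is exact and revoked afterwards, and the audit comes back empty. The same `outstanding_allowances` check is the kind of monitor a defender can run against an operating bot's real allowances to catch approvals that should not still be open.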
Aftermath
The JaredFromSubway account put the loss at $15 million and offered a $1 million bounty for the full return of the funds. The gap between that figure and Blockaid's $7.5 million estimate has not been explained. The incident highlights the risk of token approvals granted by automated systems, and how exploitable they become when the controls around those approvals are weak.
Context
JaredFromSubway is one of Ethereum’s most watched sandwich bots, known for targeting small swaps, including one by Ethereum co-founder Vitalik Buterin in April. The exploit adds to the ongoing debate over MEV, sandwich trades, and user protection on Ethereum. The incident serves as a reminder of the importance of robust security measures and careful management of token approvals in automated trading systems.
Based on reporting from crypto.news.