Skip to content

Exploiter Front Runs $25M From MEV Bots Using Ethereum Validator

Twitter reminds us that the MEV exploit in the code is a feature, not a bug

Photo by Bj Pearce / Unsplash

Table of Contents

In smart contract land, it is well known that if there's a vulnerability in the code, it is a feature and not a bug. One sophisticated exploiter albeit with malicious intent had successfully deployed an exploit using an Ethereum validator and a Flashbots MEV-relay to drain a group of MEV bots for a total of $25 million at time of writing.

The exploiter planned the reverse-sandwich attack by essentially honey potting a group of top performing Maximal Extractable Value (MEV) bots after verifying that these bots used his validator on low-liquidity pools throughout an 18-day operation.

What are MEV bots?

MEV bots use complex algorithms to identify and exploit profitable opportunities in DeFi ecosystems. MEV bots extract profits by through arbitrage opportunities, liquidation events, and other market inefficiencies.

MEV bots leverage the transparency and programmability of blockchain networks to monitor the transaction pool and identify opportunities to extract value. These bots can detect when there are discrepancies in prices or liquidity across different platforms and execute trades to capture the profits.

What happened this time?

An Ethereum validator identified as Sandwich the Ripper prepared assets across multiple tokens and baited the targeted group of MEV bots to try to front run his transaction on low liquidity V2 Uniswap pools.

Typically, a sandwich attack happens when an MEV bot reads an incoming transaction, and front runs the order, pushing up the price of the asset for the original buyer.

The buyer pushes the price up even further through buying the same assets as originally intended. The MEV bot then sells the asset immediately after the original buyer's transaction goes through, making arbitrage profit off the buyer.

In this case, the exploiter baited the MEV bots with an exploited transaction forcing the bots to spend its WETH to arbitrage the baited assets inside a low liquidity pool while the exploiter needed not make an actual purchase transaction.

Read more: "AI Can't Live Inside a Blockchain": Fantom's Andre Cronje

The exploiter then modified the transaction order within the same block and sold all of its tokens (that it had prepared before the attack) immediately after the MEV bot had bought the baited assets. The exploiter then sold his tokens at a higher price to drain all of the WETH from the low liquidity pool, leaving the MEV bot behind with worthless tokens that it had acquired in the process.

While the exploit was simple to execute, this typically cannot happen as there are multiple safeguards in the design of the swaps. However as the exploiter was running his own validator, he had permissions to modify the parameters of the MEV-relay hosted on Flashbot.

The exploiter managed to successfully drain five MEV bots using the same strategy over 24 transactions. The exploiter has since distributed the stolen tokens into three separate wallets, with at time of writing, each respectively holding $20 mn, $2.3mn & $2.9mn.

What's happened since?

The Flashbot community has since rolled out a patch to all relays to prevent future attacks like these from happening again. While formal channels have reported the attack as 'malicious', some crypto twitter users were found on the other side of the fence, reasoning that the attack on the MEV bot was instead part of the game and that no foul play was made.  

The world of Web3 can be quite a whirlwind. Whether it’s crypto news in Singapore, South East Asia or even across the globe, we understand how busy the industry is keeping you, so we kindly send out three newsletters each week:

  • BlockBeat for a wrap-up of the week’s digital assets news
  • Blockhead Brief for weekend happenings as well as what to look forward to in the week ahead
  • Business Bulletin for macroeconomic updates and industry developments.

To avoid FOMO and access member-only features, click here to subscribe for FREE.