In a significant breach within the Ethereum network, the notorious MEV bot known as Jaredfromsubway.eth has been exploited, resulting in a loss exceeding $7.5 million. The attacker cleverly manipulated the bot’s automated trading logic to drain funds, rather than relying on traditional phishing methods or contract vulnerabilities.
The incident, reported by security firm Blockaid, unfolded over several weeks. The attacker created a series of fake token contracts and liquidity pools that mimicked legitimate assets, including wrapped ether (WETH) and stablecoins like USDC and USDT. By tricking the bot into approving these malicious contracts, the attacker gained unauthorized access to the funds.
Jaredfromsubway.eth is infamous for its involvement in sandwich attacks, a practice where an automated trader identifies pending transactions, buys ahead of them to manipulate prices, and then sells immediately after. This tactic imposes a hidden cost on users, which accumulates across numerous trades, leading to increased gas fees without benefiting the network or its participants.
Blockaid clarified that this incident was distinct from typical phishing attacks and did not stem from a simple bug in the victim’s contract. Instead, the attacker targeted the bot’s decision-making processes, exploiting its reliance on automated approvals.
Over several weeks, the attacker deployed dozens of deceptive contracts that appeared to present lucrative trading opportunities. The bot, recognizing these as potential MEV scenarios, granted approvals for the attacker-controlled contracts to transact on its behalf. Initially, these approvals were intended for legitimate trades, but the attacker later devised a strategy that allowed them to keep the approvals open, enabling the theft of substantial funds.
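A defensive check for the failure mode described above, as an added example that is not from Blockaid or the original article: it replays decoded ERC-20 `Approval` events and reports allowances a trading contract has left open. The addresses, event data, allowlist and `max_age` threshold are constructed assumptions, and allowance spent through `transferFrom` is not tracked, so reported values are upper bounds.

```python
UNLIMITED = 2**256 - 1  # common "infinite approval" value

# Constructed sample data, not taken from the incident: decoded ERC-20
# Approval(owner, spender, value) logs with placeholder addresses.
EVENTS = [
    {"block": 100, "token": "WETH", "owner": "0xBOT", "spender": "0xROUTER", "value": 5 * 10**18},
    {"block": 100, "token": "WETH", "owner": "0xBOT", "spender": "0xROUTER", "value": 0},
    {"block": 140, "token": "USDC", "owner": "0xBOT", "spender": "0xPOOL_A", "value": UNLIMITED},
    {"block": 150, "token": "USDT", "owner": "0xBOT", "spender": "0xPOOL_B", "value": 10**12},
    {"block": 150, "token": "USDT", "owner": "0xBOT", "spender": "0xPOOL_B", "value": 0},
    {"block": 900, "token": "WETH", "owner": "0xBOT", "spender": "0xPOOL_C", "value": 10**18},
    {"block": 950, "token": "USDC", "owner": "0xOTHER", "spender": "0xPOOL_A", "value": 1},
]


def open_allowances(events, owner, allowlist, head_block, max_age):
    """Report allowances granted by `owner` that are still non-zero at head_block.

    Each Approval overwrites the previous allowance for (token, spender), so
    the last event per pair is the outstanding value (an upper bound, since
    spending via transferFrom is not tracked here).
    """
    latest = {}
    # sorted() is stable, so events in the same block keep their log order.
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["owner"] == owner:
            latest[(ev["token"], ev["spender"])] = ev

    findings = []
    for (token, spender), ev in sorted(latest.items()):
        if ev["value"] == 0:
            continue  # approval was revoked after use
        reasons = []
        if spender not in allowlist:
            reasons.append("spender not allowlisted")
        if ev["value"] == UNLIMITED:
            reasons.append("unlimited allowance")
        age = head_block - ev["block"]
        if age > max_age:
            reasons.append(f"open for {age} blocks")
        if reasons:
            findings.append({"token": token, "spender": spender, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in open_allowances(EVENTS, "0xBOT", {"0xROUTER"}, head_block=1000, max_age=50):
        print(f["token"], f["spender"], "; ".join(f["reasons"]))
```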
Subsequently, the stolen assets, including WETH, USDC, and USDT, were transferred out of Jaredfromsubway.eth’s contracts, with some funds traced to Tornado Cash, a service known for obscuring transaction origins.
The irony of this exploit is striking. Jaredfromsubway.eth has long represented the detrimental effects of MEV practices on Ethereum, contributing to estimated losses of around $60 million annually for traders, with a staggering 60,000 to 90,000 sandwich attacks occurring each month. This bot has been responsible for approximately 70% of these attacks since its emergence in early 2023.
In a notable prior incident, the bot even targeted Ethereum co-founder Vitalik Buterin, executing a sandwich attack on a small trade that netted the bot a mere $4 after investing over $1 million. This highlights the bot’s aggressive strategy of scanning for any potential trades to exploit.
While this recent exploit does not diminish the harm caused by sandwich attacks, it does underscore the vulnerabilities inherent in automated trading systems that operate at high speeds based on pattern recognition. For years, Jaredfromsubway.eth profited from unsuspecting traders, but in a twist of fate, it fell victim to the very tactics it employed.
