Incident Summary
On 27 September 2022, MEV bot 0xBAD was exploited for $1,463,112.71. The MEV bot owner sent the exploiter a message congratulating them on identifying the “hard to spot” vulnerability, offering them a 20% bounty in return for no legal action, and setting a deadline of 23:59 PM UTC on 28 September 2022.

Before it was exploited, the MEV bot had frontrun a transaction, turning just $11 USDT into ~$150k. The trade that was frontrun was a $1.8 million swap from cUSDC > WETH > USDC. Due to a price dip during the transactions, that $1.8 million swap returned just ~$500 USDC. After the MEV bot exploit became publicized, the wallet owner of the initial trade messaged the MEV exploiter pleading for the return of their funds, explaining that they had mistakenly triggered the swap when they really meant only to unwrap their tokens.

Attack Flow
The MEV bot code is not open-source which makes it difficult to see exactly how the exploit was pulled off. If we analyze the execution trace we can determine the following steps:
The exploiter's EOA (externally owned account) calls contract.execute on the exploit contract.
The exploit contract calls dydx SoloMargin.operate with an action of actionType = 8 (Call), which SoloMargin handles as ICallee(args.callee).callFunction().
SoloMargin.operate delegatecalls dydx OperationImpl.operate.
Within that delegatecall, MEVBot.callFunction is invoked with attacker-supplied calldata whose function selector (bytes4) is WETH9.approve(exploit contract, wad). The MEV bot executed that call, giving the attack contract an approval over its WETH, and 1,101 ETH was sent to the exploiter's wallet.
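The bot's code is closed, so its actual callFunction cannot be shown. The following is an added, hypothetical dydx flash-loan callee (not the bot's code and not dydx's) that illustrates the checks such a hook needs before acting on the data SoloMargin hands it: that msg.sender is the SoloMargin contract, that the operation was initiated by the contract itself, and that the data is interpreted as a narrow allow-listed operation rather than executed as raw calldata. The struct mirrors the field layout of dydx's Account.Info; the solo address, the op encoding and IERC20 are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example: a guarded dydx callee. Not the MEV bot's code.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

contract GuardedCallee {
    // Same field layout as dydx's Account.Info, declared locally so this file is self-contained.
    struct AccountInfo { address owner; uint256 number; }

    address public immutable solo;   // assumed: address of the dydx SoloMargin contract
    address public immutable owner;  // the bot operator
    bool private inOperation;        // true only while an operate() this contract started is running

    constructor(address solo_) { solo = solo_; owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Operator entry point: starts a SoloMargin operation whose Call action targets this contract.
    // The operate() encoding is left to the caller; the point here is the flag set around the call.
    function startOperation(bytes calldata soloCalldata) external onlyOwner {
        inOperation = true;
        (bool ok, ) = solo.call(soloCalldata);
        inOperation = false;
        require(ok, "operate failed");
    }

    // dydx's ICallee hook. A Call action (actionType 8) reaches here with `sender` set to whoever
    // called SoloMargin.operate. Without the checks below, anyone can make SoloMargin deliver
    // attacker-chosen `data` to this function, which is the failure mode described in the incident.
    function callFunction(address sender, AccountInfo memory, bytes memory data) external {
        require(msg.sender == solo, "caller is not SoloMargin");           // only the real SoloMargin
        require(sender == address(this), "operation not self-initiated");  // initiated by this contract
        require(inOperation, "no operation in flight");                     // and one we actually started

        // Decode an allow-listed operation instead of forwarding raw calldata to an arbitrary target.
        (uint8 op, address token, address spender, uint256 amount) =
            abi.decode(data, (uint8, address, address, uint256));
        require(op == 1, "unknown op");                       // 1 = approve (assumed encoding)
        require(spender == solo, "spender must be SoloMargin"); // never approve an arbitrary address
        require(IERC20(token).approve(spender, amount), "approve failed");
    }
}
```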

On-Chain Activity
We were first drawn to this incident by what on the surface looks like a horrific trade, in which $1.8m is swapped for ~$500 in stablecoins.

In this trade we can see that 0x430a sends $1.8m cUSDC to Uniswap and receives $528 stablecoins in return.
MEV bot 0xBAD snipes this trade in the below transactions.


Just a couple of hours later we see a WETH transaction worth $1,463,112.71 being sent to 0xB9F7 via an unknown function. This is the exploit transaction.

Despite the MEV bot owner's message to the exploiter asking for the return of their funds, the owner did not garner much sympathy from the crypto community.
MEV is highly unpopular among just about everyone who doesn't operate an MEV bot. Ethereum's high fees and congestion issues coupled with a vibrant DeFi ecosystem give MEV bots plenty of opportunities to front run profitable trades.
Many users have had value extracted from their trades, which is an unpleasant but largely unavoidable experience.
Users vented their frustration with MEV by congratulating the exploiter in transaction messages:


Others took the opportunity to ask for a slice of the pie:

It remains to be seen how exactly the exploiter managed to get the MEV bot to transfer 1,101 wETH to their address. But many users who have fallen victim to value extraction in the past are cheering this attack. As they say, what goes around comes around.