MEV Bot 0xBAD... Incident Analysis
9/28/2022

TL;DR

MEV bot 0xBAD... was exploited for $1,463,112.71 by 0xB9F78... Whilst both the exploiter and the MEV bot contracts are unverified, the transaction flow shows that the exploit contract was approved by 0xBAD to transfer 1,101 ETH. Shortly before, this MEV bot had itself frontrun a transaction in which it gained $150k from just $11 USDT. The MEV exploiter (0xB9F78) has been widely praised, a reflection of how unpopular MEV is.

What is MEV?

MEV stands for "miner extractable value" or "maximal extractable value." Miners, or more accurately validators now that Ethereum has switched to Proof of Stake, have the power to sequence transactions within blocks. This ability to reorder transactions means they can frontrun users' transactions. One of the most common forms of MEV is called a sandwich attack, where a validator sees that someone is trying to buy a certain asset, so they insert a transaction of their own ahead of the original transaction, buy the asset, and then sell it to the original purchaser at a markup. They have extracted value from this user, who is often none the wiser that they didn't get the price they were expecting. MEV bots that repeat these kinds of transactions many times over can make hefty profits.

A (very) simplified example explains the principle behind MEV. If a token was priced at $1 and you bought $1 million worth, you'd expect to get 1 million tokens (ignoring fees). But if an MEV bot spots your pending transaction before it is included in a block, it will buy X amount of tokens for $1 before you can. The price now increases to $2 (for the sake of this example) before your trade executes, so you end up only receiving 500,000 tokens. Your swap also increases the price to $3. The MEV bot will now sell the tokens it bought for a higher price.
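The same principle on a constant-product (x*y=k) pool, which is how the prices in the example actually move on a DEX, as an added illustration with constructed numbers (this is not code from the incident or from CertiK; the pool is fee-free by assumption). It runs the front-run, the victim's swap and the back-run, and then runs the same sequence again with the victim setting a minimum-output (slippage) guard, which is the one control an ordinary user has against being sandwiched:

```python
"""Constant-product AMM sandwich model. Added illustration with constructed
numbers; it is not code from the incident or from CertiK."""
from typing import Optional


class SlippageExceeded(Exception):
    """Raised when a swap would return less than the trader's minimum."""


class Pool:
    """A fee-free x*y=k pool of USDC and TOKEN (the fee is omitted as a simplifying assumption)."""

    def __init__(self, usdc: int, token: int) -> None:
        self.usdc = usdc
        self.token = token

    @staticmethod
    def quote(amount_in: int, reserve_in: int, reserve_out: int) -> int:
        # x*y = k  =>  out = reserve_out * in / (reserve_in + in), floored like EVM integer math
        return reserve_out * amount_in // (reserve_in + amount_in)

    def buy_token(self, usdc_in: int, min_out: int = 0) -> int:
        """Swap USDC for TOKEN; revert (raise) if the output is below min_out."""
        out = self.quote(usdc_in, self.usdc, self.token)
        if out < min_out:
            raise SlippageExceeded(f"would receive {out} TOKEN, below min_out {min_out}")
        self.usdc += usdc_in
        self.token -= out
        return out

    def sell_token(self, token_in: int, min_out: int = 0) -> int:
        """Swap TOKEN for USDC; revert (raise) if the output is below min_out."""
        out = self.quote(token_in, self.token, self.usdc)
        if out < min_out:
            raise SlippageExceeded(f"would receive {out} USDC, below min_out {min_out}")
        self.token += token_in
        self.usdc -= out
        return out


def simulate_sandwich(victim_usdc: int, bot_usdc: int,
                      reserve: int = 1_000_000,
                      slippage_bps: Optional[int] = None) -> dict:
    """Run front-run / victim swap / back-run against a fresh pool and report the outcome.

    slippage_bps is the victim's tolerance: None means no minimum (as in the text's
    example); 100 means "revert if I get 1% less than the quote I saw".
    """
    honest_out = Pool.quote(victim_usdc, reserve, reserve)   # the quote the victim saw
    min_out = 0 if slippage_bps is None else honest_out * (10_000 - slippage_bps) // 10_000

    pool = Pool(reserve, reserve)
    bot_tokens = pool.buy_token(bot_usdc)               # 1. bot buys ahead of the victim
    try:
        victim_out: Optional[int] = pool.buy_token(victim_usdc, min_out)   # 2. victim's swap
        reverted = False
    except SlippageExceeded:
        victim_out, reverted = None, True                # the guard rejected the worse price
    bot_usdc_back = pool.sell_token(bot_tokens)         # 3. bot sells into the moved price

    return {
        "honest_out": honest_out,
        "min_out": min_out,
        "victim_out": victim_out,
        "reverted": reverted,
        "bot_profit": bot_usdc_back - bot_usdc,
    }


if __name__ == "__main__":
    print(simulate_sandwich(100_000, 50_000))                    # victim unprotected
    print(simulate_sandwich(100_000, 50_000, slippage_bps=100))  # victim set a 1% tolerance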

MEV Bot OxBAD... Incident Analysis

Incident Summary

On 27 September 2022, MEV bot 0xBAD was exploited for $1,463,112.71. The MEV bot owner sent the exploiter a message, congratulating them on identifying the “hard to spot” vulnerability and offering them a 20% bounty in return for no legal action and set a deadline of 23:59 PM UTC on 28 September 2022.

MEV Bot Text 1

Before the MEV bot was exploited, it had frontrun a transaction in which they were able to gain ~$150k from just $11 USDT. The trade that was frontrun was a $1.8 million swap from cUSDC > WETH > USDC. Due to a price dip during the transactions that $1.8 million resulted in a swap for just ~$500 USDC. After the MEV bot exploit became publicized, the wallet owner of the initial trade messaged the MEV exploiter pleading for the return of their funds, explaining that they had mistakenly triggered the swap when they really meant just to unwrap their tokens.

MEV Bot text2

Attack Flow

The MEV bot code is not open-source which makes it difficult to see exactly how the exploit was pulled off. If we analyze the execution trace we can determine the following steps:

  1. The exploiter EOA (externally owned address) calls contract.exexute on the exploit contract

  2. The exploit contract calls dydx.SoloMargin.operate, params actionType = 8 corresponding to ICallee(args.callee).callFunction()

  3. The dydx.SoloMargin.operate triggers delegateCall dydx.OperationImpl.operate

  4. The delegateCall is MEVBot.callFunction(byte4), byte4 is WETH9.approve(exploit contract,wad). The attack contract obtained approval and 1,101 ETH was sent to the exploiter's wallet.

MEV Transaction 1

On-Chain Acitivy

We are first drawn to this incident by what looks to be on the surface a horrific trade in which $1.8m is swapped for ~$500 in stablecoins.

MEV Transaction 2

In this trade we can see that 0x430a sends $1.8m cUSDC to Uniswap and receives $528 stablecoins in return.

MEV bot 0xBAD snipes this trade in the below transactions.

MEV Transaction 3

MEV2.5

Just a couple of hours later we see a WETH transaction worth $1,463,112.71 being sent to 0xB9F7 via an unknown function. This is the exploit transaction.

MEV Exploit

Despite the MEV bot owner's message to the exploiter asking for the return of their funds, they did not garner much sympathy from the crypto community.

MEV is highly unpopular among just about everyone who doesn't operate an MEV bot. Ethereum's high fees and congestion issues coupled with a vibrant DeFi ecosystem give MEV bots plenty of opportunities to front run profitable trades.

Many users have had value extracted from their trades, which is an unpleasant but largely unavoidable experience.

Users vented their frustration with MEV by congratulating the exploiter in transaction messages:

congrats1

congrats2

Others took the opportunity to ask for a slice of the pie:

congrats3

It remains to be seen how exactly the exploiter managed to get the MEV bot to transfer 1,101 wETH to their address. But many users who have fallen victim to value extraction in the past are cheering this attack. As they say, what goes around comes around.