An MEV bot operator made 800 ETH in a single transaction on Sept. 28, before losing a whopping 1,100 ETH just one hour later, according to Bert Miller, the product lead of Flashbots, an MEV research team.
Miller flagged the transactions on Twitter. He said the address in question, which begins with the alphanumeric code ‘0xbaDc0dE’, executed 220,000 transactions over the past few months. The activity was highly indicative of MEV bot behavior.
“Imagine making 800 ETH in a single arb … and an hour later then losing 1100 ETH to a hacker,” Miller tweeted. “Stay safe and protect your execution functions.”
MEV, or Maximal Extractable Value, is a technique used by validators and bot operators to capture excess value from the slippage or spread enabled by on-chain transactions on decentralized blockchains. MEV searchers work with validators to reorder or front-run transactions to take advantage of the maximum fees or slippage allowed by Ethereum users.
While MEV is often seen as risk-free, 0xbaDc0dE’s debacle appears to show that it is not.
Miller said the address took advantage of a user who tried to sell $1.8M worth of cUSDC — tokens allowing holders to withdraw USDC deposited into Compound, the money market dApp — on Uniswap v2, despite the pairing being highly illiquid.
Sandwiching the Transaction
The unlucky seller received just $500 from the transaction. However, 0xbaDc0dE pocketed 800 ETH ($1.02M) by sandwiching the transaction with an elaborate arbitrage trade involving many different DeFi dApps.
But just one hour later, all of 0xbaDc0dE’s ETH was apparently stolen, with a hacker netting 1,101 ETH ($1.4M) from the wallet. Miller noted that 0xbaDc0dE had failed to protect the function they used to execute flashloans on the dYdX exchange.
“When you get a flashloan, the protocol you’re borrowing from will call a standardized function on your contract,” Miller said. “0xbaDc0dE’s code unfortunately allowed for arbitrary execution. The attacker used this to get 0xbaDc0dE to approve all of their WETH for spend[ing] on their contract.”
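One way to protect the kind of callback Miller describes, as an added example that is not code from 0xbaDc0dE, Flashbots or dYdX. The callback signature follows dYdX Solo Margin's ICallee interface; the contract name, the constructor arguments and the layout of `data` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Struct shape used by dYdX Solo Margin's callback.
library Account {
    struct Info {
        address owner;
        uint256 number;
    }
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical receiver contract: names and data layout are assumptions.
contract GuardedFlashloanReceiver {
    address public immutable pool; // lending protocol, fixed at deployment
    IERC20 public immutable weth;  // token that is borrowed and repaid

    constructor(address pool_, IERC20 weth_) {
        require(pool_ != address(0) && address(weth_) != address(0), "zero address");
        pool = pool_;
        weth = weth_;
    }

    // Called by the lending protocol in the middle of the loan.
    function callFunction(
        address sender,
        Account.Info memory, // unused here
        bytes memory data
    ) external {
        // 1. Only the lending protocol itself may invoke the callback.
        require(msg.sender == pool, "caller is not the pool");
        // 2. The loan must have been opened by this contract, not by a
        //    third party who named this contract as the callee.
        require(sender == address(this), "loan not initiated by us");
        // 3. Treat `data` as a fixed schema (here: the repayment amount),
        //    never as a target address plus calldata to forward.
        uint256 repayAmount = abi.decode(data, (uint256));
        // The only allowance this callback can grant goes to the pool.
        require(weth.approve(pool, repayAmount), "approve failed");
    }
}
```

With both `require` checks in place, a loan opened by any other address reverts before the callback touches token allowances.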
PeckShield, the blockchain security firm, also spotted the transaction. They posted on-chain messages sent between 0xbaDc0dE and their attacker.
0xbaDc0dE demanded that the funds be returned by the end of Sept. 28, offering to give the attacker 20% of the funds should they comply.
“Congratulations on this, we got careless and you sure managed to get us good,” 0xbaDc0dE said. “Should the funds not be returned by then, we will have no choice but to pursue accordingly with everything in our power with the appropriate authorities to retrieve our funds,” they threatened.
But the hacker appears unperturbed, responding, “what about normal people who you have MEV’ed and literally f***ed them? Will you return them?”
They sarcastically offered to return 1% of the stolen funds should 0xbaDc0dE return all profits generated through MEV to unsuspecting Ethereum users by the end of the same day.
Flashbots develops software designed to reduce barriers to becoming an MEV searcher and to share the profits gleaned through MEV extraction with Ethereum’s broader validator community.
The team came under fire last month when it confirmed it would be complying with U.S. Treasury Department sanctions targeting the crypto mixing service, Tornado Cash. Flashbots responded by open-sourcing some of the code for its MEV-Boost software, which enables the extraction of MEV from Proof of Stake Ethereum transactions.
On Sept. 27, Toni Wahrstatter, an Ethereum researcher, reported that zero transactions interacting with Tornado Cash contracts have been included in blocks produced using the MEV-Boost software to date.