An MEV bot gained massive profits worth $1 million by seizing an arbitrage opportunity. However, it was tricked into authorizing a malicious transaction that drained the funds.
An Ethereum arbitrage trading bot managed to hit the jackpot and lose it all on the same day in an ironic turn of events in decentralized finance (DeFi).
In a Twitter thread, Robert Miller, who works at the research firm Flashbots, shared how a Maximal Extractable Value (MEV) bot with the prefix 0xbadc0de was able to earn 800 Ether (ETH), around $1 million, through arbitrage trades.
According to Miller, the bot took advantage of a huge arbitrage opportunity that came when a trader attempted to sell $1.8 million in cUSDC through the decentralized exchange (DEX) Uniswap v2 and only got $500 worth of assets in return. The bot detected this chance and immediately sprung to action and gained massive profits.
However, only an hour later, a hacker exploited a vulnerability in 0xbadc0de’s “bad code” and tricked it into authorizing a transaction that drained its balance of 1,101 ETH, which was around $1.41 million at the time of writing.
#MEV A very profitable MEV bot, internally named as 0xbad, was somehow tricked/hacked with 1,101 ETH loss (~$1.45M) in the following tx: https://t.co/FxXSY8AyhX
— PeckShield Inc. (@peckshield) September 27, 2022
According to the blockchain security firm PeckShield, the bug can be traced back to the bot’s callback routine, and this was exploited by the hacker to approve an arbitrary address for spending.
Related: Pantera CEO bullish on DeFi, Web3 and NFTs as Token2049 gets underway
On Sept. 18, a vulnerability in Profanity, an Ethereum vanity address generator, was exploited, draining $3.3 million in funds from various wallets. Investigations done by the decentralized exchange (DEX) aggregator 1inch Network highlighted that there was ambiguity in terms of the creation of the wallets. The DEX warned users that their wallets were at risk and urged them to transfer their assets.
More than a week later, another vanity wallet address was exploited and drained of almost $1 million worth of ETH. After stealing the funds, the hackers immediately sent them to the controversial crypto mixer Tornado Cash.