Ouch: this bot made 800ETH then lost 1100ETH to hacker
Public service announcement: just because the Merge happened doesn’t mean that MEV attacks are history. Vulnerabilities persist. Remember: code is king, so make sure yours is not going to leave you caught with your pants down and your ETH drained. One arbitrage bot just learned that the hard way, as detailed by Bert Miller, who spotted the incident and wrote about it in a Twitter thread we’re paraphrasing for you here.
Those of you familiar with mempool bots may recognize this one, as it has been very active trying to arbitrage ETH transactions. We’re talking around 220,000 transactions over just the past few months, all likely either launching or trying to cancel arbitrage transactions. Its full address is: 0xbadc0defafcf6d4239bdf0b66da4d7bd36fcf05a.
On September 27th, somebody tried to swap out of $1.8m in cUSDC on Uniswap v2 (why not v3?). As you can imagine, the low liquidity there for such a large order was not good news for that person, and they were only able to get around $500 out of it. What about the rest? Well…
Our “friend” 0xbaDc0dE ran a pretty impressively long multi-touch arbitrage to take advantage of that person’s slip-up. And take advantage it did: to the tune of around 800 ETH in profit from just one arbitrage. Enough for most of us, extended families included, to retire on.
The fortune reversal
But hey, easy come, easy go, right? Barely an hour had passed before 0xbaDc0dE not only lost the 800 ETH profit, but also an additional 300 ETH of its previous funds, for a grand total of 1100 ETH (equivalent to roughly $1.5M at that time). Talk about a short-lived triumph.
How 0xbaDc0dE got hacked
You’d think that a bot designed for taking advantage of opportunities would have solid enough code to prevent others from taking advantage of it. But you’d be wrong, because our friend left its “callFunction” callable by anyone, with no check on who was invoking it. This was a big oversight: the bot needed dYdX to call “callFunction” as the callback of the flash loans powering its arbitrage plays, but nothing restricted that callback to dYdX, so anyone could hand the bot arbitrary actions to execute.
This gave the attacker an opportunity to make the bot approve the WETH sitting in its contract for spending, and then transfer it to the hacker’s wallet.
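To make the defect concrete, here is an added example (not the bot’s code, and not dYdX’s) showing an unguarded flash-loan callback next to a guarded one. The interfaces are trimmed stand-ins that mirror the shape of dYdX Solo’s callback (callFunction receives the address that initiated the operation, an account struct, and opaque data); the contract and function names are invented for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal stand-ins for what a dYdX flash-loan receiver touches. These are
// assumptions trimmed for this example, not copied from dYdX or the bot.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

library Account {
    struct Info { address owner; uint256 number; }
}

// Shape of the callback the dYdX margin contract invokes on a receiver:
// `sender` is whoever started the operation, `data` is the receiver's payload.
interface ICallee {
    function callFunction(address sender, Account.Info memory accountInfo, bytes memory data) external;
}

// BEFORE: anyone can call callFunction directly and have the contract execute
// whatever actions they encoded in `data`, including ERC-20 approvals of the
// contract's own balance. This is the class of defect described above.
contract UnprotectedArbBot is ICallee {
    function callFunction(address, Account.Info memory, bytes memory data) external override {
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(payload);   // executes the caller-chosen action
        require(ok, "inner call failed");
    }
}

// AFTER: the callback only runs when the dYdX margin contract is the caller
// AND the operation was initiated by this contract itself, so `data` can only
// be a payload this contract built when it started the loan.
contract ProtectedArbBot is ICallee {
    address public immutable soloMargin;   // dYdX margin contract, set at deploy
    address public immutable owner;

    constructor(address _soloMargin) {
        soloMargin = _soloMargin;
        owner = msg.sender;
    }

    function callFunction(address sender, Account.Info memory, bytes memory data) external override {
        require(msg.sender == soloMargin, "caller is not dYdX");
        require(sender == address(this), "loan not initiated by this contract");
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(payload);
        require(ok, "inner call failed");
    }

    // Moving the contract's own tokens is an operator action, never something
    // a callback payload should be able to trigger.
    function withdraw(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(IERC20(token).transfer(owner, amount), "transfer failed");
    }
}
```

Two points worth noting. The second require (sender == address(this)) only helps if the entry point that actually starts the flash loan is itself restricted to the operator; if anyone can trigger the loan with their own payload, the callback guard is moot. And a simpler design sidesteps the whole class: rather than decoding an arbitrary target and calldata, encode only a small set of known actions in `data` and dispatch on them, so the callback can never be turned into a generic “execute anything” function.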
But hey, good job by the hacker to spot 0xbaDc0dE’s arbitrage and make its own arbitrage of 1100 WETH into its wallet.
Moral of the story: protect your code. If you’re not 200% sure you’re up to it yourself, talk to experts. We happen to have a full team of them.