Ouch: this bot made 800ETH then lost 1100ETH to hacker

Public service announcement: just because the Merge happened doesn’t mean that MEV attacks are history. Vulnerabilities persist. Remember: code is king, so make sure yours is not going to leave you caught with your pants down and your ETH drained. One arbitrage bot just learned that the hard way, as detailed by Bert Miller, who spotted the incident and wrote about it in this Twitter thread we’re paraphrasing for you

Meet 0xbaDc0dE

Those of you familiar with memepool bots may recognize this one as it has been very active trying to arbitrage ETH transactions. We’re talking around 220,000 transactions just over the past few months, all likely either launching or trying to cancel arbitrage transactions. Its full address is: 0xbadc0defafcf6d4239bdf0b66da4d7bd36fcf05a.

The opportunity

On September 27th, somebody tried to swap out of $1.8m in cUSDC on Uniswap v2, (why not v3?). As you can imagine, the low liquidity there for such a large order was not good news for the person and they were only able to get around $500. What about the rest? Well…

The arbitrage

Our “friend” 0xbaDc0dE ran some pretty impressively long multi-touch arbitrage to take advantage of that person’s slip up. And take advantage he did: to the tune of around 800 ETH in profit from just one arbitrage. Enough for most of us to retire on ourselves and with our extended families.

The fortune reversal

But hey, easy come — easy go, right? Barely an hour has passed and 0xbaDc0dE not only lost the 800 ETH profit, but also an additional 300 ETH of its previous funds for a grand total of 1100 ETH (equivalent to roughly $1.5M at that time). Talk about short-lived triumph.

How 0xbaDc0dE got hacked

You’d think that a bot designed for taking advantage of opportunities would have solid enough code to prevent others from taking advantage of itself. But you’d be wrong because our friend left its “callFunction” unprotected from arbitrary execution. This was a big oversight since the bot needed dYdX to call the “callFunction” as part of providing flash loans for the bot’s arbitrage play.

This gave the attacker an opportunity to approve the WETH in the bot’s contract and then transfer it to the hacker’s wallet.

Tx: 0x59ddcf5ee5c687af2cbf291c3ac63bf28316a8ecbb621d9f62d07fa8a5b8ef4e

Tx: 0x631d206d49b930029197e5e57bbbb9a4da2eb00993560c77104cd9f4ae2d1a98

But hey, good job by the hacker to spot 0xbaDc0dE’s arbitrage and make its own arbitrage of 1100 WETH into its wallet.

Moral of the story: protect your code. If you’re not 200% sure you’re up to it yourself, talk to experts. We happen to have a full team of them.