Earn $1 Million and Lose It in an Hour

MEV bot, arbitrage. Before moving on to the story, let's remember (or find out for the first time) what these concepts mean.

MEV is short for Maximal Extractable Value (formerly Miner Extractable Value). What does this mean? This is an indicator that shows the profit of a miner (or validator) from including, excluding or changing the order of transactions in the block being created.

Now, let's turn to the great Wikipedia for a concise definition of the word “arbitrage”:

“In economics and finance, arbitrage is the practice of taking advantage of a difference in prices in two or more markets; striking a combination of matching deals to capitalise on the difference, the profit being the difference between the market prices at which the unit is traded.”

Simply put, arbitrage is an opportunity to instantly buy something at a low price and sell at a high price. Manually, of course, it is not very convenient to do this. That's why MEV bots were invented. These are bots that automatically search for and use an arbitrage opportunity. Thereby, earning profit for the owner.

Great, we've sorted out the terms, let's talk about the story.

Robert Miller, an employee of the research and development organization Flashbots, earned 800ETH on his MEV bot with the prefix 0xbaDc0dE in one arbitrage. But Robert was not happy for a long time, because an hour later a hacker stole 1100ETH from the bot. Robert told this sad story on his Twitter.

It all started with an incredible profitable arbitrage opportunity. Someone tried to sell $1.8 million in cUSDC on Uniswap V2, receiving about $500 in return.

Robert's MEV bot did not miss a great opportunity and brought Robert 800ETH.

But fortune did not stay on Robert's side for long. An hour later, an unknown hacker stole all the funds of the bot – 1100ETH.

Robert suggested that the vulnerability was that the bot did not protect the function used to execute dYdX flashloans well enough.

PeckShield Inc., a blockchain security and data analytics company, also wrote about this vulnerability of the 0xbaDc0dE bot. The company analysed the situation and concluded that the error “is part of the MEV bot's callback routine, i.e., CallFunction(), which was exploited to approve an arbitrary address for spending.”

The vulnerability helped the hacker steal all of the bot's funds.

As Robert correctly pointed out, “bad code, great content.” Be careful, dear readers, always check your code. And we continue to observe.