MEV bot earns $1M but loses everything to a hacker an hour later

An Ethereum arbitrage trading bot managed to hit the jackpot and lose it all on the same day in an ironic turn of events in decentralized finance (DeFi). 

In a Twitter thread, Robert Miller, who works at the research firm Flashbots, shared how a Maximal Extractable Value (MEV) bot with the prefix 0xbadc0de was able to earn 800 Ether (ETH), around $1 million, through arbitrage trades.

According to Miller, the bot took advantage of a huge arbitrage opportunity that came when a trader attempted to sell $1.8 million in cUSDC through the decentralized exchange (DEX) Uniswap v2 and only got $500 worth of assets in return. The bot detected this chance and immediately sprung to action and gained massive profits.

However, only an hour later, a hacker exploited a vulnerability in 0xbadc0de’s “bad code” and tricked it into authorizing a transaction that drained its balance of 1,101 ETH, which was around $1.41 million at the time of writing.

#MEV A very profitable MEV bot, internally named as 0xbad, was somehow tricked/hacked with 1,101 ETH loss (~$1.45M) in the following tx: https://t.co/FxXSY8AyhX

— PeckShield Inc. (@peckshield) September 27, 2022

According to the blockchain security firm PeckShield, the bug can be traced back to the bot's callback routine, and this was exploited by the hacker to approve an arbitrary address for spending. 

Related: Pantera CEO bullish on DeFi, Web3 and NFTs as Token2049 gets underway

On Sept. 18, a vulnerability in Profanity, an Ethereum vanity address generator, was exploited, draining $3.3 million in funds from various wallets. Investigations done by the decentralized exchange (DEX) aggregator 1inch Network highlighted that there was ambiguity in terms of the creation of the wallets. The DEX warned users that their wallets were at risk and urged them to transfer their assets.

More than a week later, another vanity wallet address was exploited and drained of almost $1 million worth of ETH. After stealing the funds, the hackers immediately sent them to the controversial crypto mixer Tornado Cash. 

Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'   Feb. 3, 2022
STEPN impersonators stealing users' seed phrases, warn security experts   April 25, 2022
Rari Fuze hacker offered $10M bounty by Fei Protocol to return $80M loot   May 1, 2022
DeFi exploits and access control hacks cost crypto investors billions in 2022: Report   Feb. 13, 2023
Hope Finance exploit results in $2M stolen from users' funds   Feb. 21, 2023