This MEV bot gained and lost over $1M in 1 hour
Maximal Extractable Value (MEV) bot 0xbaDc0dE lost over $1 million after hackers exploited a flaw in its code.
Imagine making 800 ETH in a single arb
…and an hour later I lose 1100 ETH to hackers
This is the story of 0xbaDc0dE, a MEV bot who won and lost everything in the last few hours tonight.
— @bertcmiller ⚡️🤖 (@bertcmiller) September 27, 2022
Flashbots' Robert Miller explained that 0xbaDc0dE was a mempool bot active on ETH over the past few months, making transactions worth around $220,000.
The bot got its big break after a user attempted to sell $1.8 million worth of cUSDC on Uniswap V2 and received only around $500 in return, which created a massive arbitrage opportunity.
According to Miller, 0xbaDc0dE took advantage of this opportunity and made a hefty profit of 800 ETH.
However, the euphoria was short-lived, as a code flaw caused the MEV bot to lose around $1.4 million, more than 1100 ETH, after an hour.
Miller said:
“0xbaDc0dE did not appear to properly protect the functionality used to execute the dYdX flash loan.”
Hackers exploited “callFunction”, a function called by the dYdX router as part of flash loan execution; the MEV bot's code for this function allowed arbitrary execution.
So the hackers had the bot approve the transaction and move all the funds to another address.
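One way to guard a dYdX flash loan callback of the kind Miller describes, as an added example that is not 0xbaDc0dE's code and does not come from the article. Only `callFunction` and its dYdX callee signature come from the protocol; the contract name, `ArbParams`, `allowedPools`, `setPool` and `ArbRequested` are hypothetical, and the example assumes the bot contract itself initiates the loan.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. All names except callFunction are hypothetical.
library Account {
    struct Info { address owner; uint256 number; }
}

contract GuardedFlashLoanReceiver {
    address public immutable soloMargin; // dYdX contract that delivers the callback
    address public immutable owner;      // operator who configures the bot
    mapping(address => bool) public allowedPools;

    // Fixed-shape payload: strategy parameters only, never a target plus calldata.
    struct ArbParams { address pool; uint256 amountIn; uint256 minProfit; }

    event ArbRequested(address indexed pool, uint256 amountIn, uint256 minProfit);

    constructor(address soloMargin_) {
        soloMargin = soloMargin_;
        owner = msg.sender;
    }

    function setPool(address pool, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedPools[pool] = allowed;
    }

    // Callback invoked by dYdX while the flash loan is executing.
    function callFunction(
        address sender,
        Account.Info memory, // account info is not used in this example
        bytes memory data
    ) external {
        // 1. Only the dYdX contract may deliver the callback.
        require(msg.sender == soloMargin, "caller is not dYdX");
        // 2. The loan must have been started by this contract, not a third party.
        require(sender == address(this), "loan not self-initiated");
        // 3. Decode into the fixed struct and validate it before acting on it.
        ArbParams memory p = abi.decode(data, (ArbParams));
        require(allowedPools[p.pool], "pool not allowlisted");
        emit ArbRequested(p.pool, p.amountIn, p.minProfit);
        // Strategy execution would follow here, limited to allowlisted pools.
    }
}
```

Without checks 1 and 2, anyone can trigger the callback with a payload of their choosing, and a callback that forwards that payload as a call lets the caller make the bot issue token approvals or transfers.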
Recent incidents have shown how malicious players are taking advantage of vulnerabilities found in the code of crypto projects. Billions of dollars have been lost to hackers exploiting these vulnerabilities this year alone.
Most recently, ethical hackers rescued Arbitrum from an exploit that could have resulted in nearly $500 million in losses due to an initialization-related vulnerability.