An MEV bot has taken advantage of a huge arbitrage opportunity, but it lost its treasure due to bad code. It still managed to earn 800 ETH. Here are the details…
A bot won 800 ETH
On Tuesday night, an Ethereum MEV bot earned 800 ETH using smart arbitrage. But an hour later it lost all of it, and even more, to a hacker. The event started with Uniswap v2 transactions that a third-party trader made by accident. The trader lost about $2 million to spreads on the trading platform, initially trading 1.8 million cUSDC but receiving only 518 USDC in return.
According to Flashbots Product Lead Robert Miller, this just created a “huge arbitrage opportunity” for another trader to step in and claim plenty of ETH. “The 0xbaDc0dE (MEV bot) dutifully rushed back to the opportunity in the mempool,” Miller explained.
Hacker stole $1.4 million
As a result, the bot earned 800 ETH. However, this Ethereum was completely stolen just an hour later. Miller notes that the bot did not properly protect the function it uses to execute dYdX (DYDX) flash loans, and says this left it vulnerable. Miller put it this way:
“When you get a flash loan, the protocol you borrow from will look for a standard function in your contract. 0xbaDc0dE’s code unfortunately allowed arbitrary execution.”
An attacker who exploited this vulnerability had the bot's entire WETH balance approved for spending on the contract, then forwarded it to his own address. The total came to 1,106 WETH, currently worth over $1.4 million.
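The callback weakness Miller describes can be closed with three checks, shown here in an added example that is not the bot's code (the article does not show it). The contract, variable and event names are hypothetical; only the `callFunction` signature follows dYdX Solo's callback interface, and the SoloMargin address is assumed to be supplied at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: contract, variable and event names are hypothetical.
// Only the callFunction signature follows dYdX Solo's callback interface.
library Account {
    struct Info { address owner; uint256 number; }
}

contract GuardedFlashLoanReceiver {
    address public immutable owner;      // operator allowed to start a loan
    address public immutable soloMargin; // lending protocol, fixed at deploy time
    bool private loanInProgress;         // set only while our own loan runs

    event LoanHandled(address tokenIn, address tokenOut, uint256 amount);

    constructor(address soloMargin_) {
        owner = msg.sender;
        soloMargin = soloMargin_;
    }

    // Only the operator can open a loan; this arms the callback below.
    function startFlashLoan(bytes calldata operateCall) external {
        require(msg.sender == owner, "not owner");
        loanInProgress = true;
        (bool ok, ) = soloMargin.call(operateCall); // pre-encoded operate() call
        require(ok, "operate failed");
        loanInProgress = false;
    }

    // Invoked by the lending protocol in the middle of the loan.
    function callFunction(
        address sender,
        Account.Info memory /* accountInfo */,
        bytes memory data
    ) external {
        // 1. Only the lending protocol may invoke the callback.
        require(msg.sender == soloMargin, "caller is not SoloMargin");
        // 2. Anyone can ask the protocol to call us, so also require that
        //    this contract initiated the operation and a loan is open.
        require(sender == address(this) && loanInProgress, "not our loan");
        // 3. Decode a fixed schema. Never take a (target, calldata) pair
        //    from `data` and forward it with a low-level call.
        (address tokenIn, address tokenOut, uint256 amount) =
            abi.decode(data, (address, address, uint256));
        emit LoanHandled(tokenIn, tokenOut, amount); // fixed trade logic goes here
    }
}
```

Checking `msg.sender` alone is not enough: the lending protocol will relay a callback requested by any account, so the `sender` argument is what ties the call to a loan this contract opened.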
Profanity hack happened recently
Meanwhile, many vanity addresses created by Profanity came to the fore with the theft of $1 million in ETH this month. As we reported on cryptocoin.com, the most recent exploit occurred after 1inch discovered a serious vulnerability in the Profanity tool. 1inch then stated that user funds were at risk of loss following a potential exploit. Launched in 2017, Profanity is a tool designed to enable ETH users to create “vanity addresses”.
According to 1inch’s report, the vanity address generator uses a random 32-bit vector for 256-bit private keys. Profanity was released by its developers after they identified underlying security issues in generating private keys. Last week, shortly after the 1inch security report, a hacker stole $3.3 million worth of cryptocurrency from several Ethereum addresses created with the tool.