Join ACCESS EU, the first-of-its-kind digital assets security and DLT summit
JUNE 7TH, 2024 @ EURONEXT AMSTERDAM ⟶
Halborn Logo

// Blog

Explained: Hacks

Explained: The 0xbad MEV Bot Hack (September 2022)


profile

Rob Behnke

October 12th, 2022


In September 2022, a highly successful MEV bot capped off 75 days of MEV exploits with an arbitrage transaction that carried an 800 ETH or $1.02 million profit.  However, shortly after, the MEV bot was tricked into a transaction that exploited a vulnerability in the bot’s code, allowing an attacker to steal all of the 1,101 ETH in the bot’s account.

Inside the Attack

MEV bots specialize in creating and exploiting arbitrage opportunities via front-running attacks.  

By taking advantage of how many blockchains organize transactions into blocks (i.e., miners or validators can reorder transactions based on fees rather than first-come-first-server), these bots can take advantage of opportunities to make money at other users’ expense.

The 0xbad bot was highly successful at this and, in September 2022, took advantage of a poor trade by a Uniswap v2 user.  Due to a lack of liquidity, an attempted swap of $1.85 million cUSDC for USDC only netted the user $500 in USDC.  A complex follow-up transaction by 0xbad allowed the bot to extract $1.02 million in profit.

However, this exploit was soon followed by one that targeted an arbitrary code execution vulnerability in the code that the MEV bot used when taking out flashloans on dYdX.  Taking out a flashloan allows the lender to call a particular function on the recipient’s contract, which, in the case of dYdX, is callFunction.

The attacker exploited this fact to trick the MEV bot into creating a DeFi approval for all of the WETH held within its account.  Once this approval was created, the attacker could drain 0xbad’s account of all of its WETH to the tune of 1,101 ETH.

After the exploit, the 0xbad bot operator tried to threaten the attacker with legal action.  

However, a reply pointed out that the source of the stolen funds — parasitic exploitation of other blockchain users — left the bot owner without a leg to stand on.

Lessons Learned From the Attack

This exploit demonstrates the importance of carefully considering the relationships and interactions that a smart contract can have with other contracts on the blockchain.  Failing to protect its internal functions properly left the MEV vulnerable to unintentionally creating malicious DeFi approvals.

Another key takeaway: don’t prey on DeFi users.  Or, if you do, make sure that your code isn’t vulnerable to exploitation itself.