The sandwicher has become the sandwiched.
$2M was lost on Tuesday night as an MEV bot got a taste of its own medicine.
The curious case of crypto-karma was spotted by Spreek, who identified the issue as an unprotected swap function within the bot’s code.
As we wrote at the time:
MEV bots act on the boundary of “code is law”.
When it comes to autonomous on-chain predators it’s hard to sympathise.
Is this a simple case of ‘you win some, you lose some’?
For all the complexity within the dog-eat-dog world of MEV, the exploit was surprisingly simple.
The bot’s code had left a swap function unprotected, which anyone could call. This was exploited to sandwich attack the bot via WETH/WBTC trades on Curve, funded via a $50M flash loan.
A bot was attacked due to the lack of access control of a public function 0xf6ebebbb, which could be exploited to manipulate swaps in Curve pools. The loss was ~$2M.
Hence the attacker could first abuse the flawed function to pump the asset price (e.g., WETH) and then make a reverse swap to make a profit.
And Peckshield provided a look at the sandwiched swaps:
Attack tx: 0xbc08860c…
Victim address: 0x05f016765c6c601fd05a10dba1abe21a04f924a5
Whenever large amounts of money move in DeFi, things tend to work out nicely for Curve (though not always), and this incident was no exception.
The swapping of vast sums necessary to imbalance the pool enough for a viable exploit generated a cool $250k in fees for the protocol.
Autonomous bots, while constantly controversial, seem to be a necessary evil of a permissionless financial system.
And with the juicy tips often paid to validators, many of the ecosystem’s key players are surely happy to tolerate the activities of the Dark Forest’s most dangerous predators.
How long until you fall prey, anon?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
Over $6.4 million was stolen from users wallets on February 28, thanks to the bad tao of Seneca. Roughly 80% of the funds were returned within a day. Clearly Seneca knew there were issues, but chose the reckless route.
On-chain black magic led to two of Abracadabra’s cauldrons springing a leak yesterday. $6.5M gone and MIM losing its magic... What dark arts are needed for a full repeg?
Infinite approvals… the ultimate leap of faith. Socket’s Bungee bridge lost $3.3M yesterday. Have you checked your approvals lately?