A group of blockchain bots has suffered a devastating loss of over $25 million due to a sophisticated exploit. The bots are part of a process called maximal extractable value (MEV), which involves capturing arbitrage opportunities through blockchain-based high-frequency trading.
However, to do so, they have to risk large amounts of money. This is where the attacker saw their opportunity: compromise the MEV bots by substituting their regular transactions with malicious ones.
According to Joseph Plaza, a decentralized finance trader at Wintermute, the attacker likely set “bait” transactions to lure the MEV bots. The attacker then replaced the initial baiting transactions with new, malicious ones, allowing them to steal the funds.
The attacker had also deposited 32 ETH 18 days before the incident to become a validator, waiting until it was their turn to propose a block, before reorganizing the contents of the block and creating a new one containing their malicious transactions to drain assets.
The incident was initially revealed by smart contract developer “3155.eth” on Twitter, and PeckShield subsequently traced the stolen assets to three Ethereum addresses, consolidated from eight other addresses.
Flashbots, the developer of the primary MEV software used on Ethereum, known as MEV-Boost, has responded with a fix to prevent such incidents from occurring in the future.
The team has introduced a feature that instructs relayers, a trusted mediator party between block builders and validators, to publish a signed block before transmitting its contents to a proposer, a step that was previously absent.
This action aims to decrease the likelihood of a malicious proposer within MEV-Boost proposing a block that deviates from what they received from a relay.
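The ordering change described above is easiest to see as a message exchange. The following is an added illustration written for this article, not Flashbots' or MEV-Boost's own code: a toy relay that withholds the block body until the proposer has signed the header, publishes the signed block itself, and only then releases the contents. The HMAC "signature", the `Network` equivocation check, the sample transactions and the key are all constructed stand-ins for the real BLS signatures and gossip layer.

```python
import hashlib
import hmac
import json

def block_root(txs):
    """Commitment to a block body: SHA-256 over the canonical transaction list."""
    return hashlib.sha256(json.dumps(txs, sort_keys=True).encode()).hexdigest()

def sign_header(key, slot, root):
    """Proposer's signature over (slot, root). HMAC stands in for the BLS
    signature a real validator would produce; in this toy the relay holds the
    same key only so that it can verify the header."""
    return hmac.new(key, f"{slot}:{root}".encode(), hashlib.sha256).hexdigest()

class Network:
    """Stand-in gossip layer: remembers the first signed block per slot and flags
    any second signed block for the same slot with a different root
    (equivocation, which is slashable on the real chain)."""
    def __init__(self):
        self.first_root = {}
        self.equivocations = []

    def publish(self, slot, root, sig):
        seen = self.first_root.setdefault(slot, root)
        if seen != root:
            self.equivocations.append((slot, seen, root))
            return False
        return True

class Relay:
    """Keeps block bodies private until the proposer has signed the header,
    then publishes the signed block itself before releasing the body."""
    def __init__(self, proposer_key, network):
        self.proposer_key = proposer_key
        self.network = network
        self.pending = {}  # slot -> withheld transaction list

    def offer(self, slot, txs):
        self.pending[slot] = txs
        return {"slot": slot, "root": block_root(txs)}  # header only, body withheld

    def reveal(self, slot, root, sig):
        txs = self.pending.get(slot)
        if txs is None or root != block_root(txs):
            raise ValueError("signed header does not match the block this relay offered")
        if not hmac.compare_digest(sign_header(self.proposer_key, slot, root), sig):
            raise ValueError("header signature does not verify")
        self.network.publish(slot, root, sig)  # the fix: publish the signed block first ...
        return txs                              # ... and only then hand over the contents

# Constructed sample block: a bot's trade sandwiched between a builder's transactions.
SAMPLE_TXS = [
    {"from": "builder", "action": "buy",  "token": "X", "amount": 10},
    {"from": "mev_bot", "action": "buy",  "token": "X", "amount": 100},
    {"from": "builder", "action": "sell", "token": "X", "amount": 10},
]
PROPOSER_KEY = b"constructed-proposer-key"  # placeholder, not a real key

def honest_round(slot=1):
    """Proposer signs the offered header and broadcasts exactly that block."""
    net = Network()
    relay = Relay(PROPOSER_KEY, net)
    header = relay.offer(slot, SAMPLE_TXS)
    sig = sign_header(PROPOSER_KEY, slot, header["root"])
    txs = relay.reveal(slot, header["root"], sig)
    accepted = net.publish(slot, header["root"], sig)
    return accepted, len(net.equivocations), txs == SAMPLE_TXS

def deviating_round(slot=2):
    """Proposer signs the header, learns the contents, then tries to broadcast a
    different block for the same slot. Because the relay already published the
    signed block, the second one is recorded as equivocation."""
    net = Network()
    relay = Relay(PROPOSER_KEY, net)
    header = relay.offer(slot, SAMPLE_TXS)
    sig = sign_header(PROPOSER_KEY, slot, header["root"])
    txs = relay.reveal(slot, header["root"], sig)
    altered = list(reversed(txs))
    alt_root = block_root(altered)
    accepted = net.publish(slot, alt_root, sign_header(PROPOSER_KEY, slot, alt_root))
    return accepted, len(net.equivocations)

def wrong_header_rejected(slot=3):
    """A signed header for a body the relay never offered yields no contents."""
    relay = Relay(PROPOSER_KEY, Network())
    relay.offer(slot, SAMPLE_TXS)
    bogus_root = block_root([])
    try:
        relay.reveal(slot, bogus_root, sign_header(PROPOSER_KEY, slot, bogus_root))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("honest:", honest_round())
    print("deviating:", deviating_round())
    print("wrong header rejected:", wrong_header_rejected())
```

The point of the toy is the order of the two lines in `reveal`: the relay's own publication of the signed block is what turns a later, different block from the same proposer into a visible conflict, rather than a quiet substitution.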