MEV bot loses $180K in ETH from access control exploit

A maximal extractable value (MEV) bot lost about $180,000 in Ether after an attacker exploited a vulnerability in its access control systems. 

On April 8, blockchain security firm SlowMist reported that the MEV bot lost 116.7 Ether (ETH) because of the lack of access control. Threat researcher Vladimir Sobolev, also known as Officer’s Notes on X, told Cointelegraph that an attacker exploited a vulnerability in the bot, causing it to swap its ETH to a dummy token. 

Sobolev said this was done through a malicious pool created by the attacker within the same transaction. The threat researcher added that this could have been prevented if the MEV owner implemented stricter access controls. 

Just 25 minutes into the exploit, the MEV’s owner proposed a bounty to the attacker. The owner then deployed a new MEV bot with stricter access control validation. 

Sobolev compared the exploit to a similar incident in 2023, where MEV bots lost $25 million after being exploited. On April 23, 2023, bots who performed sandwich trades lost their crypto to a validator that went rogue. 

Related: ‘Unlucky’ MEV bot takes out huge $12M loan just to make $20 in profit

Rise in fake MEV bot guides

An MEV bot on Ethereum is a trading bot that exploits maximal extractable value. This is the maximum profit that can be extracted from block production. This is done by reordering, inserting or censoring transactions within a block. 

The bot observes Ethereum’s pool of pending transactions and looks for potential profits. These bots can do front-run, back-run, or sandwich transactions. This makes the bots very controversial as they steal value from regular users during high periods of volatility or congestion. 

Despite the controversies surrounding MEV bots, many continue to use them. However, beginners looking to profit from these bots can often fall into a different trap crafted by scammers. 

Sobolev told Cointelegraph that there has been a rise in fraudulent MEV bot tutorials online. The researcher said the tutorials offer ways to earn money using MEV bots and publish fake installation instructions. “Very often, this will simply allow hackers to steal your money,” Sobolev said. 

He urged users to check their resources and ensure they are not falling prey to scammers. 

Magazine: How crypto bots are ruining crypto — including auto memecoin rug pulls