Maximal Extractable Value (MEV) bots that were trying to perform “sandwich trades” were outsmarted by a rogue validator, leading to a loss of $25 million worth of digital assets.
In a tweet, blockchain security firm CertiK highlighted that bots trying to execute sandwich transactions — spotting when traders are trying to purchase tokens and getting in between the trade for some profit — lost a massive amount of crypto to a validator that went rogue.
As the bots began to swap millions, the reverse transactions were replaced by a validator, according to CertiK. This eventually led to a loss of $1.8 million in Wrapped Bitcoin (WBTC), $5.2 million in USD Coin (USDC), $3 million in Tether (USDT), $1.7 million in Dai (DAI) and $13.5 million in Wrapped Ether (WETH). Most of the funds have been transferred to three different wallets at the time of writing.
In a Twitter thread, CertiK went into more detail about how the attack happened. The security firm explained that the vulnerability stemmed from the “centralization of power” with the validators. As the MEV bots tried to perform a front-run and a back-run in transactions for profit, the rogue validator swooped in to back-run the MEV bots’ transaction, leading to the losses.
The CertiK team told Cointelegraph that this event is one of the largest exploits on MEV bots that they have recorded since September 2022. They explained that:
“We’ve recorded a total of approximately $27 million in MEV bot exploits since September 2022, with this incident accounting for the vast majority.”
The CertiK team also highlighted that this could affect other MEV searchers conducting strategies like sandwich trading. “There is a possibility that MEV searchers will be wary of conducting non-atomical strategies, such as sandwich trading, since this exploit only really affects this particular strategy,” the team said.
While MEV bots have the potential to earn vast amounts of digital assets, they are also prone to hacks and exploits. On Sept. 28, 2022, an MEV bot earned 800 Ether (ETH), worth $1 million at the time, through arbitrage trades. An hour later, the bot lost everything to a hacker who exploited a vulnerability in the bot’s code.