JaredFromSubway, an Ethereum MEV bot, lost $15 million after an attacker tricked its detection logic with fake trading opportunities, fake pools, and malicious tokens. The attacker gained long-lived token approvals and then drained WETH, USDC, and USDT from the bot, while JaredFromSubway later offered escalating bounties and entered negotiations for recovery.
Key points
- The JaredFromSubway MEV bot suffered a $15 million loss.
- An attacker used fake pools and tokens to exploit the bot’s opportunity-detection logic.
- The bot approved attacker-controlled helper contracts through ERC-20 permissions.
- The attacker delayed withdrawal until enough valid spending permissions accumulated.
- The stolen WETH, USDC, and USDT were drained using the transferFrom function.
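A defender-side check for the condition described above, live ERC-20 approvals to spenders the operator never vetted, written as an added example that is not code from the bot or from the original page. The address labels, the allowlist, and the sample events are constructed, and the function names are hypothetical.

```python
from collections import namedtuple

# One decoded ERC-20 Approval(owner, spender, value) log, with its token and block.
Approval = namedtuple("Approval", "block token owner spender value")
MAX_UINT256 = 2**256 - 1

def live_allowances(events, owner):
    """Replay Approval logs in block order; the newest value per (token, spender) wins."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.owner == owner:
            latest[(ev.token, ev.spender)] = ev
    # An Approval with value 0 is a revocation, so those pairs are dropped.
    return {pair: ev for pair, ev in latest.items() if ev.value > 0}

def audit(events, owner, allowlist, head_block):
    """Return (token, spender, age_in_blocks, unlimited) for each live approval
    whose spender is not on the operator's allowlist."""
    findings = []
    for (token, spender), ev in sorted(live_allowances(events, owner).items()):
        if spender not in allowlist:
            findings.append(
                (token, spender, head_block - ev.block, ev.value == MAX_UINT256)
            )
    return findings

# Constructed sample data: labels stand in for addresses, amounts are made up.
BOT, OTHER = "0xBOT", "0xOTHER"
ROUTER, HELPER_A, HELPER_B = "0xROUTER", "0xHELPER_A", "0xHELPER_B"
SAMPLE_EVENTS = [
    Approval(100, "WETH", BOT, ROUTER, 10**18),         # vetted spender
    Approval(200, "USDC", BOT, HELPER_A, MAX_UINT256),  # unknown, unlimited
    Approval(250, "USDT", BOT, HELPER_B, 5_000_000),    # unknown ...
    Approval(300, "USDT", BOT, HELPER_B, 0),            # ... but later revoked
    Approval(400, "WETH", BOT, HELPER_A, 10**18),       # unknown, still live
    Approval(500, "USDC", OTHER, HELPER_A, 10**6),      # different owner, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS, BOT, {ROUTER}, head_block=1000):
        print(finding)
```

Many token contracts do not emit Approval when transferFrom spends part of an allowance, so the value from the logs is the amount granted; confirm the remaining amount with the token's allowance(owner, spender) call before acting on a finding.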