Cyber Incident Victim: Ethereum arbitrage trading bot
Date: Sep 2022
Location: United States of America
Summary
An MEV bot capitalized on a significant arbitrage opportunity, generating approximately $1 million in profits by exploiting a trader's unfavorable swap on a decentralized exchange. Shortly afterward, the same bot was hacked through a vulnerability in its callback mechanism, which allowed an attacker to have the bot approve transactions it should never have authorized and to drain its holdings of 1,101 ETH (valued at roughly $1.41 million at the time). The exploit stemmed from flawed code that permitted approvals for arbitrary addresses, resulting in a total loss exceeding the initial gains.
Description
On September 27, 2022, a maximal extractable value (MEV) bot identified as 0xbadc0de seized a significant arbitrage opportunity involving a trader’s $1.8 million cUSDC sale on Uniswap v2, which resulted in the trader receiving only $500 worth of assets due to an imbalanced liquidity pool. The bot detected this discrepancy and executed a profitable transaction, netting approximately $1 million in gains within minutes. This profit was converted into 1,101 ETH, valued at roughly $1.41 million at the time. Less than an hour after securing these funds, the bot fell victim to an exploit targeting a vulnerability in its callback mechanism. An attacker manipulated the bot into authorizing a malicious transaction that granted arbitrary spending permissions, enabling the immediate drainage of the entire 1,101 ETH balance from the bot’s wallet. Blockchain security firm PeckShield publicly documented the incident, referencing the transaction hash and confirming the loss.

The stolen ETH, worth approximately $1.45 million, was transferred to an external wallet controlled by the attacker. No recovery efforts or victim countermeasures were disclosed in available reports. More than a week after this incident, a separate but similar exploit occurred when a vanity wallet address was compromised and drained of nearly $1 million worth of ETH. In both cases, the attackers routed the stolen funds through Tornado Cash, a cryptocurrency mixing service known for obfuscating transaction trails. The primary exploit highlighted critical flaws in the bot’s authorization logic, particularly its failure to validate callback requests during arbitrage execution. The incident underscored the persistent risks associated with MEV strategies and smart contract vulnerabilities in decentralized finance ecosystems.
