MEV Bot Tricked And Drained By Dummy Token Swap
An MEV (Maximal Extractable Value) bot on Ethereum, which profits by manipulating transaction order within blocks, was exploited due to a critical vulnerability stemming from poor access control. The attacker created a malicious token and a fake liquidity pool within the same transaction, tricking the bot into swapping all its ETH—about 116.78 ETH—for the worthless token. This was achieved by exploiting a poorly validated function and using a private mempool to avoid detection. Despite the bot’s owner quickly offering a bounty and redeploying a more secure version, the attacker has not responded, and the stolen funds are unlikely to be recovered.[1][2][3][4][5][6][7][8][9][10][11]
About MEV Bots
"An MEV bot on Ethereum is a trading bot that exploits maximal extractable value. This is the maximum profit that can be extracted from block production. This is done by reordering, inserting or censoring transactions within a block.
The bot observes Ethereum’s pool of pending transactions and looks for potential profits. These bots can do front-run, back-run, or sandwich transactions. This makes the bots very controversial as they steal value from regular users during high periods of volatility or congestion."
The Reality
The MEV bot had a vulnerability that allowed a fake/dummy token to be swapped for all of the ETH held by the bot.
What Happened
"According to the SlowMist MistEye security monitoring system, a MEV bot has lost approximately 116.7 ETH due to a lack of access control."
| Date | Event | Description |
|---|---|---|
| April 7th, 2025 12:10:35 PM MDT | Attack Transaction | The MEV Bot is exploited and all 116.782684444757422875 ETH in the MEV Bot are extracted. |
| April 7th, 2025 12:57:23 PM MDT | MEV Bot Reached Out | The MEV Bot reaches out to the exploiter: "Ugh, that one hurts. Can we talk? Happy to offer a bounty ..." |
| April 7th, 2025 10:11:00 PM MDT | SlowMist Reports Tweet | SlowMist tweets a report about the incident. |
| April 8th, 2025 12:40:00 AM MDT | Vladimir Sobolev Confirmation | Vladimir S picks up the incident from SlowMist and shares some additional information. |
| April 8th, 2025 1:12:00 AM MDT | muststopye Tweets More | Ye (muststopye) shares more information about the specific exploit in the MEV Bot. |
| April 8th, 2025 5:27:41 AM MDT | CoinTelegraph Article Published | CoinTelegraph publishes an article with further details about the exploit. |
Technical Details
"address: 0x49e27d11379f5208cbb2a4963b903fd65c95de09"
"a lack of access control."
"Attacker was able to make vulnerable MEV to call Uni PoolManager.unlock, which triggered unlockCallback from the MEV bot, which got maliciously instructed to swap all the ETH MEV bot had for dummy token via a Pool which was created by attacker in the same tx. (1/3)"
"It appears that the function 0x051e65ae() lacks proper parameter validation and was tricked into performing a two-hop swap using a pool created by the attacker. Worse still, the malicious token was somehow set as the recipient in the second swap, resulting in a loss of 117 ETH!"
"Threat researcher Vladimir Sobolev, also known as Officer’s Notes on X, told Cointelegraph that an attacker exploited a vulnerability in the bot, causing it to swap its ETH to a dummy token.
Sobolev said this was done through a malicious pool created by the attacker within the same transaction. The threat researcher added that this could have been prevented if the MEV owner implemented stricter access controls."
"attack tx was executed via private mempool, tactic which is employed by black hats more and more frequently."
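The call flow in the quotes above, as an added Python model; it is not the bot's code, which the page does not show. `PoolManager.unlock` calls back its caller, so an entry point open to any sender lets that sender choose what the callback does. `Bot`, `execute`, `try_call` and the pool labels are hypothetical names, and the three guards illustrate the access control and parameter validation the quotes say were missing.

```python
class Rejected(Exception):
    """A guard refused the call."""

class PoolManager:
    """Constructed stand-in: unlock() calls back its caller with the caller's own data."""
    def unlock(self, caller, data):
        return caller.unlock_callback(self, data)

class Bot:
    """Hypothetical bot model; guarded=False leaves out the checks."""
    def __init__(self, owner, manager, trusted_pools, balance, guarded=True):
        self.owner, self.manager = owner, manager
        self.trusted_pools, self.balance = set(trusted_pools), balance
        self.guarded, self.in_flight = guarded, False

    def execute(self, sender, amount, hops):
        # Guard 1: only the owner may start a swap.
        if self.guarded and sender != self.owner:
            raise Rejected("execute: caller is not the owner")
        self.in_flight = True
        try:
            return self.manager.unlock(self, (amount, hops))
        finally:
            self.in_flight = False

    def unlock_callback(self, sender, data):
        amount, hops = data
        if self.guarded:
            # Guard 2: accept the callback only from the manager, during our own execute().
            if sender is not self.manager or not self.in_flight:
                raise Rejected("callback: unexpected caller")
            # Guard 3: every hop uses an allowlisted pool; final output returns to the bot.
            if not hops or any(pool not in self.trusted_pools for pool, _ in hops):
                raise Rejected("route: pool not allowlisted")
            if hops[-1][1] is not self:
                raise Rejected("route: output recipient is not the bot")
        if amount > self.balance:
            raise Rejected("swap: amount exceeds balance")
        self.balance -= amount  # input ETH leaves the bot; output-token accounting is omitted
        return amount

def try_call(fn, *args):
    """Return fn's result, or the guard's message if the call was refused."""
    try:
        return fn(*args)
    except Rejected as exc:
        return str(exc)
```

The guards are independent on purpose: the route and recipient checks still hold if the owner check is bypassed or the owner submits a bad route by mistake.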
Total Amount Lost
"approximately 116.7 ETH"
Blockchain: 116.782684444757422875 ETH
The total amount lost has been estimated at $210,000 USD.
Immediate Reactions
"Just 25 minutes into the exploit, the MEV’s owner proposed a bounty to the attacker. The owner then deployed a new MEV bot with stricter access control validation."
Ultimate Outcome
The hacker was offered a bounty and the MEV bot was redeployed with stricter security within an hour.
Total Amount Recovered
It does not appear that the attacker has responded in any way.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
It does not appear there is any likelihood of recovering the funds.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist - "We have detected that a MEV bot 0x49e27d11379f5208cbb2a4963b903fd65c95de09 has lost 116.7 ETH due to the lack of access control." - Twitter/X (Accessed May 16, 2025)
- ↑ Vladimir S - "A MEV bot 0x49e27d11379f5208cbb2a4963b903fd65c95de09 has lost 116.7 ETH due to the lack of access control" - (Accessed May 16, 2025)
- ↑ @SlowMist_Team - Twitter/X (Accessed May 16, 2025)
- ↑ MEV / Sandwich / Front-run & Back-run - Graph.org (Accessed May 16, 2025)
- ↑ MEV bot loses $180K in ETH from access control exploit - CoinTelegraph (Accessed May 16, 2025)
- ↑ "Ugh, that one hurts. Can we talk? Happy to offer a bounty ..." - MEV Bot To Exploiter (Accessed May 16, 2025)
- ↑ Exploit Transaction Takes 116.782684444757422875 ETH - Etherscan (Accessed May 16, 2025)
- ↑ First Malicious Smart Contract Deployed - Etherscan (Accessed May 16, 2025)
- ↑ Second Malicious Smart Contract Deployed - Etherscan (Accessed May 16, 2025)
- ↑ Ye (muststopye) - "Attacker was able to make vulnerable MEV to call Uni PoolManager.unlock, which triggered unlockCallback from the MEV bot, which got maliciously instructed to swap all the ETH MEV bot had for dummy token via a Pool which was created by attacker in the same tx." - Twitter/X (Accessed May 16, 2025)
- ↑ Ten Armor - "Our system has detected that a MEV bot on #ETH was exploited, resulting in an approximately loss of $180K." - Twitter/X (Accessed May 16, 2025)