MEV Bot Fallback Function Arbitrary Call Vulnerability Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Screenshot Of The Transaction

A MEV bot, created on May 10, 2025, to exploit transaction ordering on Ethereum, was itself exploited due to a vulnerability in its smart contract. The flaw—an arbitrary call vulnerability in the fallback function of contract 0xb5cb...4a87—allowed an attacker to execute unauthorized calls, specifically to the protected 0x0243f5a2() function on victim contract 0xb5cb...e1b0. This was possible because a prior transaction had mistakenly granted the vulnerable contract access. TenArmor initially reported a $1.1 million loss, later updating it to around $2 million after identifying additional attack transactions. SlowMist also reported a $2 million loss. The MEV bot creator remains unidentified, and there is little public information about any recovery efforts or investigations.[1][2][3][4][5][6][7][8][9][10][11]

About MEV Bot

A MEV bot (Miner Extractable Value or Maximal Extractable Value bot) is a program that operates on blockchain networks like Ethereum to profit from the way transactions are ordered within blocks. These bots exploit inefficiencies in the blockchain's transaction execution process by front-running, back-running, or sandwiching other users' transactions. MEV bots scan pending transactions and insert their own in a way that can extract value, often at the expense of regular users. This can include arbitrage between decentralized exchanges or manipulating DeFi protocols.

This particular MEV bot, which was later exploited, was created on May 10th, 2025. The identity of the MEV bot creator does not appear to be published.

The Reality

Unfortunately, a vulnerability existed in the smart contract code.

What Happened

An attacker exploited an arbitrary call vulnerability in the fallback function of MEV bot contract 0xb5cb...4a87, allowing unauthorized access to a protected function in contract 0xb5cb...e1b0, resulting in losses of up to $2 million.

Key Event Timeline - MEV Bot Fallback Function Arbitrary Call Vulnerability Attack

Date | Event | Description
May 10th, 2025 1:47:23 AM MDT | MEV Bot Contract Created | The MEV Bot contract which was later exploited was first created.
June 24th, 2025 1:18:11 PM MDT | Permissions Granted In Contract | Access permissions are granted within the MEV Bot contract, which ultimately allows for the later exploit.
June 24th, 2025 9:44:17 PM MDT | Malicious Transaction Occurs | The time of the malicious transaction on the Binance Smart Chain. This is reported by TenArmor as a loss of $1.1m.
June 24th, 2025 9:45:26 PM MDT | Second Malicious Transaction | A second attack transaction draining further funds.
June 24th, 2025 9:48:58 PM MDT | Third Malicious Transaction | A third malicious transaction drains further funds. According to TenArmor, total losses are now $2m. SlowMist also reports a total loss of $2m.
June 24th, 2025 10:09:00 PM MDT | TenArmor Posts Tweet | TenArmor posts a tweet about the suspicious transaction, reporting losses at around $1.1m.

Technical Details

The exploit involves an arbitrary call vulnerability in the fallback function of contract 0xb5cb...4a87, which allows it to execute unauthorized external calls. The attacker used this vulnerability to call the 0x0243f5a2() function on the victim contract 0xb5cb...e1b0, a function that normally requires strict access control. However, due to a prior transaction that mistakenly granted 0xb5cb...4a87 permission, the attacker was able to bypass access restrictions and exploit the victim contract.
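The pattern described above, as an added illustration that is not the bot's actual source code (which is not published on this page): a fallback that forwards whatever calldata it receives to whatever target it is told, with no check on who is calling, turns every permission the contract holds on other contracts into a permission anyone can use. The calldata layout (20-byte target followed by forwarded data) and the contract names are assumptions for the example; the hardened version beside it keeps the forwarding path explicit, owner-only and restricted to an allow-list.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable pattern (constructed example, not the exploited bot's code).
// Any caller can route an arbitrary call through the fallback, so if some
// victim contract has granted THIS address a permission, that permission is
// effectively granted to the whole world.
contract VulnerableBot {
    address public owner;

    constructor() { owner = msg.sender; }

    // Assumed layout: first 20 bytes = target address, rest = forwarded data.
    // Defect: no msg.sender check and no restriction on the target.
    fallback() external payable {
        address target = address(bytes20(msg.data[:20]));
        (bool ok, bytes memory ret) = target.call{value: msg.value}(msg.data[20:]);
        require(ok, string(ret));
    }
}

// Hardened pattern: forwarding is an explicit, owner-only function with an
// allow-list of targets and an event per call; the fallback just rejects.
contract HardenedBot {
    address public immutable owner;
    mapping(address => bool) public allowedTarget;

    event Executed(address indexed target, bytes4 indexed selector, bool ok);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    function execute(address target, bytes calldata data)
        external payable onlyOwner returns (bytes memory)
    {
        require(allowedTarget[target], "target not allowed");
        require(data.length >= 4, "missing selector");
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        emit Executed(target, bytes4(data[:4]), ok); // visible in logs for monitoring
        require(ok, "call failed");
        return ret;
    }

    fallback() external payable { revert("unexpected call"); }
    receive() external payable {}
}
```

When auditing a contract that another contract has been granted a role on, the question to ask is who can make the grantee contract issue calls; an unrestricted forwarding fallback like the first contract answers "anyone".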

Total Amount Lost

TenArmor reports "an approximately loss of $1.1M" initially, and due to "[a]nother two attack t[ransactio]ns", later revised this to a "total loss [of] about $2M". SlowMist reported "losses of approximately $2 million".

The total amount lost has been estimated at $2,000,000 USD.

Immediate Reactions

The attack was noticed by both TenArmor and SlowMist. It is unclear what reaction the MEV Bot creator may have had.

Ultimate Outcome

It is unclear if anything was done to trace or recover the funds.

Total Amount Recovered

The total amount recovered is unknown.


Ongoing Developments

There is limited information about whether any investigation is underway.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References