
Onchain analysts and security researchers said counterfeit tokens and fake liquidity routes tricked one of Ethereum’s best-known sandwich bots into leaving approvals open, enabling a direct sweep of WETH, USDC and USDT.
Jaredfromsubway.eth, one of Ethereum’s most active MEV sandwich bots, was drained on Saturday after an attacker used counterfeit token contracts and fake liquidity pools to trick its automated trading system into approving attacker-controlled contracts, according to onchain analysts and Blockaid. Onchain data showed a single transaction at 18:49 UTC moved 1,474.58 WETH, about 2.87 million USDC and roughly 2 million USDT, with Blockaid valuing the traced assets at roughly $7.5 million. The attacker later swapped the proceeds into about 4,427 ETH and deposited 1,000 ETH into Tornado Cash, according to Lookonchain.

A forensic report by banteg said the setup used a block-armed switch that behaved normally in small test batches but left approvals open in larger ones, enabling a coordinator contract to call "withdraw" across 66 child contracts and sweep funds directly rather than through a trade. The report also said the receiving address was an EIP-7702-delegated account.

An X account using the jaredfromsubway.eth name claimed a $15 million loss and offered a $1 million bounty, but several commentators flagged it as an impersonator and no security firm had verified losses above about $7.5 million.
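
The failure the forensic report describes, approvals that stay open once a batch has finished, can be checked as a per-batch invariant. The following is an added example, not code from the report or from the bot: it replays constructed ERC-20 `Approval` events and flags any batch that ends with a nonzero allowance to a spender outside an allowlist. The addresses, batch names and allowlist are hypothetical.

```python
from collections import defaultdict

# Hypothetical allowlist of spenders that may legitimately hold a standing allowance.
TRUSTED_SPENDERS = {"0xRouterTrusted"}

MAX_UINT256 = 2**256 - 1

# Constructed sample data, not taken from the incident. Each tuple mirrors an
# ERC-20 Approval(owner, spender, value) log plus the batch that emitted it:
# (batch_id, token, owner, spender, new_allowance)
EVENTS = [
    # Small test batch: approval is granted and then reset to zero.
    ("small-batch", "WETH", "0xBot", "0xFakePool", 10**18),
    ("small-batch", "WETH", "0xBot", "0xFakePool", 0),
    # Larger batch: two approvals are never revoked.
    ("large-batch", "WETH", "0xBot", "0xFakePool", MAX_UINT256),
    ("large-batch", "USDC", "0xBot", "0xFakePool", MAX_UINT256),
    ("large-batch", "USDC", "0xBot", "0xRouterTrusted", 5_000_000),
    ("large-batch", "USDT", "0xBot", "0xFakePool", 7),
    ("large-batch", "USDT", "0xBot", "0xFakePool", 0),
]


def residual_allowances(events, trusted):
    """Return {batch_id: [(token, owner, spender, value), ...]} for every
    allowance to an untrusted spender that is still nonzero at batch end."""
    state = defaultdict(dict)
    for batch, token, owner, spender, value in events:
        # approve() overwrites the previous allowance, so the last event wins.
        state[batch][(token, owner, spender)] = value

    findings = {}
    for batch, allowances in state.items():
        still_open = sorted(
            (token, owner, spender, value)
            for (token, owner, spender), value in allowances.items()
            if value != 0 and spender not in trusted
        )
        if still_open:
            findings[batch] = still_open
    return findings


if __name__ == "__main__":
    for batch, rows in residual_allowances(EVENTS, TRUSTED_SPENDERS).items():
        for token, owner, spender, value in rows:
            kind = "unlimited" if value == MAX_UINT256 else str(value)
            print(f"{batch}: {owner} left {kind} {token} allowance to {spender}")
```

Event logs are an approximation, since many tokens do not emit `Approval` when `transferFrom` consumes an allowance; reading `allowance(owner, spender)` at the end of each batch is the authoritative check.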