A group of blockchain bots lost over USD 25 million in a sophisticated exploit that took place on April 3.
The bots, which generate revenue through maximal extractable value (MEV), were compromised by an attacker who replaced their regular transactions with malicious ones. According to Joseph Plaza, a decentralized finance trader at Wintermute, the attacker likely set bait transactions to lure the bots and then swapped in malicious transactions to steal the funds.
The attacker prepared for the incident by depositing 32 ETH to become a validator 18 days earlier. The attacker likely waited for their turn to propose a block as a validator, at which point they restructured the block’s contents and created a new block that included their malicious transactions, enabling them to siphon off assets.
After smart contract developer “3155.eth” revealed the attack on Twitter, PeckShield traced the stolen assets to three Ethereum addresses, which had been consolidated from eight others. In response, Flashbots, the team responsible for MEV-Boost, the primary MEV software used on Ethereum, has implemented countermeasures.
Flashbots has introduced a new mechanism that requires relays, which act as intermediaries between validators and block builders, to publish a signed block before transmitting its contents to the proposer. This added step aims to reduce the possibility of a malicious proposer in MEV-Boost proposing a block that differs from the one they received from a relay.
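The ordering change described above, as a constructed toy model added here (not Flashbots' or MEV-Boost's code): the proposer commits to a block body by signing its header hash, and the relay either releases the body straight away (pre-fix ordering) or publishes the signed block first (post-fix ordering). An HMAC stands in for the proposer's BLS signature, and the "network" is a plain list; both are assumptions of the model.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed toy model of the relay/proposer exchange. HMAC over a header
# hash stands in for the proposer's BLS signature (assumption).


def header_of(body: bytes) -> bytes:
    """Blinded header: the proposer commits to the body by its hash only."""
    return hashlib.sha256(body).digest()


def sign(key: bytes, header: bytes) -> bytes:
    return hmac.new(key, header, hashlib.sha256).digest()


@dataclass
class Relay:
    proposer_key: bytes
    body: bytes                     # builder's block contents, secret until released
    publish_first: bool             # False: pre-fix ordering, True: post-fix ordering
    network: list = field(default_factory=list)  # signed blocks visible to everyone

    def get_payload(self, header: bytes, sig: bytes):
        """Proposer submits a signed header; relay decides whether to release the body."""
        valid = header == header_of(self.body) and hmac.compare_digest(
            sig, sign(self.proposer_key, header))
        if not valid:
            return None             # no valid commitment, nothing is revealed
        if self.publish_first:
            # Post-fix: the signed block reaches the network before the body is revealed,
            # so the proposer's commitment already exists when they learn the contents.
            self.network.append((header, sig, self.body))
        return self.body


def equivocation_visible(network: list, proposed_body: bytes) -> bool:
    """Does the network hold a signed commitment that contradicts the block actually proposed?"""
    return any(h != header_of(proposed_body) for h, _, _ in network)


def scenario(publish_first: bool) -> dict:
    key, body = b"proposer-key", b"builder txs: A B C"          # constructed sample values
    relay = Relay(key, body, publish_first)
    revealed = relay.get_payload(header_of(body), sign(key, header_of(body)))
    # A proposer that reuses the revealed contents in a block of its own composition.
    substituted = b"proposer txs: A' B' C'" if revealed else None
    return {"published": len(relay.network),
            "detectable": substituted is not None and equivocation_visible(relay.network, substituted)}
```

With the pre-fix ordering the substituted block faces no published commitment at the moment the body is revealed; with the post-fix ordering the relay's published signed block contradicts it.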