Explained: The 0xbad MEV Bot Hack (September 2022)

MEV bots specialize in creating and exploiting arbitrage opportunities via front-running attacks.  

By taking advantage of how many blockchains organize transactions into blocks (i.e., miners or validators can reorder transactions based on fees rather than first-come-first-server), these bots can take advantage of opportunities to make money at other users’ expense.

The 0xbad bot was highly successful at this and, in September 2022, took advantage of a poor trade by a Uniswap v2 user.  Due to a lack of liquidity, an attempted swap of $1.85 million cUSDC for USDC only netted the user $500 in USDC.  A complex follow-up transaction by 0xbad allowed the bot to extract $1.02 million in profit.

However, this exploit was soon followed by one that targeted an arbitrary code execution vulnerability in the code that the MEV bot used when taking out flashloans on dYdX.  Taking out a flashloan allows the lender to call a particular function on the recipient’s contract, which, in the case of dYdX, is callFunction.

The attacker exploited this fact to trick the MEV bot into creating a DeFi approval for all of the WETH held within its account.  Once this approval was created, the attacker could drain 0xbad’s account of all of its WETH to the tune of 1,101 ETH.

After the exploit, the 0xbad bot operator tried to threaten the attacker with legal action.  

However, a reply pointed out that the source of the stolen funds — parasitic exploitation of other blockchain users — left the bot owner without a leg to stand on.

This exploit demonstrates the importance of carefully considering the relationships and interactions that a smart contract can have with other contracts on the blockchain.  Failing to protect its internal functions properly left the MEV vulnerable to unintentionally creating malicious DeFi approvals.

Another key takeaway: don’t prey on DeFi users.  Or, if you do, make sure that your code isn’t vulnerable to exploitation itself.