This is actually insane 🤯
JaredFromSubway's MEV bot (the one that's been printing money for ages) just got cooked for $7.5 million in one of the sneakiest exploits I've seen.
This wasn't a contract hack. It wasn't phishing.
The bot basically approved its own robbery because it thought it was about to feast on a juicy MEV opportunity.
What happened:
> Attacker deploys fake wrapper tokens (fWETH, fUSDC, fUSDT) along with fake liquidity pools designed to look profitable
> The bot spots the "opportunity" and does what it's programmed to do, approving attacker-controlled helper contracts as spenders
> During early tests, those approvals get used immediately, so nothing appears suspicious
> In later transactions, the bot grants approvals that are never consumed or revoked, leaving the attacker with unlimited spending power
> Once enough approvals are collected, the attacker executes the final drain
> WETH, USDC, and USDT are pulled directly from the bot contract via transferFrom and sent to the attacker's wallet (0x3e37f4A10d771Ba9dE44b6d301410b1BEdeA65d0)
One example:
The bot approved more than 92 WETH to one of the attacker's helper contracts, and that approval simply remained active until the funds were drained.
This wasn't some random wallet drainer.
The bot's own automation was turned against it. It was doing exactly what it was designed to do, and that logic ended up being its downfall.
Wild times in MEV land.
Always revoke approvals, kids.
Even if you're a bot making millions.
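The approval pattern described above can be caught by replaying a contract's own approve/transferFrom activity and checking that no transaction ends with an allowance still open to a non-allowlisted spender. This is an added example, not the bot's code or anything from the original post; the event tuples, helper names and allowlist are constructed, and it assumes a max-uint256 allowance is not decremented on spend, which is a token-specific convention.

```python
from collections import defaultdict

MAX_UINT256 = 2**256 - 1

# Constructed sample activity for a hypothetical bot contract (not real chain data).
# Tuple layout: (kind, tx, token, spender, amount in the token's base units)
EVENTS = [
    ("approve",      "tx1", "WETH", "helperA", 5 * 10**18),
    ("transferFrom", "tx1", "WETH", "helperA", 5 * 10**18),  # consumed in the same tx
    ("approve",      "tx2", "WETH", "helperB", 92 * 10**18), # granted, never consumed
    ("approve",      "tx3", "USDC", "helperC", MAX_UINT256),
    ("transferFrom", "tx3", "USDC", "helperC", 1_000 * 10**6),  # unlimited stays live
    ("approve",      "tx4", "USDT", "router",  50 * 10**6),
    ("approve",      "tx5", "USDT", "router",  0),           # explicit revoke
]

def dangling_approvals(events, trusted=frozenset()):
    """Replay ordered events; return (tx, token, spender, remaining) for every
    allowance a transaction set and left non-zero for an untrusted spender."""
    allowance = defaultdict(int)
    touched = set()   # (token, spender) pairs approved inside the current tx
    alerts = []
    for i, (kind, tx, token, spender, amount) in enumerate(events):
        key = (token, spender)
        if kind == "approve":
            allowance[key] = amount          # approve overwrites, it does not add
            touched.add(key)
        elif kind == "transferFrom":
            if amount > allowance[key]:
                raise ValueError(f"{tx}: spend exceeds allowance for {key}")
            if allowance[key] != MAX_UINT256:  # assumption: unlimited is not decremented
                allowance[key] -= amount
        else:
            raise ValueError(f"unknown event kind: {kind}")
        # Evaluate the invariant at the end of each transaction.
        if i + 1 == len(events) or events[i + 1][1] != tx:
            for tok, spd in sorted(touched):
                left = allowance[(tok, spd)]
                if left > 0 and spd not in trusted:
                    alerts.append((tx, tok, spd, left))
            touched.clear()
    return alerts

if __name__ == "__main__":
    for tx, tok, spd, left in dangling_approvals(EVENTS, trusted={"router"}):
        amount = "unlimited" if left == MAX_UINT256 else left
        print(f"{tx}: {tok} allowance to {spd} left open ({amount})")
```

The same invariant can be enforced before signing: simulate the transaction and refuse to send it if any approval to an address outside the allowlist would survive to the end.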
