defirisk.co
rubric v1.7.0

0xbad MEV Bot (on-chain MEV arbitrage contract): Unprotected flashloan callback — arbitrary execution via callFunction → WETH approval exploit

A notorious Ethereum MEV bot that had spent 75 days frontrunning users had its own smart contract drained of 1,101 ETH after an attacker found an unprotected flashloan callback that allowed arbitrary execution and WETH approval theft.

Occurred: 2022-09-27
Loss: $2M
Status: closed

Summary

0xbad MEV Bot (on-chain MEV arbitrage contract) was exploited on 2022-09-27, resulting in a loss of approximately $2M. Incident category: MEV / Arbitrage Bot (not a DeFi protocol holding depositor funds).

What happened

A notorious Ethereum MEV bot that had spent 75 days frontrunning users had its own smart contract drained of 1,101 ETH after an attacker found an unprotected flashloan callback that allowed arbitrary execution and WETH approval theft.
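The root cause described above is a flashloan callback that trusts whoever calls it. The following is an added illustration, not the 0xbad bot's code: a minimal contract showing the vulnerable callback shape beside a hardened version. It assumes a dYdX-style `callFunction(address sender, Account.Info memory account, bytes memory data)` callback, with the lender address, the allowlist, and the `IERC20` stub all being assumptions for the example; loan initiation (`operate()` encoding) is out of scope and omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative example only; not the 0xbad bot's actual contract.
// Stand-in for the dYdX Solo `Account.Info` struct (assumed layout).
library Account {
    struct Info { address owner; uint256 number; }
}

// Minimal ERC-20 surface used in comments below (assumption, for illustration).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: the flashloan callback is reachable by anyone and
/// executes whatever (target, calldata) pair is encoded in `data`. Nothing
/// checks that the caller is the lender or that this contract started the loan.
/// Consequence: any external account can make the bot call, for example,
/// WETH.approve(<spender>, max) on its own behalf, after which the bot's WETH
/// can be pulled out with transferFrom. This is the failure mode the incident
/// record describes.
contract VulnerableArbBot {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    function callFunction(address /*sender*/, Account.Info memory /*account*/, bytes memory data) external {
        (address target, bytes memory callData) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(callData); // arbitrary call executed as the bot
        require(ok, "call failed");
    }
}

/// Hardened pattern, same callback shape, with three checks that close the hole:
/// 1. msg.sender must be the lender (the only legitimate caller of the callback),
/// 2. `sender` (the loan initiator reported by the lender) must be this contract,
/// 3. the call target must be on an owner-maintained allowlist, so the callback
///    can only reach the DEX routers the strategy actually needs, never the
///    token contracts themselves (no approve/transfer via the callback path).
contract HardenedArbBot {
    address public immutable owner;
    address public immutable lender;              // assumed: set to the flashloan provider at deploy
    mapping(address => bool) public allowedTarget; // assumed: DEX routers only, set by owner

    error NotOwner();
    error NotLender(address caller);
    error NotInitiator(address reported);
    error TargetNotAllowed(address target);

    constructor(address _lender) {
        owner = msg.sender;
        lender = _lender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Only the operator decides which contracts the callback may call.
    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        allowedTarget[target] = allowed;
    }

    function callFunction(address sender, Account.Info memory /*account*/, bytes memory data) external {
        if (msg.sender != lender) revert NotLender(msg.sender);       // check 1
        if (sender != address(this)) revert NotInitiator(sender);   // check 2
        (address target, bytes memory callData) = abi.decode(data, (address, bytes));
        if (!allowedTarget[target]) revert TargetNotAllowed(target); // check 3
        (bool ok, ) = target.call(callData);
        require(ok, "call failed");
    }
}
```

When reviewing a bot or strategy contract, the quick check is to find every callback the lender can invoke (`callFunction`, `executeOperation`, `uniswapV2Call`, and similar) and confirm each one verifies both the caller and the initiator; an allowlist on what the callback may touch limits the damage if either check is ever bypassed.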

Linked factors

  • RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited — proprietary bot contract]
  • RD-F-007 — related: Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: N/A]
  • RD-F-076 — related: Protocol age (Cat 5 — < 6 months age signal) [via dashboard_risk_factors/Protocol age: 75 days of operation at time of hack]
  • RD-F-111 — causal: Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Anonymous (bot operator identity unknown)]