PANews, June 21 – MEV bot developer JaredFromSubway.eth posted that his MEV bot was hacked and drained of approximately $15 million in assets. He publicly offered a $1 million bounty for the full return of the funds, promising complete confidentiality and a secure return, emphasizing that this is a legitimate and time-sensitive bounty, and calling on the hacker to contact him privately.
Security firm Blockaid stated that the attacker constructed fake token wrappers and liquidity pools, tricking the automated MEV execution system into granting token approvals to attacker-controlled contracts. The attacker then exploited the unrevoked approvals to transfer out assets such as WETH, USDC, and USDT held by the bot via transferFrom. Blockaid noted that this incident was neither a traditional phishing attack nor a smart contract vulnerability in the victim contract itself; rather, the attacker exploited a flaw in the bot’s mechanism for automatically identifying arbitrage opportunities and generating approvals.
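A defensive check for the unrevoked-approval condition Blockaid describes, as an added example that is not from PANews, Blockaid or the bot's own code: it replays ERC-20 Approval logs for one owner address and reports non-zero allowances left with spenders outside an allowlist. All addresses and logs are constructed, and the function names and the allowlist parameter are assumptions.

```python
# Added example; every address and log below is constructed, not from the incident.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_addr(topic):
    """Return the 20-byte address held in a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()

def risky_allowances(logs, owner, allowlist):
    """Replay Approval logs in chain order and return the last-set, non-zero
    allowance for each (token, spender) where spender is not allowlisted."""
    owner = owner.lower()
    allowed = {a.lower() for a in allowlist}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares this topic0 but has 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_addr(topics[1]) != owner:
            continue
        key = (log["address"].lower(), topic_addr(topics[2]))
        latest[key] = int(log["data"], 16)  # approve() overwrites, it does not add
    return {k: v for k, v in latest.items() if v > 0 and k[1] not in allowed}

def _log(block, index, token, owner, spender, value):
    """Build one constructed log in the shape eth_getLogs returns (ints pre-decoded)."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"blockNumber": block, "logIndex": index, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

BOT, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
ROUTER, UNKNOWN_POOL = "0x" + "11" * 20, "0x" + "ee" * 20
TOKEN_A, TOKEN_B = "0x" + "a1" * 20, "0x" + "b2" * 20
SAMPLE_LOGS = [
    _log(103, 0, TOKEN_B, BOT, UNKNOWN_POOL, 0),            # revocation
    _log(100, 0, TOKEN_A, BOT, ROUTER, MAX_UINT256),        # allowlisted spender
    _log(101, 2, TOKEN_A, BOT, UNKNOWN_POOL, MAX_UINT256),  # never revoked
    _log(102, 1, TOKEN_B, BOT, UNKNOWN_POOL, 5000),
    _log(101, 3, TOKEN_A, OTHER, UNKNOWN_POOL, 1),          # different owner
]

if __name__ == "__main__":
    for (token, spender), amount in risky_allowances(SAMPLE_LOGS, BOT, [ROUTER]).items():
        label = "unlimited" if amount == MAX_UINT256 else str(amount)
        print(f"token={token} spender={spender} allowance={label}")
```

The last-set value is an upper bound, since transferFrom can lower an allowance without emitting an Approval event; confirm any finding with the token's allowance(owner, spender) call before revoking.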


