An innovative cyber attack has led to the loss of around $20 million by Flashbots, a developer of bots dedicated to mining MEV (maximum extractable value) to generate profits in Ethereum.
The incident occurred on Monday, April 3, and was reported by several prominent Ethereum developers, including Mudit Gupta and Sam Sun. “A user managed to drain five MEV bots by exploiting a vulnerability in the mev-boost relay,” Sun explained on Twitter.
However, it is important to note that no ETH was taken from the Flashbots organization itself; the drained funds belonged to the MEV bots.
To carry out the attack, the attacker first had to become a network validator. To that end, he deposited the required 32 ether (ETH) on March 15. When his turn came to propose a block as a validator, he was able to rearrange transactions in the way his attack required.
Validators do not run on Flashbots software; they are part of the Ethereum protocol and run on the Ethereum core protocol software.
The Flashbots developer group reacted to the event by releasing a patch to prevent this type of attack. Broadly speaking, the patch instructs relayers, which are mediators between blocks and validators, to “publish the block to the Beacon network before returning to the proposer (and if it fails, not to return the content to the proposer at all).”
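A toy model of the ordering change the patch describes, added here as an example and not Flashbots' own relay code: the relay holds a block's full contents while the proposer has committed only to its header, and the fix makes the relay publish to the Beacon network first and hand back the contents only on success. Class names, the accept flag and the call sequence are assumptions made for this model.

```python
# Added example, not Flashbots' relay code: a toy model of the relay step the
# article's patch reorders. The proposer committed to a block it saw only as a
# header; the relay holds the full contents. Class names, the accept flag and
# the call sequence are assumptions made for this model.
from dataclasses import dataclass

@dataclass
class PendingBlock:
    header: str           # what the proposer committed to (blinded)
    txs: tuple            # full contents, secret until the block is published
    beacon_accepts: bool  # constructed flag: will the beacon network accept it?

class BeaconNetwork:
    """Stand-in for the consensus layer; accepts or rejects a published block."""
    def publish(self, block: PendingBlock) -> bool:
        return block.beacon_accepts

class Relay:
    """Holds full blocks for proposers; `patched` selects the ordering."""
    def __init__(self, beacon: BeaconNetwork, patched: bool):
        self.beacon = beacon
        self.patched = patched
        self.pending = {}

    def submit(self, block: PendingBlock) -> None:
        self.pending[block.header] = block

    def get_payload(self, header: str):
        """Proposer asks for the contents of the block it committed to."""
        block = self.pending.get(header)
        if block is None:
            return None
        if not self.patched:
            # Pre-fix ordering: contents go back to the proposer regardless of
            # whether publication to the beacon network succeeds, so they leak.
            self.beacon.publish(block)
            return block.txs
        # Post-fix ordering (the article's patch): publish first, and return
        # the contents only if the beacon network accepted the block.
        if not self.beacon.publish(block):
            return None
        return block.txs

def reveal(patched: bool, beacon_accepts: bool):
    """One proposer request; returns the txs the proposer learned, or None."""
    relay = Relay(BeaconNetwork(), patched)
    relay.submit(PendingBlock("hdr-1", ("tx-a", "tx-b", "tx-c"), beacon_accepts))
    return relay.get_payload("hdr-1")
```

With the old ordering, `reveal(False, False)` hands the proposer the contents of a block the beacon network never accepted; with the patched ordering the same request returns `None`.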
In addition to the release of this solution, Flashbots announced that it would publish a report on what happened in the next few hours.
The bots that Flashbots develops operate as high-frequency traders that use their resources to capture arbitrage opportunities on networks such as Ethereum. These bots are referred to as MEV-boost.
With solutions like MEV-boost, Flashbots allows Ethereum validators to capture and monetize transaction profits arising from the insider information they hold about the current state of the network.
A “sandwich attack” is a technique that takes advantage of asset price volatility to produce a financial gain. The attacker buys or sells a large amount of an asset to move the price in his favor, and then performs a transaction to exploit someone else who is trading that asset. Finally, the attacker completes the sandwich by selling or buying back the asset at a favorable price and making a net profit.
As detailed by blockchain security and analytics account PeckShield, the stolen funds were spread across eight addresses, with three of them storing the most funds at the time of writing.
A brief analysis of the attack
Mudit Gupta, a well-known Ethereum and Polygon developer, explained, “In this case, the validator is taking advantage of the fact that the MEV bot incurs a loss on the first sandwich transaction.”
“The vulnerability is due to a design flaw in Flashbots, which does not financially penalize the creator of the malicious transaction. This has led to a situation where the economic incentive is broken and only works thanks to a tacit agreement not to do wrong,” he explained.
In that sense, he detailed that the punishment for violating the rules (a fine of 1 ETH or about $1,800 USD) is less than the potential profit that can be made through manipulation.
Overall, Gupta says this situation highlights the limitations and risks of MEV on Ethereum. As MEV adoption increases, it is likely that more vulnerabilities will be discovered, and more attention and action will be required to prevent them, according to the specialist.