Particle.news

JaredFromSubway MEV Bot Drained in Approval Trap

The exploit shows automated trading logic can be steered into granting standing token allowances that let attackers pull millions from bot contracts.

Overview

  • JaredFromSubway, which was drained Saturday, lost roughly $7.5 million by Blockaid’s estimate while the bot operator publicly claimed $15 million and offered a $1 million bounty for return of the funds.
  • Blockaid and on‑chain traces say the attacker spent weeks deploying 66 fake ERC‑20 tokens and sham liquidity pools to bait the bot into approving attacker‑controlled helper contracts.
  • Those standing ERC‑20 allowances were later exercised with transferFrom calls to move WETH, USDC and USDT out of the bot’s contracts. Portions of the proceeds were routed through Tornado Cash, and no full recovery has been confirmed.
  • Security firms emphasize this was not a stolen‑key or classic smart‑contract bug but an attack on the bot’s automated routing and approval workflow, highlighting how powerful token approvals are when granted at machine speed.
  • The incident points to a broader issue: JaredFromSubway has been one of Ethereum’s largest sandwich‑attack operators since 2023, and the drain will likely push calls for stricter allowance management, stronger pre‑trade simulation, and wider use of private or encrypted transaction routing.
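The approval trap described in the bullets above, modelled as an added illustration (this is not the bot’s, Blockaid’s or any on‑chain code): a minimal in‑memory ERC‑20 ledger with standard approve/transferFrom semantics, a routing step that grants a "helper" contract a standing allowance during a baited swap, the later drain, and the hardened variant that approves only the exact leg and revokes afterwards. The addresses, balances, the helper contract and the allowlist are all constructed for the example.

```python
"""Approval-trap model: standing allowance vs. exact approve-and-revoke."""

MAX_UINT256 = 2**256 - 1  # "unlimited" approval value


class ERC20:
    """Minimal ERC-20 ledger: balances plus allowance[(owner, spender)]."""

    def __init__(self, symbol, balances):
        self.symbol = symbol
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        # approve() overwrites the allowance; it does not add to it
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves owner's tokens; reverts unless the allowance covers it."""
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount:
            raise PermissionError(f"{self.symbol}: insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError(f"{self.symbol}: insufficient balance")
        # An unlimited allowance is not decremented (the common OpenZeppelin
        # convention), which is what makes a forgotten MAX_UINT256 grant so costly.
        if allowed != MAX_UINT256:
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def bot_swap_unlimited(token, bot, helper, amount):
    """Vulnerable routing (hypothetical): approve the helper once for
    MAX_UINT256 so later swaps can skip the approve call. With a baited
    pool, `helper` is whatever contract the route resolved to."""
    token.approve(bot, helper, MAX_UINT256)
    token.transfer_from(helper, bot, helper, amount)  # the swap leg itself


def bot_swap_exact(token, bot, helper, amount):
    """Hardened routing (hypothetical): approve exactly the swap leg and
    reset to zero afterwards so nothing is left standing."""
    token.approve(bot, helper, amount)
    try:
        token.transfer_from(helper, bot, helper, amount)
    finally:
        token.approve(bot, helper, 0)


def standing_allowances(token, owner, allowlist):
    """Audit check: non-zero allowances of `owner` to spenders not on the allowlist."""
    return {
        spender: amt
        for (o, spender), amt in token.allowance.items()
        if o == owner and amt > 0 and spender not in allowlist
    }


def run_scenario(hardened):
    """Bait trade now, drain attempt later. Returns (drained, bot balance, leftovers)."""
    weth = ERC20("WETH", {"bot": 1000})  # constructed balance, not real figures
    swap = bot_swap_exact if hardened else bot_swap_unlimited
    swap(weth, "bot", "helper", 1)  # the bait swap approves the helper
    # Later: the attacker, controlling `helper`, calls transferFrom on the bot.
    try:
        weth.transfer_from("helper", "bot", "attacker", weth.balances["bot"])
        drained = True
    except PermissionError:
        drained = False
    return drained, weth.balances["bot"], standing_allowances(weth, "bot", {"router"})


if __name__ == "__main__":
    print("unlimited approval:", run_scenario(hardened=False))
    print("exact approve+revoke:", run_scenario(hardened=True))
```

The `standing_allowances` check is the part worth running for real: the same query, issued against a live token contract with `allowance(owner, spender)` for each spender seen in the bot's past `Approval` events, is the allowance‑management review the last bullet calls for.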