Particle.news

Jaredfromsubway.eth MEV Bot Drained in Approval‑Trap Exploit

The breach shows how automated MEV bots can be tricked into granting lasting token approvals that let attackers sweep millions from their contracts.

Overview

  • On Saturday, on-chain analysis by security firm Blockaid found that attacker-controlled contracts had used open ERC-20 approvals to pull roughly $7.5 million from Jaredfromsubway.eth, while the bot operator publicly claimed a $15 million loss and posted a $1 million bounty.
  • The attacker spent weeks deploying dozens of fake token contracts and mock liquidity pools that mimicked WETH, USDC and USDT to bait the bot into approving attacker helper contracts.
  • Those standing approvals were later used with ERC-20 transferFrom calls to move WETH, USDC and USDT out of the bot’s contracts, and some of the proceeds were routed through the Tornado Cash mixer.
  • Blockaid emphasized this was not a stolen key or classic smart‑contract bug but a manipulation of the bot’s automated decision logic that granted persistent spending rights to malicious contracts.
  • The incident puts fresh pressure on MEV operators to tighten approval hygiene, consider private relays and adopt stricter route vetting; it also highlights risks for traders, since Jaredfromsubway.eth has been a dominant sandwich operator since 2023.
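The two controls the bullets above call for, route vetting by token address and an audit of standing approvals, can be expressed as a small check over ERC-20 Approval event logs. This is an added example, not code from Particle.news, Blockaid or the bot operator; every address in it is a constructed placeholder, and the policy (allowlisted spenders, no unlimited allowances, pinned token addresses) is an assumption about what "approval hygiene" means for such a bot.

```python
# Approval-hygiene audit for an automated trading contract. Added example, not code from
# Particle.news or the bot operator; every address below is a constructed placeholder.
UINT256_MAX = 2**256 - 1
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event signature
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# Tokens the bot may route through, pinned by address (placeholders); a lookalike
# contract that merely reports the symbol "WETH" is absent from this map.
CANONICAL_TOKENS = {
    "0x1111111111111111111111111111111111111111": "WETH",
    "0x2222222222222222222222222222222222222222": "USDC",
}
# Spenders the bot may approve, e.g. one audited router contract (placeholder).
ALLOWED_SPENDERS = {"0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

def topic_to_address(topic: str) -> str:
    """Indexed address args are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def decode_approval(log: dict):
    """Decode an eth_getLogs-style log into (token, owner, spender, value) or None."""
    if log["topics"][0].lower() != APPROVAL_TOPIC:
        return None
    return (log["address"].lower(), topic_to_address(log["topics"][1]),
            topic_to_address(log["topics"][2]), int(log["data"], 16))

def vet_token(token: str, claimed_symbol: str) -> bool:
    """Route vetting by address, not symbol: a WETH mimic at another address fails."""
    return CANONICAL_TOKENS.get(token.lower()) == claimed_symbol

def audit_approvals(logs, bot: str):
    """Return (token, spender, reasons) for standing approvals by `bot` that break policy."""
    findings = []
    for log in logs:
        decoded = decode_approval(log)
        if decoded is None:
            continue
        token, owner, spender, value = decoded
        if owner != bot.lower() or value == 0:
            continue  # granted by another owner, or a revocation
        reasons = []
        if spender not in ALLOWED_SPENDERS:
            reasons.append("spender not allowlisted")
        if value == UINT256_MAX:
            reasons.append("unlimited allowance")
        if token not in CANONICAL_TOKENS:
            reasons.append("non-canonical token")
        if reasons:
            findings.append((token, spender, reasons))
    return findings
```

Run periodically against the bot contract's own Approval logs, any finding is a standing allowance that should be revoked (approve of zero) before it can be exercised with transferFrom.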