Overview
- Security firm Blockaid and multiple on‑chain analyses showed the bot was drained after an attacker deployed dozens of fake token contracts and mock liquidity routes to bait its automated routing and approval logic.
- The exploit relied on the bot granting standing ERC‑20 allowances to attacker‑controlled helper contracts, which were later used with transferFrom calls to pull WETH, USDC and USDT from the bot’s contracts.
- Public on‑chain traces reviewed by Blockaid and CoinDesk put moved funds at about $7.5 million while the Jaredfromsubway.eth account disputed that number and claimed roughly $15 million in losses and offered a $1 million bounty for return.
- Some stolen funds were routed through the Tornado Cash mixer, the attacker remains unidentified, and no full recovery of assets has been confirmed as of the latest reports.
- The incident highlights a new class of risk for machine‑speed MEV systems because automated approval and routing rules can be manipulated, prompting calls for stricter approval hygiene, private mempools, and safer automation safeguards.