A Maximal Extractable Value (MEV) bot 0xbaDc0dE lost over $1 million after a hacker exploited a flaw in its code.

Imagine making 800 ETH in a single arb

… and an hour later then losing 1100 ETH to a hacker

Here is the story of 0xbaDc0dE, an MEV bot who gained and lost it all in a few hours tonight

— @bertcmiller ⚡️? (@bertcmiller) September 27, 2022

Flashbots’ Robert Miller of Flashbots explained that 0xbaDc0dE was a mempool bot active on ETH over the past few months, making about $220,000 transactions.

The bot got its big break after a user tried to sell cUSDC worth $1.8 million on Uniswap V2 but got about $500 in return, which generated a massive arbitrage opportunity.

According to Miller, 0xbaDc0dE took this opportunity and raked a handsome profit of 800 ETH.

However, the euphoria was short-lived because the MEV bot lost over 1100 ETH, around $1.4 million an hour later, due to a flaw in the code.

Miller said:

“It seems that the 0xbaDc0dE did not properly protect the function that they used to execute dYdX flash loans.”

The hacker exploited the “callFunction,” which is the function called by the dYdX router as a part of the flashloan execution, and the MEV bot code unfortunately allowed arbitrary execution.

So, the hacker got the bot to approve the transaction and moved all the funds to another address.

The recent incident showed how malicious players are taking advantage of vulnerabilities found in codes of crypto projects. This year alone, billions have been lost to hackers exploiting these vulnerabilities.

Only recently, a white hacker saved Arbitrum from an exploit that could have resulted in a loss of almost $500 million due to an initialization-related vulnerability.