Imagine making 800 ETH in a single arb

... and then, an hour later, losing 1100 ETH to a hacker

Here is the story of 0xbaDc0dE, an MEV bot who gained and lost it all in a few hours tonight
0xbaDc0dE is the address prefix of the contract of a mempool bot that's been pretty active on ETH in the last few months.

In that time they sent ~220k transactions to Ethereum, I believe all arbs or trying to cancel arbs.

Address: 0xbadc0defafcf6d4239bdf0b66da4d7bd36fcf05a
Earlier today some poor soul tried to sell $1.8m in cUSDC on Uniswap v2 (!). They got ~$500 out in return. Yikes.

Meanwhile, this generated a massive arb opportunity.

tx: 0x96a129768ec66fd7d65114bf182f4e173bf0b73a44219adaf71f01381a3d0143
0xbaDc0dE dutifully backran that sale in the mempool (!) with a looong arb touching many protocols.

The profit from this was ~800 ETH!

tx: 0x2a615005a63785284f11a4c5cb803d1935d34e358c10a3b4d76398d2e7bb2f9d
... But just an hour later all of 0xbaDc0dE's ETH was stolen

I'll let the reader make the joke about the code themselves
Digging in, it seems that 0xbaDc0dE did not properly protect the function that they used to execute dYdX flashloans.

Note "callFunction", the function the dYdX router calls as part of flashloan execution.
When you get a flashloan, the protocol you're borrowing from will call a standardized function on your contract.

In this case dYdX called "callFunction" on 0xbaDc0dE.

0xbaDc0dE's code unfortunately allowed for arbitrary execution from that callback: anyone could trigger it, not just dYdX during a loan the bot itself had opened.
The attacker used this to make 0xbaDc0dE approve its entire WETH balance to the attacker's contract as spender.

tx: 0x59ddcf5ee5c687af2cbf291c3ac63bf28316a8ecbb621d9f62d07fa8a5b8ef4e
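To make the failure mode concrete, here is an added illustration (not the bot's actual source, which was never published in this thread) of what an unprotected dYdX callback looks like next to a hardened one. The `ICallee` shape follows dYdX's SoloMargin callback, where `sender` is the account that called `operate()`; the `Account.Info` struct is simplified, and the allowlisted target addresses and the SoloMargin address are assumed constructor inputs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified shape of dYdX's Account.Info (only the two fields the callback receives).
library Account {
    struct Info { address owner; uint256 number; }
}

// dYdX flash-loan callback interface: SoloMargin calls this on the borrower's contract
// during operate(); `sender` is whoever called operate().
interface ICallee {
    function callFunction(address sender, Account.Info calldata accountInfo, bytes calldata data) external;
}

// VULNERABLE (illustrative, modelled on the bug the thread describes):
// no check on who is calling, no check on who opened the loan, arbitrary target.
// Anyone can invoke this directly with data encoding (WETH, approve(attacker, max)).
contract VulnerableSearcher is ICallee {
    function callFunction(address, Account.Info calldata, bytes calldata data) external override {
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }
}

// HARDENED: the callback only runs when the lending protocol invokes it, only for
// a loan this contract itself initiated, and only against allowlisted targets.
contract HardenedSearcher is ICallee {
    address public immutable owner;
    address public immutable soloMargin;          // assumed: dYdX SoloMargin address, passed in
    mapping(address => bool) public allowedTargets; // DEX routers / pools the bot is allowed to call

    constructor(address _soloMargin) {
        owner = msg.sender;
        soloMargin = _soloMargin;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Owner curates which contracts the arb path may touch.
    function setAllowedTarget(address target, bool allowed) external onlyOwner {
        allowedTargets[target] = allowed;
    }

    function callFunction(address sender, Account.Info calldata, bytes calldata data) external override {
        // 1. Only the lending protocol may enter the callback (blocks direct calls from anyone).
        require(msg.sender == soloMargin, "caller is not dYdX");
        // 2. The loan must have been opened by this contract (blocks an attacker calling
        //    operate() themselves with a Call action pointed at us).
        require(sender == address(this), "loan not initiated by this contract");
        (address target, bytes memory payload) = abi.decode(data, (address, bytes));
        // 3. Even a legitimate loan may only call pre-approved contracts, so an encoding
        //    mistake or a bad action list cannot turn into approve()/transfer() on our tokens.
        require(allowedTargets[target], "target not allowlisted");
        (bool ok, ) = target.call(payload);
        require(ok, "call failed");
    }
}
```

Check 2 is the one people most often forget: restricting `msg.sender` to the lending protocol is not enough on its own, because the protocol will happily relay a call that someone else initiated. The same three checks apply to any flash-loan receiver hook (Aave's `executeOperation`, Uniswap's `uniswapV2Call`, ERC-3156's `onFlashLoan`), with the "who opened the loan" field named differently in each.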
The attacker then simply transferred the WETH out to their address.

tx: 0x631d206d49b930029197e5e57bbbb9a4da2eb00993560c77104cd9f4ae2d1a98
Stay safe and protect your execution functions, searchers!
Bad code, great content
Surprised that at this point this stuff happens on-chain and there's not a thread about it 4 hours later.
