RIP MEV BOT 2
December 20, 2023

Attacker address (funded via Tornado Cash): 0x46d9b3dfbc163465ca9e306487cba60bc438f5a2
Attack tx: 0xbc08860c…
Victim address: 0x05f016765c6c601fd05a10dba1abe21a04f924a5

On Tuesday night, a Multiverse bot experienced a significant loss of $2 million in what appears to be an instance of crypto-karma. Spreek identified the issue as an unprotected swap function within the bot's code. This incident is reminiscent of a similar occurrence last year when the notorious bot 0xbadc0de suffered losses of $1.5 million.

In the world of Miner Extractable Value (MEV), bots operate on the edge of the principle "code is law." Despite the complexity of the MEV landscape, the exploit was surprisingly simple. The bot's code had an unprotected swap function that anyone could call. Exploiting this, a sandwich attack was executed on the bot through WETH/WBTC trades on Curve, funded by a $50 million flash loan.

BlockSec clarified that the bot was vulnerable due to the lack of access control for a public function (0xf6ebebbb), allowing manipulation of swaps in Curve pools. The loss incurred was approximately $2 million. The attacker abused the flawed function to pump the price of an asset, such as WETH, and then executed a reverse swap to make a profit. The sandwiched swaps resulted in a substantial financial hit for the bot, with the attacker's address funded via Tornado Cash and the victim's address suffering the loss.

The incident generated fees of $250,000 for the Curve protocol, showcasing the dynamics of large transactions in the DeFi space.

In the realm of decentralized finance, autonomous bots, though controversial, are often considered a necessary element of a permissionless financial system. The ecosystem's key players, including validators who receive lucrative tips, may find themselves willing to tolerate the activities of these Dark Forest predators. As the crypto landscape continues to evolve, the question remains: how long until others fall prey to unforeseen vulnerabilities?
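The missing-access-control pattern described above, next to a guarded version, as an added Solidity example that is not the victim bot's code and not code published by Spreek or BlockSec. The contract names, the `IPool.exchange` interface, the zero minimum output in the unprotected version, the pool allowlist and the minimum-output check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interfaces for illustration; not the victim bot's or Curve's actual ABI.
interface IERC20 { function approve(address spender, uint256 amount) external returns (bool); }
interface IPool {
    function exchange(uint256 i, uint256 j, uint256 dx, uint256 minDy) external returns (uint256 dy);
}

// BEFORE: the pattern the article describes. Any address can make the bot
// trade its own balance at whatever price the pool quotes at that moment.
contract UnprotectedBot {
    function swap(IPool pool, IERC20 tokenIn, uint256 i, uint256 j, uint256 dx) external {
        tokenIn.approve(address(pool), dx);
        pool.exchange(i, j, dx, 0); // no caller check; accepts any output (assumed)
    }
}

// AFTER: only the operator may trigger swaps, only in allowlisted pools,
// and every swap must state the minimum output it will accept.
contract GuardedBot {
    address public immutable operator;
    mapping(address => bool) public poolAllowed;

    error NotOperator();
    error PoolNotAllowed();
    error MinOutRequired();

    modifier onlyOperator() {
        if (msg.sender != operator) revert NotOperator();
        _;
    }

    constructor() { operator = msg.sender; }

    function setPool(address pool, bool allowed) external onlyOperator {
        poolAllowed[pool] = allowed;
    }

    function swap(IPool pool, IERC20 tokenIn, uint256 i, uint256 j, uint256 dx, uint256 minDy)
        external onlyOperator returns (uint256 dy)
    {
        if (!poolAllowed[address(pool)]) revert PoolNotAllowed();
        if (minDy == 0) revert MinOutRequired();
        tokenIn.approve(address(pool), dx);
        dy = pool.exchange(i, j, dx, minDy); // assumed: pool reverts if output < minDy
        tokenIn.approve(address(pool), 0);   // leave no standing allowance
    }
}
```

The caller check addresses the flaw BlockSec named; the allowlist and minimum output are extra layers that limit damage if a privileged path is ever reached with a manipulated pool price.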
