(The Herald Post) – On Monday, April 3, an innovative attack stole $25 million of Ethereum on the blockchain. The attack targeted bots dedicated to extracting MEV (Maximum Extractable Value) for profit on the Ethereum network. The incident was reported by prominent Ethereum developers, including Mudit Gupta and Sam Sun.
According to Sun, the attacker managed to drain five MEV bots by exploiting a vulnerability in the mev-boost relay. To accomplish this, the hacker had to become a network validator, depositing the required 32 ethers (ETH) on March 15. When the attacker’s turn came to propose a block, they reordered transactions to enable their attack.
In response, the Flashbots developer group released a patch to prevent similar attacks. The patch instructs relayers to publish the block on the Beacon network before returning it to the proposer or, if unsuccessful, not to return the content at all. Flashbots also announced they would publish a report on the incident in the coming hours.
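The relay change described above can be shown as a small message-flow model. This is an added illustration, not Flashbots' code: the class names (Relay, BeaconNetwork, Payload), the single-slot flow and the sample transactions are assumptions made for the example, and the real mev-boost exchange is more involved. The point it makes is the ordering the patch enforces: before the fix the relay hands the block contents to the proposer while nothing is public yet; after the fix the relay publishes first and, if publication fails, withholds the contents entirely.

```python
"""Toy model of the relay-side fix: publish the block before revealing its body.

Added example, not the project's own code. Relay, BeaconNetwork and Payload are
simplified stand-ins for the real mev-boost components.
"""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class Payload:
    slot: int
    transactions: tuple  # ordered transaction list; opaque labels here

    def header_hash(self) -> str:
        # commitment to this slot and this exact transaction ordering
        body = "|".join(self.transactions).encode()
        return hashlib.sha256(f"{self.slot}:".encode() + body).hexdigest()


@dataclass
class BeaconNetwork:
    """Stand-in for the consensus layer; records blocks that became public."""
    online: bool = True
    published: dict = field(default_factory=dict)  # header_hash -> Payload

    def publish(self, signed_header: str, payload: Payload) -> bool:
        if not self.online:
            return False  # publication failed (network or relay error)
        self.published[signed_header] = payload
        return True


@dataclass
class Relay:
    beacon: BeaconNetwork
    publish_before_reveal: bool  # False models the behaviour before the patch
    pending: dict = field(default_factory=dict)  # header_hash -> Payload

    def get_header(self, payload: Payload) -> str:
        """Step 1: the relay holds the body and exposes only a header commitment."""
        h = payload.header_hash()
        self.pending[h] = payload
        return h

    def get_payload(self, signed_header: str):
        """Step 2: the proposer returns the signed header and asks for the body."""
        payload = self.pending.get(signed_header)
        if payload is None:
            return None  # unknown or unsigned header: nothing to reveal
        if not self.publish_before_reveal:
            # pre-patch: body handed over while the block is still unpublished
            return payload
        # patched flow: publish first; on failure never return the contents
        if not self.beacon.publish(signed_header, payload):
            return None
        return payload


def run_flow(publish_before_reveal: bool, beacon_online: bool = True) -> dict:
    """Run one slot and report what the proposer learned and what became public."""
    beacon = BeaconNetwork(online=beacon_online)
    relay = Relay(beacon, publish_before_reveal)
    # constructed sample payload; the slot number and labels are arbitrary
    payload = Payload(slot=100, transactions=("tx_a", "tx_b", "tx_c"))
    header = relay.get_header(payload)
    # the proposer's signature over the header is out of scope; the hash
    # stands in for the signed commitment the relay expects back
    body = relay.get_payload(header)
    return {
        "proposer_saw_body": body is not None,
        "published": header in beacon.published,
    }


if __name__ == "__main__":
    print("pre-patch:", run_flow(publish_before_reveal=False))
    print("patched:  ", run_flow(publish_before_reveal=True))
    print("patched, beacon down:", run_flow(True, beacon_online=False))
```

In the pre-patch run the proposer holds the full block body while nothing is published, which is the window the article describes; in the patched run the body is only revealed once the block is already public, and when publication fails the relay returns nothing.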
The developer group builds high-frequency trading robots, known as MEV-boost, that capitalize on arbitrage opportunities on networks like Ethereum. These robots have previously been scrutinized for their obligation to censor transactions in compliance with regulations from the United States Office of Foreign Assets Control (OFAC).
At the heart of the hack on Flashbots was a “sandwich attack” technique, which leverages price volatility to generate financial gain. The attacker buys or sells a large amount of an asset to move the price in their favor, executes a transaction to exploit another person trading that asset, and then sells or buys back the asset at a favorable price, making a net profit.
Blockchain security and analysis account PeckShield reported that the stolen funds were distributed to eight addresses, with three of them holding the majority of the funds at the time of writing.
Ethereum and Polygon developer Mudit Gupta provided a brief analysis of the attack, stating that the vulnerability resulted from a design flaw in Flashbots. The flaw did not economically penalize the creator of the malicious transaction, leading to a broken economic incentive reliant on an unwritten agreement not to do harm. Gupta emphasized that the penalty for breaking the rules (a fine of 1 ETH or about $1,800 USD) is less than the potential profit obtainable through manipulation.
Gupta’s analysis underscores the limitations and risks of MEV in Ethereum. As MEV adoption increases, more vulnerabilities are likely to be discovered, necessitating greater attention and action to prevent similar incidents in the future.
(This article has been rewritten to correct a misconception in paragraphs 1, 5 and title)