This is actually insane 🤯
JaredFromSubway's MEV bot (the one that's been printing money for ages) just got cooked for $7.5 million in one of the sneakiest exploits I've seen.
This wasn't a contract hack. It wasn't phishing.
The bot basically approved its own robbery because it thought it was about to feast on a juicy MEV opportunity.
What happened:
> Attacker deploys fake wrapper tokens (fWETH, fUSDC, fUSDT) along with fake liquidity pools designed to look profitable
> The bot spots the "opportunity" and does what it's programmed to do, approving attacker-controlled helper contracts as spenders
> During early tests, those approvals get used immediately, so nothing appears suspicious
> In later transactions, the bot grants approvals that are never consumed or revoked, leaving the attacker with unlimited spending power
> Once enough approvals are collected, the attacker executes the final drain
> WETH, USDC, and USDT are pulled directly from the bot contract via transferFrom and sent to the attacker's wallet (0x3e37f4A10d771Ba9dE44b6d301410b1BEdeA65d0)
One example:
The bot approved more than 92 WETH to one of the attacker's helper contracts, and that approval simply remained active until the funds were drained.
This wasn't some random wallet drainer.
The bot's own automation was turned against it. It was doing exactly what it was designed to do, and that logic ended up being its downfall.
Wild times in MEV land.
Always revoke approvals, kids.
Even if you're a bot making millions.
🚨 New Crypto Pop-Up Is Draining Users 🚨
If you use a crypto wallet, you're familiar with the embedded browser pop-up that prompts you to sign transactions. However, scammers are now exploiting this in an updated scam tactic.
When a user navigates to a scam site via social engineering, sponsored scam ads, or scam comments on X with a look-alike link, it mirrors the real website, in this case, to claim a @JupiterExchange airdrop (not real).
The website mirrors the real site exactly and follows the normal flow: clicking "connect wallet," then detecting which wallets you have installed in the browser. In this VM, I have @MetaMask and @phantom installed, so it detected both. I was already logged into MetaMask, so when I clicked on it, instead of prompting me within the MetaMask browser extension, it created a new pop-up window (separate browser window) impersonating MetaMask, displaying the URL and mimicking the real MetaMask behavior. Since my MetaMask wallet was empty, it said I "was not eligible". But if I had any funds in the wallet, it would have prompted for a wallet-draining signature/approval.
When I tested with Phantom, it followed the same flow. However, because I wasn't logged into Phantom, the fake window impersonating Phantom popped up first, followed by the real Phantom prompt within the browser asking me to log in so that way the scam window pop up could prompt me for a scam approval/signature to drain that wallet after I logged into my legit wallet.
While you may be watching this closely and catching the red flags, like the scam Vercel app URL showing in the address bar, many people don't read anything when prompted for a wallet connection or signature. They simply click. This scam has already drained many wallets because people click without taking even one second to review what they're signing. Always, no matter what, take at least a few seconds to review what you're signing in your wallet each time. Something as simple as noticing the URL bar could save you from losing everything…..
Stay Safe & Stay Vigilant
#PeckShieldAlert Wallets 0x1209...e9C and 0xaac6...508 have been compromised, leading to a loss of ~$2.3M in $USDT due to a private key leak.
The attacker swapped the stolen USDT for 757.6 $ETH and laundered the funds via #TornadoCash.
🥲The Balancer attacker exploited 'permit()' which allows off-chain signatures without requiring gas fees from the frozen address.
We previously warned about #phishing via off‑chain permit signatures — please read our analysis📖:
https://t.co/fqi6KY3mjc
An attacker started with $35. and made $5M in one hour. The liquidity pool was sucked dry. Price crashed 99.9%.
This is how SSS Project was hacked on Mar 22, 2024.
Super Sushi Samurai. It was a new game on a hot new chain. They had the hype. They had the users. And they had the map.
The token contract had a function to transfer tokens.
transfer(from, to, amount)
But it was missing one simple check: What if from and to are the same address?
Imagine telling your bank to wire your entire $10,000 balance... to yourself.
Instead of doing nothing, the bank glitches, and now you have $20,000.
That's exactly what happened.
The code subtracted the balance, then added it back to the same wallet, effectively doubling it.
An attacker discovered this.
They started with $35.
They spammed the self-transfer function.
Their balance doubled. And doubled. And doubled.
In less than an hour, they turned $35 into an infinite pile of tokens.
Then they dumped them on the market, draining the liquidity pool of $4.8M.
The token price plunged 99.9%. Game over.
The project was audited by Verichains but they missed it.
The team was left with nothing.
Then the attacker sent a message: "This was a whitehat rescue hack."
did you notice the genius move here. They didn't report the bug for a small bounty.
By taking the money, they took all the leverage.
They went from being a helpful researcher to the person who controlled the entire negotiation for the return of the funds.
The team was no longer in control. They were hostages. Their only path forward was to negotiate with the person who had just publicly executed them. They took all the money.
so, the attacker returned 95% of the funds and they released a plan. A plan to relaunch with a new token, SSS v2. A promise to restore the pool to its pre-hack value. A snapshot to try and make everyone whole. They weren't building a company anymore; they were managing a crisis created by a single person who simply looked closer.
https://t.co/MEJJBdXbg4
Your biggest vulnerability is not the complex attack vector. It's the simple logic you assumed was too obvious to need a check. That one require(from != to) check was worth $4.8M.
"Audited" is the most dangerous word in crypto. It creates a false sense of security. The real question is not if it was audited, but how well and by whom.
ALERT! Our system has detected two attack transactions targeting an unknown contract (0x5a46c6) on #BSC, resulting in a loss of ~$85K.
Specifically, the attacker utilized EIP-7702 on its own address to leverage the flash loan callback function, manipulating prices and conducting staking activities. By exploiting the flawed time check mechanism, the attacker directly executed two transactions (stake and unstake) to illicitly profit.
Notably, three key vulnerabilities enabled this attack:
1) Flawed flash loan protection check: The attacker exploited EIP-7702 to bypass the flash loan protection mechanism.
2) Spot price dependency.
3) Flawed time interval check for staking and unstaking: The duration calculation incorrectly uses "timestamp modulo day" (timestamp % day) instead of relying on the end time of the previous stake.
TX1: https://t.co/it5TXGtOcY
TX2: https://t.co/pOJ5zpUg2R
I made a 🦊 wallet plugin that:
1. Decodes your calldata
2. Uses that decoded data as input to an AI
3. Which then searches the web to see if the transaction has anything "fishy" about it.
Here is an example where you'd be sending money to the ByBit hackers, but it catches it!
🔍 The scam uses Punycode to trick users: What appears as "арр.еulеr.fіnаnсе" is actually a subdomain of "https://t.co/nstQ4ePWpX[.]com" - NOT the real Euler Finance site.
how to avoid being phished?
be cautious of phishing attempts in these common scenarios,
and familiarize yourself with common phishing signatures that can lead to the theft of your assets. https://t.co/FbeOaGkoqU
One of the beauty of using EIP-7702 is that you can rescue all funds from a compromised wallet using a paymaster and a friendly delegator. There is _no need_ to send ETH to the compromised wallet at all! I decided this morning to write and open-source a fully-fledged Bash script that empowers anyone to run such rescues themselves. The flow of the script is basically:
- A paymaster account that covers gas fees and broadcasts all transactions (including the deployment of the friendly delegator).
- A victim account that signs the EIP-7702 authorisations.
- A friendly Vyper-based delegator contract `recoverooor` deployed for each rescue and protected by a trusted `OWNER` account (defaults to the paymaster account).
- A single script, `go_eip7702.sh`, that can batch recover all assets (you have a multicall possibility for any complex interactions needed, e.g. unstake and transfer).
I haven't fully tested everything so use with caution and use your brain as always please.
Wallet drainers just got deadly efficient.
Smart accounts made draining faster and easier to miss.
Here's the first real example I've seen and how to protect yourself. 🧵
1/ Wallet Drainers are misusing Create2 to bypass security alerts in some wallets by generating new addresses for each malicious signature.
After a discussion with @SlowMist_Team, a group has employed the same technique in Address Poisoning to steal $3M since Aug.
Basically the hacker was able to attack each signer's device to make the multisig UI show something different from what was actually signed.
That's how they got the multisig to sign away the funds.
Crazy stuff.
🚨 ALERT: Scammer modifying popular token information like $CAR and embedding fake Kick platform site through Linktree links.
They're using fake Cloudflare captcha verification pages to trick users into executing malicious code.