The Jaredfromsubway MEV bot, implicated in approximately 70% of Ethereum sandwich attacks, lost more than $7.5 million in an allowance breach after its automated systems approved token spending by contracts controlled by the attackers.
The bot, known as Jaredfromsubway.eth, approved a series of trades that appeared to be part of a lucrative trading route. These permissions remained active, allowing the attacker to remove wrapped ether and two major stablecoins from the contracts involved in the operation.
In effect, the incident led one of Ethereum’s largest extractive trading systems to approve its own theft. It also highlights the vulnerabilities faced by automated traders that must evaluate markets, approve contracts, and execute trades within seconds.
On-chain security firm Blockaid said the attackers did not compromise the bot’s private keys or exploit flaws in widely used decentralized finance protocols. Instead, the operation targeted the rules the bot uses to identify and pursue potential profits.
How Jaredfromsubway.eth was drained
According to Blockaid, the attackers spent weeks deploying copycat tokens, liquidity pools, and support contracts similar to the markets bots might typically trade on.
The fake assets included wrapped versions of Ethereum, USDC, and USDT, which were paired together via a trading route designed to generate profitable signals. Jaredfromsubway.eth discovered these routes and followed the normal process of allowing the helper contract to move tokens as part of the anticipated transaction.
Some of the early transactions used the permissions as expected and helped establish a pattern that the bot’s system would continue to accept. In subsequent transactions, the approvals were left unused.
That distinction gave the attacker an opening through ERC-20 approvals, which allow another address or smart contract to spend a specified amount of tokens belonging to the approving account.
Allowances remain available after the original transaction unless they are exhausted, reduced, or revoked.
Once the attackers had accumulated enough unused allowances, the contract used the ERC-20 transferFrom function to move real WETH, USDC, and USDT from the bot’s account.
On-chain records show repeated transfers totaling approximately 92 WETH, $143,000 USDC, and $149,000 USDT from contracts linked to the bot. The funds were sent to an address controlled by the attacker.
Yearn Finance developer Banteg explained that the final operation was not a traditional token swap, but an allowance outflow. The reconciliation contract called withdrawal functions across dozens of subcontracts, checking the bot’s balance and remaining allowances before transferring available tokens.
A portion of the proceeds was then transferred through Tornado Cash, a cryptocurrency mixing service that makes it difficult to trace funds.
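An added example, not code from Blockaid, Banteg or the bot: a Python replay of approve and transferFrom calls that lists the allowances left open after trading, how much of each token they expose (capped by the balance, as the drain contract checked), and the approve(spender, 0) calls that close them. The call records, helper names and balances are constructed, and the model assumes standard ERC-20 semantics in which approve overwrites the previous allowance.

```python
from collections import defaultdict

# Constructed sample: decoded calls touching one trading account's tokens.
# ("approve", token, spender, amount) sets the allowance;
# ("transferFrom", token, spender, amount) spends part of it.
CALLS = [
    ("approve", "WETH", "helper_A", 50),
    ("transferFrom", "WETH", "helper_A", 50),   # early trade: allowance fully used
    ("approve", "WETH", "helper_B", 40),        # later trade: approval never consumed
    ("approve", "USDC", "helper_B", 90_000),
    ("transferFrom", "USDC", "helper_B", 10_000),
    ("approve", "USDC", "helper_C", 70_000),
    ("approve", "USDC", "helper_C", 0),         # explicit revoke
]
BALANCES = {"WETH": 30, "USDC": 120_000}  # constructed current balances


def residual_allowances(calls):
    """Replay approve/transferFrom calls; return non-zero allowances left open."""
    allowance = defaultdict(int)
    for kind, token, spender, amount in calls:
        key = (token, spender)
        if kind == "approve":
            allowance[key] = amount          # approve overwrites, it does not add
        elif kind == "transferFrom":
            if amount > allowance[key]:
                raise ValueError(f"{spender} overspent {token} allowance")
            allowance[key] -= amount
        else:
            raise ValueError(f"unknown call kind: {kind}")
    return {k: v for k, v in allowance.items() if v > 0}


def exposure(residuals, balances):
    """Per token, what open allowances could pull, capped by the balance."""
    total = defaultdict(int)
    for (token, _spender), amount in residuals.items():
        total[token] += amount
    return {t: min(a, balances.get(t, 0)) for t, a in total.items()}


def revocations(residuals):
    """approve(spender, 0) calls that would close every open allowance."""
    return [("approve", token, spender, 0) for token, spender in sorted(residuals)]


if __name__ == "__main__":
    open_ = residual_allowances(CALLS)
    print(open_, exposure(open_, BALANCES), revocations(open_))
```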
Dominant sandwich operators will be targeted
Jaredfromsubway.eth has been operating since 2023 and has become one of the most prominent participants in the Ethereum market seeking Maximum Extractable Value (MEV).
MEV refers to the revenue generated by changing the order in which blockchain transactions are processed. In a sandwich attack, a bot identifies a pending trade and first buys the asset, driving up its price. The user’s transaction then executes at the unfavorable price, after which the bot sells and captures the difference.
This made Jaredfromsubway.eth one of the most prominent sandwich attack bots on Ethereum before the same automation became an entry point to its own funds.
Losses for individual traders may be small. However, this strategy can generate large amounts of revenue through tens of thousands of trades, while increasing transaction costs and network fees.
According to the report, these attacks cost traders an estimated $60 million annually, with approximately 70% tied to a single operator identified as Jaredfromsubway.eth.