Full Report
Miner/Maximal Extractable Value (MEV) is the profit that can be extracted by reordering, inserting or censoring transactions within a block. It is what makes arbitrage, frontrunning and sandwich attacks possible. One MEV bot, 0xbaDc0dE, had just captured a large profit from an arbitrage opportunity when it was itself drained.

The bot is written in Solidity (its bytecode begins with the familiar `0x60806040` prologue that the Solidity compiler emits), but its source was never verified. The author of the post therefore ran the bytecode through the Dedaub decompiler to recover an approximation of the Solidity source. The contract uses `delegatecall` to dispatch into other implementation contracts, and its public functions are flash loan callbacks, which fits a bot that borrows capital to execute arbitrage.

The dYdX callback is the interesting one. Deciding who is allowed to call such a function is subtle: the callback is invoked by dYdX, but who asked dYdX to invoke it? The bot checks the former and not the latter, and that is the vulnerability. The callback body contains a lot of logic, and the decompiler could not recover all of it, so the author, while reproducing the exploit, used the contract's revert messages to work out what each path does. One path approves the caller to spend the bot's tokens whenever the current allowance is 0. Because the attacker is the one who triggered the callback, the attacker's contract ends up holding an allowance and can `transferFrom` funds out of the bot.

It's interesting to see a MEV bot get hacked. It is complicated to see how things work, since the decompilation tools for Solidity are not perfect yet. I wonder if we will see more attacks like this in the future!
Analysis Summary
# Incident Report: 0xbaDc0dE MEV Bot Exploitation
## Executive Summary
On September 27, 2022, a high-profile MEV (Maximal Extractable Value) bot known as "0xbaDc0dE" was exploited shortly after performing a record-breaking arbitrage transaction. An attacker leveraged a lack of access control in a flash loan callback function to trick the bot into granting them token allowances. This resulted in the theft of approximately 1,101 WETH, valued at roughly $1.46 million USD.
## Incident Details
- **Discovery Date:** September 27, 2022
- **Incident Date:** September 27, 2022
- **Affected Organization:** 0xbaDc0dE (Private MEV Operator)
- **Sector:** Decentralized Finance (DeFi) / Blockchain
- **Geography:** Global / Ethereum Network
## Timeline of Events
### Initial Access
- **Date/Time:** September 27, 2022 (approx. 30 minutes after bot profit)
- **Vector:** Unauthorized execution of public callback functions.
- **Details:** The attacker identified that the bot’s `callFunction` (the dYdX flash loan callback) did not properly verify the initiator of the call, only that the caller was the dYdX Solo Margin contract.
### Lateral Movement
- **Technique:** Permission Manipulation.
- **Details:** The attacker initiated a "fake" flash loan from dYdX, directing dYdX to call the 0xbaDc0dE bot. Because the bot’s logic included a mechanism to automatically `approve` the caller to spend its tokens (intended to facilitate arbitrage trades), the bot granted the attacker's contract a maximum allowance of WETH.
### Data Exfiltration/Impact
- **Details:** With the WETH allowance granted, the attacker invoked `transferFrom` to drain 1,101 WETH from the 0xbaDc0dE bot contract to their own address.
### Detection & Response
- **Detection:** On-chain monitoring services and the MEV community noticed the sudden drainage of funds following the bot's massive 800+ WETH profit.
- **Response:** The bot was largely defunct post-drain; security researchers (Immunefi, Halborn) performed post-mortem bytecode analysis to identify the cause.
## Attack Methodology
- **Initial Access:** Exploiting an unauthenticated public callback function.
- **Persistence:** Not applicable (one-time execution exploit).
- **Privilege Escalation:** Exploiting logic that auto-approved the "caller" for full token spending permissions.
- **Defense Evasion:** The bot's only protection was the obscurity of unverified bytecode, which decompilers such as Dedaub defeat; the post-mortem reproduced the flaw with exactly that tooling.
- **Discovery:** On-chain reconnaissance of the bot's transaction history and bytecode patterns.
- **Impact:** Direct theft of assets via `transferFrom`.
## Impact Assessment
- **Financial:** Loss of 1,101 WETH (Approx. $1.46M USD).
- **Data Breach:** None (non-custodial smart contract transaction).
- **Operational:** Total loss of operating capital for the MEV bot.
- **Reputational:** High-profile irony in the DeFi community, as the bot was exploited immediately after a predatory (though legal) arbitrage trade.
## Indicators of Compromise
- **Attacker Address:** Not recorded in this report. The `0x60...` value sometimes cited is the Solidity bytecode prologue (`0x60806040`) from the PoC, not an account address.
- **Target Contract:** `0xbaDc0dEfAfCF6d4239BDF0b66da4D7Bd36fCF05A`
- **Behavioral Indicators:** An `Approval` event granting an unknown address a maximum allowance, emitted inside a flash loan callback the bot did not initiate, followed within the same or the next transaction by a large `Transfer` executed through `transferFrom` to that address.
## Response Actions
- **Containment:** None possible once the transaction was confirmed on-chain.
- **Eradication:** The vulnerability resided in the immutable bytecode; the contract must be abandoned or replaced.
- **Recovery:** No fund recovery reported.
## Lessons Learned
- **Obscurity is not Security:** Even though the bot’s Solidity code was not verified on Etherscan, attackers used decompilers to find flaws in the bytecode.
- **Callback Validation:** Always verify not just *who* is calling the function (e.g., dYdX), but *who initiated* the original action that triggered the callback.
- **Automated Approvals:** Code that automatically grants `approve` permissions to any caller is a critical anti-pattern.
## Recommendations
- **Strict Access Control:** Restrict every function that can move tokens. Entry points should be owner-only; a flash loan callback cannot be owner-only because the lender calls it, so it must check both `msg.sender` (the lending contract) and the initiator argument (which must be this contract).
- **Input Validation:** Treat the `data` payload delivered to a flash loan callback as untrusted until the initiator check proves this contract produced it, and never take a spender or recipient address from it without an allow-list check.
- **Source Verification:** While MEV bots prefer secrecy to avoid strategy theft, using audited or formally verified templates for standard components (like flash loans) reduces risk.
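The following contracts are an added example written for this report; they are not 0xbaDc0dE's decompiled code and not dYdX's. They put the pattern described in the Initial Access, Lateral Movement and Lessons Learned sections beside its hardened form. The `ICallee`/`Account.Info` shapes mirror dYdX Solo Margin's callback interface, where `sender` is the owner of the dYdX account that initiated the loan; the way `data` is decoded into a spender is a hypothetical stand-in for the bot's unrecovered logic, and `startArbitrage` takes raw calldata for `operate()` as a simplification so the example stays focused on the callback checks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration for this report, not the bot's real code. The callback
// interface mirrors dYdX Solo Margin; the `data` layout is hypothetical.

interface IERC20 {
    function allowance(address owner, address spender) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

library Account {
    struct Info { address owner; uint256 number; }
}

// dYdX Solo Margin calls this on the target of a "Call" action. `sender` is the
// owner of the dYdX account passed to operate(), i.e. whoever initiated the loan.
interface ICallee {
    function callFunction(address sender, Account.Info calldata account, bytes calldata data) external;
}

/// Vulnerable pattern: authenticates the immediate caller (dYdX) but not the
/// initiator, then approves a spender taken from attacker-controlled `data`.
contract VulnerableBot is ICallee {
    address public immutable soloMargin;
    IERC20 public immutable weth;

    constructor(address solo, address weth_) { soloMargin = solo; weth = IERC20(weth_); }

    function callFunction(address, Account.Info calldata, bytes calldata data) external override {
        require(msg.sender == soloMargin, "caller is not dYdX"); // anyone can make dYdX call us
        address spender = abi.decode(data, (address));          // hypothetical payload layout
        if (weth.allowance(address(this), spender) == 0) {
            weth.approve(spender, type(uint256).max);           // unbounded allowance to an untrusted spender
        }
        // Arbitrage and repayment would follow. The attacker's `spender` only
        // needs to call weth.transferFrom(address(this), attacker, balance) later.
    }
}

/// Hardened pattern: the callback must come from dYdX AND belong to a loan this
/// contract started, spenders are allow-listed by the owner, and approvals are
/// sized to the trade and revoked before the callback returns.
contract HardenedBot is ICallee {
    address public immutable owner;
    address public immutable soloMargin;
    IERC20 public immutable weth;
    mapping(address => bool) public trustedSpender;
    bool private loanInProgress;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address solo, address weth_) {
        owner = msg.sender;
        soloMargin = solo;
        weth = IERC20(weth_);
    }

    function setTrustedSpender(address spender, bool ok) external onlyOwner {
        trustedSpender[spender] = ok;
    }

    // Only the owner can start a loan, and the flag records that a callback is
    // expected. `operateCalldata` is ABI-encoded ISoloMargin.operate(...) built
    // off-chain (simplification so the dYdX action structs are not repeated here).
    function startArbitrage(bytes calldata operateCalldata) external onlyOwner {
        loanInProgress = true;
        (bool ok, ) = soloMargin.call(operateCalldata);
        require(ok, "operate failed");
        loanInProgress = false;
    }

    function callFunction(address sender, Account.Info calldata, bytes calldata data) external override {
        require(msg.sender == soloMargin, "caller is not dYdX");          // who is calling
        require(sender == address(this), "loan not initiated by this contract"); // who asked them to
        require(loanInProgress, "no loan in progress");                   // belt and braces
        (address spender, uint256 amount) = abi.decode(data, (address, uint256));
        require(trustedSpender[spender], "spender not allow-listed");
        require(weth.approve(spender, amount), "approve failed");         // exact amount, not max
        // ... trade through `spender`, repay dYdX ...
        require(weth.approve(spender, 0), "revoke failed");               // nothing lingers
    }
}
```

The two `require` lines at the top of `HardenedBot.callFunction` check different things: `msg.sender == soloMargin` proves who is calling, while `sender == address(this)` proves who asked dYdX to call. 0xbaDc0dE had the first check and lacked the second, which is why a flash loan initiated by a stranger reached the approval path.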