Loss Exceeds $7.5 Million: Analysis of the Honeypot Attack Targeting MEV Bot and Tracking of Stolen Funds

marsbitPublished on 2026-06-22Last updated on 2026-06-22

Abstract

On June 21, Jaredfromsubway.eth, one of Ethereum's most active MEV bots, suffered a sophisticated honeypot attack, losing over $7.5 million in crypto assets. Attackers deployed a complex contract system, including a coordinator, trigger, and fake token/pair contracts, to exploit the bot's arbitrage logic. The core attack trick involved baiting the bot with transactions: small trades appeared normal and consumed token approvals, while larger trades preserved these approvals by using fake swaps. This left the bot with large, unused approvals for assets like USDC, USDT, and WETH. The attacker then drained these approvals in a final step. The stolen funds—$2.87M USDC, $2.04M USDT, and 1,474 WETH—were consolidated and partially laundered through Tornado Cash. This incident highlights that MEV bots must not rely solely on simulated profits for security. Extra caution is required with unfamiliar contracts or custom wrappers in arbitrage paths, and post-transaction allowance checks are strongly recommended.

On June 21, Jaredfromsubway.eth, one of the most active MEV Bots on the Ethereum network, fell victim to a meticulously orchestrated "honeypot attack," resulting in the loss of over $7.5 million worth of crypto assets. The following is Beosin Security Team's analysis of this attack and tracking of the stolen fund flow.

Attack Process Analysis

Attack Contract Family

- Coordinator Contract (0xb84db016324e8f2bfdd8dd9c260338aee0a8df52): Responsible for recording whether the current block is in an 'armed' state and, in the final stage, cyclically calling sub-contracts to drain funds.
- Trigger Contract (0x4de8c729a064ff6087cc84a4152969349e4feb98): Responsible for setting the state of fake trading pairs within the same block, making the arbitrage path appear executable.
- Sub-contract / Fake Token Contract: Disguised as a normal ERC-20 token, used to obtain genuine approvals.
- Hub Contract: Responsible for paying out a small amount of real profit, making the MEV Bot believe the opportunity is profitable.
- Ring V2 Pair: Fake Uniswap v2 trading pair.
- Fake Intermediate Token Contract: Used to construct multi-hop arbitrage paths, such as fCAP, fUSDC.

The Key to the Attack: Deceiving Approvals

By analyzing on-chain transactions, the attacker constructed multiple sets of bait transactions:

- Large USDC: The bot profited about 36.997120 USDC, but left behind an approval for 20 USDC.
- Large USDT: The bot profited about 37.053440 USDT, but left behind an approval for 20 USDT.
- Large WETH: The bot profited about 0.0179 WETH, but left behind an approval for 16 WETH.
- Small transactions behaved normally, with the approval consumed within the same transaction to reduce suspicion.

In small transactions, after the bot authorized a real token allowance, the sub-contract would immediately transfer the real tokens away. The approval was consumed, appearing completely normal.

In large transactions, however, the sub-contract would not call `transferFrom` to move the real tokens. Instead, it would directly mint fake tokens via the fake trading pair. The bot thought it had completed the normal pre-swap steps, but the real token approval remained intact.

This is the core of the entire attack: small transactions normally consume approvals, while large transactions preserve them.

Attack Procedure

Taking the attack transaction targeting USDC as an example:

(1) The attacker calls the coordinator to set the current block as 'armed'.
(2) The attacker calls the trigger to update the state of multiple fake Ring V2 pairs.
(3) The MEV Bot detects the arbitrage opportunity and executes the transaction.

The internal process of the MEV Bot transaction is roughly as follows:

(1) The MEV Bot contract approves a large USDC allowance to a specific sub-contract.
(2) The MEV Bot calls the `wrapTo`/`wrap` function of the sub-contract.
(3) Because the current state is 'armed', the sub-contract does not consume real USDC. Instead, it mints fake tokens to the pair, and the USDC approval is preserved.
(4) The MEV Bot continues by calling the `swap` function on the fake pair.
(5) The second-hop pair sends the tokens to the MEV Bot.
(6) The hub contract pays a small amount of real USDC profit to the MEV Bot.

approval example

tx hash: 0x0121e07a916c06eea3e7daf11893f3f0b95b9e1684124545ae14c32aee6029bb

The result seen by the MEV Bot: A successful arbitrage transaction yielding real USDC profit. However, the USDC approval was retained by the sub-contract.
This process was repeated for USDC, USDT, and WETH, ultimately accumulating numerous approvals.

The attack transaction hash is:

0x2be8704f5a59b69e0b71f64aefdb99eb0e8ae9fb3926147c581910d71bcf3e65

The attacker calls the `drain loop` function of the coordinator contract. The calldata contains 66 sub-contract addresses and the MEV Bot contract address. For any sub-contract to which the MEV Bot contract had previously left an allowance, that sub-contract could directly transfer the corresponding real tokens to the attacker.

Final Result:

- The entire 20 USDC large allowance was drained.
- The entire 16 WETH large allowance was drained.
- Part of the USDT allowance still exists, but the USDT balance is insufficient.

Fund Flow Analysis

After succeeding, the attacker's address (0x3e37f4A10d771Ba9dE44b6d301410b1BEdeA65d0) received $2.87M USDC, $2.04M USDT, and 1,474 WETH. Subsequently, the attacker exchanged the stablecoins for ETH and transferred it to the following 4 addresses:

- 0xe3Da36E4bd1a5738fa5D6Ef4F0e4dF40bDeB5f17 (approx. 1,000 ETH)
- 0x74Dc5b93586D248D5Aec64b3586736FF0A0D0e65 (1,001 ETH)
- 0xd8C125efCBc99408eC8723E9BBd81d1E8D39D845 (1,001 ETH)
- 0x71d4416A7A85e08a5Fe7227Ca3B44Fc639e94e97 (1,423 ETH)

Among these, 0xe3Da3 has transferred 1,000 ETH to Tornado Cash. The ETH at the other three addresses has not seen further movement. The fund flow chart is shown below:

Conclusion

This attack demonstrates a highly sophisticated method: instead of directly attacking contract code, the attacker, based on the business logic of MEV Bots, constructed corresponding arbitrage scenarios to mislead the MEV Bot into making seemingly harmless approvals, and then transferred its assets. For arbitrage bots and MEV Bots, relying solely on simulated profits to judge the safety of a route is insufficient. Especially when an arbitrage path involves unfamiliar contracts, fake tokens, or custom wrappers, caution is essential. Consider enforcing checks on allowance changes after transactions.

View Original Article

Trending Cryptos

ctr
CitreaCTR
wstusdt
wrapped stUSDTWSTUSDT
apr
aPrioriAPR
ctx
Cryptex FinanceCTX
audio
AudiusAUDIO
comp
CompoundCOMP
mantra
MantraMANTRA
xvs
VenusXVS
waxl
AxelarWAXL
bill
Billions NetworkBILL
pyth
PYTH (Pyth)PYTH
rune
THORChainRUNE
velodrome
Velodrome FinanceVELODROME
brev
BrevisBREV
zrx
ZRX(0X)ZRX

Related Questions

QWhat was the total loss suffered by the MEV bot Jaredfromsubway.eth in the honeypot attack on June 21st?

AThe total loss exceeded 7.5 million US dollars worth of crypto assets.

QWhat was the core mechanism used in the honeypot attack to exploit the MEV bot?

AThe core mechanism was deceiving the bot into granting excessive token approvals (allowances). Small, normal-looking trades consumed the approval, while larger trades left the approval intact. The attacker later exploited these retained approvals to drain the bot's funds.

QWhich specific real-world assets (tokens) did the MEV bot lose in this attack?

AThe bot lost USDC, USDT, and WETH. Specifically, it lost $2.87M USDC, $2.04M USDT, and 1,474 WETH (which was later converted to more ETH).

QWhat was one of the final destination addresses for the stolen ETH, as mentioned in the fund flow analysis?

AOne of the final destinations was the privacy mixer Tornado Cash, where 1,000 ETH from address 0xe3Da36E4bd1a5738fa5D6Ef4F0e4dF40bDeB5f17 was sent.

QWhat key security recommendation does the article provide for MEV bots and arbitrage robots to prevent similar attacks?

AThe article recommends that MEV bots should not rely solely on simulated profits to judge the safety of a route. They should be cautious with unfamiliar contracts, fake tokens, or custom wrappers in an arbitrage path. Furthermore, they should consider implementing mandatory checks for allowance changes after a transaction.

Related Reads

Infamous MEV Bot JaredFromSubway Drained For $7.5 Million

The notorious Ethereum MEV bot "JaredFromSubway" has been drained of approximately $7.5 million after attackers tricked its automated system. Security firm Blockaid reported that the bot was deceived into approving malicious trading routes by attacker-controlled contracts. These approvals were then used to siphon WETH, USDC, and USDT from the bot's contract. The incident is ironic as MEV bots are designed to exploit minute market advantages, but in this case, its own automation became the vulnerability. The attack specifically targeted the bot's trading logic, not the Ethereum protocol or a broader DeFi application. It underscores a critical risk in automated trading: the pursuit of speed can create fragility, making systems susceptible to carefully crafted traps. While the financial loss is significant, the broader impact is reputational for MEV infrastructure. It serves as a warning that automated systems granting token approvals require stringent safeguards, simulation, and route verification. The event is considered a targeted exploit on a trading bot, not a network-wide security issue.

bitcoinist1h ago

Infamous MEV Bot JaredFromSubway Drained For $7.5 Million

bitcoinist1h ago

Report Interpretation: J.P. Morgan Details Micron's Pre-Earnings Sentiment, Current Hardware Sector Dynamics

Morgan Stanley analyst Joshua Meyers' report (June 21, 2026) highlights key trends in the hardware and semiconductor sector ahead of Micron's earnings. The core takeaways are: 1. **Micron & Memory:** Memory remains a high-conviction long theme, driven by strong AI demand and rising ASPs. However, investor focus is shifting to the sustainability of Micron's >80% gross margins and the specifics of potential new long-term supply agreements (SCAs). 2. **Hardware Supply Chain:** AI-related demand for servers, networking, and storage remains robust, but company performance is diverging. Celestica (CLS) shows improved margin confidence, Western Digital and Seagate benefit from pricing, Fabrinet (FN) sees predictable AI optics growth, and Teradyne (TER) anticipates a new Google customer. 3. **AI Capex & WFE Forecasts:** JPMorgan increased its Wafer Fab Equipment (WFE) market growth forecasts to 28% in 2026 and 29% in 2027. AI infrastructure financing is evolving, with higher project-level debt reducing constraints on capex expansion. The report signals that while the AI-driven hardware cycle is strong, the market is entering a phase focused on execution verification (e.g., Micron's SCA details, Fabrinet's ramp with Amazon) and valuation sustainability. Key near-term signals include Micron's guidance, Arista Networks' outlook, and the pace of demand normalization post potential tariff-related pull-ins.

marsbit2h ago

Report Interpretation: J.P. Morgan Details Micron's Pre-Earnings Sentiment, Current Hardware Sector Dynamics

marsbit2h ago

Research Report Analysis: The Fed's New Chair's Debut – New Leader, But Same Script?

Report Analysis: Federal Reserve's New Chair Debut – A New Captain, But the Same Script? Morgan Stanley's chief global economist Seth B. Carpenter analyzes the first FOMC meeting under new Fed Chair Kevin Warsh in a June 21 report. Warsh deliberately avoided providing forward guidance on interest rates, aligning with his philosophy. However, market expectations for a rate hike this year were reinforced. Key signals lie elsewhere: inflation may fall more than expected, and quantitative tightening (QT) could be more aggressive than anticipated. The FOMC's "dot plot" suggests only one rate hike in 2026. Carpenter argues that if inflation undershoots forecasts, the logic for even a single hike weakens, especially as projections indicate potential rate cuts in 2027. On QT, Warsh's stance is clear. Carpenter notes that measures like halving the Treasury's account balance could shrink the Fed's balance sheet by around $500 billion with minimal market impact. Combined with adjustments to reserve interest and liquidity rules, the ultimate QT scale may exceed expectations, though its market effect might be less disruptive unless the Fed actively sells Mortgage-Backed Securities (MBS). While Warsh initiated a review of the Fed's policy framework, the 2% inflation target remains intact for now. The report concludes that the market may be overestimating the significance of reduced forward guidance and the near-term rate hike risk, while potentially underestimating the scope and manageable nature of the coming balance sheet reduction. The key debates will hinge on upcoming core PCE data, the specifics of the QT path, and the framework review's findings.

marsbit2h ago

Research Report Analysis: The Fed's New Chair's Debut – New Leader, But Same Script?

marsbit2h ago

Critical Game Week: BTC Retracement Confirmation vs. HYPE Support Battle | Guest Analysis

This weekly analysis outlines a critical juncture for BTC and HYPE markets, focusing on key price level confirmations. **BTC Analysis:** BTC is at a pivotal point after a five-wave rally from the June 5th low of $59,100. The price has broken below a short-term rising channel's lower boundary, with the current move seen as a pullback to test this breakdown. Failure to reclaim this level could lead to a retest of the $59,000-$60,000 support zone. The core scenario hinges on this channel retest outcome. * **Key Levels:** Resistance at $64,500-$65,000 (channel boundary) and $69,500-$70,500. Support at $59,000-$60,000 and $55,000. * **Strategy:** A core bearish stance is maintained (20% short from last week), with short-term plans for tactical trades. Three detailed contingency plans (A/B/C) are provided for short positions on resistance tests or breakdowns, emphasizing strict stop-loss discipline. **HYPE Analysis:** HYPE shows strong momentum but is currently in a corrective phase after hitting a new high of $76.94. The price is retesting the crucial $64-$66 support area. * **Key Levels:** Resistance near $77 and $80-$82. Support at $64-$66 and $52-$54. * **Strategy:** The short-term approach is "buy on dips, avoid chasing rallies." A long position is considered only if clear stabilization signals appear at the $64-$66 or deeper $52-$54 support zones, with tight risk controls. **General Risk Management:** A standardized trailing stop-loss protocol is emphasized: set initial stop, breakeven at +1% profit, then trail stops upward to lock in gains. *Disclaimer: All analysis is presented as a personal trading framework, not investment advice. Market conditions are complex and require dynamic adjustment.*

marsbit3h ago

Critical Game Week: BTC Retracement Confirmation vs. HYPE Support Battle | Guest Analysis

marsbit3h ago

Research Report Interpretation: Citi Attends AWS Summit, Bullish on Cloud Business Acceleration but Data Governance Remains Key Variable

Citi analyst Tyler Radke's team attended the AWS New York Summit (June 17-18), engaging with over 10 clients and partners. In a June 19 report, they highlighted the summit's focus on scaling agent AI for enterprise deployment. Citi maintains a "Buy" rating on Amazon, forecasting AWS revenue growth to accelerate to 37% in FY27 from 30% in FY26, noting this estimate may be conservative. Key takeaways: 1. **AWS Strategy Shift:** AWS is moving from proof-of-concepts to scalable deployment. New offerings like AWS Context (building enterprise knowledge graphs), Amazon Quick (cross-application AI assistant), and security tool Continuum address core enterprise pain points for AI adoption. 2. **Data Infrastructure Beneficiaries:** Data infrastructure companies like Snowflake, Elastic, Oracle, and ClickHouse are seen as direct beneficiaries of scaling AI workloads, as evidenced by strong growth and use cases presented. 3. **Critical Role of Data Governance:** As AI agents scale from hundreds to thousands, effective data governance becomes the key variable for deploying AI in core business processes. AWS Context represents AWS's strategic extension from providing compute/models to offering a data governance infrastructure layer. The report emphasizes that without solving data governance, AI will remain confined to pilot projects. The investment thesis focuses on AWS revenue acceleration and data infrastructure vendors' growth, while monitoring signals like AWS's quarterly revenue growth, Bedrock AgentCore task volume, and pricing impacts on companies like Elastic.

marsbit3h ago

Research Report Interpretation: Citi Attends AWS Summit, Bullish on Cloud Business Acceleration but Data Governance Remains Key Variable

marsbit3h ago

Trading

Spot
Futures

Hot Articles

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of ETH (ETH) are presented below.

活动图片

Top Questions