Loss Exceeds $7.5 Million: Analysis of the Honeypot Attack Targeting MEV Bot and Tracking of Stolen Funds

marsbitPublished on 2026-06-22Last updated on 2026-06-22

Abstract

On June 21, Jaredfromsubway.eth, one of Ethereum's most active MEV bots, suffered a sophisticated honeypot attack, losing over $7.5 million in crypto assets. Attackers deployed a complex contract system, including a coordinator, trigger, and fake token/pair contracts, to exploit the bot's arbitrage logic. The core attack trick involved baiting the bot with transactions: small trades appeared normal and consumed token approvals, while larger trades preserved these approvals by using fake swaps. This left the bot with large, unused approvals for assets like USDC, USDT, and WETH. The attacker then drained these approvals in a final step. The stolen funds—$2.87M USDC, $2.04M USDT, and 1,474 WETH—were consolidated and partially laundered through Tornado Cash. This incident highlights that MEV bots must not rely solely on simulated profits for security. Extra caution is required with unfamiliar contracts or custom wrappers in arbitrage paths, and post-transaction allowance checks are strongly recommended.

On June 21, Jaredfromsubway.eth, one of the most active MEV Bots on the Ethereum network, fell victim to a meticulously orchestrated "honeypot attack," resulting in the loss of over $7.5 million worth of crypto assets. The following is Beosin Security Team's analysis of this attack and tracking of the stolen fund flow.

Attack Process Analysis

Attack Contract Family

- Coordinator Contract (0xb84db016324e8f2bfdd8dd9c260338aee0a8df52): Responsible for recording whether the current block is in an 'armed' state and, in the final stage, cyclically calling sub-contracts to drain funds.
- Trigger Contract (0x4de8c729a064ff6087cc84a4152969349e4feb98): Responsible for setting the state of fake trading pairs within the same block, making the arbitrage path appear executable.
- Sub-contract / Fake Token Contract: Disguised as a normal ERC-20 token, used to obtain genuine approvals.
- Hub Contract: Responsible for paying out a small amount of real profit, making the MEV Bot believe the opportunity is profitable.
- Ring V2 Pair: Fake Uniswap v2 trading pair.
- Fake Intermediate Token Contract: Used to construct multi-hop arbitrage paths, such as fCAP, fUSDC.

The Key to the Attack: Deceiving Approvals

By analyzing on-chain transactions, the attacker constructed multiple sets of bait transactions:

- Large USDC: The bot profited about 36.997120 USDC, but left behind an approval for 20 USDC.
- Large USDT: The bot profited about 37.053440 USDT, but left behind an approval for 20 USDT.
- Large WETH: The bot profited about 0.0179 WETH, but left behind an approval for 16 WETH.
- Small transactions behaved normally, with the approval consumed within the same transaction to reduce suspicion.

In small transactions, after the bot authorized a real token allowance, the sub-contract would immediately transfer the real tokens away. The approval was consumed, appearing completely normal.

In large transactions, however, the sub-contract would not call `transferFrom` to move the real tokens. Instead, it would directly mint fake tokens via the fake trading pair. The bot thought it had completed the normal pre-swap steps, but the real token approval remained intact.

This is the core of the entire attack: small transactions normally consume approvals, while large transactions preserve them.

Attack Procedure

Taking the attack transaction targeting USDC as an example:

(1) The attacker calls the coordinator to set the current block as 'armed'.
(2) The attacker calls the trigger to update the state of multiple fake Ring V2 pairs.
(3) The MEV Bot detects the arbitrage opportunity and executes the transaction.

The internal process of the MEV Bot transaction is roughly as follows:

(1) The MEV Bot contract approves a large USDC allowance to a specific sub-contract.
(2) The MEV Bot calls the `wrapTo`/`wrap` function of the sub-contract.
(3) Because the current state is 'armed', the sub-contract does not consume real USDC. Instead, it mints fake tokens to the pair, and the USDC approval is preserved.
(4) The MEV Bot continues by calling the `swap` function on the fake pair.
(5) The second-hop pair sends the tokens to the MEV Bot.
(6) The hub contract pays a small amount of real USDC profit to the MEV Bot.

approval example

tx hash: 0x0121e07a916c06eea3e7daf11893f3f0b95b9e1684124545ae14c32aee6029bb

The result seen by the MEV Bot: A successful arbitrage transaction yielding real USDC profit. However, the USDC approval was retained by the sub-contract.
This process was repeated for USDC, USDT, and WETH, ultimately accumulating numerous approvals.

The attack transaction hash is:

0x2be8704f5a59b69e0b71f64aefdb99eb0e8ae9fb3926147c581910d71bcf3e65

The attacker calls the `drain loop` function of the coordinator contract. The calldata contains 66 sub-contract addresses and the MEV Bot contract address. For any sub-contract to which the MEV Bot contract had previously left an allowance, that sub-contract could directly transfer the corresponding real tokens to the attacker.

Final Result:

- The entire 20 USDC large allowance was drained.
- The entire 16 WETH large allowance was drained.
- Part of the USDT allowance still exists, but the USDT balance is insufficient.

Fund Flow Analysis

After succeeding, the attacker's address (0x3e37f4A10d771Ba9dE44b6d301410b1BEdeA65d0) received $2.87M USDC, $2.04M USDT, and 1,474 WETH. Subsequently, the attacker exchanged the stablecoins for ETH and transferred it to the following 4 addresses:

- 0xe3Da36E4bd1a5738fa5D6Ef4F0e4dF40bDeB5f17 (approx. 1,000 ETH)
- 0x74Dc5b93586D248D5Aec64b3586736FF0A0D0e65 (1,001 ETH)
- 0xd8C125efCBc99408eC8723E9BBd81d1E8D39D845 (1,001 ETH)
- 0x71d4416A7A85e08a5Fe7227Ca3B44Fc639e94e97 (1,423 ETH)

Among these, 0xe3Da3 has transferred 1,000 ETH to Tornado Cash. The ETH at the other three addresses has not seen further movement. The fund flow chart is shown below:

Conclusion

This attack demonstrates a highly sophisticated method: instead of directly attacking contract code, the attacker, based on the business logic of MEV Bots, constructed corresponding arbitrage scenarios to mislead the MEV Bot into making seemingly harmless approvals, and then transferred its assets. For arbitrage bots and MEV Bots, relying solely on simulated profits to judge the safety of a route is insufficient. Especially when an arbitrage path involves unfamiliar contracts, fake tokens, or custom wrappers, caution is essential. Consider enforcing checks on allowance changes after transactions.

View Original Article

Trending Cryptos

Related Questions

QWhat was the total loss suffered by the MEV bot Jaredfromsubway.eth in the honeypot attack on June 21st?

AThe total loss exceeded 7.5 million US dollars worth of crypto assets.

QWhat was the core mechanism used in the honeypot attack to exploit the MEV bot?

AThe core mechanism was deceiving the bot into granting excessive token approvals (allowances). Small, normal-looking trades consumed the approval, while larger trades left the approval intact. The attacker later exploited these retained approvals to drain the bot's funds.

QWhich specific real-world assets (tokens) did the MEV bot lose in this attack?

AThe bot lost USDC, USDT, and WETH. Specifically, it lost $2.87M USDC, $2.04M USDT, and 1,474 WETH (which was later converted to more ETH).

QWhat was one of the final destination addresses for the stolen ETH, as mentioned in the fund flow analysis?

AOne of the final destinations was the privacy mixer Tornado Cash, where 1,000 ETH from address 0xe3Da36E4bd1a5738fa5D6Ef4F0e4dF40bDeB5f17 was sent.

QWhat key security recommendation does the article provide for MEV bots and arbitrage robots to prevent similar attacks?

AThe article recommends that MEV bots should not rely solely on simulated profits to judge the safety of a route. They should be cautious with unfamiliar contracts, fake tokens, or custom wrappers in an arbitrage path. Furthermore, they should consider implementing mandatory checks for allowance changes after a transaction.

Related Reads

2026 Altcoin Season Guide: Current Values & Market Signals, Is It Time to Prepare for Altcoin Season?

Altcoin Season Guide 2026: Signals & Timing Analysis This guide explores the dynamics of an "altcoin season," defined as a 90-day period where at least 75% of the top 50 cryptocurrencies outperform Bitcoin (BTC). Historically signaling capital rotation from BTC to alternative assets ("alts"), these periods have evolved. Key differences for the 2026 market cycle include the "ETF Wall," where institutional capital via spot Bitcoin ETFs may remain concentrated in BTC, potentially slowing a broad altseason. A genuine, sustainable altseason now likely requires BTC profit-taking combined with new retail and on-chain liquidity entering the wider market. Analysts use tools like the Altseason Index (values >75 indicate an altseason) but also monitor key pairs like ETH/BTC and SOL/BTC for confirmation. Additional signals include a declining Bitcoin Dominance rate (ideally below 40-50%), accelerating altcoin total market cap growth, and surges in trading volume and social sentiment for alts. Modern altseasons are increasingly narrative-driven and selective, not uniform across all coins. Capital typically rotates in stages: from BTC to major altcoins (like ETH), then into leading narratives (e.g., AI, RWA, DePIN), and finally into mid/small-cap projects and meme coins. The peak phase is often marked by extreme greed, parabolic rises, and high leverage, serving as a cautionary signal. For preparation, investors are advised to build a quality watchlist based on fundamentals, product traction, and team strength. Strategies should include portfolio diversification, disciplined risk management (position sizing, stop-losses, stablecoin reserves), and capitalizing on sector rotations rather than chasing past winners. While precise timing is uncertain, historical patterns suggest strong altcoin rallies often follow Bitcoin halvings by 12-30 months. For the 2024 halving cycle, 2026-2027 could present favorable conditions if supported by macro liquidity, technological narratives, and a sustained drop in Bitcoin Dominance. A true, broad altseason is unlikely if Bitcoin experiences a sharp crash (>20%), as capital tends to flee the entire crypto market.

Foresight News52m ago

2026 Altcoin Season Guide: Current Values & Market Signals, Is It Time to Prepare for Altcoin Season?

Foresight News52m ago

This Might Be the Most Stunning Image at This Year's WAIC!

This article introduces Shangtang's newly released multimodal AI model, **SenseNova U1 Pro**, unveiled at WAIC 2026. The model is highlighted for its ability to generate **native 8K-resolution images** with exceptional detail and coherence, even in extremely wide-format compositions. It goes beyond simple image generation by employing a **"图文交错思维" (interleaved image-text reasoning)** workflow, where it can plan, sketch, refine, check, and correct its outputs to achieve a final, deliverable result. Key capabilities demonstrated include generating a long 8K scroll depicting the 9-year history of WAIC, a detailed 24 solar terms illustration, a complex academic poster, a琉璃 (colored glaze)-style landscape, and a ready-to-use movie poster. The model handles intricate prompts involving layout, text clarity, material textures, and stylistic consistency. The article draws a parallel between this evolution in image generation and the progression seen in AI coding—from simple code completion to autonomous project delivery. U1 Pro represents a shift from generating single images to providing **complete content delivery systems** for professional scenarios like infographics, urban planning, and commercial design. While challenges like generation time and professional workflow integration remain, the model signifies a move towards multimodal AI agents that are accountable for producing usable, high-quality outputs.

marsbit2h ago

This Might Be the Most Stunning Image at This Year's WAIC!

marsbit2h ago

How Did This Round of Deleveraging in the Korean Stock Market Occur?

This article details the timeline and mechanisms behind the deleveraging event in the South Korean stock market, focusing on the KOSPI index from late June to mid-July. The core trigger was the market's structure, heavily concentrated in Samsung Electronics and SK Hynix, which comprised over half of the KOSPI. The situation was amplified by the May 27th launch of single-stock double-leveraged ETFs on these two companies, which attracted massive retail investment and concentrated risk. The process unfolded in eight stages: 1. Initial price collapse on June 23rd after regulatory warnings, but without significant debt reduction. 2. A rebound from June 24-25 fueled by retail buying and ETF rebalancing, which actually increased leverage. 3. Foreign and institutional investors selling from June 26-30, with domestic retail investors becoming the marginal buyers, transferring risk to household balance sheets. 4. A shift in global semiconductor sentiment from July 1-3, causing leveraged ETFs to systematically sell during declines. 5. The market failing to rally on strong earnings (July 6-8), signaling a turn from technical correction to concerns over peak profitability. 6. A rise in forced liquidations and the cross-listing of SK Hynix ADRs, spreading leverage risks to US and Hong Kong markets (July 9-10). 7. A cascade of synchronized selling from various players on July 13th, followed by a mechanical, ETF-driven rebound. 8. Institutionalization of deleveraging on July 16th, marked by an interest rate hike and new regulatory restrictions on single-stock leveraged products. The author concludes this was not a simple semiconductor correction but a negative feedback loop involving foreign capital rebalancing, retail margin trading, daily ETF rebalancing, forced liquidations, shifting industry expectations, and tightening monetary and regulatory policy. Leveraged ETFs acted as a critical amplifier, not the initial spark. The price decline (-25%) far exceeded the reduction in margin debt (-11%), indicating the deleveraging was primarily expressed through asset prices rather than immediate balance sheet repair.

marsbit2h ago

How Did This Round of Deleveraging in the Korean Stock Market Occur?

marsbit2h ago

Trading

Spot

Hot Articles

Discussions

Welcome to the HTX Community. Here, you can stay informed about the latest platform developments and gain access to professional market insights. Users' opinions on the price of ETH (ETH) are presented below.

活动图片