One of Ethereum’s most notorious MEV bots, known as JaredFromSubway, has reportedly been drained for around $7.5 million after attacker-controlled contracts tricked its automated system into granting token approvals.
TL;DR
- The JaredFromSubway MEV bot was reportedly drained for about $7.5 million.
- Security firm Blockaid said the bot was tricked into approving malicious trading routes.
- The attacker then used those approvals to pull assets from the bot contract.
- The incident appears to target the bot’s own automation, not Ethereum itself.
CoinDesk reported that Blockaid identified the exploit, saying attacker-controlled contracts tricked the bot into approving fake trading routes. Those approvals were later used to drain WETH, USDC and USDT from the bot’s contract. The incident has drawn attention because JaredFromSubway has long been associated with aggressive sandwich trading on Ethereum.
The irony is hard to miss. MEV bots are built to exploit tiny timing and routing advantages in on-chain markets. In this case, the bot’s own automation appears to have become the weakness. Instead of extracting value from other users, it was manipulated into approving contracts that later drained its balances.
What Happened
The reported exploit was not a hack of Ethereum’s base protocol. It was also not a broad failure of a major DeFi application used by ordinary depositors. The target was a specific MEV bot and the logic it used to interact with contracts during automated trading.
That distinction matters. MEV infrastructure moves quickly and often relies on highly automated decision-making. If that automation can be tricked into approving the wrong contract, the risk can be severe because transactions execute with little human review.
According to reports, the attacker prepared the trap by using fake routes or contracts that the bot interpreted as profitable opportunities. Once approvals were granted, the attacker used them to transfer assets out. In DeFi terms, it was a reminder that approvals are powerful permissions, not harmless signatures.
Why Traders Care
The story is bigger than one bot getting drained. It highlights a risk that applies across automated trading systems: speed can become fragility. Bots competing in MEV markets need to act faster than human traders, but that also means they can be vulnerable to carefully designed traps.
For Ethereum users, the incident may feel like poetic justice because sandwich bots are widely disliked. But the technical lesson is broader. Any system that grants token approvals based on automated contract interactions needs strict safeguards, simulation and route verification.
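One form the approval safeguard above can take is a static check on calldata before it is signed. The sketch below is an added example, not code from the bot, Blockaid or any named project; it covers only the ERC-20 `approve(address,uint256)` call, and the allowlist, addresses and cap are constructed placeholders.

```python
# Added example: pre-signing policy check for ERC-20 approve() calldata.
# Addresses and caps are constructed placeholders, not values from the incident.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1

# Hypothetical policy: vetted spender -> maximum allowance in token base units.
ALLOWED_SPENDERS = {
    "0x" + "11" * 20: 5_000 * 10**6,  # constructed router address
}


def check_approval(calldata_hex, policy=ALLOWED_SPENDERS):
    """Return (allowed, reason) for a transaction's calldata before signing."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if data[:4] != APPROVE_SELECTOR:
        return True, "not an approve() call"
    if len(data) != 4 + 32 + 32:
        return False, "malformed approve() calldata"
    spender_word, amount_word = data[4:36], data[36:68]
    if any(spender_word[:12]):
        # An ABI-encoded address is left-padded with 12 zero bytes.
        return False, "non-zero padding in spender word"
    spender = "0x" + spender_word[12:].hex()
    amount = int.from_bytes(amount_word, "big")
    if amount == 0:
        return True, "revocation"  # setting an allowance to zero is always safe
    cap = policy.get(spender)
    if cap is None:
        return False, f"spender {spender} is not allowlisted"
    if amount == MAX_UINT256:
        return False, "unlimited allowance"
    if amount > cap:
        return False, "amount exceeds cap"
    return True, "within policy"


def encode_approve(spender, amount):
    """Build approve() calldata for constructed test inputs."""
    return (APPROVE_SELECTOR + bytes(12) + bytes.fromhex(spender[2:])
            + amount.to_bytes(32, "big")).hex()
```

A check like this sits alongside simulation and route verification rather than replacing them, since it only limits which contracts can ever hold an allowance and for how much.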
The market impact is unlikely to come from the dollar amount alone. A $7.5 million drain is meaningful, but not systemic. The bigger impact is reputational for MEV infrastructure and possibly operational for bot operators who now need to review their approval logic more aggressively.
For now, this should be treated as a targeted exploit against a trading bot, not a network-wide security event.
This report is based on information from Blockaid.
This article was written by the News Desk and edited by Samuel Rae.