Attacker drains Ethereum MEV bot JaredFromSubway using fake-token honeypot
An attacker drained the well-known Ethereum trading bot JaredFromSubway by patiently baiting it into a trap rather than exploiting a software bug. Over several weeks, the attacker deployed 66 fake token contracts and sham liquidity pools mimicking WETH, USDC, and USDT, structured so the bot's automated logic treated them as profitable opportunities and granted token-spending approvals to attacker-controlled contracts. Later trades left those approvals active, and a single transaction then swept the bot's real funds. Security firms estimate the loss near $7.5 million, while the operator claims around $15 million. It is a reminder that standing token approvals in automated systems are dangerous even when the underlying contracts are sound.
- Check
- If you run automated trading or other systems that grant token or spending permissions, review where standing approvals exist, whether they are scoped, and whether they are revoked after each use.
- Affected
- Operators of automated on-chain trading bots and similar systems that grant token-spending approvals based on automated logic; attackers can manipulate that logic with fake but convincing opportunities to win lasting permissions.
- Fix
- Scope and time-limit token approvals, revoke them immediately after use, validate counterparties beyond surface-level profitability signals, and monitor for unusual approval grants so automated systems cannot be tricked into arming attackers.