QI Quadriga Initiative

Jun 2025 - MEV Bot Fallback Function Arbitrary Call Vulnerability Attack - $2m (Global)

A MEV bot (Miner Extractable Value or Maximal Extractable Value bot) is a program that operates on blockchain networks like Ethereum to profit from the way transactions are ordered within blocks. These bots exploit inefficiencies in the blockchain's transaction execution process by front-running, back-running, or sandwiching other users' transactions. MEV bots scan pending transactions and insert their own in a way that can extract value, often at the expense of regular users. This can include arbitrage between decentralized exchanges or manipulating DeFi protocols.

This particular exploited MEV bot was created on May 10th, 2025. The identity of the MEV bot's creator does not appear to have been published.

Unfortunately, a vulnerability existed in the smart contract code.

The exploit involves an arbitrary call vulnerability in the fallback function of contract 0xb5cb...4a87, which allowed the contract to be made to execute unauthorized external calls on behalf of whoever invoked it. The attacker used this vulnerability to call the 0x0243f5a2() function on the victim contract 0xb5cb...e1b0, a function that normally requires strict access control. Because a prior transaction had mistakenly granted 0xb5cb...4a87 that permission, calls routed through the fallback passed the victim's access check, so the attacker was able to bypass the access restrictions and exploit the victim contract.
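The bug class described above, as an added Solidity illustration that is not the exploited contract's code (which is not reproduced on this page): the contract names (Victim, VulnerableBot, HardenedBot), the function privilegedAction, and the calldata layout "20-byte target followed by payload" are assumptions made for the example. The vulnerable form forwards whatever reaches its fallback to whatever target the caller names, so an allowlist entry granted to the bot contract effectively extends to every caller of the bot; the hardened form replaces the open fallback with an owner-only, target-allowlisted entry point and rejects unknown calls.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the bug class only; not the code of the
// contracts in the incident. All names below are hypothetical.

/// A contract that gates a privileged action behind an allowlist of callers.
contract Victim {
    address public owner;
    mapping(address => bool) public authorized;

    constructor() { owner = msg.sender; }

    /// Owner grants or revokes permission for a caller (this is the kind of
    /// grant that, in the incident, was mistakenly given to the bot contract).
    function setAuthorized(address who, bool ok) external {
        require(msg.sender == owner, "not owner");
        authorized[who] = ok;
    }

    /// Privileged function: only allow-listed msg.sender may call it.
    /// Note the check is on msg.sender, i.e. the *immediate* caller. If the
    /// immediate caller is a contract that forwards calls for anyone, the
    /// check is satisfied for anyone.
    function privilegedAction(address payable to, uint256 amount) external {
        require(authorized[msg.sender], "not authorized");
        to.transfer(amount);
    }

    receive() external payable {}
}

/// Vulnerable form: the fallback forwards arbitrary calldata to an arbitrary
/// target with no sender check, so any account can make this contract issue
/// calls *as itself*, inheriting every permission this contract holds.
contract VulnerableBot {
    address public owner;

    constructor() { owner = msg.sender; }

    // Every unknown selector lands here. Assumed layout: first 20 bytes of
    // calldata are the target address, the remainder is the payload.
    fallback() external payable {
        address target = address(bytes20(msg.data[:20]));
        (bool ok, ) = target.call{value: msg.value}(msg.data[20:]);
        require(ok, "forwarded call failed");
    }

    receive() external payable {}
}

/// Hardened form: forwarding is an explicit, owner-only function restricted
/// to allow-listed targets, and the fallback rejects everything else.
contract HardenedBot {
    address public immutable owner;
    mapping(address => bool) public allowedTargets;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setTarget(address target, bool ok) external onlyOwner {
        allowedTargets[target] = ok;
    }

    /// Access-controlled entry point instead of an open fallback.
    function execute(address target, bytes calldata data)
        external
        payable
        onlyOwner
        returns (bytes memory)
    {
        require(allowedTargets[target], "target not allowed");
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }

    // Unknown selectors and stray calldata revert instead of being forwarded.
    fallback() external payable {
        revert("unknown call");
    }

    receive() external payable {}
}
```

Two defensive points follow from the example. First, an allowlist keyed on msg.sender is only as strong as the weakest contract on it, so before granting a contract address a privilege, review whether that contract can be driven by third parties (open fallbacks, unguarded execute/multicall helpers). Second, the hardened contract still needs an owner who is itself protected; the mitigation is the access check plus the target allowlist, not either alone, and any grant already made to a forwarding contract should be revoked via the victim's own permission function.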

TenArmor reports "an approximately loss of $1.1M" initially, and due to "[a]nother two attack t[ransactio]ns", later revised this to a "total loss [of] about $2M". SlowMist reported "losses of approximately $2 million".

The attack was noticed by both TenArmor and SlowMist. It is unclear what reaction the MEV Bot creator may have had.

It is unclear if anything was done to trace or recover the funds.

There is limited information about whether any investigation is underway.

Further Analysis

A MEV bot, created on May 10, 2025, to exploit transaction ordering on Ethereum, was itself exploited due to a vulnerability in its smart contract. The flaw—an arbitrary call vulnerability in the fallback function of contract 0xb5cb...4a87—allowed an attacker to execute unauthorized calls, specifically to the protected 0x0243f5a2() function on victim contract 0xb5cb...e1b0. This was possible because a prior transaction had mistakenly granted the vulnerable contract access. TenArmor initially reported a $1.1 million loss, later updating it to around $2 million after identifying additional attack transactions. SlowMist also reported a $2 million loss. The MEV bot creator remains unidentified, and there is little public information about any recovery efforts or investigations.

How Could This Have Been Prevented?


Sources/Further Reading

Attack Transaction 1 - BSCScan (Dec 31)
Exploiter BSC Address - BSCScan (Dec 31)
Attack Transaction 2 - BSCScan (Dec 31)
Attack Transaction 3 - BSCScan (Dec 31)
Smart Contract Permissions Granted - BSCScan (Dec 31)
TenArmor - "Our system has detected a suspicious attack involving #MEV bot 0xb5cb on #BSC, resulting in an approximately loss of $1.1M." - Twitter/X (Dec 31)
MEV Bot Contract - BSCScan (Dec 31)
MEV Bot Contract Creation - BSCScan (Dec 31)
Ethereum Foundation’s explanation of MEV (Dec 31)
Flashbots (a major MEV research group) Documentation (Dec 31)
What Is MEV and Why It Matters - CoinDesk (Dec 31)

