A well-known Ethereum MEV bot, Jaredfromsubway.eth, lost roughly $7.5 million this week after an attacker exploited a vulnerability in its router contract. On-chain security firm Blockaid detected and flagged the attack on its monitoring channels. The incident shows that even the most active automated trading bots are vulnerable to custom smart contract traps.
The attack method
The attacker used a transaction approval trap, targeting a flaw in Jaredfromsubway.eth's router contract. By deploying custom smart contracts, the attacker forced the bot into executing unprofitable sandwich trades — the very strategy the bot normally profits from. Instead of capturing value, the bot sent it to the attacker.
Who is Jaredfromsubway.eth
Jaredfromsubway.eth is one of the most gas-intensive and active arbitrage bots on Ethereum, regularly competing for MEV opportunities. The name is likely a pseudonym. Its size and activity made it a high-value target. Blockaid spotted the exploit early, but the damage was done before any mitigation could occur.
What this means for MEV bots
The exploit underlines a persistent risk: automated strategies that rely on complex contract interactions can be reverse-engineered and trapped. While MEV bots are designed to front-run or sandwich trades, a determined attacker can flip the script. The bot's router contract, a critical piece of its infrastructure, contained a vulnerability that allowed the approval trap to work.
Next steps
Blockaid has shared its analysis publicly, but Jaredfromsubway.eth has not issued a statement or disclosed whether it plans to refund affected parties. The broader MEV ecosystem is watching closely — if the exploit becomes a blueprint, more copycat attacks could follow. For now, the attacker walks away with $7.5 million, and the bot's operators are left patching a hole that cost them dearly.
