The JaredFromSubway MEV bot, a well-known automated sandwich-trading system on Ethereum, got hit for roughly $7.5 million this week. Attackers tricked the bot into granting token approvals for fake trading routes, then drained the funds. Security firm Blockaid identified the exploit, which targeted the bot's own automation rather than Ethereum's base protocol.
How the exploit worked
The attacker set up contracts that looked like legitimate trading routes. The bot, designed to spot and front-run trades, approved those contracts — effectively giving the attacker permission to pull assets. It wasn't a bug in Ethereum; it was a flaw in the bot's trust model. Speed turned into fragility.
What was taken
Blockaid says the drained assets include WETH, USDC, and USDT. The total sits at roughly $7.5 million. JaredFromSubway is known for aggressive sandwich trading on Ethereum, so the wallet held a decent war chest. Now it's a lot lighter.
What this means for MEV bots
This isn't just another DeFi hack. It's a reminder that automation — especially the kind that tries to be faster than everyone else — creates its own attack surface. The bot's whole edge was speed, and the attacker used that speed against it. If a bot blindly approves token allowances for every new route it sees, it's only a matter of time before someone sends a fake one.
Blockaid hasn't released a full post-mortem yet. The bigger question: how many other MEV bots have the same blind spot?
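One way to close the blind-approval gap described above is a check the bot runs before it signs any ERC-20 allowance call. The sketch below is an added example, not code from JaredFromSubway or Blockaid. It assumes a hypothetical operator-maintained spender allowlist and a per-trade cap, and all addresses in it are constructed placeholders.

```python
# Added example: pre-signing policy check for ERC-20 allowance calls.
# Addresses are constructed placeholders; the allowlist policy is an assumption.
APPROVE = bytes.fromhex("095ea7b3")             # approve(address,uint256)
INCREASE_ALLOWANCE = bytes.fromhex("39509351")  # increaseAllowance(address,uint256)
MAX_UINT256 = 2**256 - 1

ROUTER = "0x" + "11" * 20    # constructed: a route contract the operator vetted
UNKNOWN = "0x" + "ee" * 20   # constructed: a contract first seen in a new route
ALLOWED_SPENDERS = {ROUTER}  # lowercase hex, matching the decoder's output


def decode_allowance_call(calldata: bytes):
    """Return (spender, amount) for approve/increaseAllowance calldata, else None."""
    if calldata[:4] not in (APPROVE, INCREASE_ALLOWANCE):
        return None
    if len(calldata) != 4 + 64:
        raise ValueError("malformed allowance calldata")
    spender_word, amount_word = calldata[4:36], calldata[36:68]
    if any(spender_word[:12]):
        raise ValueError("non-zero padding in spender word")
    return "0x" + spender_word[12:].hex(), int.from_bytes(amount_word, "big")


def check_allowance(calldata: bytes, trade_amount: int):
    """Decide whether the bot may sign this call. Returns (ok, reason)."""
    try:
        decoded = decode_allowance_call(calldata)
    except ValueError as exc:
        return False, str(exc)
    if decoded is None:
        return True, "not an allowance call"
    spender, amount = decoded
    if spender not in ALLOWED_SPENDERS:
        return False, "spender not on allowlist"
    if amount == MAX_UINT256:
        return False, "unlimited allowance"
    if amount > trade_amount:
        return False, "allowance exceeds trade amount"
    return True, "ok"


def build_approve(spender: str, amount: int) -> bytes:
    """Encode approve(spender, amount); used here to construct sample input."""
    return APPROVE + bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")
```

The check covers only direct allowance calls; signature-based approvals such as permit would need their own decoding before the same policy could apply.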


