The Jaredfromsubway MEV bot, linked to roughly 70% of Ethereum sandwich attacks, lost more than $7.5 million after its automated system granted token approvals to attacker-controlled contracts and never revoked them, leaving standing allowances the attacker could spend.
The bot, known as Jaredfromsubway.eth, approved a series of contracts that appeared to be part of profitable trading routes. Those approvals remained active, allowing the attacker to pull wrapped ether (WETH) and two major stablecoins from contracts tied to the operation.
The incident effectively caused one of Ethereum's largest extractive trading systems to authorize its own theft. It also highlights a weakness of automated traders that must evaluate markets, approve contracts and execute trades within seconds.
Onchain security company Blockaid said the attacker did not compromise the bot’s private keys or exploit a flaw in a commonly used decentralized finance protocol. Instead, the operation focused on the rules the bot used to identify and pursue potential profits.
How Jaredfromsubway.eth was drained
According to Blockaid, the attacker had spent several weeks deploying imitation tokens, liquidity pools and supporting contracts that resembled markets the bot would normally trade against.
The fake assets included imitations of wrapped ether (WETH), USDC and USDT, linked by trading routes designed to produce profitable-looking signals. Jaredfromsubway.eth detected these routes and followed its usual process of approving helper contracts to move tokens on its behalf as part of the expected trades.
Some early transactions consumed the approvals as expected, establishing a pattern the bot continued to accept. In later transactions, however, the approvals were granted but never spent.


That distinction gave the attacker an opening. An ERC-20 approval lets another address or smart contract spend up to a set amount of the approving account's tokens.
The allowance persists after the transaction that created it until it is spent down, reduced or explicitly revoked.
Once the attacker had accumulated enough unused allowances, the attacker's contracts called the ERC-20 transferFrom function to move real WETH, USDC and USDT out of the bot's accounts.
On-chain data shows repeated transfers totaling approximately 92 WETH, 143,000 USDC and 149,000 USDT from a contract linked to the bot. The funds were routed to an address controlled by the attacker.
Yearn Finance developer Banteg described the operation as an allowance drain rather than a conventional token swap: a coordinating contract called a withdrawal function across dozens of subcontracts, each of which checked the bot's balances and its remaining allowances before transferring whatever was available.
Some of the proceeds were then sent through Tornado Cash, a crypto-mixing service that can make it harder to trace funds.
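The following simulation is an added example, not code from the bot, the attacker, Blockaid or Banteg. It models the ERC-20 approve/allowance/transferFrom semantics described above, a bot that approves a helper contract for each route it follows, and a coordinator that walks every attacker-controlled helper and pulls min(balance, allowance) of each token, which is the shape of the drain Banteg describes. It also includes the check the bot should have been running (a list of standing allowances) and the two mitigations a practitioner would compare: approving only the exact trade size, and revoking after use. Helper names, addresses, balances and trade sizes are invented; the n_routes parameter generalises the three-route case to the "dozens of subcontracts" in the article.

```python
"""Simulation of the allowance drain described above.

Constructed example, not code from the bot, the attacker, Blockaid or
Banteg. It models ERC-20 approve / allowance / transferFrom semantics,
a bot that approves a helper contract for each route it follows, and a
coordinator that walks every attacker-controlled helper pulling
min(balance, allowance) of each token. Addresses, helper names, balances
and trade sizes are invented.
"""

MAX_UINT256 = 2**256 - 1


class ERC20:
    """Minimal ERC-20 ledger: balances plus an (owner, spender) -> allowance map."""

    def __init__(self, symbol: str):
        self.symbol = symbol
        self.balances: dict[str, int] = {}
        self.allowances: dict[tuple[str, str], int] = {}

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        # approve() overwrites the previous value; approve(spender, 0) revokes.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        allowed = self.allowance(owner, spender)
        if amount > allowed or amount > self.balance_of(owner):
            raise PermissionError(f"{self.symbol}: insufficient allowance or balance")
        # An "unlimited" approval is conventionally never decremented.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


BOT, SINK = "bot", "attacker_sink"
INITIAL = {"WETH": 500, "USDC": 1_000_000, "USDT": 1_000_000}   # constructed balances
TRADE_SIZE = {"WETH": 10, "USDC": 20_000, "USDT": 20_000}       # constructed route size


def fresh_tokens() -> dict[str, ERC20]:
    tokens = {}
    for sym, amount in INITIAL.items():
        token = ERC20(sym)
        token.mint(BOT, amount)
        tokens[sym] = token
    return tokens


def bot_follow_route(tokens, helper, executes, approve_exact, revoke_after):
    """The bot's behaviour on one profitable-looking route: grant the route's
    helper contract an allowance on each token, let the route run (a decoy
    route never calls transferFrom), and optionally revoke afterwards."""
    for sym, token in tokens.items():
        token.approve(BOT, helper, TRADE_SIZE[sym] if approve_exact else MAX_UINT256)
        if executes:
            # The helper pulls the trade amount, exactly as a real router would.
            token.transfer_from(helper, BOT, helper, TRADE_SIZE[sym])
        if revoke_after:
            token.approve(BOT, helper, 0)


def standing_allowances(tokens, owner, spenders):
    """The check the bot never ran: every non-zero allowance still outstanding."""
    return {(sym, sp): token.allowance(owner, sp)
            for sym, token in tokens.items() for sp in spenders
            if token.allowance(owner, sp) > 0}


def drain(tokens, owner, helpers, sink):
    """Coordinator: for every helper and token, pull min(balance, allowance)."""
    stolen = {sym: 0 for sym in tokens}
    for helper in helpers:
        for sym, token in tokens.items():
            amount = min(token.balance_of(owner), token.allowance(owner, helper))
            if amount:
                token.transfer_from(helper, owner, sink, amount)
                stolen[sym] += amount
    return stolen


def run_scenario(approve_exact: bool, revoke_after: bool, n_routes: int = 3):
    """Route 0 executes a real-looking trade; the rest are decoys that only
    collect approvals. Returns (amount stolen per token, outstanding allowances
    just before the drain)."""
    tokens = fresh_tokens()
    helpers = [f"helper_{i}" for i in range(n_routes)]
    for i, helper in enumerate(helpers):
        bot_follow_route(tokens, helper, i == 0, approve_exact, revoke_after)
    exposed = standing_allowances(tokens, BOT, helpers)
    return drain(tokens, BOT, helpers, SINK), exposed


if __name__ == "__main__":
    for label, args in [("unlimited approvals, never revoked", (False, False)),
                        ("exact approvals, never revoked", (True, False)),
                        ("exact approvals, revoked after use", (True, True)),
                        ("exact approvals, 30 routes", (True, False, 30))]:
        stolen, exposed = run_scenario(*args)
        print(f"{label}: {len(exposed)} standing allowances, stolen {stolen}")
```

With unlimited approvals a single leftover helper empties every balance; with exact approvals each decoy route still leaks one trade's worth per token, which is why an attacker deploys dozens of subcontracts and why the number of standing allowances, not just their size, is the figure to monitor. Only approve-exact plus revoke-after-use leaves nothing to drain.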
A dominant sandwich operator becomes the target
Jaredfromsubway.eth has been active since 2023 and became one of the most prominent participants in the Ethereum maximum extractable value (MEV) market.
MEV refers to value extracted by reordering, inserting or excluding transactions within a block. In a sandwich attack, a bot spots a pending swap and buys the asset just ahead of it, pushing the price up. The victim's transaction then executes at the worse price, after which the bot sells, capturing the difference.
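To make the three-step mechanism concrete, here is an added simulation of a sandwich against a constant-product (x*y=k) pool with a 0.3% fee, the rule Uniswap v2-style pools follow. It is a constructed example, not the bot's code; the pool reserves, the victim's swap and the bot's position size are invented.

```python
"""Constant-product sandwich, as an added illustration of the mechanism
described above (constructed example, not the bot's code). The pool uses the
x*y=k rule with a 0.3% fee, the shape Uniswap v2-style pools use; reserves,
the victim's swap and the bot's position sizes are invented.
"""
from fractions import Fraction


def amount_out(reserve_in: Fraction, reserve_out: Fraction, amount_in: Fraction,
               fee_bps: int = 30) -> Fraction:
    """Output of a constant-product swap after taking the fee on the input."""
    amount_in_after_fee = amount_in * (10_000 - fee_bps) / 10_000
    return reserve_out * amount_in_after_fee / (reserve_in + amount_in_after_fee)


class Pool:
    """ETH/USDC constant-product pool. Each swap mutates reserves and returns the output."""

    def __init__(self, eth: int, usdc: int):
        self.eth, self.usdc = Fraction(eth), Fraction(usdc)

    def buy_eth(self, usdc_in) -> Fraction:
        out = amount_out(self.usdc, self.eth, Fraction(usdc_in))
        self.usdc += usdc_in
        self.eth -= out
        return out

    def sell_eth(self, eth_in) -> Fraction:
        out = amount_out(self.eth, self.usdc, Fraction(eth_in))
        self.eth += eth_in
        self.usdc -= out
        return out


def simulate_sandwich(pool_eth, pool_usdc, victim_usdc_in, bot_usdc_in) -> dict:
    """Front-run, victim swap, back-run; returns what each party ended up with."""
    # Baseline: the victim trades alone in an untouched pool.
    alone = Pool(pool_eth, pool_usdc).buy_eth(victim_usdc_in)

    pool = Pool(pool_eth, pool_usdc)
    bot_eth = pool.buy_eth(bot_usdc_in)          # 1. bot buys first, price rises
    victim_eth = pool.buy_eth(victim_usdc_in)    # 2. victim fills at the worse price
    bot_usdc_back = pool.sell_eth(bot_eth)       # 3. bot sells into the victim's price impact
    return {
        "victim_eth_alone": alone,
        "victim_eth_sandwiched": victim_eth,
        "victim_loss_eth": alone - victim_eth,
        "bot_profit_usdc": bot_usdc_back - bot_usdc_in,
    }


if __name__ == "__main__":
    result = simulate_sandwich(1_000, 2_000_000, victim_usdc_in=100_000, bot_usdc_in=50_000)
    for key, value in result.items():
        print(f"{key}: {float(value):.4f}")
```

With these invented numbers the victim receives about 2.2 ETH less than they would have alone and the bot clears roughly 4,600 USDC after fees. A real bot sizes its front-run so the victim's swap still clears their slippage limit; that constraint is not modelled here.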
That made Jaredfromsubway.eth one of Ethereum’s most visible sandwich attack bots before the same automation became the route to its own funds.
The loss on any individual trade may be small, but across tens of thousands of trades the strategy generates significant revenue while inflating users' trading costs and network fees.
According to reports, these attacks cost traders an estimated $60 million a year, with roughly 70% of them linked to a single operator, identified as Jaredfromsubway.eth.

