Case Study: Exploiting an Access Control Flaw in an Unverified Contract
On Oct 22, 2024, an unverified contract, likely intended as a helper utility, was exploited on the Ethereum network by an MEV bot, resulting in the theft of approximately $15,000 USDC from multiple users.
Overview
MEV Bot Attacker: https://etherscan.io/address/0xFDe0d1575Ed8E06FBf36256bcdfA1F359281455A
Vulnerable Contract:
https://etherscan.io/address/0x43dc865e916914fd93540461fde124484fbf8faa#code
Attack Transaction:
https://etherscan.io/tx/0x7f2540af4a1f7b0172a46f5539ebf943dd5418422e4faa8150d3ae5337e92172
Exploit Analysis
The compromised contract was unverified on Etherscan, which made direct source code auditing challenging. However, after decompiling the contract's bytecode, we identified the following critical vulnerability:
This contract appears to serve as a helper utility, requiring users to approve token transfers to it in order to use certain ecosystem utilities. However, it lacks any access control on its erc20TransferFrom function.
Because of this missing access restriction, any external party could invoke the function to transfer tokens from any user who had approved the contract, and even to transfer tokens held by the contract itself, to an arbitrary address of the caller's choosing.
As a result, the MEV bot exploited this vulnerability to transfer approximately $15,000 USDC from the address 0x3dad...c6a5 to its own wallet, subsequently converting the stolen funds into ETH for profit.
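To illustrate the flaw described above, here is an added Solidity sketch, not the decompiled contract's own code: the function shapes and the HardenedHelper design are assumptions. It places an unrestricted erc20TransferFrom beside a hardened version that binds the spender to msg.sender and limits moving contract-held tokens to the owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Constructed model of the vulnerable pattern: no check on msg.sender,
/// so anyone can spend any approver's allowance, and `from` may even be
/// this contract's own address.
contract VulnerableHelper {
    function erc20TransferFrom(address token, address from, address to, uint256 amount) external {
        require(IERC20(token).transferFrom(from, to, amount), "transfer failed");
    }
}

/// Hardened form (assumed design): a user's approval can only be spent by
/// that user's own transactions, and contract-held balances can only be
/// swept by the owner.
contract HardenedHelper {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// `from` is no longer a caller-supplied parameter; the allowance that
    /// is spent is always the caller's own.
    function erc20TransferFrom(address token, address to, uint256 amount) external {
        require(to != address(0), "bad recipient");
        require(IERC20(token).transferFrom(msg.sender, to, amount), "transfer failed");
    }

    /// Tokens that end up in the helper itself can only be moved by the owner,
    /// closing the second path described in the analysis.
    function sweep(address token, address to, uint256 amount) external onlyOwner {
        require(to != address(0), "bad recipient");
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}
```

Tokens that do not return a bool on transfer would need a SafeERC20-style wrapper; the access control shown here is independent of that detail.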
Lesson Learned
This incident underscores the dangers of interacting with unverified contracts, which can expose users to significant risks due to their lack of transparency. Users should be cautious when approving tokens for such contracts. Developers must enforce strong access controls, particularly for token transfer functions, to prevent unauthorized exploits. Comprehensive security audits are crucial to identify and mitigate vulnerabilities before deploying or using smart contracts in decentralized environments.