Ethereum Validator Goes Rogue, Frontruns MEV Bots for $25M

Flashbots developers have rolled out a patch to resolve the vulnerability

by Bessie Liu /
article-image

Sashkin/Shutterstock.com modified by Blockworks

share

Ethereum validators hellbent on maximizing revenue can employ special bots to extract the most value possible from every single block. Some of those bots were just attacked for $25 million.

A rogue validator used a tool for obtaining the maximum extractable value (MEV) from the Ethereum blockchain and carried out a “sandwich attack.”

But first, understanding sandwich attacks takes unpacking MEV as a concept.

MEV is essentially frontrunning. MEV bots find additional revenue by exploiting knowledge of which transactions are about to be processed. This is done most commonly via arbitrage (taking advantage of price differences between exchanges).

These opportunities are often discovered by other revenue seekers, known as “searchers.” Once searchers identify profitable trades, they will submit them to a public mempool and wait for an Ethereum validator to approve the transaction.

Newsletter

Subscribe to Blockworks Daily

Some searchers have realized they can frontrun those trades by using bots that scan the public mempool, proposing blocks which have replaced the trade with their own transaction to grab another searcher’s MEV. 

Companies such as Flashbots prevent these kinds of events with tools known as MEV boost relays. Relays make sure MEV transactions are not revealed in the public mempool, so MEV hunters can’t frontrun each other.

When there’s a will to frontrun MEV bots…

MEV relays are formed by two parties: proposers and builders. Proposers make bids on transactions, and builders secure the highest bid and generate blocks containing their transactions. They then send the blocks to validators, who will approve the transaction. 

“One of the core ideas behind Proposer-Builder Separation is that proposers cannot be allowed to see the contents of the block they’re signing until they’ve signed the block,” a research analyst at Paradigm who goes by samczsun said in a tweet. “Theoretically, this makes it extremely hard for a malicious proposer to deconstruct bundles.”

As for this weekend’s $25 million sandwich attack: Eighteen days earlier, the exploiter deposited 32 ETH ($57,500) to become a validator. This meant the exploiter was a proposer who could also reorder block transactions. 

It’s likely that once they were able to propose a block as a validator, the attacker included additional transactions that weren’t initially inside the block made by the builder. This enabled the attacker to front-run the front-running MEV bot, a Blockworks research analyst explained in a tweet.

Loading Tweet..

This is considered a sandwich attack — where the victim’s transaction is stuck between two transactions created by the searcher. 

In this case, the sandwich attacker pushed transactions worth $25 million across three main addresses, per PeckShield. Tokens gained include wrapped ETH, wrapped bitcoin, tether, USDC and DAI.

The incident was first identified by pseudonymous Twitter user 3155.eth. Usually, if a validator tampers with a transaction, they are slashed for malicious behavior and they lose some of their ETH stake.

Flashbot developers have rolled out a patch to address the vulnerability.

“Now, mev-boost-relay will refuse to return the transactions if the block was not successfully sent to the network. Then, just for good measure, it delays the response by a second too,” Paradigm’s samczsun said.

Updated April 4, 2023 at 9:52 am ET: Flashbot developers have already rolled out a patch to address the vulnerability.

Get the news in your inbox. Explore Blockworks newsletters:

  • Blockworks Daily: The newsletter that helps thousands of investors understand crypto and the markets, by Byron Gilliam.
  • Empire: Start your morning with the top news and analysis to inform your day in crypto.
  • Forward Guidance: Reporting and analysis on the growing intersection of crypto and macroeconomics, policy and finance.
  • 0xResearch: Alpha directly in your inbox. Market highlights, data, degen trade ideas, governance updates, token performance and more.
  • Lightspeed: Built for Solana investors, developers and community members. The latest from one of crypto’s hottest networks.
  • The Drop: For crypto collectors and traders, covering apps, games, memes and more.
Tags

Upcoming Events

Permissionless IV

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

buy ticketslearn more

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Research Report Templates (5).png

Research

Tokenization Today

Outside of stablecoins, the value of tokenized assets sits below $20B, dominated by the following asset classes: private credit, US Treasuries, commodities, institutional alternative funds, stocks, non-US government debt, and corporate bonds. In the coming months, we see the greatest opportunities in the tokenization of illiquid markets, particularly private equity. However, the successful integration of offchain assets into blockchain ecosystems relies heavily on clear and consistent regulatory frameworks, with purpose-built infrastructure to support it.

by Carlos Gonzalez Campo

/

news

article-image

The DropWeb3

Pixels game founder says botters are sending death threats

Luke Barwikowski took to Twitter to raise awareness about the threats against him and his family

by Kate Irwin /
article-image

0xResearch NewsletterDeFi

Crypto’s original sin: Trading decentralization for growth

David Chaum’s ecash in the 90s offers insights into balancing priorities in DeFi today

by Donovan Choy /
article-image

BusinessEmpire Newsletter

BitGo to custody reserves of World Liberty Financial’s USD1 

The forthcoming stablecoin was praised by BitGo’s Mike Bleshe as an advancement in “institutional-ready digital assets”

by Katherine Ross /
article-image

Uncategorized

Chronicle raises $12M from Strobe, Brevan Howard

Chronicle’s Niklas Kunkel talked to Blockworks about the raise and why he’s prioritizing research

by Katherine Ross /
article-image

Sponsored

The investor’s guide to the DESK perps trading airdrop

DESK isn’t just another trading platform — it’s redefining what’s possible in on-chain trading

article-image

DeFiLightspeed Newsletter

Understanding automatic market makers

The real strength of tailored AMMs might lie in their capacity to cultivate deeper loyalty and engagement within niche communities

by Jeff Albus /