Ethereum Validator Goes Rogue, Frontruns MEV Bots for $25M

Flashbots developers have rolled out a patch to resolve the vulnerability


Sashkin/ modified by Blockworks


Ethereum validators hellbent on maximizing revenue can employ special bots to extract the most value possible from every single block. Some of those bots were just attacked for $25 million.

A rogue validator used a tool for obtaining the maximum extractable value (MEV) from the Ethereum blockchain and carried out a “sandwich attack.”

But first, understanding sandwich attacks takes unpacking MEV as a concept.

MEV is essentially frontrunning. MEV bots find additional revenue by exploiting knowledge of which transactions are about to be processed. This is done most commonly via arbitrage (taking advantage of price differences between exchanges).

These opportunities are often discovered by other revenue seekers, known as “searchers.” Once searchers identify profitable trades, they will submit them to a public mempool and wait for an Ethereum validator to approve the transaction.

Some searchers have realized they can frontrun those trades by using bots that scan the public mempool, proposing blocks which have replaced the trade with their own transaction to grab another searcher’s MEV. 

Companies such as Flashbots prevent these kinds of events with tools known as MEV boost relays. Relays make sure MEV transactions are not revealed in the public mempool, so MEV hunters can’t frontrun each other.

When there’s a will to frontrun MEV bots…

MEV relays are formed by two parties: proposers and builders. Proposers make bids on transactions, and builders secure the highest bid and generate blocks containing their transactions. They then send the blocks to validators, who will approve the transaction. 

“One of the core ideas behind Proposer-Builder Separation is that proposers cannot be allowed to see the contents of the block they’re signing until they’ve signed the block,” a research analyst at Paradigm who goes by samczsun said in a tweet. “Theoretically, this makes it extremely hard for a malicious proposer to deconstruct bundles.”

As for this weekend’s $25 million sandwich attack: Eighteen days earlier, the exploiter deposited 32 ETH ($57,500) to become a validator. This meant the exploiter was a proposer who could also reorder block transactions. 

It’s likely that once they were able to propose a block as a validator, the attacker included additional transactions that weren’t initially inside the block made by the builder. This enabled the attacker to front-run the front-running MEV bot, a Blockworks research analyst explained in a tweet.

Loading Tweet..

This is considered a sandwich attack — where the victim’s transaction is stuck between two transactions created by the searcher. 

In this case, the sandwich attacker pushed transactions worth $25 million across three main addresses, per PeckShield. Tokens gained include wrapped ETH, wrapped bitcoin, tether, USDC and DAI.

The incident was first identified by pseudonymous Twitter user 3155.eth. Usually, if a validator tampers with a transaction, they are slashed for malicious behavior and they lose some of their ETH stake.

Flashbot developers have rolled out a patch to address the vulnerability.

“Now, mev-boost-relay will refuse to return the transactions if the block was not successfully sent to the network. Then, just for good measure, it delays the response by a second too,” Paradigm’s samczsun said.

Updated April 4, 2023 at 9:52 am ET: Flashbot developers have already rolled out a patch to address the vulnerability.

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

The Lightspeed newsletter is all things Solana, in your inbox, every day. Subscribe to daily Solana news from Jack Kubinec and Jeff Albus.


Upcoming Events

Salt Lake City, UT

MON - TUES, OCT. 7 - 8, 2023

Blockworks and Bankless in collaboration with buidlbox are excited to announce the second installment of the Permissionless Hackathon – taking place October 7-8 in Salt Lake City, Utah. We’ve partnered with buidlbox to bring together the brightest minds in crypto for […]

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

recent research

Research Report Cover Vertex.jpg


The proliferation of new perp DEXs has led to fragmented liquidity across various DEXs and chains. Vertex, known for its vertically-integrated DEX that includes spot, perpetual, and integrated money markets, is now tackling cross-chain liquidity fragmentation through horizontal integration with the launch of new Edge instances. Vertex's integrated offerings and cross-margined account structure amplify the benefits of new instances: native cross-chain spot trading, optimized cross-chain basis trading, consistent interest rates, reduced bridging friction, and more.


Partnering with EtherFi and Angle, the fully on-chain perp DEX features bespoke collateral



Gavin Wood introduced the next evolutionary step for the Polkadot network: the Join-Accumulate Machine, or JAM


The side events were the places to be at Consensus 2024, according to attendees


Also, who’s come out swinging in the spot ether ETF fee war — and who could undercut them


I know it is not in their nature, but US regulators could learn a lot by researching the digital asset frameworks that overseas regulators have already gotten right


Also, the ETF hype train can count out at least one member