JaredFromSubway MEV Bot Drained $7.5M via Malicious Token Approvals on Ethereum

A report says the JaredFromSubway MEV bot on Ethereum was drained of about $7.5M in a “dangling approval”-style exploit. Blockaid identified attacker-controlled contracts that tricked the bot into granting token approvals for routes that were fake or not actually profitable. Once the approvals were set, the attacker used those permissions to move funds out of the bot’s contract, including WETH, USDC, and USDT. CoinDesk also referenced Blockaid’s findings and the approval-trap mechanism. For traders, this looks like a targeted operational failure of the JaredFromSubway MEV bot's logic, not a broad Ethereum or DeFi protocol hack. In the short term, expect more scrutiny of MEV infrastructure and contract-permission patterns, especially how token allowances are cleared before execution ends (including delegation context such as EIP-7702). Longer term, the event reinforces the case for tighter simulation, stricter token-approval handling, and hardened route verification for automated trading systems on Ethereum.
Neutral
This news is likely neutral for the market’s price level because it appears isolated to a specific MEV bot’s contract and permissioning logic (a targeted approval-trap), not a network-wide Ethereum security breakdown. The ~$7.5M loss is material for the impacted bot but is framed as an operational and reputational hit rather than systemic risk. In the short term, it may increase caution around MEV infrastructure and contract-approval practices, which can shift trading behavior among sophisticated MEV participants. Over the long term, it can improve security standards (simulation, allowance handling, route verification), but it’s unlikely to change ETH’s fundamental demand in the near term by itself.
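The allowance-handling point above can be checked mechanically after each simulated execution. The following is an added example, not code from the report, Blockaid, or the bot: it reads receipt-style logs from a simulation and lists every ERC-20 allowance the owner contract still has open when the transaction ends. The function name `dangling_approvals`, the allowlist parameter, and all addresses are assumptions made for illustration.

```python
# Added example: flag ERC-20 allowances a transaction leaves open when it ends.
# Input: receipt-style logs from a simulation run. All addresses are constructed.

# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def _addr(topic):
    """Indexed address topics are 32 bytes, left-padded: keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def dangling_approvals(logs, owner, trusted_spenders=()):
    """Return sorted (token, spender, allowance) left non-zero for `owner`."""
    owner = owner.lower()
    trusted = {s.lower() for s in trusted_spenders}
    final = {}  # (token, spender) -> last allowance value seen in this tx
    for log in sorted(logs, key=lambda l: l["logIndex"]):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 Approval has 4 and is skipped.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(topics[1]) != owner:
            continue
        data = log["data"]
        amount = int(data, 16) if len(data) > 2 else 0
        final[(log["address"].lower(), _addr(topics[2]))] = amount
    return sorted((t, s, a) for (t, s), a in final.items()
                  if a > 0 and s not in trusted)

# --- constructed sample: one cleared approval, two left open ---
BOT, ROUTER, TRAP = ("0x" + b * 20 for b in ("b0", "aa", "ee"))
TOKEN_A, TOKEN_B, OTHER = ("0x" + b * 20 for b in ("11", "22", "cc"))
MAX = 2**256 - 1

def _log(i, token, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"logIndex": i, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_LOGS = [
    _log(0, TOKEN_A, BOT, ROUTER, MAX),  # approved for the swap...
    _log(1, TOKEN_A, BOT, ROUTER, 0),    # ...and cleared before the tx ends
    _log(2, TOKEN_B, BOT, TRAP, MAX),    # unlimited, never cleared
    _log(3, TOKEN_A, BOT, TRAP, 500),    # small but still open
    _log(4, TOKEN_A, OTHER, TRAP, MAX),  # different owner, ignored
]

if __name__ == "__main__":
    for token, spender, amount in dangling_approvals(SAMPLE_LOGS, BOT):
        print(f"open allowance: token={token} spender={spender} amount={amount}")
```

A token that changes allowances without emitting `Approval` will not show up in this log-based check; reading `allowance()` against the simulated post-state covers that case.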