Following a cyber attack on the Ethereum blockchain, an unidentified individual was able to steal over $25 million by replacing genuine MEV bot transactions with malicious ones.
Wintermute market maker Joseph Plaza proposed that the hacker used decoy transactions to lure MEV bots before replacing them with harmful ones.
To execute the attack, the perpetrator became a validator by depositing 32 ETH into the Ethereum staking pool 18 days before the incident.
He then waited his turn to propose a block as a validator, which marked the beginning of the attack. After reorganizing the block’s contents, he created a new block containing malicious transactions and proceeded to steal assets.
The “validator hacker” was able to make off with 7,461 WETH ($13.4 million), 5.3 million USDC, 3 million USDT, and 65 WBTC ($1.8 million).
PeckShield experts tracked the stolen assets to three Ethereum addresses combined with eight other addresses.
In response, the Ethereum blockchain core software development team MEV-Boost has implemented emergency fixes to prevent similar incidents from happening again.
One of the new features added to MEV-Boost is an instruction for relays to publish a signed block before transmitting content.
This move will significantly reduce the likelihood of an attacker offering a block in MEV-Boost that differs from what he received from the relay.