$10M Seized by MEV Bot Following Disastrous $50M Token Exchange
Ignoring critical slippage alerts during an Aave token transaction cost a cryptocurrency trader $50 million, as an opportunistic MEV bot exploited the swap to extract $10 million in profits.
Millions of dollars have been forfeited by a cryptocurrency trader during a token exchange on Aave, a decentralized finance platform, while a Maximal Extractable Value, or MEV, bot simultaneously front-ran the operation to capture nearly $10 million in gains.
A wallet that had just received funding from Binance, holding $50.4 million in USDt (USDT), initiated a token exchange through CoW Protocol, a decentralized exchange aggregator, and the SushiSwap DEX platform on Thursday, with the intention of converting the entire balance into Aave (AAVE) tokens.
The wallet ended up receiving merely 327 AAVE tokens with an approximate value of $36,000, based on data from Etherscan.
This outcome represented a nearly complete financial loss, given that the user effectively paid approximately $154,000 for each AAVE token, while its current market value stood at roughly $114.
Compounding the financial damage was a MEV bot that executed a "sandwich attack" against the user. These MEV bots monitor pending transactions on the blockchain, and in this particular instance, identified the substantial incoming AAVE purchase order to artificially inflate the token's price before the order executed, thereby generating profit.
The bot preceded the user's transaction by flash-borrowing $29 million in wrapped Ether (ETH) tokens from Morpho, which it used to push up the price of AAVE prior to the user's transaction through a purchase executed on Bancor. Subsequently, it offloaded the artificially inflated tokens via SushiSwap, securing a $9.9 million profit.
User ignored slippage warnings: Aave
Platforms utilizing automated market makers, including SushiSwap, employ an algorithmic pricing mechanism that calculates slippage, which represents the difference between the expected and actual execution price of a trade, based on factors such as the liquidity pool's size and incoming transaction volume.
Stani Kulechov, the founder of Aave, shared on X that the protocol's interface had alerted the user regarding the "extraordinary slippage" caused by the "unusually large size of the single order."
"The user confirmed the warning on their mobile device and proceeded with the swap, accepting the high slippage, which ultimately resulted in receiving only 324 AAVE in return," he said.
In a statement posted on X, CoW DAO explained that "despite clear warnings that showed the user they would lose nearly all of the value of their transaction, and despite needing to explicitly opt into the trade after seeing the warning, the user chose to proceed with their swap."
"No DEX, DEX aggregator, public liquidity pool, or private liquidity pool (or combination thereof) would have been able to fill this trade at anywhere near a reasonable price."
According to CoW DAO, transactions of this nature "show that DeFi UX still isn't where it needs to be to protect all users," further stating that the organization would reimburse any protocol fees connected with the transaction.
Kulechov from Aave expressed sympathy for the affected user and indicated the protocol would make efforts to establish contact with them in order to return $600,000 in fees it collected from the transaction.
"The key takeaway is that while DeFi should remain open and permissionless, allowing users to perform transactions freely, there are additional guardrails the industry can build to better protect users."