Jaredfromsubway.eth's $7.5 million honeypot.
On June 20, Jaredfromsubway.eth, one of Ethereum's most active trading bots, was drained of $7.5 million. The bot profits by front-running other trades, fully automated.
The attacker planted 66 fake tokens that copied the names and interfaces of real ones like USDC and WETH, backed by sham liquidity pools. The bot read them as live opportunities and did what it was built to do: it granted spending approval to the attacker's contracts.
A spending approval lets another contract move your tokens later, without asking again. Picture handing a valet a key that still works after you leave.
Once enough approvals piled up, the attacker swept the funds. The signatures were valid. What failed was the logic deciding what deserved one.
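The failure described above is a decision made on the wrong identifier: a token's name and symbol are strings the deployer chooses, while the contract address is what actually identifies the asset. The following approval gate, an added example that is not code from the article or from the bot's operator, shows how a trading bot can refuse approvals keyed on anything but a vetted address, refuse unknown spenders, and refuse unlimited allowances. All addresses, symbols, caps and the allowlist are constructed placeholders, not real mainnet values.

```python
import re
from dataclasses import dataclass
from typing import Optional

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")
UINT256_MAX = 2**256 - 1  # the "infinite" allowance many bots grant by default

# Constructed placeholder addresses (not real contracts).
REAL_USDC = "0x" + "a1" * 20
REAL_WETH = "0x" + "b2" * 20
TRUSTED_ROUTER = "0x" + "c3" * 20

# Allowlist keyed by lower-cased address; the symbol is only a human label.
TRUSTED_TOKENS = {REAL_USDC: "USDC", REAL_WETH: "WETH"}
# Contracts that may ever receive an allowance from this bot.
TRUSTED_SPENDERS = {TRUSTED_ROUTER}
# Per-token cap on any single allowance, in base units (constructed values).
MAX_ALLOWANCE = {REAL_USDC: 1_000_000 * 10**6, REAL_WETH: 500 * 10**18}


@dataclass(frozen=True)
class TokenOffer:
    """What the bot sees on-chain: an address plus a deployer-chosen symbol."""
    address: str
    symbol: str  # attacker-controlled; read for logging, never trusted


@dataclass(frozen=True)
class Decision:
    approve: bool
    reason: str


def normalize(addr: str) -> Optional[str]:
    """Return a lower-cased address, or None if it is not 20 hex bytes."""
    if not isinstance(addr, str) or not HEX_ADDRESS.match(addr):
        return None
    return addr.lower()


def approval_decision(offer: TokenOffer, spender: str, amount: int) -> Decision:
    """Decide whether the bot may call approve(spender, amount) on this token.

    Every check is on the address or the amount; the symbol never influences
    the outcome, so a lookalike "USDC" at a different address is rejected.
    """
    token = normalize(offer.address)
    if token is None:
        return Decision(False, "malformed token address")
    if token not in TRUSTED_TOKENS:
        return Decision(
            False,
            f"unknown token address; symbol {offer.symbol!r} is not evidence of identity",
        )
    sp = normalize(spender)
    if sp is None or sp not in TRUSTED_SPENDERS:
        return Decision(False, "spender is not a vetted router")
    if amount <= 0:
        return Decision(False, "allowance must be positive")
    if amount >= UINT256_MAX or amount > MAX_ALLOWANCE[token]:
        return Decision(False, "allowance exceeds per-token cap (unlimited approvals refused)")
    return Decision(True, f"approve {amount} of {TRUSTED_TOKENS[token]} to vetted spender")


def simulate_incident() -> list:
    """Replay the shape of the attack against the gate with constructed inputs."""
    fake_usdc = TokenOffer("0x" + "d4" * 20, "USDC")   # lookalike symbol, unknown address
    attacker_contract = "0x" + "e5" * 20
    return [
        approval_decision(fake_usdc, TRUSTED_ROUTER, 10**6),              # refused: address unknown
        approval_decision(TokenOffer(REAL_USDC, "USDC"), attacker_contract, 10**6),  # refused: spender
        approval_decision(TokenOffer(REAL_USDC, "USDC"), TRUSTED_ROUTER, UINT256_MAX),  # refused: unlimited
        approval_decision(TokenOffer(REAL_USDC, "USDC"), TRUSTED_ROUTER, 10**6),       # allowed
    ]


if __name__ == "__main__":
    for d in simulate_incident():
        print("APPROVE" if d.approve else "REFUSE ", d.reason)
```

The gate is deliberately stateless so it can sit in front of any existing strategy code; a production version would also log every refusal with the offending address, which is the signal an operator would want when a batch of lookalike tokens appears.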