BSC • Address: 0xAD94…0449
Published on June 12, 2025
Our decompilation analysis of a drained MEV bot revealed two critical vulnerabilities: unrestricted native-value transfers via msg.sender.call() and unauthorized token transfers to msg.sender. Together they let attackers drain the contract of both native coin (BNB on BSC; "ETH" in the decompiled naming) and tokens, showing how missing access control on callbacks in an MEV bot leads to total fund loss.
We reverse-engineered a drained MEV bot on BSC using EVMDecompiler and found two fatal flaws hidden in the bytecode (the contract has no published source):

- msg.sender.call{value: amount}("") with no validation or recipient checks: native value is pushed to whoever calls the function.
- IERC20 transfers to msg.sender without authorization checks: any caller can pull tokens the contract holds.

The token-transfer callback as reconstructed from bytecode (function name reconstructed):

```solidity
// Decompiled, vulnerable as-is: nothing checks that msg.sender is a pool the bot
// is mid-swap with, so any address can call this and receive _amount of _token.
function d3MMSwapCallback(address _token, uint256 _amount, bytes calldata) external {
    IERC20(_token).transfer(msg.sender, _amount);
}
```
The native-value callback, and a second callback that delegates to an internal helper not shown here:

```solidity
// Decompiled, vulnerable as-is: value is pushed to msg.sender with no caller check.
function swapX2YCallback(uint256 amountX, uint256, bytes calldata data) external {
    // Guard exactly as the decompiler reconstructed it; note that for a uint256
    // this condition is only true when amountX == 0.
    require(amountX <= 0 || amountX == 0);
    (bool success, bytes memory result) = msg.sender.call{value: amountX}("");
    require(success, "SwapX2Y: ERC20 operation did not succeed");
}

// Forwards to an internal _swapCallback (body not recovered in this excerpt).
function swapCallback(uint256 amount0, uint256 amount1, bytes calldata data) external override {
    _swapCallback(msg.sender, amount0, amount1, data);
}
```
Why this drains the bot:

- msg.sender.call forwards control and value to an arbitrary caller. With no whitelist (for example, verifying that msg.sender is a pool deployed by a known factory) and no invariant check (the amount actually owed for the swap in progress), anyone can invoke the callback to pull value. When the legitimate caller is a contract whose fallback rejects value, the require(success) reverts instead, so the swap cannot complete and the funds behind it are stuck.
- Transferring _amount of _token to the caller without an authorization check lets anyone drain every token the contract holds, one call per token.

Mitigations:

- Never expose address.call with value, or an ERC20 transfer to msg.sender, on a function anyone can call. A swap callback should accept only the pool the bot is currently swapping with, and pay out at most what that swap owes.
- Keep native value behind an owner-only withdrawal (pull-payment) pattern instead of pushing it out of callbacks. transfer/send cap forwarded gas at 2300, which limits reentrancy but also breaks recipients with non-trivial receive logic, so an access-controlled call with a checked return value is usually the better primitive.

Analysis performed from decompiled bytecode; function names reconstructed for clarity.