# Jared From Subway MEV Bot Drained In Honeypot

> Blockaid flagged a honeypot that tricked the jaredsmev MEV bot into token approvals later used to drain its funds, per a forensic breakdown by banteg.

**Published by:** [ETH Daily](https://ethdaily.io/)
**Published on:** 2026-06-21
**Categories:** security, mev, defi
**URL:** https://ethdaily.io/jared-from-subway-mev-bot-drained-in-honeypot

## Content

Blockchain security firm Blockaid disclosed a coordinated honeypot scheme that baited and drained the jaredsmev automated arbitrage bot on Ethereum, after attacker-controlled contracts tricked the bot into granting token approvals later used to withdraw its funds. Blockaid's Exploit Detection system flagged the incident on June 20, and developer banteg published a detailed forensic breakdown of the contract family and drain mechanics. The scheme ran across mainnet blocks 25360599 to 25360696 and routed proceeds to a single attacker recipient at 0x3e37f4a10d771ba9de44b6d301410b1bedea65d0. The attack operated in two modes. Setup transactions, labeled as bait, transferred genuine USDC, USDT, and WETH to the bot contract while creating ERC-20 approvals against attacker-controlled spenders. Small unarmed batches consumed their approvals within the same transaction and returned a token profit, building the appearance of a profitable opportunity. Large armed batches paid similar profits, roughly 37 USDC and 37 USDT per setup, but left approvals live. Immediately before the drain at block 25360695, the bot held 20 USDC allowances of 143,528 each, 20 USDT allowances of 149,488 each, and 16 WETH allowances of 92.16 each, exposing the full balances to withdrawal. According to banteg's analysis, the infrastructure spanned several roles. A 2,537-byte coordinator at 0xb84db016324e8f2bfdd8dd9c260338aee0a8df52 armed each target block, held scratch state, and ran the final drain loop, calling a child contract's withdraw function for every supplied child. A separate trigger contract handled same-block fake-market setup, while child, hub, and fake intermediate tokens posed as ERC-20s branded fCAP and settled the real-token payouts. UniswapV2-style pair contracts branded Ring V2 completed the illusion of a tradeable path. Calldata selectors encoded which token family each transaction targeted, with distinct prefixes for USDC, USDT, and WETH. The coordinator also forwarded 0.025 ETH to block.coinbase on each arming transaction, paying the block builder to land the bait and the drain in the same block and deny the bot any window to revoke approvals. The pattern is a warning for searchers and arbitrage operators, whose automated approval logic can be turned against them when profit signals are fabricated on-chain. Advertise The trusted Ethereum news briefing since 2022, reaching 6,000+ audio subscribers, 4,000+ newsletter subscribers, and 26k+ combined social followers. Want to reach the ETH Daily audience? Learn more at ethdaily.io/ads. Disclaimer: Content is for informational and educational purposes only and does not constitute financial, investment, legal, or other professional advice. No representations or warranties are made as to accuracy, completeness, or timeliness. Use of this content is at your own risk, and you should consult a qualified professional before making decisions. No fiduciary or advisory relationship is created

## Publication Information

- [ETH Daily](https://ethdaily.io/): Publication homepage
- [All Posts](https://ethdaily.io/): More posts from this publication
- [RSS Feed](https://api.paragraph.com/blogs/rss/@ethdaily): Subscribe to updates
- [Twitter](https://twitter.com/intent/follow?screen_name=ethdaily): Follow on Twitter