One of the most profitable MEV bots on Ethereum - the one trading as jaredfromsubway.eth - just lost around $7.5M. And the interesting part is how.
It wasn't a contract exploit. No reentrancy, no bug in a DeFi protocol. It wasn't phishing either - no human signed anything. The bot approved its own robbery, because its automation was tricked into thinking it was about to feast on a juicy MEV opportunity.
We traced the whole thing on-chain. And then we noticed something: our own scanner had already flagged the bait tokens as fakes - up to a full day before the money moved.
How the trap works
ERC-20 has a two-step spend model. To let a contract move your tokens you first call approve(spender, amount), which creates an allowance. The spender can then call transferFrom(you, dest, amount) up to that allowance - and the allowance persists until it is used up or revoked. To save gas, bots and routers often approve type(uint256).max: an infinite, standing blank cheque.
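A small Python model of the approve / transferFrom flow just described, added here as an illustration and not code from the incident or from the bot. The balance and allowance semantics are constructed to mirror the common OpenZeppelin behaviour, where an allowance of type(uint256).max is never decremented, so the blank cheque persists until it is explicitly revoked with approve(spender, 0); the spender and holder names are made up.

```python
UINT256_MAX = 2**256 - 1  # type(uint256).max, the "infinite" approval

class Token:
    """Minimal ERC-20 allowance state machine (constructed model)."""

    def __init__(self, balances):
        self.balances = dict(balances)   # holder -> balance
        self.allowances = {}             # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, dest, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        if allowed != UINT256_MAX:       # infinite approvals are not consumed
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[dest] = self.balances.get(dest, 0) + amount

def standing_risk(token, owner):
    """Spenders whose remaining allowance still covers the owner's whole balance."""
    bal = token.balances.get(owner, 0)
    return sorted(s for (o, s), a in token.allowances.items()
                  if o == owner and bal > 0 and a >= bal)

def demo():
    # Constructed scenario: a capped approval is used up and disappears,
    # while a type(uint256).max approval survives every transferFrom.
    t = Token({"bot": 1_000})
    t.approve("bot", "router", 300)
    t.approve("bot", "spender_max", UINT256_MAX)
    t.transfer_from("router", "bot", "pool", 300)       # capped allowance exhausted
    t.transfer_from("spender_max", "bot", "sink", 400)  # infinite allowance untouched
    before = standing_risk(t, "bot")
    max_before = t.allowance("bot", "spender_max")
    t.approve("bot", "spender_max", 0)                  # revoke the blank cheque
    return {
        "router_left": t.allowance("bot", "router"),
        "max_before_revoke": max_before,
        "risky_before_revoke": before,
        "bot_balance": t.balances["bot"],
        "risky_after_revoke": standing_risk(t, "bot"),
    }
```

Running demo() shows the capped allowance drop to zero after one spend while the max allowance is still unbounded until approve(spender, 0) is called, which is why standing infinite approvals on a hot wallet deserve periodic review.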