JaredFromSubway MEV Bot Contract Hit In Suspected $7.6M Ethereum Drain
JaredFromSubway’s MEV bot contract appears to have been drained for more than 4,400 ETH on Ethereum after a suspected dangling-approval exploit, with the largest single transfer moving 1,423 ETH worth about $2.46 million from 0x3e37f4A10d771Ba9dE44b6d301410b1BEdeA65d0 on June 20.
The possible exploit was first flagged by SpecterAnalyst, who said there may have been a $7 million-plus drain from a victim wallet and pointed to a possible JaredFromSubway MEV connection. Follow-on analyst discussion described the victim as JaredFromSubway’s MEV bot contract and pointed to an approval issue rather than a simple wallet theft.
The address under review, 0x3e37f4A10d771Ba9dE44b6d301410b1BEdeA65d0, sent several large ETH transfers in the same transaction cluster. Alongside the 1,423 ETH move, the account also sent three transfers of 1,000 ETH each to separate recipient addresses. Those successful large transfers total 4,423 ETH, valued at roughly $7.6 million with ETH trading near $1,725.
Dangling Approval Route Emerges As Early Theory
The early technical read points to a dangling approval. In that pattern, the victim grants token approval to a bait contract, but the approved allowance is not consumed afterward. If the victim contract does not verify that all approvals are cleared before the transaction ends, the leftover allowance can be used as the route for a follow-on drain.
That would fit an MEV-bot target better than a normal retail-wallet compromise. JaredFromSubway is one of Ethereum’s best-known MEV bot identities, with jaredfromsubway.eth tagged by Etherscan as “jaredfromsubway: MEV Bot 2”. The address that sent the large ETH transfers is separate, but the analyst discussion around the transaction cluster points to JaredFromSubway’s bot contract as the victim.
The mechanics also match the kind of transaction-level trap that can hit automated execution systems. MEV bots frequently interact with unfamiliar contracts, route through thin liquidity, and execute under strict timing assumptions. A bait contract that leaves an approval dangling can turn that speed advantage into an execution risk if the bot contract does not fully unwind permissions before the transaction completes.
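The check this section describes, confirming that no approval is left outstanding when a transaction ends, can be expressed as a replay over that transaction's approve/transferFrom calls. This is an added example, not code from the article or from any bot; the trace format, the names `residual_allowances` and `step`, and the labels BOT, ROUTER, BAIT, WETH and TOKEN_X are assumptions constructed for illustration.

```python
# Added example: end-of-transaction check for leftover ERC-20 allowances.
# Trace format, labels and amounts are constructed for illustration.
from collections import defaultdict

MAX_UINT256 = 2**256 - 1


def residual_allowances(trace, owner):
    """Replay one transaction's approve/transferFrom calls and return
    {(token, spender): amount} for allowances `owner` leaves outstanding."""
    allowance = defaultdict(int)  # (token, owner, spender) -> amount
    for c in trace:
        key = (c["token"], c["owner"], c["spender"])
        if c["op"] == "approve":
            allowance[key] = c["value"]  # approve() overwrites, never adds
        elif c["op"] == "transferFrom":
            if c["value"] > allowance[key]:
                raise ValueError(f"spend exceeds allowance: {c}")
            # Some tokens leave an unlimited allowance undecremented.
            if allowance[key] != MAX_UINT256:
                allowance[key] -= c["value"]
        else:
            raise ValueError(f"unknown op: {c['op']}")
    return {(tok, spender): amt
            for (tok, own, spender), amt in allowance.items()
            if own == owner and amt > 0}


def step(op, token, owner, spender, value):
    """Build one constructed trace entry."""
    return {"op": op, "token": token, "owner": owner,
            "spender": spender, "value": value}


# Constructed trace: the router spends exactly what it was approved for,
# TOKEN_X is explicitly reset to zero, the bait never spends its allowance.
TRACE = [
    step("approve", "WETH", "BOT", "ROUTER", 500),
    step("transferFrom", "WETH", "BOT", "ROUTER", 500),
    step("approve", "TOKEN_X", "BOT", "ROUTER", 50),
    step("approve", "TOKEN_X", "BOT", "ROUTER", 0),
    step("approve", "WETH", "BOT", "BAIT", 1000),
]

if __name__ == "__main__":
    for (token, spender), amount in residual_allowances(TRACE, "BOT").items():
        print(f"leftover allowance: {token} -> {spender}: {amount}")
```

A non-empty result for the bot's own address is the condition described above: an allowance that survives past the end of the transaction.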
Delegated Account Raises Execution Questions
The drained address is marked as delegated to MetaMask: EIP-7702 Delegator. EIP-7702 allows externally owned accounts to set code through signed authorization tuples, giving normal Ethereum accounts smart-account-style behavior such as batching and delegated execution.
That delegation does not confirm the exploit path. It does make the execution trail more important because delegated accounts can interact through authorized code rather than only through plain transfers. If the drain came through a dangling approval, investigators will likely focus on the transaction sequence, the bait contract, the approval target, and whether the bot contract failed to clear permissions before the transaction ended.
The case adds another high-value incident to Ethereum’s execution-layer security record, after separate alerts around dormant Ethereum wallets waking up empty and growing demand for wallet-level simulation, threat scanning, and MEV protection.
One transaction in the cluster should not be counted as recovered funds. A 1,000.999993 ETH transfer into 0x3e37 from 0x74Dc5b93586D248D5Aec64b3586736FF0A0D0e65 failed and was marked cancelled. The confirmed successful outflows remain the core onchain fact: more than 4,400 ETH left the reviewed address across multiple transfers on June 20.



