HANA tax-wallet MEV arbitrage on Uniswap V2
Exploit Transactions
- 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e
Victim Addresses
- 0x147c7a8c5d68019495ccb17093cf8c901603efac (Ethereum)
- 0xe7b4e528308c84fd6698906b6224615e9e30d236 (Ethereum)
Root Cause Analysis
1. Incident Overview TL;DR
An MEV searcher uses an orchestrator and a helper contract around the HANA/WETH Uniswap V2 pool to execute a single Ethereum mainnet transaction that routes HANA through the AMM, triggers HANA's tax-swap to send 7.206502753487157557 ETH to its tax wallet, and realizes a net profit of 0.099442024478767458 ETH after gas and builder payment. This is a pure MEV ACT opportunity arising from public HANA tax-token mechanics and Uniswap V2 constant-product pricing with transparent reserves; no code-level invariant in HANA or the Uniswap pair is violated, and the profit is obtained by adversarial transaction ordering and routing under standard protocol rules.
2. Key Background
- HANA (0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7) is an ERC20 tax token whose verified source defines a payable _taxWallet, buy/sell tax parameters, and an internal swapTokensForEth function that calls UniswapV2Router02.swapExactTokensForETHSupportingFeeOnTransferTokens to convert accumulated HANA tax balances into ETH and forward the ETH to _taxWallet via sendETHToFee.
- The HANA/WETH pool at 0xe7b4e528308c84fd6698906b6224615e9e30d236 is a standard Uniswap V2 pair contract implementing the x*y=k invariant with a 0.3% liquidity provider fee and no custom hooks, so all price movements and reserve updates follow the usual AMM formulas.
- The adversary controls EOA 0x7248939f65bdd23aab9eaab1bc4a4f909567486e and contracts 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 (orchestrator) and 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357 (helper), which forward tokens to the Uniswap router, perform swaps, and withdraw WETH to ETH before distributing ETH to the builder and the EOA.
- The HANA tax wallet 0x147c7a8c5d68019495ccb17093cf8c901603efac is defined in HANA's source as _taxWallet and receives ETH from sendETHToFee immediately after HANA executes swapTokensForEth, which is directly observable in the call trace for the incident transaction.
3. Vulnerability Analysis & Root Cause Summary
Root cause category: MEV
The MEV opportunity is created by the predictable interaction between HANA's tax-swap mechanism and the HANA/WETH Uniswap V2 pool: the adversary can route HANA through the pool in a way that triggers HANA's swapTokensForEth and sendETHToFee, adjusts reserves, and then realize a risk-free ETH profit in the same transaction, all while respecting HANA and Uniswap invariants.
Invariant: For the HANA/WETH pair 0xe7b4e528308c84fd6698906b6224615e9e30d236, the constant-product invariant x*y=k with a 0.3% LP fee holds for every swap, and HANA's ERC20 logic preserves total supply while routing a configurable fraction of each taxed transfer into an internal tax balance that can be swapped for ETH and forwarded to _taxWallet via sendETHToFee; these contracts are intended to maintain consistent accounting and AMM pricing under arbitrary user trades.
Breakpoint: In block 20827437, the adversary-crafted transaction 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e calls the orchestrator and helper to execute swapExactTokensForTokensSupportingFeeOnTransferTokens from HANA to WETH through the HANA/WETH pair, which in turn triggers HANA.swapTokensForEth and sendETHToFee to swap accumulated HANA tax into WETH and then ETH and send exactly 7.206502753487157557 ETH from HANA to the _taxWallet 0x147c7a8c5d68019495ccb17093cf8c901603efac; this is the first concrete state transition in sequence b that sets up the final WETH.withdraw and ETH distribution yielding a net 0.099442024478767458 ETH profit for the adversary while all contract-level accounting and AMM invariants remain satisfied.
4. Detailed Root Cause Analysis
The incident is a single-transaction MEV arbitrage that leverages HANA's tax-token design rather than a bug. From pre-state c_B, the adversary knows the public HANA/WETH reserves, HANA's tax parameters, and the presence of accumulated HANA tax tokens within the contract. By calling an orchestrator function on 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1, the adversary routes a specific HANA amount from helper 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357 through UniswapV2Router02.swapExactTokensForTokensSupportingFeeOnTransferTokens into the HANA/WETH pair. This trade is structured so that HANA's internal tax accounting accumulates additional HANA in the contract, then invokes swapTokensForEth to sell those HANA tokens for ETH via UniswapV2Router02.swapExactTokensForETHSupportingFeeOnTransferTokens and immediately calls sendETHToFee, which transfers 7.206502753487157557 ETH from HANA to the configured _taxWallet 0x147c7a8c5d68019495ccb17093cf8c901603efac. After this tax-swap, the orchestrator converts WETH back to ETH using WETH.withdraw and sends 0.00412387008942168 ETH to the block producer and 0.108334790875911824 ETH to the EOA 0x7248939f65bdd23aab9eaab1bc4a4f909567486e. Gas usage from the receipt confirms a cost of 0.008892766397143976 ETH, so the EOA's net portfolio gain is 0.099442024478767458 ETH. At every step, HANA's ERC20 transfer and tax logic and the Uniswap V2 pair's x*y=k pricing remain internally consistent; the profit arises from adversarial routing and timing of publicly known tax and AMM mechanics, not from any invariant violation.
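An added example, not part of the original report and not HANA's or Uniswap's own code: a small Python model of the two mechanics described above, the Uniswap V2 constant-product formula with its 0.3% fee and a tax token selling its accumulated balance during a taxed sell. The reserves, tax rate, amounts and the ordering of the two swaps are constructed assumptions, and `Pool` and `simulate_taxed_sell` are hypothetical names.

```python
from dataclasses import dataclass

def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """Uniswap V2 output for an exact input, 0.3% LP fee, integer math."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("insufficient input amount or liquidity")
    in_with_fee = amount_in * 997
    return in_with_fee * reserve_out // (reserve_in * 1000 + in_with_fee)

@dataclass
class Pool:
    token: int  # tax-token reserve, base units
    weth: int   # WETH reserve, wei

    @property
    def k(self) -> int:
        return self.token * self.weth

    def sell_token(self, received: int) -> int:
        """Swap the tokens that actually reached the pair for WETH."""
        out = get_amount_out(received, self.token, self.weth)
        self.token += received
        self.weth -= out
        return out

def simulate_taxed_sell(pool: Pool, sell_amount: int, tax_bps: int,
                        accumulated_tax: int) -> dict:
    """Model one taxed sell that also triggers the token's tax-swap."""
    k_before, price_before = pool.k, pool.weth / pool.token
    tax = sell_amount * tax_bps // 10_000
    # Assumed order: the token contract sells its tax balance first and the
    # proceeds leave the pool for the tax wallet.
    eth_to_tax_wallet = pool.sell_token(accumulated_tax)
    k_mid = pool.k
    # The fee-on-transfer router variant prices only what arrived net of tax.
    trader_weth = pool.sell_token(sell_amount - tax)
    return {
        "eth_to_tax_wallet": eth_to_tax_wallet,
        "trader_weth": trader_weth,
        "k": (k_before, k_mid, pool.k),
        "price_move": (pool.weth / pool.token) / price_before - 1,
    }

# Constructed inputs: 1,000,000 tokens vs 100 WETH, 5% tax, 50,000 tokens of
# accumulated tax, and a 10,000-token sell. None of these come from the incident.
result = simulate_taxed_sell(Pool(1_000_000, 100 * 10**18), 10_000, 500, 50_000)
```

With these constructed inputs k rises at each step while the pool price falls by roughly 11%, which is the deterministic reserve shift a liquidity provider or token deployer would want to size before allowing a single tax-swap of that magnitude.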
Vulnerable Components
- HANA ERC20 tax token contract 0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7, specifically its tax parameters, swapTokensForEth, and sendETHToFee implementation using UniswapV2Router02.swapExactTokensForETHSupportingFeeOnTransferTokens.
- Uniswap V2 HANA/WETH pair 0xe7b4e528308c84fd6698906b6224615e9e30d236, whose public reserves and constant-product pricing enable deterministic MEV opportunities around HANA tax-swap events.
- Adversary-owned orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 and helper 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357, which are used to source HANA, configure router calls, and distribute ETH proceeds but do not introduce any privileged access to HANA or the HANA/WETH pair.
ACT Exploit Conditions
- HANA trading is enabled and the HANA/WETH Uniswap V2 pool 0xe7b4e528308c84fd6698906b6224615e9e30d236 has sufficient liquidity and tax accumulation in HANA's internal balance to support the tax-swap and subsequent arbitrage steps.
- An unprivileged EOA can deploy or reuse orchestrator and helper contracts that call standard Uniswap V2 router functions, HANA, and WETH, and can submit transactions with competitive gas prices to be included in block 20827437 or an equivalent future block.
- The adversary can observe on-chain state (including pool reserves and HANA configuration) and construct calldata so that the HANA→WETH swap plus HANA's swapTokensForEth and sendETHToFee sequence yields a deterministic positive ETH P/L after accounting for gas and explicit builder payment.
Security Principles Violated
- Economic fairness for ordinary traders and tax-wallet recipients interacting with public AMM pools: transparent tax-token and AMM mechanics allow unprivileged searchers to extract deterministic MEV profits by optimally routing and ordering trades without violating any protocol-level safety invariant.
HANA tax token code excerpt (_taxWallet and sendETHToFee)
    address payable private _taxWallet;

    function sendETHToFee(uint256 amount) private {
        _taxWallet.transfer(amount);
    }
Seed transaction trace excerpt: HANA sends ETH to tax wallet
{ "from": "0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7", "to": "0x147c7a8c5d68019495ccb17093cf8c901603efac", "value": "0x6402a4129679f935" }
Balance diffs for key parties in tx 0xe8cee3…0e4e
{"address": "0x7248939f65bdd23aab9eaab1bc4a4f909567486e", "delta_wei": "99442024478767458"}
{"address": "0x95222290dd7278aa3ddd389cc1e1d165cc4bafe5", "delta_wei": "4123870089421680"}
{"address": "0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7", "delta_wei": "-50000000000000000"}
{"address": "0x147c7a8c5d68019495ccb17093cf8c901603efac", "delta_wei": "7206502753487157557"}
5. Adversary Flow Analysis
The adversary runs a reusable MEV strategy from EOA 0x7248939f65bdd23aab9eaab1bc4a4f909567486e through orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 and helper 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357 to route HANA through the HANA/WETH Uniswap V2 pool, trigger HANA's tax-swap and sendETHToFee, withdraw WETH to ETH, and distribute ETH to the builder and the EOA in a single transaction.
Adversary-Related Accounts
Adversary cluster
- Ethereum mainnet (chainid 1): 0x7248939f65bdd23aab9eaab1bc4a4f909567486e — Sender of both orchestrator calls 0xabe686a97d769d15e5586055f73e4b60d84758d3df0608cd6b8892b336a804d0 (block 20827405) and 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e (block 20827437), and direct recipient of the 0.108334790875911824 ETH payout in the incident transaction, as shown in tx.json, receipt.json, txlist_normal.json, and balance_diff.json.
- Ethereum mainnet (chainid 1): 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 — Orchestrator contract called by the EOA in both observed transactions; decompiled code and call traces show it forwarding tokens, interacting with Uniswap V2 router 0x7a250d5630b4cf539739df2c5dacb4c659f2488d, calling WETH.withdraw, and distributing ETH to the builder and the EOA without any privileged access beyond ownership by the MEV searcher.
- Ethereum mainnet (chainid 1): 0xf3cb07a3e57bf69301c3a51d8ac87427c53aa357 — Helper contract that receives HANA from orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 and interacts with HANA, the HANA/WETH pair, and the Uniswap V2 router during the incident transaction; runtime bytecode and decompilation confirm it is controlled by the same adversary cluster and provides routing functionality only.
Victim candidates
- Ethereum mainnet (chainid 1): 0x147c7a8c5d68019495ccb17093cf8c901603efac — HANA tax wallet (_taxWallet) receiving 7.206502753487157557 ETH via sendETHToFee (is_verified=true)
- Ethereum mainnet (chainid 1): 0xe7b4e528308c84fd6698906b6224615e9e30d236 — HANA/WETH Uniswap V2 liquidity providers at pair 0xe7b4e528308c84fd6698906b6224615e9e30d236 (is_verified=true)
Adversary Lifecycle Stages
- Adversary orchestrator usage before incident block: EOA 0x7248939f65bdd23aab9eaab1bc4a4f909567486e calls orchestrator 0xbdb0bc0941ba81672593cd8b3f9281789f2754d1 with function selector 0x3d35e910 against a different token/pool combination, demonstrating that the orchestrator is an adversary-controlled MEV tool used shortly before the incident block.
- Tx 0xabe686a97d769d15e5586055f73e4b60d84758d3df0608cd6b8892b336a804d0 on Ethereum mainnet (block 20827405)
- Evidence: artifacts/root_cause/data_collector/iter_1/address/1/0x7248939f65bdd23aab9eaab1bc4a4f909567486e/txlist_normal.json and orchestrator decompilation in artifacts/root_cause/data_collector/iter_1/contract/1/0xbdb0bc0941ba81672593cd8b3f9281789f2754d1/decompile/0xbdb0bc0941ba81672593cd8b3f9281789f2754d1-decompiled.sol.
- Incident MEV arbitrage and HANA tax-swap execution: The orchestrator and helper route HANA from the helper into the HANA/WETH Uniswap V2 pair via UniswapV2Router02.swapExactTokensForTokensSupportingFeeOnTransferTokens, triggering HANA.swapTokensForEth and sendETHToFee so that HANA sells its accumulated tax balance for ETH and sends exactly 7.206502753487157557 ETH to the tax wallet 0x147c7a8c5d68019495ccb17093cf8c901603efac, then convert WETH back to ETH and distribute 0.00412387008942168 ETH to the block producer and 0.108334790875911824 ETH to the EOA.
- Tx 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e on Ethereum mainnet (block 20827437)
- Evidence: QuickNode callTracer and prestateTracer for tx 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e, together with HANA verified source and the Uniswap V2 pair source under artifacts/root_cause/data_collector/iter_1/contract/1.
- Post-trade state and realized MEV profit: After execution, the EOA's ETH balance has increased by 0.099442024478767458 ETH net of gas and explicit builder payment, HANA's balance has decreased by 0.05 ETH, the tax wallet has gained 7.206502753487157557 ETH, and the HANA/WETH pool reserves have shifted in a manner consistent with the executed swaps and Uniswap V2 x*y=k pricing.
- Tx 0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e on Ethereum mainnet (block 20827437)
- Evidence: artifacts/root_cause/seed/1/0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e/balance_diff.json and the final state entries in debug_trace.prestate_tracer.json.
6. Impact & Losses
- Token: ETH, Amount: 0.099442024478767458
The direct measurable impact of this MEV ACT opportunity is a 0.099442024478767458 ETH profit to the adversary EOA in a single transaction, funded by trading against the HANA/WETH pool and by HANA's tax-swap transferring 7.206502753487157557 ETH to the tax wallet; no protocol invariant or user balance accounting is violated, but HANA traders and liquidity providers are exposed to extractable value whenever similar routing opportunities exist.
7. References
- [1] Seed tx metadata and receipt for 0xe8cee3...0e4e: artifacts/root_cause/data_collector/iter_1/tx/1/0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e
- [2] QuickNode debug traces (callTracer and prestateTracer) for 0xe8cee3...0e4e: artifacts/root_cause/data_collector/iter_1/tx/1/0xe8cee3450545a865b4a8fffd93938ae93429574dc8e01b02bc6a02f2f4490e4e
- [3] HANA verified source and ABI (0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7): artifacts/root_cause/data_collector/iter_1/contract/1/0xb3912b20b3abc78c15e85e13ec0bf334fbb924f7/source/etherscan_getsourcecode.json
- [4] Uniswap V2 HANA/WETH pair source (0xe7b4e528308c84fd6698906b6224615e9e30d236): artifacts/root_cause/data_collector/iter_1/contract/1/0xe7b4e528308c84fd6698906b6224615e9e30d236/source/src/Contract.sol
- [5] Adversary EOA tx history around block 20827437: artifacts/root_cause/data_collector/iter_1/address/1/0x7248939f65bdd23aab9eaab1bc4a4f909567486e/txlist_normal.json