Multi-venue stablecoin/WETH MEV arbitrage on Ethereum mainnet

Jan 20, 2026 03:40 UTC
Label: MEV
Estimated impact (gain): 1,299.18 ETH
Manually checked
Exploit transactions: 1
Addresses: 6
Attack window: Atomic (Jan 20, 2026 03:40 UTC → Jan 20, 2026 03:40 UTC)

Exploit Transactions

TX 1 (Ethereum)
0x569733b8016ef9418f0b6bde8c14224d9e759e79301499908ecbcd956a0651f5
Jan 20, 2026 03:40 UTC

Victim Addresses

0x32e616f4f17d43f9a5cd9be0e294727187064cb3 (Ethereum)
0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7 (Ethereum)
0x8ad599c3a0ff1de082011efddc58f1908eb6e6d8 (Ethereum)
0x99d8a9c45b2eca8864373a26d1459e3dff1e17f3 (Ethereum)
0x1e33e98af620f1d563fcd3cfd3c75ace841204ef (Ethereum)
0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2 (Ethereum)

Loss Breakdown

1,299.18 ETH

Root Cause Analysis

1. Incident Overview TL;DR

On Ethereum mainnet block 0x17261d2 (number 24273362), adversary-controlled routing contract 0x935bfb495e33f74d2e9735df1da66ace442ede48 executes a single self-call transaction:

  • Tx: 0x569733b8016ef9418f0b6bde8c14224d9e759e79301499908ecbcd956a0651f5
  • From/To: 0x935bfb495e33f74d2e9735df1da66ace442ede48 (router contract)
  • Block miner/coinbase: 0xa6c248384c5ddd934b83d0926d2e2a1ddf008387

The router orchestrates a multi-venue route across:

  • CurveStableSwapNG pool at 0x32e616f4f17d43f9a5cd9be0e294727187064cb3
  • Curve 3pool at 0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7
  • Uniswap V3 USDC/WETH pool at 0x8ad599c3a0ff1de082011efddc58f1908eb6e6d8 (via router 0xe592427a0aece92de3edee1f18e0157c05861564)
  • MagicInternetMoneyV1 (MIM) at 0x99d8a9c45b2eca8864373a26d1459e3dff1e17f3
  • MachineShare at 0x1e33e98af620f1d563fcd3cfd3c75ace841204ef
  • WETH9 at 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2

Using only permissionless ERC20 tokens (USDC and stablecoins) and standard DEX/lending interfaces, the transaction converts a price dislocation across these venues into a strictly positive ETH profit for the adversary-related cluster {0x935bfb495e33f74d2e9735df1da66ace442ede48, 0xa6c248384c5ddd934b83d0926d2e2a1ddf008387}.

From the prestate tracer balance diffs, the cluster’s native ETH balances change as:

{
  "native_balance_deltas": [
    {
      "address": "0xa6c248384c5ddd934b83d0926d2e2a1ddf008387",
      "delta_wei": "1299049904387646996005"
    },
    {
      "address": "0x935bfb495e33f74d2e9735df1da66ace442ede48",
      "delta_wei": "129918477180922775"
    }
  ]
}

Summing these deltas yields:

  • ΔETH_cluster = 1,299,179,822,864,827,918,780 wei ≈ 1299.17982286482791878 ETH

There is no evidence of protocol insolvency or logic failure. This is a pure MEV / arbitrage ACT opportunity: standard Curve, Uniswap, MIM, MachineShare, and WETH9 contracts behave as designed and preserve their local invariants, while the router exploits cross-venue price differences to realize a large ETH P&L in a single transaction from a publicly reconstructible pre-state.

2. Key Background

The incident involves several well-known Ethereum mainnet protocols and tokens:

  • CurveStableSwapNG (0x32e6…) and Curve 3pool (0xbebc…)
    These are stableswap AMMs whose pricing follows a stableswap invariant. They expose functions such as add_liquidity, exchange, and remove_liquidity_one_coin, allowing users to adjust pool reserves while preserving the pool’s internal invariant. In this incident they provide stablecoin routing and liquidity rather than exhibiting faulty behavior.

  • Uniswap V3 USDC/WETH pool (0x8ad599c3a0ff1de082011efddc58f1908eb6e6d8) via router 0xe592427a0aece92de3edee1f18e0157c05861564
    This is a concentrated-liquidity constant-product AMM enabling USDC↔WETH swaps at prices determined by on-chain liquidity and ticks. The router call encodes a route that trades USDC for WETH at a momentary price which, combined with the Curve legs, yields net profit.

  • FiatTokenV2_2 / USDC (0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48)
    A standard FiatToken implementation whose transfers and approvals underpin the stablecoin legs of the route.

  • MagicInternetMoneyV1 (0x99d8a9c45b2eca8864373a26d1459e3dff1e17f3) and MachineShare (0x1e33e98af620f1d563fcd3cfd3c75ace841204ef)
    Verified or seed-cloned contracts used as auxiliary components in the route. Their interfaces and code match widely used implementations (e.g., MIM’s BoringCrypto-based vault logic). They behave according to spec and are not the source of any logic bug.

  • WETH9 (0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2)
    A standard wrapped ETH implementation whose deposit and withdraw map between ERC20 WETH balances and native ETH. The cloned source under the seed artifacts matches the canonical WETH9:

contract WETH9 {
    event  Deposit(address indexed dst, uint wad);
    event  Withdrawal(address indexed src, uint wad);

    mapping (address => uint) public  balanceOf;

    function deposit() public payable {
        balanceOf[msg.sender] += msg.value;
        Deposit(msg.sender, msg.value);
    }
    function withdraw(uint wad) public {
        require(balanceOf[msg.sender] >= wad);
        balanceOf[msg.sender] -= wad;
        msg.sender.transfer(wad);
        Withdrawal(msg.sender, wad);
    }
}

  • Pre-state and data model
    The analysis defines a pre-state σ_B at block 24273361 (parent of the incident block 0x17261d2) reconstructed from:

    • Standard RPC (eth_getBlockByNumber, eth_getBalance, ERC20 balance slots)
    • debug_traceTransaction.prestateTracer for the seed transaction

    This pre-state and the single transaction b fully determine the post-state balances used in the profit computation.

3. Vulnerability Analysis & Root Cause Summary

This incident is not a protocol bug or exploit in the traditional sense. The root cause is an economic ACT opportunity:

  • At block 0x17261d2, there exists a publicly observable price dislocation between:
    • CurveStableSwapNG 0x32e6…
    • Curve 3pool 0xbebc…
    • Uniswap V3 USDC/WETH pool 0x8ad5…
    • Related venues (MIM, MachineShare)
  • No cross-venue invariant enforces a single ETH/USDC price across these pools. Each venue is locally sound but globally inconsistent with the others.
  • An unprivileged searcher-controlled router contract finds a routing of USDC and related stablecoins through these venues such that, from the publicly reconstructible pre-state σ_B, a single transaction b yields strictly positive ETH P&L for the adversary cluster after accounting for gas.

Formally, the analysis defines the economic invariant:

  • Let C = {0x935bfb495e33f74d2e9735df1da66ace442ede48, 0xa6c248384c5ddd934b83d0926d2e2a1ddf008387} be the adversary cluster.
  • Starting from σ_B, the transaction b is profitable if:
    • ΔETH_cluster = (ETH_after(C) − ETH_before(C)) = +1,299,179,822,864,827,918,780 wei > 0

This invariant is satisfied in the actual trace. All key protocols (Curve pools, Uniswap V3, MIM, MachineShare, WETH9) behave exactly according to their published code and invariants. The root cause is therefore the combination of:

  • Cross-venue price dislocations at a specific block, and
  • The absence of any protocol-level mechanism enforcing cross-market price consistency,

which together create a permissionless MEV/arbitrage opportunity that any searcher can realize with the same calldata and sufficient gas.

4. Detailed Root Cause Analysis

4.1 Transaction b and call structure

The incident centers on transaction b:

{
  "hash": "0x569733b8016ef9418f0b6bde8c14224d9e759e79301499908ecbcd956a0651f5",
  "from": "0x935bfb495e33f74d2e9735df1da66ace442ede48",
  "to": "0x935bfb495e33f74d2e9735df1da66ace442ede48",
  "input": "0x34030d9e…",
  "transactionIndex": "0x0",
  "blockHash": "0x3361a14f82b3d0d713ffbeeba62f0a3e4e181d61bba67e1fe4e66813d2376455",
  "blockNumber": "0x17261d2"
}

0x34030d9e is a router function selector; the call tracer shows it orchestrating approvals, stablecoin liquidity operations, swaps, and a final WETH9 withdraw. Early in the trace, USDC approvals from the router to multiple targets are visible:

{
  "from": "0x935bfb495e33f74d2e9735df1da66ace442ede48",
  "to": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
  "type": "CALL",
  "input": "0x095ea7b3…00000000000000000000000032e616f4f17d43f9a5cd9be0e294727187064cb3ffffffff…",
  "gasUsed": "0x72b2"
}

This matches USDC’s approve(address,uint256) and sets allowances for:

  • CurveStableSwapNG pool 0x32e616f4f17d43f9a5cd9be0e294727187064cb3
  • Curve 3pool 0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7
  • Additional routing contracts used in the stablecoin leg

Subsequent calls move stablecoins into and out of Curve pools, MIM, and MachineShare, followed by a Uniswap V3 swap that converts USDC into WETH, and finally a WETH9 withdraw.
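
An added example, not code from the original report or its tooling: a Python walker over a callTracer-style frame tree that pulls out approve(address,uint256) calls like the one shown above, counting each approval once by skipping the DELEGATECALL hop from the USDC proxy to its implementation. The trace is constructed: addresses and selectors come from the report, while the approved amounts and the helper names are assumptions.

```python
APPROVE = "095ea7b3"            # selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1
ROUTER = "0x935bfb495e33f74d2e9735df1da66ace442ede48"
USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"
USDC_IMPL = "0x43506849d7c04f9138d1a2050bbf3a0c054402dd"
CURVE_NG = "0x32e616f4f17d43f9a5cd9be0e294727187064cb3"
CURVE_3POOL = "0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7"

def approve_calldata(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount); used to build the sample trace."""
    return "0x" + APPROVE + spender[2:].rjust(64, "0") + f"{amount:064x}"

def decode_approve(input_hex: str):
    """Return (spender, amount) for well-formed approve calldata, else None."""
    data = input_hex[2:].lower()
    if len(data) != 8 + 64 + 64 or not data.startswith(APPROVE):
        return None
    if data[8:32].strip("0"):   # upper 12 bytes of the address word must be zero
        return None
    return "0x" + data[32:72], int(data[72:], 16)

def frames(frame: dict, depth: int = 0):
    """Depth-first walk over a callTracer frame and its nested 'calls'."""
    yield frame, depth
    for child in frame.get("calls", []):
        yield from frames(child, depth + 1)

def approvals(trace: dict) -> list:
    """Approvals granted via CALL frames; DELEGATECALL copies are skipped."""
    found = []
    for frame, _depth in frames(trace):
        decoded = decode_approve(frame.get("input", "0x"))
        if frame.get("type") != "CALL" or decoded is None:
            continue
        spender, amount = decoded
        found.append({"owner": frame["from"], "token": frame["to"],
                      "spender": spender, "unlimited": amount == MAX_UINT256})
    return found

# Constructed sample: addresses and selectors are from the report, amounts are not.
def _approve_frame(spender: str, amount: int) -> dict:
    data = approve_calldata(spender, amount)
    hop = {"type": "DELEGATECALL", "from": USDC, "to": USDC_IMPL, "input": data}
    return {"type": "CALL", "from": ROUTER, "to": USDC, "input": data, "calls": [hop]}

SAMPLE_TRACE = {"type": "CALL", "from": ROUTER, "to": ROUTER, "input": "0x34030d9e",
                "calls": [_approve_frame(CURVE_NG, MAX_UINT256),
                          _approve_frame(CURVE_3POOL, 5_000_000 * 10**6)]}

if __name__ == "__main__":
    for entry in approvals(SAMPLE_TRACE):
        print(entry)
```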

4.2 Invariant and breakpoint realization

The invariant is defined as:

Starting from publicly reconstructible pre-state σ_B at block 24273361, there exists a single adversary-crafted transaction b such that the aggregated native ETH balance of the cluster {0x935bfb…, 0xa6c2…} strictly increases:
ΔETH_cluster = +1,299,179,822,864,827,918,780 wei > 0 after execution, as computed from balance_diff_prestateTracer.json.

The breakpoint where this predicate is realized is the concrete sequence of on-chain operations inside tx b’s trace:

  1. USDC approvals and transfers into Curve pools
    The router approves and transfers USDC to CurveStableSwapNG 0x32e6… and Curve 3pool 0xbebc…, as well as to auxiliary contracts, preparing the capital for stableswap operations.

  2. Stablecoin liquidity and swap operations
    The router invokes stableswap-style functions (add liquidity, exchange, remove as a single coin) on the Curve pools, plus interactions with MachineShare 0x1e33… and MIM 0x99d8…, to traverse a multi-leg stablecoin route that reshapes USDC and other stablecoin balances without breaking any local invariants.

  3. USDC → WETH conversion on Uniswap V3
    The router calls Uniswap V3 router 0xe592… to swap USDC through the USDC/WETH pool 0x8ad5…, acquiring WETH at a cross-venue price which, when combined with the entry and exit prices on Curve, yields more WETH than the initial ETH-equivalent value.

  4. WETH9 withdraw to native ETH
    Finally, the router invokes WETH9.withdraw on 0xc02a…, burning the acquired WETH and releasing a large quantity of native ETH. The prestate tracer shows:

{
  "native_balance_deltas": [
    {
      "address": "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2",
      "delta_wei": "-1299179984426144193670"
    },
    {
      "address": "0xa6c248384c5ddd934b83d0926d2e2a1ddf008387",
      "delta_wei": "1299049904387646996005"
    },
    {
      "address": "0x935bfb495e33f74d2e9735df1da66ace442ede48",
      "delta_wei": "129918477180922775"
    }
  ]
}

Summing the positive deltas for the cluster addresses yields exactly the ΔETH_cluster quoted in the invariant. This is the concrete breakpoint where the economic predicate “cluster ETH after b > cluster ETH before b” becomes true.

4.3 Venue behavior and absence of code-level bugs

To confirm that the opportunity is economic rather than a protocol bug:

  • USDC conservation across venues
    The erc20_balance_deltas for USDC in balance_diff_prestateTracer.json show that USDC is conserved across key pools and intermediaries. For example:
{
  "token": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
  "holder": "0x32e616f4f17d43f9a5cd9be0e294727187064cb3",
  "delta": "-5108973342628"
},
{
  "token": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
  "holder": "0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7",
  "delta": "804957003830"
},
{
  "token": "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
  "holder": "0x8ad599c3a0ff1de082011efddc58f1908eb6e6d8",
  "delta": "4244311798972"
}

The net effect is consistent with normal AMM accounting; there is no unexplained minting or burning.

  • Standard WETH9 behavior
    The cloned WETH9 source matches the canonical implementation. The large negative delta on WETH9’s native balance simply reflects a legitimate withdrawal of ETH corresponding to the router’s WETH holdings.

  • MIM and MachineShare code
    Seed-cloned sources for MIM and MachineShare show standard vault/borrowing and share logic using BoringMath safety checks. Trace evidence indicates that they are used to route value but do not mis-account balances or bypass access control.

Taken together, the evidence supports the conclusion that:

  • Each venue’s internal safety properties (e.g., stableswap invariants, ERC20 balance accounting, WETH deposit/withdraw semantics) remain intact.
  • The adversary’s profit arises solely from cross-venue price differences and ordering in a single block, not from any contract vulnerability.
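
An added example, not part of the original analysis: a Python reconciliation of the balance-diff excerpts quoted in sections 4.2 and 4.3, using exact integer arithmetic for the cluster P&L, the native ETH residual, and per-token ERC20 sums. The key names follow the excerpts; the function names and the combined DIFF layout are assumptions.

```python
from collections import defaultdict

WEI_PER_ETH = 10**18
USDC = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"
CLUSTER = {"0x935bfb495e33f74d2e9735df1da66ace442ede48",
           "0xa6c248384c5ddd934b83d0926d2e2a1ddf008387"}

# Excerpts copied from the report (sections 4.2 and 4.3), same key names.
DIFF = {
    "native_balance_deltas": [
        {"address": "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2", "delta_wei": "-1299179984426144193670"},
        {"address": "0xa6c248384c5ddd934b83d0926d2e2a1ddf008387", "delta_wei": "1299049904387646996005"},
        {"address": "0x935bfb495e33f74d2e9735df1da66ace442ede48", "delta_wei": "129918477180922775"},
    ],
    "erc20_balance_deltas": [
        {"token": USDC, "holder": "0x32e616f4f17d43f9a5cd9be0e294727187064cb3", "delta": "-5108973342628"},
        {"token": USDC, "holder": "0xbebc44782c7db0a1a60cb6fe97d0b483032ff1c7", "delta": "804957003830"},
        {"token": USDC, "holder": "0x8ad599c3a0ff1de082011efddc58f1908eb6e6d8", "delta": "4244311798972"},
    ],
}

def wei_to_eth(wei: int) -> str:
    """Exact decimal string; float() would round values above 2**53."""
    whole, frac = divmod(abs(wei), WEI_PER_ETH)
    return f"{'-' if wei < 0 else ''}{whole}.{frac:018d}"

def cluster_pnl_wei(diff: dict, cluster: set) -> int:
    """Net native ETH change summed over the cluster's addresses."""
    members = {a.lower() for a in cluster}
    return sum(int(d["delta_wei"]) for d in diff["native_balance_deltas"]
               if d["address"].lower() in members)

def native_residual_wei(diff: dict) -> int:
    """Sum over all listed addresses; non-zero means ETH left the listed set."""
    return sum(int(d["delta_wei"]) for d in diff["native_balance_deltas"])

def erc20_net_by_token(diff: dict) -> dict:
    """Per-token sum of holder deltas; zero means no mint or burn among them."""
    net = defaultdict(int)
    for d in diff["erc20_balance_deltas"]:
        net[d["token"].lower()] += int(d["delta"])
    return dict(net)

if __name__ == "__main__":
    print("cluster P&L:", wei_to_eth(cluster_pnl_wei(DIFF, CLUSTER)), "ETH")
    print("native residual:", native_residual_wei(DIFF), "wei")
    for token, net in erc20_net_by_token(DIFF).items():
        print(token, "net base units:", net)
```

On these excerpts the cluster P&L reproduces the quoted 1,299,179,822,864,827,918,780 wei, and the native residual of -161,561,316,274,890 wei is ETH credited to none of the three listed addresses. The three excerpted USDC entries alone net to -59,704,539,826 base units, so the conservation check only closes over the complete erc20_balance_deltas list in the file.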

5. Adversary Flow Analysis

5.1 Adversary-related accounts

The analysis identifies an adversary cluster:

  • Router contract: 0x935bfb495e33f74d2e9735df1da66ace442ede48

    • Sender and callee of tx 0x5697..651f5.
    • Call trace shows it orchestrating approvals and multi-venue swaps.
    • Native ETH balance increases by 129,918,477,180,922,775 wei in the seed transaction.
    • Cluster portfolio snapshots treat it as part of the {0x935bfb…, 0xa6c2…} cluster.
  • EOA / block builder / profit recipient: 0xa6c248384c5ddd934b83d0926d2e2a1ddf008387

    • Miner/coinbase address of block 0x17261d2 (from block header in block_txs_with_logs_and_highlights.json).
    • Native ETH balance increases by 1,299,049,904,387,646,996,005 wei in this transaction.
    • Cluster portfolio snapshots treat it as the other address in the adversary-related cluster.

5.2 Lifecycle stage: single-tx MEV execution

The adversary flow is a single lifecycle stage:

  • Stage: Adversary MEV execution (single-tx route b)
    • Chain: Ethereum mainnet (chainid = 1)
    • Tx: 0x569733b8016ef9418f0b6bde8c14224d9e759e79301499908ecbcd956a0651f5
    • Block: 24273362 (hash 0x3361a1…)
    • Mechanism: Other (complex multi-venue routing)

Effect:
Starting from σ_B, the router:

  1. Approves and moves USDC/stablecoins into CurveStableSwapNG and Curve 3pool.
  2. Traverses several Curve and auxiliary legs (MIM, MachineShare) to reshape stablecoin positions.
  3. Swaps USDC for WETH on the Uniswap V3 USDC/WETH pool 0x8ad5… via router 0xe592….
  4. Calls WETH9.withdraw on 0xc02a…, converting WETH to native ETH.
  5. Routes ETH such that the adversary cluster {0x935bfb…, 0xa6c2…} ends the transaction with a net increase of 1,299,179,822,864,827,918,780 wei.

Trace, log, and balance evidence for this stage is captured in:

artifacts/root_cause/seed/1/0x5697…651f5/metadata.json
artifacts/root_cause/data_collector/iter_1/tx/1/0x5697…651f5/debug_traceTransaction.json
artifacts/root_cause/data_collector/iter_3/tx/1/0x5697…651f5/balance_diff_prestateTracer.json
artifacts/root_cause/data_collector/iter_3/address/1/_cluster_0x935bfb_0xa6c2_portfolio_balances.json

5.3 ACT exploit conditions

The ACT opportunity depends on the following explicit conditions:

  • A publicly observable price dislocation between CurveStableSwapNG 0x32e6…, Curve 3pool 0xbebc…, Uniswap V3 USDC/WETH pool 0x8ad5…, and related venues at block 0x17261d2, such that the chosen route yields more WETH (and hence ETH) than the initial ETH-equivalent value.
  • Sufficient liquidity in the involved pools to absorb the trade sizes encoded in tx b without reversion or prohibitive slippage.
  • Permissionless access to Curve, Uniswap V3, MIM, MachineShare, and WETH9, allowing any unprivileged searcher to construct the same calldata (to this router or an equivalent custom router).
  • Transaction ordering and inclusion conditions (typical of MEV searcher environments) that allow tx b to be included as the first transaction in block 0x17261d2 without being front-run or undercut by competitor routes.

Given these conditions, any adversary observing σ_B can deterministically realize the same profit with only canonical on-chain data and publicly available contract metadata.

6. Impact & Losses

This incident does not involve protocol insolvency, treasury drain, or unauthorized state changes. Instead:

  • The adversary cluster {0x935bfb…, 0xa6c2…} earns a net profit of:
    • ΔETH_cluster = 1,299,179,822,864,827,918,780 wei
    • 1299.17982286482791878 ETH after gas and internal transfers
  • The economic cost is borne by:
    • Liquidity providers in CurveStableSwapNG and Curve 3pool
    • LPs and counterparties in the Uniswap V3 USDC/WETH pool
    • Users interacting with MIM and MachineShare to the extent they provide the underlying liquidity

All of this occurs via intended protocol functionality (standard swaps, liquidity operations, lending/vault interactions, and WETH withdraws). The “loss” is the opportunity cost and value extracted from LPs and counterparties due to the lack of cross-venue price synchronization, not a breach of any safety invariant in the underlying contracts.

In short, this is a large but expected MEV/arbitrage extraction rather than a code-level exploit.

7. References

  • Seed and context

    • Seed index for tx 0x5697..651f5: artifacts/root_cause/seed/index.json
    • Seed metadata for tx 0x5697..651f5: artifacts/root_cause/seed/1/0x5697…651f5/metadata.json
  • On-chain traces and balances

    • Full debug trace (callTracer) for tx 0x5697..651f5: artifacts/root_cause/data_collector/iter_1/tx/1/0x5697…651f5/debug_traceTransaction.json
    • Prestate tracer native and ERC20 balance diffs for tx 0x5697..651f5: artifacts/root_cause/data_collector/iter_3/tx/1/0x5697…651f5/balance_diff_prestateTracer.json
    • Cluster portfolio balances for {0x935bfb…, 0xa6c2…}: artifacts/root_cause/data_collector/iter_3/address/1/_cluster_0x935bfb_0xa6c2_portfolio_balances.json
    • Block 0x17261d2 transaction list and highlights: artifacts/root_cause/data_collector/iter_3/tx/1/block_0x17261d2/block_txs_with_logs_and_highlights.json
  • Contract source code (seed-cloned / verified)

    • WETH9 (0xc02a…): artifacts/root_cause/seed/1/0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2/src/Contract.sol
    • MagicInternetMoneyV1 (0x99d8…): artifacts/root_cause/seed/1/0x99d8a9c45b2eca8864373a26d1459e3dff1e17f3/src/Contract.sol
    • MachineShare (0x1e33…): artifacts/root_cause/seed/1/0x1e33e98af620f1d563fcd3cfd3c75ace841204ef/
    • FiatTokenV2_2 / USDC implementation (0x4350… layout address for 0xa0b8…): artifacts/root_cause/seed/1/0x43506849d7c04f9138d1a2050bbf3a0c054402dd/
  • Primary exploit transaction

    • Ethereum mainnet tx 0x569733b8016ef9418f0b6bde8c14224d9e759e79301499908ecbcd956a0651f5