A user paid $700K to transact Ethereum (ETH), white hat hackers try to save the funds

An Ethereum (ETH) transaction incurred a fee of 288 ETH, or $700K. The user produced a zero-value transaction with an extremely high fee, which turned out to be the work of a validator withdrawal exploit. 

A single Ethereum (ETH) transaction came with a fee of 288 ETH, or $700K. Even during periods of peak activity, a fee of this size is an outlier. The initial suspicions of a hack were confirmed later, as on-chain researchers noted the presence of a smart contract that was capable of intercepting ETH withdrawn from validators.

However, this time, the fee does not seem to be entirely lost. The fee went into a block producer wallet, which then sent it to the Stakefish Service. The transaction is more complicated, since the funds were not sent for staking, but sent as a fee, which will have to be processed differently. 

The rogue fee was not due to gas congestion, as the current price conditions on Ethereum are close to the average.

Usually, the Stakefish fee recipient contract receives small amounts of ETH from block builders, especially BeaverBuild. Sending the funds as a fee is seen as a way for the hacker to burn their tracks, after deciding not to withdraw the ETH. 

On-chain research shows potentially compromised ETH withdrawal

On-chain researchers noticed the transaction may not be an accident but the work of a hacker. The MEV Refund account investigated what he sees as a case of a compromised withdrawal wallet. The researcher reached out to Stakefish for the potential to return the funds to the original owner. 

Hi @stakefish , I’m helping whitehat a compromised withdrawal address.

Unfortunately, it seems that if the bad guys can’t have it, nobody can 😢

Any chance you can return those stolen funds to the rightful owner?https://t.co/4TPQ4U6vuG pic.twitter.com/PA5CxbXayH

— MevRefund (@MevRefund) October 8, 2024

Other researchers see the reason as a ‘smart contract from hell’, a flawed redirecting of funds. Since the hacker may have feared tracking and discovery, the fee was sent for staking and may not be recovered immediately. MEV Refund did not disclose more details, but has been working on similar withdrawal issues from validators and potentially recoverable lost ETH. 

Receiving rewards from validators has become a vector of attack 

The original wallet which created the high-fee transaction is also not a naive user. The address looks like a hub to redistribute compromised ETH withdrawals from validators.

The wallet is labeled as ETH Withdrawer and has multiple high-value counterparties, including MEV services, DEX traders, MetaMask traders and power users.

The wallet’s history shows inflows of small amounts of ETH, moving through what looks like a burn address and into the withdrawal address. Before the 288 ETH transfer, the ETH Withdrawer grabbed another 96 ETH. Those funds, however, were secured by the white hat hacker, MEV Refund. 

Setting up an Ethereum validator withdrawal address is an involved process and has the potential to be compromised on some of the steps. Unstaking ETH from the beacon chain may trigger the funds to be sent to a hacker’s address, where they can be moved in multiple ways. Some of the mnemonic phrases created to withdraw from validators can be exposed, leading to the loss of funds. 

Some withdrawal attempts or compromised wallets can be fixed through white-hat bot experts. In cases of a wrong or compromised validator withdrawal address, a transaction can be ordered to front-run the hacker. However, those transactions can be expensive and a fee and tip war may wipe out a large part of the funds. 

One of the potential vectors of withdrawal mistakes are user errors. However, lately, there are also data of block builders being spammed with requests that could redirect some of the transactions. Block builders are supposed to prevent transaction hijacking, but some builders may be allowing rogue transactions into private blocks.

In the past, highly expensive blocks were also produced with significant fees. This was a way to launder ETH, by sending it through a miner’s wallet. The fee route was simply a way to stake ETH, by going through intermediary addresses.  

The current Ethereum landscape is more competitive, with potential pitfalls from smart contracts and transaction hijacking. Private pools being compromised may take another hit against DEX trading. Currently, private pools get spammed with attempts to sandwich some trades, but there may be hidden attempts to sandwich even paid, private transactions.

Cryptopolitan reporting by Hristina Vasileva