$25M MEV Exploit Teaches a Valuable Lesson About Relay Providers

Sometimes less is more, at least when it comes to relay providers

article-image

Fer Gregory/Shutterstock modified by Blockworks

share

It’s like an episode of the long-running TV crime drama series, CSI. 

Gathered in a research facility – usually set to an energetic rock anthem that belies the boredom of lab work — a forensics team busily fills test tubes and draws samples from the latest victim of some horrific event. The researchers gather to share complicated theories and argue about how the perpetrators must have performed this episode’s terrible deed.

Constructing a complex story, they work their way back through the evidence and continue debating possibilities. But soon, in a span of about 40 minutes plus commercials, following some investigative work, a few plot twists – and perhaps a car chase – the team arrives at a dramatic conclusion and solves the crime, learning a valuable lesson in the process.

No car chases came to fruition during a recent episode of Bell Curve. Nevertheless, Hasu, strategy lead at Flashbots, and Matt Cutler, CEO and co-founder of Blocknative, had their hands full with an investigation into the forensics of an MEV exploit that seized $25 million in funds from bots on the Ethereum network. 

In this particular case, the evidence pointed squarely at the exploitation of a flaw in the MEV relay mechanism – and punctuated the fact that only one little bug in the relay system can potentially put the entire system at risk.

Hasu broke down the details of the exploit. The way it was supposed to work, he says, “is that the relay shows the block header to the proposer. And then the proposer selects the highest block header and signs it.” After receiving the signature, “the relay reveals the block body to the proposer and the proposer can then publish the full block.”

“In this case,” Hasu explains, there was a bug “that caused the relay not to check whether a particular part of the validator signature was actually valid.”

The validator sent an invalid signature, failing to make a full block, “so the relay couldn’t publish the block to the network.”

The inevitable plot twist

When the relay released information about the MEV transactions to the proposer, “the proposer had all of the transactions,” Hasu says, so “they could construct their own block and steal the MEV.”

This heist alone, however, would have only resulted in a trivial amount of funds being stolen, Hasu explained. What takes this scheme to the epic level is the next step in the story arc.

The exploiters placed “very specifically parameterized traits,” Hasu says, “in very low liquidity Uniswap pools that baited very specific sandwich bots to make very risky trades.” They then re-sandwiched these particular trades to drain the sandwich spots of a fortune.

“You had this explosive cocktail where four sandwich bots lost, collectively, around 20 million dollars in that transaction.”

“Clearly, whoever did this,” Cutler comments, “it was well-orchestrated. It required some time to set up and test. And they had a very deep understanding of how this stuff actually worked and where there were gaps.”

Case closed?

Upon solving the mystery, the pair then discussed the lesson to be learned from this exploit episode.

Cutler points out that the centralization of relay providers is partly at fault for the incident. “These are the sorts of things that happen when you have a small number of actors who are responsible for large sets of the network, handling lots of value, and you have very clever adversarial actors out there who are looking to gain an advantage, right?”

Because of the need for searchers to trust relay providers, Cutler argues, “they can sometimes maybe not be as careful as they should be.”

“And that trust, when it gets pierced,” he says, “there can be significant economic consequences of that, which is why we all go for trustless, permissionless systems.” 

“That reduces the likelihood of any of these sorts of situations happening.”

Hasu counters Cutler’s argument saying that a larger number of relay providers does not, in fact, reduce risk. 

The validator, he explains, is free to choose from any available relay provider, so it only takes one faulty relay to successfully attack the entire system. Adding more relay providers could do the opposite, he says, actually increasing the probability of vulnerabilities.

A social layer must be considered, Cutler retorts. In an “alternate timeline” of many relay code producers, Cutler suggests, “perhaps one of those code producers says, ‘Hey, I noticed that we’re not checking everything here.’” 

“Hey, everybody, this strikes me as something that’s vulnerable.” 

“And we all go, ‘Oh, good catch. Thanks.’”

It’s a case of getting more eyes on the subject, Cutler says. “The more people who are thinking about it, the more likely gaps are to be spotted.”

Or, Cutler jokes, “Just write code that doesn’t have bugs. We’ve been saying that for 60 years now, right?” 

But it’s never as simple as it seems in any forensic drama. “The reality is, Cutler concludes, “this stuff is complicated.”


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Hilton Park Lane

Tues - Wed, November 10 - 11, 2026

DAS London is a two-day summit at the Hilton Park Lane in London featuring conversations between the builders, allocators, and policy makers who are shaping the trajectory of the digital asset ecosystem in the UK, Europe, and North America.

Marina Bay Sands Singapore

Wednesday, October 07, 2026

DAS Asia is a a single-day summit at Marina Bay Sands Singapore featuring conversations between the builders, investors, and global leaders are shaping the trajectory of the digital asset ecosystem in Asia & North America.

recent research

Sponsored Article Template - Button (1).png

Research

Button is productizing the synthesis stack for discretionary traders. As market data becomes cheap and ubiquitous, the edge is shifting from access to synthesis: who can turn feeds, research, positions, and market context into a decision fastest. This report explores why AI is better suited to augmenting traders than replacing them, and how Button is building the workspace for that new market structure.

Newsletter

The Breakdown

Decoding crypto and the markets. Daily, with Byron Gilliam.

Blockworks Research

Unlock crypto's most powerful research platform.

Our research packs a punch and gives you actionable takeaways for each topic.

SubscribeGet in touch

Blockworks Inc.

133 W 19th St., New York, NY 10011

Blockworks Network

NewsPodcastsNewslettersEventsRoundtablesAnalytics