Frontrun MEV bots and you'll get banned.

Tether has blacklisted an address—nicknamed "Sandwich the Ripper"—which holds $3 million in USDT after it was linked to an MEV exploit on April 3.

Blacklisted addresses are frozen from moving Tether funds from their wallet meaning the $3 million USDT is now essentially void.

Don't feel too sorry for the exploiter though as the address still holds $14.3 million in Wrapped Ethereum (WETH) and over $3.6 million in other assets.


This was part of a wider MEV exploit from last week that saw roughly $25 million in total funds stolen mainly located in three addresses. The blacklisted address held the majority of these funds with approximately $20 million.

MEV, which stands for maximal extractible value, refers to the maximum value that can be extracted from block production by including, excluding, or changing the order of transactions within a block.

An example of this is so-called sandwich trading where an MEV extractor will attempt to make profit on a pending transaction—that will affect the price of the traded pair—by buying and selling the pair before and after the pending transaction.

What was the MEV exploit?

During last week’s multi-million-dollar exploit, several bots were attempting to take advantage of a sandwich trade. They were searching the mempool for pending transactions that would affect the price of trading pairs, attempting to make a profit from the transaction.


Mempool—otherwise known as memory pool—is a list of pending transactions waiting for validation.

The bots then buy coins before the pending transaction is validated and then sell those coins after the transaction is processed, selling them for the higher price caused by the previously pending transaction.

In this case, however, someone sent a transaction to bait the bots to attempt a sandwich trade, thinking there was profit to be made.

"However, the attacker had found a bug in mev-boost-relay and the attacker exploited this bug by being the validator of this block," a spokesperson from PeckShield told Decrypt via Telegram. "The attacker replaced the sandwich bot's second transaction with his/her own transaction to make a profit."

The attacker successfully executed the exploit to the tune of roughly $20 million. The mev-boost-relay bug has since been patched.

Still, roughly $3 million of that haul has been lost for as long as Tether's ban remains.

Tether adds another address to its list

This is just the latest in a long line of stablecoin blacklistings, with Tether—the largest stablecoin provider—banning a huge 865 addresses holding a total of 456 million USDT.

"Tether routinely works with law enforcement agencies around the world as part of our commitment to cooperation, transparency, and accountability," a Tether representative told Decrypt. "We respect official requests to temporarily freeze funds and are proud of our role as industry leaders in promoting cooperation between industry and government authorities."

Similarly, Circle has banned 159 wallets from trading its USDC stablecoin, locking 8.6 million USDC.


This issue has only worsened in the last three years, with Tether having only blacklisted 39 addresses as of July 2020—that's an average of 275 banned addresses per year.

"This means that, from a purely code standpoint, the owner of the USDT contract can blacklist any address, effectively freezing that account’s funds," a smart contract engineer at Immunefi Gonçalo told Decrypt via email. "Historically, this function has been used to freeze USDT assets in accounts involved with exploit events."

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.