What to do if you have a sweeper bot on your account
Does this article need to be translated?
Have assets suddenly moved out of your account, without your permission or knowledge? Have you noticed that every time you transfer something into your account, it gets automatically forwarded somewhere else?
If so, you might be dealing with a sweeper. This article will give some explanation as to what sweepers are, and provides further guidance on dealing with having one attached to your account.
You should immediately stop using accounts associated with your current Secret Recovery Phrase. Any funds deposited may end up being stolen. Continue reading the article for next steps.
What is a sweeper?
Also known as a sweeper bot, a sweeper is an automated bit of code (also called a script) that can be assigned to a blockchain address, to perform actions relating to that account automatically, such as automatically sweeping assets deposited into the account to another address.
If you want to learn more about what sweeper bots are, how they work, and how they can get installed, take a look at our explainer on sweeper bots.
What to do if I have a sweeper bot on my account?
Analyze recently installed applications and browser extensions, especially those from untrusted third parties. Ensure your operating system, security software, web browsers, and other applications are fully updated. Perform a virus/malware scan on any device you have MetaMask installed.
If you have the suspicion that you may have a sweeper bot on your account, there are a couple things you should and should not do.
Do not deposit more funds
Depositing more funds to your account will likely result in losing more funds. When the sweeper bot detects that you've deposited additional funds, it can immediately send these out to another address, resulting in you no longer having access to these funds. These funds are irretrievable, meaning that you will lose them forever.
Report the scam
Report the scam on a blockchain explorer and to your local authorities. Then, report the scam to Chainabuse using the Chainabuse Report Form.
Educate yourself on how sweeper bots work
To avoid this happening again in the future, educate yourself on how these kinds of attacks can happen. Learn more about how sweeper bots work.
Never share your Secret Recovery Phrase with others. It will grant them access to all of your accounts and funds.
Migrate to a new Secret Recovery Phrase
Do not create additional accounts in your now-compromised Secret Recovery Phrase; any newly-created accounts will also be compromised, and you're likely to lose funds deposited into them.
Instead, generate a brand new Secret Recovery Phrase. Read more about migrating your accounts.
Consider using Flashbots
Any remaining assets in your wallet can potentially be recovered by using Flashbots. You can also open a case with the Flashbots Whitehat team here, if you don't wish to attempt this yourself. Please note that their recovery team requires a $1,000 asset recovery minimum, and they take a 5-10% cut of the recovered assets.
Bringing a bot to a bot fight
In this context—fighting against an automated opponent who takes your ETH from you before you can use it—things can look pretty hopeless. Enter Flashbots, who have developed a project called Flashbots/searcher-sponsored-tx. This allows you, essentially, to pay for the transaction on the compromised address from another account. Or, as they put it: “This is accomplished by submitting a Flashbots transaction bundle, with the first "sponsor" transaction paying the "executor" wallet in ETH, followed by a series of executor transactions that spend this newly received ETH on gas fees.”
This strategy requires two accounts — the compromised account (the executor) and another to pay for the transaction (the sponsor). Success using Flashbots will require significant technical know-how and research. The following instructions are provided as a general guide only.
- Make sure the compromised account has no ETH in it; we highly recommend you use a burner bot first.
- We generally advise running this burner bot on more than one machine, using a different endpoint on each. For example, run a burner locally using Infura, and a burner on a remote server with another provider such as Quiknode. This is so that you have a redundancy plan in case we have high network latency or node issues (rate limits, syncing issues). The code in Flashbots/searcher-sponsored-tx will need to be altered for your specific needs, but the engine is there for you to rescue your tokens from a compromised address. The Flashbots engine is flexible enough to support a single transfer() call, or unstake() and transfer().
Using a self-destructing smart contract�
Another method of getting ETH into the account without it being publicly broadcast in the transaction pool is by sending it through an internal transaction, using a smart contract deployed by a new, clean, safe address.
pragma solidity >=0.7.0 <0.9.0;
contract MoveETH {
constructor(address sendToAddress) payable {
address payable addr = payable(address(sendToAddress));
selfdestruct(addr);
}
}
By deploying this contract, we can send ETH and the compromised address string in the constructor argument. This contract works by creating the contract and self-destructing in the same transaction. The use of selfdestruct() means we clear the blockchain state (since it's a one time use contract) and forward the ETH to the compromised address in 1 transaction.
Example: https://goerli.etherscan.io/tx/0x82ccb222eae55aaea73dd0efee1ea6ed7320f880889f280d4a343b8823f86692
While effective, this method uses a notably higher amount of gas (about 70,000), as it is much more complex than a simple transfer from one account to another (normally 22,000).
From here, we would broadcast pre-signed transactions ensuring we are using all the ETH in the account so that a sweeper cannot frontrun us - or at least make it unlikely to be frontrun, as a sweeper would need to send more ETH to the account to pay a higher gas price.
Conclusion
Remember, the best way to beat a sweeper is… to not have to in the first place! Follow our recommendations here, and stay safe out there. Never share your Secret Recovery Phrase with others.
This is an updated version of an article originally published on MyCrypto's blog.