What is a sweeper bot? | MetaMask Help Center 🦊♥️ (2024)

Sweeper bots, or "sweepers," are automated scripts that malicious actors deploy to monitor and interact with blockchain transactions. These bots are designed to automatically transfer assets from a compromised account to another address controlled by the attacker. This process, also known as sweeping or scavenging, can happen in the blink of an eye, due to the bot's ability to monitor the mempool or txpool—where pending transactions are stored before being confirmed on the blockchain.

Your wallet can only be affected by a sweeper script if you share your secret recovery phrase with a bad actor.

Sweeper bots are particularly troublesome for two reasons:

  • The code can react far quicker than a human ever can. Racing to move your funds through your wallet faster than the script will always result in you coming out second best.
  • It is subtle. It is not immediately apparent to the user that they've been hacked, as the script works out of sight. If you perform a significant transaction and you or the recipient do not receive the funds, you may at first assume the transaction is stuck or pending, or that MetaMask has malfunctioned.

Notice anything unusual?

Do you suspect you might have a sweeper bot on your account? You should immediately stop using accounts associated with your current Secret Recovery Phrase. Any funds deposited may end up being stolen. For next steps, read our guide on what to do if you have a sweeper bot on your account.

How do sweeper bots get installed?

The first and crucial step for a scammer is to obtain your secret recovery phrase. To do so, they may deploy a phishing attack. They may also pose as a friendly helpdesk engineer offering to help you resolve your issue or attempt to disguise themselves as an official MetaMask support account. Another potential avenue is to set up a seemingly trustworthy dapp—or mimic an established one—and require the user to input their private key or secret recovery phrase to use it.

If they are successful, they will be able to access your wallet, obtain your private key, and write it into the sweeper script. Possession of your private key allows the script to sign transactions without your knowledge, allowing it total and unrestrained control over wallet activity. The script will then proceed to monitor transactions coming to and from your account and sweep out any tokens you transfer in before you could possibly react.

Your Secret Recovery Phrase gives anyone who has access to it complete and total control over your accounts and funds. Never share your Secret Recovery Phrase with anyone.

Sweeper scripts are a nuisance to dispose of once they have infiltrated your wallet, and require you to employ very complex methods or even recruit whitehat hackers. For example, there are highly specific approaches you can take if you are attempting to get NFTs out of a compromised wallet.

On a deeper level

To understand how sweepers and other bots that act on public blockchain networks operate, you need a little technical understanding of how these networks work. At a high level: a public blockchain network is composed of any number of nodes, each of which communicates with the rest of the network's nodes, continually maintaining consensus regarding the state of a common ledger. That ledger keeps track of any number of different assets, depending on how the blockchain was designed.

Users on the network send transactions from their addresses to other addresses. These transactions are broadcast to the closest node(s), which then forward the proposed transaction on to the rest of the network. The user's transaction remains pending for a time, with other recent transactions, in what's known as the transaction pool (txpool) or memory pool (mempool). Meanwhile, the nodes do the work of checking that the address requesting the transfer, in fact, has the funds available for transfer, and reach consensus with the rest of the network that the transaction is thus valid. At this point, a group of validated transactions is grouped together and encrypted, and proposed to the network as a block of transactions; when it is accepted, it is included in the chain.

If blockchain terminology or concepts trip you up, don't worry. Check out Consensys' Blockchain Glossary and our Learn the Basics article.

Most often, sweeper bots scan that pool of transactions for transfers of tokens to the compromised address; as soon as a bot sees an incoming transfer of value or tokens that would be of interest, it initiates a second transaction, transferring those assets to another, third-party address.

Because this is all automated via code and actions are taken almost simultaneously with the funds being transferred to the account, it might happen faster than the time it takes to refresh the block explorer. You certainly won't be able to manually transfer assets out of your account faster than a bot.

Consider some of these details observed about sweeper behavior:

  • A sweeper might favor the asset that is highest in USD value, even if that means spending more in transaction fees to sweep it.
  • The sweeper may use all available ETH to maximize the value swept out of the account, while also having a high likelihood of being the “winning” transaction, in cases where there is a battle between two parties to remove assets from an account.
  • Even if there is no ETH in the account, an attacker may fund an account temporarily in order to cover the gas fees to extract other desirable assets from the account (NFTs, Liquidity Pool tokens, etc.).
  • If the USD value of assets in the account is below a certain level, the bot may not sweep out the assets, meaning you may not realize that you have a sweeper on your account.
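The behavior listed above leaves a recognizable trace in an account's confirmed history: a deposit followed within a block or so by an outflow that drains nearly the whole balance, repeatedly to the same address. The following is an added example, not MetaMask's code, of a heuristic that checks a transaction history for that pattern; the `Tx` record, the function names, the thresholds and the sample history are all assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    block: int        # block number the transfer was confirmed in
    sender: str
    recipient: str
    value_wei: int
    fee_wei: int = 0  # gas fee paid by the sender

def find_sweeps(txs, account, max_block_gap=1, min_fraction=0.9):
    """Pair each deposit into `account` with an outflow that follows within
    `max_block_gap` blocks and drains at least `min_fraction` of the balance."""
    balance, pending, sweeps = 0, None, []
    for tx in sorted(txs, key=lambda t: t.block):  # stable: keeps in-block order
        if tx.recipient == account:
            balance += tx.value_wei
            pending = (tx, balance)          # deposit and the balance right after it
        elif tx.sender == account:
            drained = tx.value_wei + tx.fee_wei  # fees leave the account too
            if pending:
                deposit, bal = pending
                if tx.block - deposit.block <= max_block_gap and drained >= min_fraction * bal:
                    sweeps.append((deposit, tx))
            balance -= drained
            pending = None
    return sweeps

def sweep_report(txs, account):
    sweeps = find_sweeps(txs, account)
    dests = Counter(out.recipient for _, out in sweeps)
    # One fast drain can be legitimate; repeated drains to one address are the signal.
    return {"sweeps": len(sweeps), "destinations": dict(dests),
            "suspicious": any(n >= 2 for n in dests.values())}

# Constructed sample history (addresses are placeholders, not real accounts).
ME, FRIEND, EXCHANGE, UNKNOWN = "0xME", "0xFRIEND", "0xEXCHANGE", "0xUNKNOWN"
ETH = 10**18
HISTORY = [
    Tx(100, EXCHANGE, ME, 2 * ETH),
    Tx(100, ME, UNKNOWN, 19 * ETH // 10, ETH // 10),  # same block, whole balance
    Tx(250, FRIEND, ME, 1 * ETH),
    Tx(251, ME, UNKNOWN, 95 * ETH // 100, 5 * ETH // 100),
    Tx(400, FRIEND, ME, ETH // 1000),                 # small deposit, left alone
    Tx(900, ME, FRIEND, ETH // 2000, 21000 * 10**9),  # ordinary later payment
]
```

A clean result on small deposits proves nothing, since a sweeper may ignore amounts below its threshold, and automated forwarding wallets that the owner set up deliberately produce the same pattern.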

How can I stay safe?

Keeping your secret recovery phrase secure is the best and most dependable way to avoid falling victim to sweeper scripts. Without it, malicious actors cannot access your private key and sign transactions that steal your funds.

Consider buying a hardware wallet. Popular options include Ledger and Trezor. Hardware wallets are termed "cold" wallets as they store your private keys completely offline, a considerable obstacle to hackers.

As with most things web3, you should also stay sceptical. That is to say, whenever you interact with Dapps, do not assume they are reputable and trustworthy. Always do your research and make sure you are comfortable with the risks.

See also: What to do if you have a sweeper bot on your account

Article information

Author: Catherine Tremblay
