Solana's biggest sandwich attacker earns $30 million in 2 months, sparks outrage

Author: Frank, PANews

The world has suffered from MEV for a long time.

Although there are complaints, MEV robots have not yet been restricted. Instead, they are still relying on "sandwich attacks" to accumulate endless wealth.

On June 16, a researcher named Ben exposed a sandwich attack bot (hereinafter referred to as arsc) with an address starting with arsc on social media, which made more than 30 million US dollars in 2 months. PANews conducted an in-depth analysis of the behavior and operation of this MEV robot to analyze how “arsc” achieved tens of millions of wealth.

Gathering sand into a tower, attacking indiscriminately

A “sandwich attack” is a market manipulation strategy in which the attacker inserts his own transactions into blockchain transactions in order to profit from price changes caused by the victim’s transactions.

Since the Solana browser can only view the last 1000 transactions of the day, we were only able to capture transactions within a close to 20-minute period from 15:38 to 16:00 on April 21st arsc. During this time, the bot made 494 transactions, and the initial SOL balance was 449, and after 20 minutes, the number of balances increased to 465. That is to say, in just about 20 minutes, the arsc address completed the income of 16 SOLs through the sandwich attack. At this rate, its daily income was about 1152 SOLs. According to the price of SOL at the time, it was about 150 US dollars. Calculated, the daily income can reach 172,800 US dollars.

PANews counted the last 100 transactions of arsc and found that the average investment in arsc per time was about $6,990, the average return on a single transaction was about $38, and the average return on a single transaction was about 3.44%. Orders as small as $43 and as large as $160,000 can be targeted. The higher the regular value of the order, the higher the single income. For an order of US$160,000, the profit from a single order reached US$1,200, which can be described as an indiscriminate attack.

(arsc partial transaction records and income)

As the principal of arsc increases, its profit rate also increases steadily. On April 22, among the 492 attacks within half an hour, the profit amount reached 63 SOL, and the single-day profit level increased to about 3,000 SOL, which was about 2 times that of the previous day. In fact, in the 2 months of record, arsc made a total profit of 209,500 SOL, with an average profit of 3,800 SOL per day, and an average daily income of approximately US$570,000. This revenue capability even exceeds that of the recently popular MEME coin issuance platform Pump.fun (on June 19, Pump.fun’s 24-hour revenue was approximately $557,000).

The attacker is a large staker of the super validator

In total, this address profited from the sandwich attack and subsequently transferred 209,500 SOLs to the address 9973hWbcumZNeKd4UxW1wT892rcdHQNwjfnz8KwzyWp6 (hereinafter referred to as 9973), worth approximately US$31.425 million (at a price of US$150). Subsequently, the 9973 address transferred 124,400 SOLs to the Ai4zqY7gjyAPhtUsGnCfabM5oHcZLt3htjpSoUKvxkkt address (hereinafter referred to as Ai4z), and Ai4z sold these SOL tokens into USDC through a decentralized exchange.

In addition, the Ai4z address also pledged its SOL to several Solana verifiers, including 11,001 SOL to Laine, 8,579 to Jito, 4,908 to Pumpkin's, 2,467 to Jupiter, and Marinade, Blazestake has about 800 each.

Among them, the total number of pledged tokens on laineSOL is 190,000, and the Ai4z address is the largest individual pledge user of Laine, accounting for 5.73%, second only to the largest holding address of an exchange. laineSOL is a pledge equity issued by the verifier. By holding this token, users can stake their votes while also earning DeFi benefits. However, there is currently no evidence to show whether this staking behavior will indicate that Laine has other additional relationships with the attacker, but to some extent the two have certain interests tied together. Laine is one of the main validators on the Solana chain and was previously a major supporter of the push for Solana to issue 100% priority fees to validators. (Related reading: Behind Solana’s vote to award 100% priority fees to validators, community disputes continue to highlight governance issues)

Why sandwich attacks on Solana keep happening

From a fundamental perspective, MEV on Solana is a new business. Prior to the release of Jito, the MEV reward protocol, MEV data on Solana was almost negligible. After Jito launched the MEV reward scheme, more than 66% of validators have now run the Jito-Solana client. The feature of this client is that it allows users to pay extra consumption (Tip) to the verifier to allow the verifier to run the bundled transaction package first. In addition, Jito also runs a mempool, which can be used by sandwich attackers to monitor user-initiated transactions. In March, Jito announced that it would temporarily shut down mempool to reduce sandwich attacks, but MEV robots can still monitor transactions by running RPC nodes.

In essence, MEV is not a useless design. A large number of spam attacks can be avoided through priority fees and other methods, which plays a certain role in maintaining the health of the blockchain network. However, Solana’s current model of monitoring user transactions and allowing tip payers to package transactions still leaves loopholes for “sandwich attacks” to exploit.

The Solana Foundation previously announced on June 10 that it had removed more than 30 validators involved in the sandwich attack. But in terms of effectiveness, this governance plan did not play a big role. By investigating arsc’s transaction process, PANews found that many of the validators it uses when conducting “sandwich attacks” are large validators such as Laine, Jito, and Jupiter. The attacks at this address only stopped on June 14, and it seems that they were not affected by the Solana Foundation’s punishment governance. (Related reading: The Solana Foundation takes action on MEV validators, but the community does not buy it and complains about the centralization of governance)

"Sandwich attacks" can also be punished by law

Is conducting a "sandwich attack" really a risk-free arbitrage? The answer is no. Cases have shown that such grabbing behavior may have legal risks.

In May of this year, the U.S. Department of Justice announced that two brothers, Anton and James Pepaire-Bueno, were arrested for allegedly stealing $25 million in cryptocurrency through a sophisticated arbitrage bot vulnerability on Ethereum.

Perhaps due to judicial risks, the arsc address seems to have suspended the sandwich attack and is trying to hide evidence of previous attacks by using thousands of small transactions to refresh Solana browser records. However, the related assets of this address are still on the chain and have not yet been transferred to any centralized exchange.

Arsc's clamping has so far sparked public outrage, with hundreds of tweets offering bounties to track down the person behind the address. Perhaps, in the near future, the moment this mysterious attacker "reveals his prototype" will also be the time when he faces severe judicial punishment.

(The above content is excerpted and reprinted with the authorization of our partner PANews, original text link)

Statement: The article only represents the author's personal views and opinions, and does not represent the objective views and positions of the blockchain. All contents and opinions are for reference only and do not constitute investment advice. Investors should make their own decisions and transactions, and the author and Blockchain Client will not be held responsible for any direct or indirect losses caused by investors' transactions.

〈Make 30 million US dollars in 2 months, Solana’s biggest sandwich attacker attracts public outrage〉 This article was first published in "Blocker".