🥪 MEV Monitor: Solana Sandwich Attacks
fknmarqu
0x7c85
April 30th, 2025

Table of Contents

  1. Introduction

  2. tl;dr

  3. The Financial Impact: Quantifying the Drain & Costs

    3.1 Overall Scale of Value Extraction

    3.2 Attacker Economics: Costs vs. Profitability

    3.3 User Costs: Direct Losses and Transaction Fees

    3.4 Temporal Impact Trends

    3.5 Summary of Financial Implications

  4. Who & How: The Attacker Landscape & Strategies

    4.1 The Dual Challenge: Attribution & Ecosystem Complexity

    4.2 Attacker Economics as a Behavioral Proxy

    4.3 Diverse Execution Methods & Infrastructure Insights

    4.4 Inferred Competition & Ecosystem Dynamics

    4.5 Implications for Understanding & Mitigation

  5. Where & When: Attack Patterns & Hotspots

    5.1 Temporal Patterns: When Do Attacks Occur?

    5.2 DEX Hotspots: Which Platforms Are Targeted Most?

    5.3 Token Pair Hotspots: Which Assets Are Targeted Most?

    5.4 Connecting Targets and Timing

    5.5 Summary of Patterns and Implications

  6. The Role of Network Infrastructure: Validator Incentives

    6.1 Overall Validator Revenue from Measured Sandwich Activity

    6.2 Per-Validator Revenue Distribution & Concentration

    6.3 Financial Incentives from Measured Sources

    6.4 Implications: Validator Role & Ecosystem Health

  7. Methodology, Data Interpretation & Limitations

    7.1 Data Source and Scope

    7.2 Key Definitions and Metrics Used

    7.3 Analysis Methodology

    7.4 Limitations and Caveats

  8. Conclusion & Implications

    8.1 Summary of Key Findings

    8.2 Implications for Stakeholders

    8.3 Relevance to Ecosystem Goals

    8.4 Areas for Further Research & Mitigation Context

    8.5 Final Concluding Statement

1. Introduction

Maximal Extractable Value (MEV) presents a complex challenge within blockchain ecosystems. On the Solana network, certain MEV practices, particularly malicious sandwich attacks, pose a significant threat to user confidence and network fairness. These attacks exploit transaction ordering by placing bids before (front-running) and after (back-running) a user's trade, manipulating prices to the attacker's advantage. This typically results in unfavorable execution prices and a diminished experience for the targeted user, effectively siphoning value from ordinary participants to sophisticated exploiters. While the existence of such activities is known, their precise scale, the actors involved, and the specific ecosystem vulnerabilities they exploit often remain obscured.

In response to the Helius "[REDACTED]" Hackathon's call for greater transparency regarding malicious MEV, the "MEV Monitor: Solana Sandwich Attacks" dashboard was developed. It serves as a public, open-source tool designed to surface and quantify this specific type of MEV activity on Solana.

This report leverages data captured by the MEV Monitor over a recent 7-day period to provide an overview of current sandwich attack dynamics. The primary objective is to analyze this recent activity and discuss its tangible implications for users, decentralized protocols (particularly DEXs), and the overall health and integrity of the Solana network. The analysis examines the financial impact of these attacks, the observable behaviors and methods of attackers, the specific platforms and assets most frequently targeted, and the role of validator incentives in this ecosystem. By exploring these facets, the report aims to foster a deeper understanding of the current state of sandwich MEV on Solana and inform ongoing discussions about network fairness and potential mitigation strategies.

2. tl;dr

This report analyzes recent sandwich attack activity on the Solana network using data from the MEV Monitor dashboard over a 7-day period. The analysis reveals that sandwich attacks remain a notable factor in the Solana DeFi ecosystem, imposing tangible costs on users and highlighting specific areas of vulnerability, with activity peaking during hours corresponding to US and European market overlap.

Over the observed week, 87,061 identified sandwich attacks resulted in over $620k USD in directly measurable extracted value from users. Critically, this figure significantly underestimates the true financial impact, as reliable price data is often unavailable for the newly launched and illiquid tokens frequently targeted. While attackers incurred estimated costs of ~$52,656 USD (primarily via Jito tips), the activity appears highly profitable based on the measured data (estimated net profit ~$570k USD), providing clear financial incentives. Users affected face direct value loss and potentially higher transaction fees.

The actors conducting these attacks operate largely anonymously, employing diverse and often complex execution methods that go beyond simple theoretical models. Reliable attribution to specific entities remains challenging due to the use of temporary addresses and varied techniques. Evidence suggests attackers may utilize infrastructure beyond the standard public Jito MEV pathways, exploiting potential alternative mechanisms for transaction ordering and inclusion.

Sandwich activity during this period was highly concentrated. The vast majority of attacks targeted newly launched, low-liquidity tokens, particularly those facilitated by specific launch platforms like Pump.fun and associated DEXs (e.g., pumpswap).

Validators play a crucial role in this ecosystem, earning measurable revenue from the transaction fees and Jito tips associated with including sandwich transactions in blocks they produce. While this analysis only captures revenue from these specific sources, the data indicates that this income stream can be significant for certain validators. This dynamic contributes to broader ecosystem concerns about the potential for MEV-driven stake centralization over time, where validators most active in MEV could disproportionately increase their network influence.

In summary, sandwich attacks, primarily focused on the volatile early moments of new token launches, represent a persistent challenge driven by clear financial incentives. They directly impact user experience and network fairness, highlighting ongoing tensions between MEV capture and ecosystem health on Solana.

3. The Financial Impact: Quantifying the Drain & Costs

Sandwich attacks inflict direct financial costs on users and generate revenue for attackers. This section quantifies these impacts based on data observed over the 7-day period from April 22nd to April 28th, 2025.

3.1 Overall Scale of Value Extraction

During the observed week, a total of 87,061 sandwich attacks were identified. These attacks resulted in approximately $623,647 USD in total reported extracted value (based on summing hourly data). This figure represents the direct financial loss incurred by users due to artificially induced slippage caused by sandwich attacks, based on the available data.

It is crucial to emphasize that this $623k figure significantly underestimates the true scale of value extraction. This underestimation stems from two key factors:

  1. Data Filtering: Filters applied to identify sandwiches accurately (detailed in Section 7.3) inevitably exclude some true sandwich attacks, particularly complex variations.

  2. Pricing Data: The lack of reliable, real-time price feeds for many newly launched/illiquid tokens means profits realized by attackers in these assets are frequently valued at $0 USD in the dataset. The reported USD value primarily reflects profits captured in the paired token (often SOL) and represents only a lower bound of the actual financial drain.

3.2 Attacker Economics: Costs vs. Profitability

Attackers incur costs primarily through transaction fees (FR Tx. Fees, BR Tx. Fees) and Jito tips (Jito Tips) paid for transaction inclusion and ordering. Over the 7-day period, the total measured costs for attackers amounted to approximately 353.73 SOL (~$52,656 USD based on an average SOL price of ~$148.86 for the period), calculated from the dedicated hourly cost data. Jito tips constituted the vast majority of these costs (~352 SOL), with transaction fees being relatively minor (~1.2 SOL).

Comparing costs to the reported extracted value (~$623k USD) yields an estimated Attacker Net Profit of ~$570,991 USD. The direct costs represented only ~8.4% of the reported extracted value, suggesting high profitability on successful, measured attacks. However, this calculation relies on the underestimated extracted value and only accounts for successful, measured attacks; it does not factor in costs from failed attempts or potential losses if attackers themselves become targets of MEV.

3.3 User Costs: Direct Losses and Transaction Fees

The primary cost for users is the direct loss of value through unfavorable execution prices, estimated at ~$623k USD (the underestimated Extracted Value). Additionally, users whose transactions were sandwiched incurred their own transaction fees and potentially Jito tips.

Over the period, victims paid approximately 103 SOL in total fees and tips associated with the sandwiched transactions (~62.69 SOL fees, ~40 SOL tips). Based on the 87,061 identified sandwiches, the average cost per sandwich event paid by victims (~0.00117 SOL) was considerably lower than the average cost paid by attackers (~0.00406 SOL). This is likely because attackers often bundle multiple transactions incurring costs for each, while the victim cost relates to a single swap transaction. Still, these fees represent an additional layer of cost for users caught in these attacks. Furthermore, qualitative impacts like subsequent transaction failures due to squeezed slippage remain an unquantified cost to user experience.

3.4 Temporal Impact Trends

The financial impact of sandwich attacks is not uniform throughout the day. Analysis of hourly data reveals that the Total Reported Extracted Value (USD) shows a distinct peak between 14:00 and 20:00 UTC, with a particularly notable spike around 19:00 UTC. This pattern closely mirrors the peak hours observed for both the frequency of sandwich attacks (Section 5.1) and the total attacker costs paid (fees and tips). This indicates that the period corresponding to US and European market overlap experiences not only the highest volume of attacks but also the most significant financial drain from users.

3.5 Summary of Financial Implications

In summary, sandwich attacks represent a significant drain of value on the Solana ecosystem over the observed week, even based on significantly underestimated figures (~$623k USD reported). While attackers incur measurable costs (~$53k USD), the activity appears highly profitable based on reported data. Users bear the brunt of this through direct value extraction and associated transaction costs. The concentration of this financial impact during specific peak hours further highlights periods of heightened risk for DeFi participants.

4. Who & How: The Attacker Landscape & Strategies

Understanding the actors behind sandwich attacks and the methods they employ is crucial, yet challenging due to the nature of on-chain activity and the complexity of MEV strategies. This section explores the observable characteristics of attackers and their execution techniques, acknowledging the inherent difficulties in attribution and the potentially diverse infrastructure involved.

4.1 The Dual Challenge: Attribution & Ecosystem Complexity

Reliably attributing sandwich attacks to specific, persistent actors remains a significant hurdle. While the signing addresses for frontrun and backrun transactions are visible, analysis indicates these are often ephemeral 'burner' wallets, changed frequently to obscure the larger picture of an individual attacker's operations. While identifying custom on-chain programs consistently used by an attacker could offer a more reliable attribution method, many sandwich attacks are executed without unique program IDs, using varied techniques that further complicate tracking. This inherent anonymity makes it difficult to definitively assess market structure (i.e., dominance by a few large players versus many smaller ones) or track the evolution of sophisticated actors. Furthermore, the complexity and variability of execution methods add another layer to the analytical challenge.

4.2 Attacker Economics as a Behavioral Proxy

While direct identification is difficult, analyzing the costs attackers incur provides insights into their behavior. Attackers primarily spend SOL on transaction fees and Jito tips. While attackers would likely pay necessary base fees regardless, the significant expenditure on Jito tips (~352 SOL vs ~1.2 SOL in base fees over the 7 days) highlights a preference driven by mechanism, not just cost. Tips enable attackers to use Jito bundles, which guarantee atomic execution and sequential ordering for their frontrun, victim interaction (implicitly), and backrun transactions. This greatly increases the probability of successfully landing the full sandwich strategy, a guarantee that priority fees alone do not offer. The high total value of tips paid reflects the value attackers place on this execution certainty, especially during peak activity hours (14:00-20:00 UTC). However, precise cost-per-sandwich analysis remains complicated by factors like split backruns where full costs may not be captured, and the third-party tipping issue discussed below.

4.3 Diverse Execution Methods & Infrastructure Insights

Real-world sandwich attacks often deviate from simple theoretical models, employing a variety of techniques:

  • 4.3.1 Beyond the Basic Sandwich: Some attacks involve initial setup transactions to prepare conditions, adding steps beyond the core frontrun-victim-backrun sequence.

  • 4.3.2 The Split Backrun Case: A notable technique involves the attacker splitting their backrun swap into two (or more) separate, successive transactions within the same block. The current dashboard methodology struggles to capture the full profit/loss and associated costs (especially tips paid after the second part) of these multi-part backruns. To mitigate resulting data noise, sandwiches appearing significantly unprofitable (< -0.05 SOL extracted value, based on the median) were filtered from certain value analyses, meaning a subset of these complex attacks are excluded from those specific results.

  • 4.3.3 Jito Tip Placement Strategies & Risks: Attackers exhibit strategic choices in how they pay Jito tips – including them with the frontrun, with the backrun, or as a separate transaction within the bundle. The risk associated with placing the tip later (e.g., on the backrun) relates primarily to the possibility of the original block becoming uncled. If this happens, the atomicity guarantee of the bundle relative to the canonical chain state can be compromised. Transactions from the original bundle (excluding the one with the tip) might be executed individually or re-bundled by other searchers in the new context, potentially exposing the initial attacker to losses. Analysis of known bot strategies (e.g., the previously studied vpeN...and E6Yo... bots) has illustrated this specific risk trade-off.

  • 4.3.4 Third-Party Tips & Data Gaps: The observation of Jito tips for sandwich bundles sometimes being paid by an address different from the frontrun/backrun signer adds another layer of complexity. Associating these tips correctly is difficult; simply matching based on transaction proximity (e.g., +/- 1 index) can lead to numerous false positives. Accurate attribution would require access to Jito's private bundle data, which is currently unavailable for this analysis, hindering precise cost accounting.

  • 4.3.5 Questioning Jito's Exclusivity: Evidence of Alternative MEV Pathways: While Jito provides the most well-known infrastructure for MEV on Solana, observations suggest it may not be the sole pathway for sandwich attacks.

    • Successful Priority-Fee-Only Sandwiches: The consistent success of some attackers landing sandwiches using only priority fees is noteworthy, as standard priority fees do not guarantee the deterministic atomic ordering typically required, unlike Jito bundles. This strongly suggests these attackers leverage non-standard mechanisms, potentially including private order flow agreements with validators, modified validator clients, or other non-Jito block-building infrastructure.

    • Sandwiching of Jito-Tipped/"Protected" Swaps: Instances where user transactions paying Jito tips (which should receive ordering protection within Jito's system) are still sandwiched, sometimes by attackers paying only priority fees, directly contradict expected Jito behavior. This provides compelling evidence for MEV pathways operating outside or bypassing the standard Jito block engine/relay system.

4.4 Inferred Competition & Ecosystem Dynamics

The significant costs attackers are willing to pay (especially high Jito tips during peak hours for bundle guarantees) and the inherent risks (like exposure during uncled slots) point towards a highly competitive environment where actors vie for profitable opportunities.

4.5 Implications for Understanding & Mitigation

The attacker landscape appears to be characterized by anonymity, strategic diversity, technical sophistication, and the use of infrastructure potentially spanning both public (Jito) and private/alternative pathways. This makes comprehensive monitoring and targeted mitigation difficult. It suggests that effective defenses may need to focus more on protocol-level changes, DEX-specific designs that resist manipulation (discussed further in Section 5), and validator conduct rather than solely attempting to block constantly changing attacker addresses. The analysis presented, while insightful, captures a close approximation based on available data and known limitations, particularly regarding the full extent of non-Jito MEV facilitation.

5. Where & When: Attack Patterns & Hotspots

Analyzing where sandwich attacks concentrate and the timing of their occurrence helps illustrate the dynamics of this MEV activity within the Solana ecosystem. While temporal patterns primarily reflect periods of higher user activity (creating more sandwich opportunities), understanding these patterns alongside the specific platform and asset targets provides valuable context for protocols and observers. This section analyzes these patterns based on the 7-day data snapshot.

5.1 Temporal Patterns: When Do Attacks Occur?

Sandwich attack activity is not evenly distributed throughout the day. Analysis of hourly data (sandwich counts, attacker costs, and extracted value) reveals distinct cyclical patterns, likely influenced by global market activity:

  • Peak Activity Window: A pronounced peak in activity occurs consistently between 14:00 and 20:00 UTC. This period, corresponding to the overlap of US and European market hours, sees the highest frequency of attacks, the largest amount of value extracted, and the highest expenditure by attackers (fees and tips). Variability exists within this window, with particularly notable spikes observed around 19:00 and 22:00 UTC in the dataset.

  • Trough Period: Conversely, activity significantly dips during the early UTC morning hours, roughly between 04:00 and 08:00 UTC.

While knowing these peak times doesn't necessarily allow individual users to perfectly avoid risk (as vulnerable transactions can be targeted anytime), it highlights periods where the overall volume of sandwich activity is highest, potentially informing protocol-level monitoring or adaptive defense mechanisms.

5.2 DEX Hotspots: Which Platforms Are Targeted Most?

Analysis of sandwich activity across different Decentralized Exchange (DEX) programs reveals a strong concentration on platforms associated with new token launches and established high-volume venues:

  • Dominant Platforms: Based on the latest 7-day data, platforms associated with Pump.fun dominate. This includes both the initial launchpad (pump.fun, ID: 6EF8...) and its associated swap platform (pumpswap, ID: pAMM...), which handles tokens after they graduate from the initial bonding curve. Together, they rank highest in both the sheer number of sandwich attacks: pumpswap saw the highest count (~56k sandwiches) while pump.fun saw the highest reported extracted value (~$241k USD). This highlights the intense focus of sandwich bots on the volatile environment surrounding memecoin launches facilitated by this ecosystem.

  • Established DEX Activity: Raydium Liquidity Pool V4 (ID: 675k...) also features prominently, ranking high in sandwich count (~13.5k) and reported extracted value (~$175k USD). This reflects its position as a major DEX on Solana, likely seeing attacks targeted at pairs with established volume and liquidity. Raydium's other programs, like the constant product market maker (ID: CPMM...) and concentrated liquidity (ID: CAMM...), also experience sandwich activity, albeit at lower levels.

  • The Underestimation Caveat: It is crucial to remember that the reported USD values significantly underestimate the true value extracted, especially on platforms like pumpswap and pump.fun where many targeted tokens lack reliable pricing data.

  • Why Aren't All DEXs Targeted Equally? The lower prevalence of sandwich attacks on certain other DEXs or specific pool types might stem from several factors. These can include different AMM designs (e.g., Request-for-Quote systems, more complex order book logic, or liquidity management strategies in CLMMs), lower trading volumes in susceptible pairs, or the implementation of specific MEV mitigation techniques by the DEX protocol itself.

5.3 Token Pair Hotspots: Which Assets Are Targeted Most?

The concentration of attacks becomes even starker when examining individual token pairs:

  • Dominance of New Launches: The top pairs by both sandwich count and reported extracted value overwhelmingly involve newly launched tokens paired against SOL. These are often identifiable by platform-specific suffixes in their addresses, such as ...pump for tokens originating from the Pump.fun platform or ...bonk for those associated with the Letsbonk.Fun platform (which utilizes Raydium's Launch Lab). Illustrating this, pairs like 6RLih...Npump-SOL (~2.3k count), CoXB4...mpump-SOL (~1.5k count), and Dfwxy...Ypump-SOL (~1.3k count) were among the most frequently sandwiched based on the latest data. In terms of reported extracted value, the top ranks featured pairs involving the newly launched LETSBONK token (LETSBONK-SOL, ~$13k reported extracted value) and other tokens with the .bonk suffix like 93a1t...Sbonk-SOL (~$9k). The consistent targeting of tokens launched via different platforms indicates that new platforms replicating similar launch mechanics inherit these MEV vulnerabilities.

  • Target Characteristics: This data strongly confirms that attackers focus intensely on the initial moments of a token's lifecycle, exploiting the characteristic low liquidity and high speculative volume/volatility common to memecoin launches.

  • Value Underestimation (Critical): For these newly launched pairs, the reported EXTRACTED_VALUE_USD is particularly unreliable and represents a bare minimum. The value attackers gain in the new token itself is often unpriced (reported as $0 USD), meaning the true profit and corresponding user loss could be substantially higher depending on the token's subsequent price movement.

5.4 Connecting Targets and Timing

The concentration of attacks on new token launches suggests that peaks in activity likely correlate not just with general market hours but potentially also with periods of intense community focus or specific launch windows for highly anticipated memecoins, occurring predominantly within the broader 14:00-20:00 UTC peak window.

5.5 Summary of Patterns and Implications

Sandwich attack activity in the observed period was heavily concentrated, targeting specific asset types (newly launched, low-liquidity tokens) on particular platforms (launchpads like Pump.fun/pumpswap, high-volume DEXs like Raydium V4) during distinct peak hours (14:00-20:00 UTC). This concentration creates periods and locations of significantly heightened risk. While providing opportunities for attackers, it simultaneously degrades the user experience on these platforms and underscores the challenge for DEXs in balancing open access with manipulation resistance, especially for highly volatile assets. The reported financial figures, while substantial, likely only scratch the surface of the true value extracted due to data limitations.

6. The Role of Network Infrastructure: Validator Incentives

Validators, as the producers of blocks on the Solana network, play an essential role in the transaction supply chain, including the processing of MEV-related transactions like sandwiches. Their actions are significantly influenced by economic incentives, which this section explores based on the measured revenue streams associated with sandwich attack facilitation.

6.1 Overall Validator Revenue from Measured Sandwich Activity

Including sandwich transactions in blocks generates direct revenue for validators through native transaction fees and Jito tips paid by attackers. For Jito tips, it's understood that validators receive the amount net of a fee retained by the Jito infrastructure (reportedly 6%). Applying this standard 6% fee to the total Jito tips paid by attackers (calculated at ~352.5 SOL from dedicated cost data) and adding the associated transaction fees (~1.2 SOL) yields an estimated ~333 SOL in total revenue received collectively by validators from facilitating sandwich attacks over the 7-day period.

Crucially, this revenue figure solely reflects native transaction fees and net Jito tips. It does not account for potential earnings validators might derive from facilitating MEV through alternative or private pathways (as discussed in Section 4.3.5), representing only a lower bound of the total financial incentive potentially available to validators from measured MEV sources. Analysis of hourly data indicates validator earnings peak concurrently with overall sandwich activity (14:00-20:00 UTC).

6.2 Per-Validator Revenue Distribution & Concentration

While the overall revenue attributed to sandwich facilitation is significant, its distribution among validators is uneven. The analysis below is based on the reported net revenue (fees + net tips received) directly attributed to individual validators in the leaderboard data (summing to ~333 SOL across all validators).

  • Activity Concentration: A notable portion of the ~87,061 sandwich attacks occurred in blocks produced by a relatively small subset of validators. The top validator (6dwKX2BK..., listed as 'private') included nearly 2,500 blocks containing sandwiches, substantially more than other highly active validators in the top 5 by this metric, which included large operations like Binance Staking (DRpbCBMx...), Helius (HEL1USMZ...), Galaxy (DtdSSG8Z...), and Ledger by Figment (q9XWcZ7T...).

  • Revenue Concentration: The measured revenue received is similarly concentrated. The same top validator (6dwKX2BK...) also received the highest reported net revenue (~21.3 SOL), more than double the next highest (7bLCyBuF..., ~9.9 SOL).

  • Reliance on Sandwich Revenue: The proportion of a validator's total measured fee/tip revenue derived from sandwiches (Sw. Fees & Tips Pct.) varies dramatically. While for many large validators this percentage is very low (< 0.5%), several smaller or potentially MEV-focused validators show a much higher reliance based on the reported data. The top 5 by this metric derived between ~7.5% and ~11.9% (led by 4BevYSu... / 'MV 0feeMEV' at ~11.86%) of their measured income from sandwich fees and tips during this period, indicating a significant reliance for some operators.

6.3 Financial Incentives from Measured Sources

The estimated ~333 SOL earned collectively, and the high reliance demonstrated by certain validators based on reported figures, highlights a clear financial incentive derived from including sandwich transactions via standard fees and Jito tips. This incentive structure influences validator behavior regarding transaction inclusion.

6.4 Implications: Validator Role & Ecosystem Health

The financial incentives associated with MEV create a complex dynamic for the Solana network. The mechanism by which validators earning disproportionately high rewards (including MEV revenue) can potentially compound their stake faster than others is a recognized concern regarding long-term network decentralization. While the revenue measured here is limited in scope, it represents a tangible factor contributing to these incentive structures and potential centralization pressures. The observed variation in validator reliance on this income underscores diverse operational strategies. Addressing the potential negative externalities of user-harming MEV while maintaining robust validator economics remains an ongoing challenge, reflected in ecosystem discussions around validator conduct, application-layer defenses, and potential protocol-level changes.

7. Methodology, Data Interpretation & Limitations

This section outlines the methodology employed in this report, including data sources, key definitions, analysis techniques, and known limitations, to provide context for the findings presented.

7.1 Data Source and Scope

The primary data source for this analysis is the "🥪 MEV Monitor: Solana Sandwich Attacks" dashboard, a public tool developed for the Helius "[REDACTED]" Hackathon to monitor sandwich MEV activity. The analysis covers a 7-day period from 2025-04-22 to 2025-04-28, reflecting a recent snapshot of activity based on the data available at the time of report generation. Data regarding victim transaction costs (fees and tips) was sourced separately but corresponds to the same period and sandwich events identified by the dashboard. All data processing and analysis beyond the dashboard's visualizations were conducted using standard data analysis libraries.

7.2 Key Definitions and Metrics Used

  • Sandwich Attack: Defined based on the dashboard's identification methodology, typically involving the detection of an attacker's front-run and back-run transactions executed immediately before and after a victim's swap transaction within the same block slot, targeting the same token pair.

  • Extracted Value (USD): This core metric, as reported by the dashboard (e.g., in hourly sums or per-pair aggregations), is interpreted throughout this report as representing the attacker's gross profit before their own costs. It is assumed to be equivalent to the additional loss (slippage) incurred by the victim due to the price manipulation caused by the attack. (Caveat: See Section 7.4 regarding significant underestimation).

  • Attacker Costs (SOL/USD): Calculated as the sum of native transaction fees and Jito tips paid by the attacker for the front-run and back-run transactions associated with successful sandwiches. USD estimates use an average SOL price for the period.

  • Attacker Net Profit (USD, est.): Calculated as Total Reported Extracted Value (USD) minus Total Attacker Costs (USD, est.).

  • Validator Sandwich Revenue (SOL): Measured as the sum of native transaction fees and net Jito tips received by validators for including sandwich-related transactions in blocks they produced (based primarily on leaderboard data where available, or calculated assuming a standard Jito fee where specified). (Caveat: See Section 7.4 regarding scope limitation).

  • Victim Costs (SOL): Measured as the sum of native transaction fees and Jito tips paid by the victim for their specific swap transaction that was sandwiched.

7.3 Analysis Methodology

  • Data Aggregation: Analysis relies on aggregated data provided by the dashboard (e.g., hourly summaries, per-DEX/pair totals) and supplementary calculations performed on this data (e.g., summing totals, calculating averages, identifying trends).

  • Sandwich Identification Filters: To improve accuracy and reduce potential false positives, specific filters are applied after initial identification:

    • Backrun Amount Filter: Sandwiches where the amount of the primary token sold by the attacker in the back-run exceeds the amount purchased in the front-run are excluded. This targets potential false positives involving attackers selling unrelated tokens but may also exclude some true sandwiches incorporating overflows or external funding.

    • Split Backrun Filtering: To handle data inconsistencies arising from complex split-backrun attacks (where the dashboard might not capture the full sequence accurately), sandwich records showing an apparent extracted value loss greater than 0.05 SOL (i.e., less than -0.05 SOL, a threshold based on the median extracted value observed during development) were filtered out from certain value-based analyses to reduce noise.

  • Attacker Analysis: Due to attribution challenges, attacker analysis focused on behavioral proxies like cost patterns and execution methods rather than tracking specific bot identities.

  • Temporal/Target Analysis: Standard time-series analysis (identifying peaks/troughs in hourly data) and comparative analysis (ranking DEXs/pairs by activity/value) were used.

7.4 Limitations and Caveats

It is essential to consider the following limitations when interpreting the report's findings:

  • Attacker Attribution: Attributing attacks to persistent actors is inherently challenging. While front-run/back-run transaction signers are visible, these addresses are often temporary ('burner wallets'). Identifying custom on-chain programs used consistently by an attacker is potentially more reliable but not always applicable and may not be fully utilized for attribution within this dashboard's scope.

  • Execution Complexity & Incompleteness: Real-world sandwich methods are diverse (split backruns, setup txs, varied tip strategies, third-party tips). The dashboard provides a "close approximation" based on identifiable patterns but cannot capture every nuance, potentially underreporting activity involving highly complex or novel methods.

  • Pricing & USD Valuation Underestimation: This is a major caveat. The lack of reliable, real-time pricing data for many newly launched/illiquid tokens (especially memecoins) means that all reported USD values (Extracted Value, Profits) significantly underestimate the true financial scale. Profits realized in these tokens are often valued at $0, making reported USD figures a conservative lower bound.

  • Validator Revenue Scope: The reported validator revenue only includes native fees and net Jito tips captured by the dashboard/leaderboard data. It omits potential earnings from alternative/private MEV pathways, meaning the true financial incentive might be higher.

  • Split Backrun Filtering Impact: Filtering out complex split-backrun cases based on the profitability threshold might slightly skew aggregated statistics derived from the remaining dataset.

  • Tip Attribution Issues: Precisely attributing all Jito tips can be difficult, particularly with third-party payers, without access to richer off-chain bundle data.

  • Analysis Focus: The report concentrates specifically on sandwich attacks as defined and captured by the dashboard, not the entirety of MEV activity on Solana.

  • Time Window: The 7-day scope provides a valuable snapshot of recent activity, but observed trends, volumes, and dominant actors may differ significantly over longer time horizons or during different market conditions.

8. Conclusion & Implications

8.1 Summary of Key Findings

This analysis of the "MEV Monitor: Solana Sandwich Attacks" dashboard over a 7-day period (approx. April 22-28, 2025) provides a snapshot of the significant role sandwich attacks currently play within the Solana DeFi ecosystem. Key findings include:

  • Substantial Financial Impact: Over 87,000 sandwich attacks resulted in approximately $623k USD in reported extracted value. This figure represents a tangible cost to users but is confirmed to be a significant underestimation due to the inability to accurately price profits gained in newly launched, illiquid tokens.

  • Profitable Attack Vector: Despite attackers incurring measurable costs (~$53k USD, primarily via ~352 SOL in fees and Jito tips), the activity appears highly profitable based on the reported data (estimated net profit ~$570,991 USD), driving attacker behavior.

  • Target Concentration: Attacks are overwhelmingly concentrated on newly launched, low-liquidity tokens (often memecoins) primarily accessed via specific platforms like Pump.fun/pumpswap and associated DEXs. Established DEXs like Raydium also face activity, but the financial scale appears highest around token launches.

  • Complex & Opaque Actors: Attackers employ diverse, sometimes complex execution methods, operate largely anonymously using ephemeral wallets, and potentially leverage infrastructure beyond the public Jito MEV system, making attribution difficult.

  • Clear Validator Incentives: Validators collectively received significant revenue (estimated at ~333 SOL, net of an assumed 6% Jito fee on tips plus transaction fees) for including these sandwich transactions. While distributed unevenly, this provides a clear economic incentive, with some validators deriving a notable percentage (~8-12%) of their measured income from this source.

  • Temporal Patterns: Activity demonstrates clear hourly peaks, predominantly between 14:00 and 20:00 UTC, correlating with US and European market hours.

8.2 Implications for Stakeholders

The prevalence and nature of these sandwich attacks carry broad implications:

  • For Users: The direct financial cost via extracted value and transaction fees, combined with a degraded trading experience (worse pricing, potential failures), erodes user trust, especially when interacting with new tokens or specific DEX platforms during peak times.

  • For Protocols & DEXs: Platforms facilitating new token launches are clear hotspots, facing reputational risk and usability challenges. DEXs, in general, must contend with MEV undermining fair market principles, driving innovation in AMM design and integrated mitigation features.

  • For Network Health & Fairness: Sandwich attacks represent a form of "MEV tax" on specific types of DeFi activity. Furthermore, the mechanism by which MEV revenue can compound validator stake contributes to recognized concerns about potential long-term stake centralization, impacting network governance and decentralization ideals. The evidence of potentially non-public MEV pathways also raises questions about transparency and equitable access.

8.3 Relevance to Ecosystem Goals

This analysis, facilitated by the MEV Monitor dashboard developed for the Helius “[REDACTED]” Hackathon, contributes to the goal of increasing transparency around malicious MEV. By quantifying the scale (albeit underestimated), identifying hotspots, and analyzing methods, it provides data-driven context for ecosystem participants grappling with these challenges.

8.4 Areas for Further Research & Mitigation Context

While this report provides a valuable snapshot, further research could deepen understanding. Key areas include developing robust methods to value profit in illiquid tokens, investigating the prevalence and impact of non-Jito MEV infrastructure, and conducting longer-term studies to track trends beyond the 7-day window. The findings underscore the importance of ongoing efforts within the Solana ecosystem to mitigate harmful MEV, ranging from application-layer solutions (e.g., improved swap interfaces, RFQ systems) and validator conduct initiatives (e.g., whitelists) to potential longer-term protocol adjustments (e.g., changes to block production mechanisms).

8.5 Final Conclusion

Sandwich attacks remain a significant and dynamic feature of the Solana DeFi landscape, particularly concentrated around the high-risk, high-reward environment of new token launches. Driven by substantial financial incentives for both attackers and, indirectly, the validators who include their transactions, these attacks impose real costs on users and present ongoing challenges to market fairness and network health. Addressing this requires a multi-faceted approach involving continued transparency efforts, user awareness, protocol innovation, and careful consideration of core network incentives.

Subscribe to fknmarqu
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
Verification
This entry has been permanently stored onchain and signed by its creator.
Arweave Transaction
SjSAiQoFSAH5uih…y3ZGg_oC2f9FRH8
Author Address
0x7c855e1bF411Ab5…74E032615073044
Content Digest
mwh7Bkqp_nmsOkW…aRwLQd8zi38HbcY
More from fknmarqu
View All

Skeleton

Skeleton

Skeleton