Earning $30 million in 2 months: why "sandwich attacks" on Solana persist despite repeated bans

PANews
2024-06-20 11:31:48
The earning capacity of the arsc sandwich attack bot even surpasses that of the recently popular MEME coin issuance platform Pump.fun.

Author: Frank, PANews

The world has long suffered from MEV.

Despite the widespread complaints, MEV bots have not been restricted; instead, they continue to accumulate wealth through "sandwich attacks."

On June 16, a researcher named Ben exposed a sandwich attack bot with an address starting with arsc, which earned over $30 million in just two months. PANews conducted an in-depth analysis of this MEV bot's behavior and operations to uncover how it achieved tens of millions in wealth.

Accumulating Wealth Through Indiscriminate Attacks

A "sandwich attack" is a market manipulation strategy where the attacker inserts their transactions before and after a victim's transaction on the blockchain, aiming to profit from the price changes caused by the victim's transaction.
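The pattern defined above can be looked for in ordered swap records. The following is an added detection example, not code from PANews or any Solana project; the `Swap` record layout, the `find_sandwiches` helper and the sample rows are constructed assumptions, and real explorer or RPC data would need to be mapped into this shape first.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Swap:               # hypothetical, simplified record of one swap
    slot: int             # slot (block) the transaction landed in
    index: int            # position of the transaction inside that slot
    signer: str           # trader address
    pool: str             # liquidity pool identifier
    side: str             # "buy" = SOL in, token out; "sell" = token in, SOL out
    sol: float            # SOL spent (buy) or received (sell)
    tokens: float         # tokens received (buy) or spent (sell)

def find_sandwiches(swaps, max_gap=3):
    """Return (front, victims, back, profit_sol) for every buy / victim / sell
    sequence by one signer on one pool in one slot, with at most max_gap
    swaps between the front-run and the back-run."""
    groups = defaultdict(list)
    for s in swaps:
        groups[(s.slot, s.pool)].append(s)
    hits = []
    for group in groups.values():
        group.sort(key=lambda s: s.index)
        for i, front in enumerate(group):
            if front.side != "buy":
                continue
            for k in range(i + 2, min(i + 2 + max_gap, len(group))):
                back = group[k]
                # Back-run: the same signer sells roughly what it just bought.
                if (back.signer != front.signer or back.side != "sell"
                        or abs(back.tokens - front.tokens) > 0.01 * front.tokens):
                    continue
                # Victims: other signers who bought at the inflated price.
                victims = [v for v in group[i + 1:k]
                           if v.signer != front.signer and v.side == "buy"]
                if victims:
                    hits.append((front, victims, back,
                                 round(back.sol - front.sol, 6)))
                break
    return hits

# Constructed sample data: one sandwich in slot 100, none in slot 101.
SAMPLE = [
    Swap(100, 0, "BotA", "POOL1", "buy", 10.0, 1000.0),
    Swap(100, 1, "User1", "POOL1", "buy", 50.0, 4500.0),
    Swap(100, 2, "BotA", "POOL1", "sell", 10.6, 1000.0),
    Swap(100, 3, "User2", "POOL1", "sell", 5.0, 520.0),
    Swap(101, 0, "User3", "POOL1", "buy", 2.0, 190.0),
    Swap(101, 1, "User4", "POOL2", "buy", 1.0, 300.0),
    Swap(101, 2, "User3", "POOL1", "sell", 1.9, 190.0),
]
```

The round trip by `User3` in slot 101 is not flagged because no other signer traded on the same pool between its two swaps.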

Since the Solana explorer can only view the last 1,000 transactions of the day, we could initially capture transactions from arsc between 15:38 and 16:00 on April 21, a period of nearly 20 minutes. During this time, the bot executed 494 transactions, starting with an initial SOL balance of 449, which increased to 465 after 20 minutes. In just about 20 minutes, the arsc address earned 16 SOL through sandwich attacks, which translates to an estimated daily income of about 1,152 SOL. With SOL priced at around $150 at that time, the daily income could reach $172,800.

PANews found that in the last 100 transactions of arsc, the average amount invested per transaction was approximately $6,990, with an average profit of about $38 per transaction, resulting in an average return rate of about 3.44%. Orders ranged from as low as $43 to as high as $160,000, with higher-value orders yielding higher profits. For instance, a single transaction targeting a $160,000 order generated a profit of $1,200. This can be described as an indiscriminate attack.

(Caption: Some transaction records and profits of arsc)

As the principal amount of arsc increased, its profit rate also steadily rose. On April 22, during a half-hour period, the bot executed 492 attacks, earning 63 SOL, with daily profits reaching around 3,000 SOL, doubling from the previous day. In fact, over the recorded two months, arsc profited a total of 209,500 SOL, averaging 3,800 SOL per day, with daily income around $570,000. This earning capacity even surpassed that of the recently popular MEME coin issuance platform Pump.fun (on June 19, Pump.fun's 24-hour income was about $557,000).

The Attacker is a Major Staker of Super Validators

After profiting from sandwich attacks, this address transferred a total of 209,500 SOL to the address 9973hWbcumZNeKd4UxW1wT892rcdHQNwjfnz8KwzyWp6 (hereinafter referred to as 9973), valued at approximately $31.425 million (based on a $150 price). Subsequently, the 9973 address transferred 124,400 SOL to the address Ai4zqY7gjyAPhtUsGnCfabM5oHcZLt3htjpSoUKvxkkt (hereinafter Ai4z), which then sold these SOL tokens for USDC through a decentralized exchange.

In addition, the Ai4z address staked its SOL with several Solana validators, including 11,001 SOL with Laine, 8,579 SOL with Jito, 4,908 SOL with Pumpkin, and 2,467 SOL with Jupiter, along with approximately 800 SOL each with Marinade and Blaze.

Among these, the total staked on laineSOL amounted to 190,000 tokens, with the Ai4z address being the largest individual staker for Laine, accounting for 5.73%, second only to the largest holding address of a certain exchange. laineSOL is a staking token issued by validators, allowing users to stake and vote while earning DeFi rewards. There is currently no evidence that this staking indicates any additional relationship between Laine and the attacker, although it does tie the interests of the two together to some degree. Laine is one of the main validators on the Solana chain and was previously a major supporter of Solana's initiative to allocate 100% of priority fees to validators. (Related reading: Solana's vote to allocate 100% of priority fee rewards to validators highlights governance issues amid community controversy)

Why Sandwich Attacks on Solana Persist

At its core, MEV on Solana can be considered a new business. Before the issuance of the MEV reward protocol Jito, MEV data on Solana was almost negligible. After Jito introduced the MEV reward scheme, over 66% of validators are now running the Jito-Solana client. This client allows users to pay additional fees (tips) to validators to prioritize their bundled transactions. Additionally, Jito operates a mempool that can be used by sandwich attackers to monitor user-initiated transaction content. In March, Jito announced a temporary closure of the mempool to reduce sandwich attacks, but MEV bots can still listen to transactions by running an RPC node.

Essentially, MEV is not a design without merit. By using priority fees, it can prevent a significant amount of spam attacks and plays a role in maintaining the health of the blockchain network. However, the current ability to monitor user transactions and the model allowing tip payers to bundle transactions still leaves vulnerabilities for "sandwich attacks."

The Solana Foundation previously announced on June 10 that it had removed over 30 validators involved in sandwich attacks. However, this governance measure has not proven to be very effective. PANews' investigation into arsc's transaction process shows that many of the validators chosen for its "sandwich attacks" are large validators like Laine, Jito, and Jupiter. Moreover, the address's attacking behavior continued until June 14, seemingly unaffected by the Solana Foundation's punitive governance. (Related reading: Solana Foundation takes action against MEV validators, but the community remains skeptical and criticizes centralized governance)

"Sandwich Attacks" Can Also Face Judicial Sanctions

Is conducting a "sandwich attack" truly a risk-free arbitrage? The answer is no; there are already cases indicating that such predatory behavior may carry legal risks.

In May of this year, the U.S. Department of Justice announced the arrest of brothers Anton Peraire-Bueno and James Peraire-Bueno for allegedly stealing $25 million in cryptocurrency through complex arbitrage bot exploits on Ethereum.

Perhaps considering the judicial risks, the arsc address seems to have paused its sandwich attacks and is attempting to hide evidence of its previous attacks by utilizing thousands of small transactions to refresh the Solana explorer records. However, the related assets of this address remain on-chain and have not been transferred to any centralized exchanges.

Currently, the actions of arsc have sparked public outrage, with hundreds of tweets on Twitter offering bounties to track down the individuals behind this address. Perhaps, in the near future, the moment when this mysterious attacker "reveals their true identity" will also be when they face serious judicial penalties.
