Solana sandwich attack is back: Priority fees become 'protection fees', 'dark pool' on-chain upgraded again

Author: Frank, PANews

When the Solana ecosystem is experiencing a decline in trading volume due to the decline of MEME, a more hidden crisis is spreading. Recently, many users in the community have complained that even if they pay priority fees (Tips), they still frequently encounter sandwich attacks on-chain, and some validator nodes have even been accused of participating. This phenomenon has exposed the deep-seated contradictions in the Solana ecosystem—MEV (Maximal Extractable Value) has evolved from a technical vulnerability to a systemic harvesting tool.

Data shows that the revenue of a sandwich attacker has surged from $30 million in 2 months to $287 million in 6 months, forcing users to struggle between ‘being squeezed’ and ‘paying higher protection fees.’ Behind this crisis lies the triple strangulation of validators’ interest entanglement, the alienation of priority fee mechanism, and the collapse of user trust.

Sandwich attack industrialization - from guerrilla warfare to assembly line harvesting

Previously, PANews conducted an in-depth investigation into the MEV situation on the Solana chain and exposed the most notorious sandwich attack robot with the prefix arsc at the time, which made a profit of over 30 million USD within 2 months. (Related reading: Making $30 million in 2 months, Solana’s largest sandwich attacker earns $570,000 a day and angers the public)

Months later, what is the current status of the sandwich attack on the Solana chain?

First of all, it is very regrettable that the sandwich attack on the Solana chain has not subsided due to the community’s condemnation and media exposure. Instead, it has changed to a new method and adopted a larger-scale attack matrix.

Taking the previously dug address Ai4zqY7gjyAPhtUsGnCfabM5oHcZLt3htjpSoUKvxkkt as an example, the address was ultimately used on November 15, 2024. According to PANews statistics, the address made a total profit value of approximately $287 million in the six months from May to November.

And in terms of attack methods, there have also been new changes. In order to avoid being tracked, the sandwich attack robots on the Solana chain have switched to using more batch new addresses. And through establishing programs to execute attacks in batches.

Taking this attacking program as an example, the program has 77 addresses, and as of March 12, a total of 429,000 transactions have been made (since it is specifically used for sandwich attacks, all transactions can be considered as attacks). Since one attack requires two transactions to calculate, the program has carried out a total of 215,000 attacks.

Another address 4vJfp62jEzcYFnQ11oBJDgj6ZFrdEwcBBpoadNTpEWys, in the past month, a total of 210,000 attacks were conducted, with approximately $1.6 million transferred to exchanges, averaging a profit of $7.6 per transaction.

In fact, the program that conducts a large number of sandwich attacks every day is much more than half a year ago. It’s just that we can’t get accurate numbers because we can’t do data statistics.

Solana sandwich attack strikes back: Priority fee becomes “protection fee”, on-chain “dark cycle” upgraded

( The embarrassment of priority fees: from “acceleration fees” to “protection fees”

In the face of increasingly frequent attacks, users, although trying to evade risks by using trading bots or increasing priority fees, the priority fee mechanism has been completely alienated - from a tool to improve trading efficiency, it has degenerated into a disguised “on-chain tax”, further burdening users.

The profit goes to the validator nodes that make profits from MEV revenue.

The recently discussed proposal SIMD-0228 attempts to reduce the staking yield of nodes, on the condition that the proposer believes the current MEV revenue is sufficient to cover the costs of these nodes.

Returning to the topic of MEV, people will find a strange Möbius loop. Sandwich attacks drive users to pay priority fees, which can increase node revenue, and some nodes participate in sandwich attacks. When several links are connected, the left and right harvesting strategies of sandwich attackers become the most lucrative profit model on the Solana chain.

But users can only choose between “being squeezed to lose principal” and “paying a higher priority fee”.

Of course, this set of dark gameplay was not taken seriously during the bull market, but because users pay more attention to the wealth effect and major hacker incidents during the bull market. For sandwich attacks or small RUG incidents, the parties involved can only admit that they are unlucky in most cases. Attackers wait to collect money.

) Trading volume collapse leads to a change in clamp mode: from “bundling” to “cutting in line”

But this logic is also changing in the midst of market downturns. According to discussions on social media and PANews’ investigation, a cost-effective sandwich attack is not cheap.

Among these, the largest cost comes from the attackers having to deploy multiple validator nodes globally in order to insert transactions at the earliest opportunity. It is important to note that the logic here does not mean that the attacker’s node must necessarily lead the block to carry out the attack; the key is that when the attacker detects the latest attackable transaction, they need to send the transaction to the node physically closest to the leading block in order to carry out the operation. Typically, deploying a complete set of attack nodes cluster requires millions of dollars in investment.

Such costs also bring certain profit and loss pressure to the sandwich attacker while ensuring a continuous source of income from the attack. As the on-chain transaction volume gradually decreases, the attacker’s income will also decline. Among attackers, stronger competition will also form, with those who can offer higher priority fees potentially occupying a larger market share.

Under this kind of competition, the volume of transactions without priority fees gradually fails to meet the attackers’ goals. Therefore, cases have emerged where multiple transactions paying priority fees as we mentioned earlier are still being attacked.

In this transaction as an example, the victim paid a priority fee of 0.000075 SOL, which seemed not to be attacked in the past. But now the sandwich attacker paid a higher fee, raised to 0.0044 SOL. In this transaction, the user attempted a transaction worth about 5 SOL, with the attacker making off with 0.08 SOL.

Solana sandwich attack strikes back: Priority fee becomes “protection fee”, on-chain “dark loop” upgraded

In fact, according to the investigation of multiple attack transactions, we found that these attacked users generally adopted a priority fee standard of less than 0.001SOL, and therefore were attacked.

In this process, there is also one more point that needs to be explained, that is, the attackers’ tactics have also changed. In the past, sandwich attackers generally used the method of bundling transactions, which is to package those transactions that do not pay the priority fee into a transaction package. In this bundled package, the attackers submitting the transaction can arrange the order arbitrarily. However, now, because most users will pay a certain priority fee, they will not be packaged into other transactions, so it can be observed on the chain. Most of the current sandwich attacks use a non-bundling method, but rather initiate two transactions independently before and after this transaction. Therefore, the amount of priority fee becomes a very critical criterion.

In summary, the evolution of sandwich attacks on the Solana chain has changed from the past, where bundling attacks could be avoided as long as the priority fee was paid, to the possibility of being sandwiched if the priority fee paid is insufficient.

For users, the next choice is no longer whether to pay priority fees, but whether the payment is enough. It seems that we are entering another cycle as described in the previous text.

Only by continuously increasing the priority fee can the node maintain its original profit level when the trading volume shrinks. On the other hand, if users are unwilling to compromise, they can only incur more losses in principal.

The risk of node leakage exacerbates the ecological dilemma

However, there is a prerequisite in this process, which is that the nodes leading the block must cooperate with the sandwich attacker to leak data, so that the attacker can know in advance the transaction that has already paid priority fees. Starting from February 27th, the founder of Pepe boost called on the Solana official on X platform to pay attention to this. In addition, the co-founder of GMGN and PinkPunkBot have publicly raised similar issues on social media. However, as of March 13th, the Solana official has not yet responded to this.

As of March 10th, the daily priority fee on the Solana chain has dropped to around 14,000 SOL, a decrease of over 92% from the peak of 183,000 SOL in January.

![Solana sandwich attack rolls back: priority fee becomes “protection fee”, on-chain “dark loop” upgrades again]###https://img.gateio.im/social/moments-07a31c5dbb9d892ffb99a969e5f2c4e6(

The number of active addresses on the Solana chain has also dropped to 2.14 million, a 75% decrease from the peak of 8.78 million. In an already severely shrinking market environment, continuing to allow sandwich attacks is clearly tantamount to draining the pond and further driving users away from the Solana ecosystem.

The competition of public chains is not only about the arms race of TPS numbers, but also about whether ecosystem participants can establish a sustainable value consensus. In the current situation of plummeting transaction volume and shrinking priority fee income, Solana is facing a difficult dilemma: if the MEV interest groups are allowed to continue devouring user assets, the network activity built on MEME in the past year may be difficult to reappear. Fishing to exhaustion, in the end, there will be no fish.