Malicious Node Earns 1000 SOL from a Single Transaction, Why Has Solana Become an MEV Hotspot?

By: blockbeats|2025/03/17 14:15:03

The recent crypto market has experienced consecutive "bloodbaths," with Solana not only failing to see a price increase after the meme coin frenzy subsided but also having users flocking to social media to complain about being "sandwiched."

User X @btc_798 claimed that after buying the $GANG token on the Solana blockchain, the token's price surged by 100 times, and they subsequently sold their position. However, due to the routing service selecting the low-liquidity Raydium pool (only 100 SOL) instead of the more optimal Orca pool (4000 SOL), the sell price was much lower than the market price, resulting in the trader earning about 1000 SOL less. "Even Solana's anti-sandwich node has started to act maliciously." @PinkPunkBotCN also suggested that the recent sandwiching phenomenon might be nodes intentionally "liquidating users."

Malicious Node Earns 1000 SOL from a Single Transaction, Why Has Solana Become an MEV Hotspot?

GMGN Co-founder @haze0x also specifically posted a reminder: "Issues have arisen with MEV facilities on SOL's blockchain, and sandwich attacks have begun to run rampant."

In response to these events, crypto analyst @PepeBoost888 pointed out that some Jito validators recently experienced data leaks to sandwichers, allowing sandwichers to obtain data on anti-sandwich transactions in advance. According to @solstatz's data, on just March 15, Raydium reported 10,633 attacks resulting in a total loss of 916.63 SOL, and Pump Fun reported 1770 attacks resulting in a total loss of 314.85 SOL.

Where is the Problem?

In fact, "sandwiching" is not the first time it has occurred on Solana. Sandwiching, or sandwich attack, is a common MEV (Maximal Extractable Value) strategy and a prevalent issue in the AMM market. In this type of attack, bots detect the transaction before it is included in a block, execute a buy order beforehand to drive up the price, and then immediately place a sell order after the transaction completes to profit from the price difference. This forces users to buy tokens at a higher price, while the bots effortlessly make a profit. Although fundamentally MEV is not without value—it can prevent spam attacks through mechanisms like priority fees and help maintain the stability of the blockchain network—Solana appears to have left a vulnerability to sandwich attacks due to its mechanism.

The MEV on Solana was not particularly noticeable until Jito introduced the MEV reward protocol, which brought it into the limelight. Today, over 66% of validators have adopted the Jito-Solana client, which allows users to prioritize their transactions by paying a "tip." Additionally, Jito operates a mempool, which has enabled sandwich attackers to monitor user transactions. Although Jito attempted to reduce such attacks by closing the mempool in March 2024, MEV bots can still continue to monitor transactions by running RPC nodes, and the attacks have not ceased.

In June 2024, Tim Garcia, the Solana Foundation's Validator Relations lead, announced on Discord a decision to take aggressive action to remove over 30 validators participating in sandwich attacks in an attempt to curb the issue. However, this action did not completely solve the problem of frequent attacks. For instance, the notorious "arsc" bot managed to profit over $30 million within two months and continues to earn substantial profits through sandwich attacks even after the Foundation's intervention. Attackers quickly adapt to network changes and may bypass restrictions by running their RPC nodes to continue monitoring and frontrunning user transactions.

Today, sandwich attacks remain a persistent issue on Solana. Users commonly report that even after paying tips, they cannot completely avoid being sandwiched. This situation mirrors past occurrences where attackers exploit Solana's high transaction processing speed and relatively predictable transaction ordering to continuously target transactions.

How Does This Differ from Ethereum's 'Sandwiching'?

In fact, "sandwiching" is not uncommon in the blockchain world, as Ethereum has also suffered from sandwich attacks. The reason why sandwich attacks on Solana have become a persistent issue is closely related to its network design and operational mechanisms, which differ significantly from Ethereum.

On Ethereum, the origin of MEV is mainly related to the visibility of unprocessed transactions. Due to the existence of a shared mempool, anyone can see the transaction information waiting to be included in a block. It's like knowing in advance which goods are about to be bought in a public market. Consequently, savvy traders can leverage this "foresight" to profit through arbitrage or transaction reordering. Attackers might spend more gas fees to front-run transaction sequencing, utilizing fee competition to carry out attacks.

Contrastingly, Solana does not have a Mempool, which means that information about unprocessed transactions is not publicly available as it is on Ethereum, making it much harder to access this information. However, there is still an opportunity for validators. Validators are responsible for processing a specific round of transactions, during which they can clearly see which transactions have not yet been included in a block. At this point, validators have a secret "ace up their sleeve": they can conduct a "sandwich attack" similar to players on Ethereum and profit from it. However, this advantage is private, known only to the "malicious" validator themselves, with other validators being unaware.

When it comes to combating sandwich attacks, Ethereum and Solana have notably different measures. Ethereum outsources transaction ordering to professional builders through the MEV-Boost system, limiting validators' ability to manipulate transaction order and effectively reducing the occurrence of attacks. In contrast, Solana's Jito system attempts a similar mechanism, but attackers can still find loopholes and use private nodes to bypass the restrictions. It could be said that Ethereum's MEV-Boost successfully constrains validator behavior, while Solana's Jito system seems somewhat inadequate in curtailing attacks.

Furthermore, the network structures of Solana and Ethereum also determine the level of difficulty in prevention. Solana has only around 2,000 validators, making its power relatively centralized, where a few malicious nodes could influence transaction ordering, offering attackers an opportunity. On the other hand, Ethereum has over 500,000 validators, with a highly decentralized network, making it difficult for attackers to control enough nodes to carry out an attack, acting as a natural defense barrier.

In summary, Solana is fast but centralized, allowing attackers to exploit private nodes and bypassing the Jito system. Ethereum relies on fee competition and MEV-Boost, coupled with a decentralized structure, for more effective prevention. For Solana to address these issues, optimization of mechanisms and decentralization of power are necessary.

How to Avoid "Sandwich Attacks"?

In the current situation where Solana's mechanism cannot be changed, it is crucial for users to understand how to effectively prevent sandwich attacks in transactions.

Cryptocurrency analyst @PepeBoost888 suggests that to determine if your transaction has been sandwich attacked by a malicious validator, you can check by: first clicking on the block number of the corresponding transaction in the Solscan blockchain explorer, then in the block details page, find the "Leader" field to view the information of the validator node responsible for packing that block. Some malicious validators have already been reported by the community and marked with risk warnings on the Solscan platform. Users can also cross-reference the validator address with the public list of malicious nodes maintained by @0xsucxub to confirm the risk.

For junior Punks, the primary principle when swapping on-chain is to avoid setting a too high slippage tolerance. It is recommended to rationally set a 0.5%-1% reasonable slippage tolerance range based on market volatility. If using an AMM for transactions, one should actively enable MEV protection. This mechanism, through techniques such as transaction path obfuscation and broadcast delay, can significantly reduce the possibility of transactions being front-run by malicious bots.

The "sandwiching" phenomenon has once again sounded the alarm for the Solana ecosystem. This is not a unique issue to Solana but rather a growing pain that most public blockchains may encounter. However, if "sandwiching" becomes the norm, Solana's reputation could be affected. After all, it has always been hailed as an "Ethereum killer" based on its high-speed performance and user experience. If users feel that this high-speed road is plagued by various tolls, packing fees, and protection fees that are rampant, who would still be willing to use it? Especially in key areas like DeFi, trust is the highest cost.