More

文章详情

BSC

$--
0
download dymatic logo
image source head

Exit liquidity machine: Revealing the internal sniper arbitrage of Pumpfun token issuance

trendx logo

Reprinted from chaincatcher

06/08/2025·11D

Author: Pine Analytics

Compiled by : GaryMa Wu said blockchain

summary

This report investigates a common and highly coordinated meme token farming model on Solana : Token deployers transfer to SOL to "sniper wallets" to enable these wallets to buy the token in the same block where the token is online. By focusing on the clear and proven capital chain between the deployer and the sniper , we locked in a set of high confidence extraction behaviors.

Our analysis shows that this strategy is neither an occasional nor a marginal behavior—in this way, over 15,000 SOLs of realized profits from over 15,000 token offerings, involving more than 4,600 sniper wallets and more than 10,400 deployers in this way in the past month alone. These wallets show an unusually high success rate (87% of sniping profits), a clean exit method, and a structured operation mode.

Key findings:

  • Deployer-funded snipers are systematic, profitable and often automated, with sniper activities being the most concentrated during working hours in the United States.
  • Multi-purse brushing agricultural structure is very common, and temporary wallets are often used to simulate real needs with collaborative exit.
  • Confusion methods are constantly escalating, such as multi-jumping capital chains and multi-signature sniper transactions to evade detection.
  • Despite its limitations, our one-hop fund filter can still capture the clearest and repeatable large-scale "insider" behavior cases.
  • This report proposes an actionable heuristic approach to help protocol teams and front-ends identify, mark and respond to such activities in real time — including tracking early holding concentrations, tagging deployers’ associated wallets, and issuing front-end warnings to users in high-risk issuances.

Although our analysis covers only a subset of the same block sniping behavior, its size, structure and profitability suggest that Solana token issuance is being actively manipulated by collaborative networks, and existing defenses are far from sufficient.

Methodology

This analysis starts with a clear goal: identifying the behavior of Solana indicating collaborative meme token brushers, especially the deployments that provide funds for sniper wallets when tokens are launched in the same block. We divide the problem into the following stages:

1. Filter the same block sniper

We first filter the wallets that were sniped after deployment. Because: Solana does not have a global mempool; it needs to know the token's address before it appears on the public frontend; and the time between deployment and first DEX interaction is very short. This behavior is almost impossible to occur naturally, so "same-block sniping" becomes a high confidence filter for identifying potential collusion or privileged activities.

2. Identify the wallet associated with the deployer

In order to distinguish between highly skilled snipers and collaborative "insiders", we tracked the SOL transfer between the deployer and the sniper before the token was launched, and only marked wallets that meet the following conditions: receive SOL directly from the deployer; send SOL directly to the deployer. Only wallets that have direct transfers before going online will be included in the final data set.

3. Related sniper with token profits

For each sniper wallet, we map its trading activities on the sniper token, and specifically calculate: the total SOL spent on buying the token; the total SOL earned from selling the DEX; and the net profit (rather than nominal income). This accurately attributes the profits drawn from the deployer for each sniper.

4. Measuring Size and Wallet Behavior

We analyze the scale of such activities from multiple dimensions: the number of independent deployers and sniper wallets; the number of confirmed synergistic block snipers; the distribution of sniper profits; the number of tokens issued by each deployer; and the cross-token reuse of sniper wallets.

5. Traces of machine activity

To understand how these operations are performed, we group sniper activities by UTC hours. The results show that activity is concentrated in a specific time window; it drops significantly during the late night period of UTC; this shows that it is more of a cron task or a human execution window that is aligned with the United States than a globalized, continuous automation.

6. Exit behavior analysis

Finally, we study the behavior of deployer-related wallets when selling snipered tokens: measure the time between the first buy and the final sell (the length of the position); and count the number of independent sell transactions used for each wallet to exit. This tells whether the wallet chooses to clear the stock quickly or sell in progress, and examines the relationship between exit speed and profitability.

picture

Focus on the clearest threat

We first measured the scale of snipers in the pump.fun issue, and the result was shocking: more than 50% of tokens were sniped when creating blocks -snipers in the same block have changed from edge cases to dominant issuance mode.

On Solana, participating in the same block usually requires: pre-sign transactions; off-chain coordination; or the deployment and the buyer share the infrastructure.

Not all snipers in the same block are equally malicious, with at least two types of characters: "Testing the Net to Test Luck" robot - Testing heuristics or small speculation; collaborating with insiders - including deployers to provide funds to their buyers.

To reduce false positives and highlight real collaborative behavior, we have added strict filtering to the final indicator: only snipers with direct SOL transfers between the deployer and the sniper wallet before the online launch are counted. This allows us to confidently lock in: wallets directly controlled by the deployer; wallets that act under the command of the deployer; wallets that have internal channels.

picture

Case Study 1: Direct Funding

Deployer Wallet 8qUXz3xyx7dtctmjQnXZDWKsWPWSfFnnfwhVtK2jsELE Send a total of 1.2 SOL to 3 different wallets and then deploy tokens named SOL > BNB. The 3 funded wallets are snapped up in the same block created by the token, before the wider market becomes visible. They then quickly sold for profit, implementing a coordinated lightning exit. This is a textbook example of brushing agricultural tokens through pre-funding sniper wallets, which is directly captured by our capital chain method. Despite its simple technique, it has been staged on a large scale in thousands of releases.

picture

Case Study 2: Multiple Skip Funding

Wallet GQZLghNrW9NjmJf8gy8iQ4xTJFW4ugqNpH3rJTdqY5kA is related to multiple token sniping. Instead of directly injecting funds into the sniper wallet, the entity transferred the SOL through 5–7 layers to the final sniper wallet, thereby completing the sniper in the same block.

Our existing method only detects some initial transfers from the deployer, but fails to capture the entire chain of the omnidirectional final sniper wallet. These relay wallets are usually "one-time" and are only used to pass SOLs, making them difficult to associate with simple queries. This gap is not a design flaw, but is due to a computing resource trade-off - tracking the multi-hop funding path in large-scale data is feasible, but it is expensive. Therefore, the current implementation prioritizes the selection of high confidence, direct links to maintain clarity and reproducibility.

We demonstrated this longer capital chain with Arkham’s visualization tool , graphically showing how funds flow from the initial wallet through the shell wallet to the final deployer wallet. This highlights the complexity of the confusion of fund sources and points out the direction for future improvement of detection methods.

**Why focus on "a wallet that is directly funded and sniped in the same

block"**

In the rest of this article, we only study sniper wallets that directly obtain deployer funds before going online and snipe within the same block. The reasons are as follows: they contribute considerable profits; they confuse the least means of confusion; they represent the most operational subset of maliciousness; and study them provides the clearest heuristic framework for detecting and mitigating more advanced extraction strategies.

Discover

Focusing on the subset of "Same Block Sniper + Direct Capital Chain", we reveal a broad, structured and highly profitable on-chain synergy behavior. All the following data covers March 15 to present:

picture

1. Snipers funded by the same block are very common and systematic

a. In the past month, 15,000 tokens have been directly attacked by the capital wallet when they are confirmed to be online in the block;

b. 4,600+ sniper wallets, 10,400+ deployers involved;

c. accounts for about 1.75% of the pump.fun circulation.

picture

2. This behavior makes a large-scale profit

a. Directly obtained funds to sniper wallet have achieved net profit > 15,000 SOL;

b. The sniping success rate is 87%, and there are very few failed transactions;

c. A typical return of 1–100 SOL for a single wallet, a few more than 500 SOL.

picture

3. Repeated deployment and sniping pointing to the farmer network

a. Many deployers use new wallets to create dozens to hundreds of tokens in batches;

b. Some sniper wallets perform hundreds of snipers in a day;

c. Observe the "center-radiation" structure: one wallet injects capital into multiple sniper wallets, all snipers the same token.

picture

4. Sniper presents a human-centered time pattern

a. The peak of activeness is almost shut down at UTC 14:00–23:00; UTC 00:00–08:00;

b. Fits with US working hours, indicating that it is triggered manually/cron timed, rather than 24 hours fully automatic worldwide.

picture

5. Confuse ownership of one-time wallet with multiple sign transactions

a. The deployer injects capital into several wallets at the same time and signs a sniper in the same transaction;

b. These wallets will not sign any transactions thereafter;

c. The deployer disassembles the initial purchase into 2–4 wallets, disguising the real demand.

picture

Exit behavior

To gain insight into how these wallets exit, we disassemble data in two major behavioral dimensions:

1. Exit Timing ———Time from the first purchase to the final sale;

2. Swap Count —— The number of independent selling transactions used to exit.

Data conclusion

1. Exit speed

a. 55% of the snipers were sold out in 1 minute;

b. 85% clearance within 5 minutes;

c. 11 % Completed in 15 seconds.

2. Number of sells

a. More than 90% of sniper wallets will be exited with only 1–2 sell orders;

b. Radical selling is rarely used.

3. Profit Trends

a. The most profitable one is the wallet that exits in 1 minute, followed by < 5 minutes;

b. Although the average single profit is slightly higher when holding or selling longer, the quantity is very small and the contribution to the total profit is limited.

explain

These models show that deployer-slaughtered sniping is not a transactional behavior, but an automated, low-risk extraction strategy:

· Be the first to buy → sell quickly → exit completely.

· Single selling means not caring about price fluctuations and only taking advantage of the initiative to dump.

· The few more complex exit strategies are just exceptions, non-mainstream mode.

Actionable insights

The following suggestions are intended to help protocol teams, front-end developers and researchers identify and deal with decimated or collaborative token issuance models, improve user transparency and reduce risks by converting observed behaviors into heuristics, filters and warnings.

picture

in conclusion

This report reveals a continuous, structured and highly profitable Solana token issuance and extraction strategy: deployer-funded same-block sniping. By tracking the direct SOL transfers from the deployer to the sniper wallet, we locked in a group of insider-style behaviors and used Solana's high-throughput architecture for collaborative extraction.

Although this method captures only a portion of the same block sniper, its scale and pattern show that this is not a fragmented speculation, but an operator with privileged locations, repeatable systems and clear intentions. The importance of this strategy is reflected in:

  1. Distort early market signals and make the token seem more attractive or competitive;
  2. Endangering retail investors – they become exit liquidity without their knowledge;
  3. Weak the trust in open token issuance, especially in platforms such as pump.fun, which pursues speed and ease of use.

To mitigate this problem, it is not just passive defense, but also better heuristics, front-end warning, protocol-level guardrails, and efforts to coordinate behaviors with continuous mapping and monitoring. The detection tool already exists — the question is whether the ecosystem is willing to actually apply it.

This report takes the first step: providing a reliable, reproducible filter to lock in the most obvious synergistic behavior. But this is just the beginning. The real challenge is detecting highly confusing, evolving strategies and creating an on-chain culture that rewards transparency rather than extraction.

Original link

more

22 projects raise $1.2 billion Circle raises $1.1 billion in IPO financing feature image

trendx logojinse11D

22 projects raise $1.2 billion Circle raises $1.1 billion in IPO financing

&quot;Founder of the First Stable Coin Stock&quot;: How did I All in Stable Coin 7 years ago feature image

trendx logochaincatcher11D

&quot;Founder of the First Stable Coin Stock&quot;: How did I All in Stable Coin 7 years ago

Cetus restarts Deutsche Bank today to consider issuing its own crypto stablecoin feature image

trendx logojinse11D

Cetus restarts Deutsche Bank today to consider issuing its own crypto stablecoin

AB is everywhere: Why is Binance Alpha launched? feature image

trendx logochaincatcher12D

AB is everywhere: Why is Binance Alpha launched?