Myth Buster #8: Bad Sandwich Can Be Combined with Token Scams
Witness the Thickest Sandwich Ever Having Triple Evil Recipes
🦄 Myth
Malicious MEV and Scams Are Separate Risks.
Some people think MEV tactics like frontrunning are technical risks, while scam tokens and rug-pulls belong to a whole different category: social engineering.
But what if the same actor controls both? This triple-evil sandwich shows the damning ramifications, and it is the thickest sandwich we have ever observed.
🧠 What Happened
Block 19784594 (May 2024)—the same entity deployed, baited, and rugged a malicious token called YIELD Stone:
Turned on the switch in the contract (TX 0), activating:
A 35% transfer tax that auto-redirects skimmed tokens to the attacker
The supply minting logic that rug-pulls buyers
Front-ran with its own MEV bot (TX 1) to seed liquidity.
Sandwiched 74 victims in a 94-layer mega-bundle—each buy taxed, each sell back-ran.
Rug-pulled (transactions like TX 5): minted 2 million YIELD into the pool, dumped YIELD at inflated prices, and drained the WETH side.
In 95 scripted transactions, the attacker pocketed 2.9 ETH, proving that MEV can be engineered directly into a scam when the same actor controls the token, the pool, and the bot.
🔬 Microstructure
🧬 Key Steps Breakdown
The 35% Taxing
This transaction illustrates how the malicious actor charges a 35% tax on every trade.
A user sent 0.0239 ETH into Uniswap V2, which is marked red, meaning trades in this pool got sandwiched.
They received 985K YIELD tokens.
Meanwhile, 530K YIELD was skimmed off—automatically redirected to the attacker’s wallet.
The Sandwiching
The transaction at position 1 swapped 0.0234 WETH for 994.8K YIELD in the Uniswap V2 pool to raise the price, acting as the front-run of this 94-layer sandwich.
Now let’s look at the victim transaction at position 2.
While paying 35% tax, the victim only received 985.3K YIELD for 0.0239 WETH, suffering from the distorted exchange rate.
The Rug-Pull
At position 5, the malicious actor performed three actions.
It back-ran previous buyers, dumping YIELD tokens at elevated prices.
It minted 2 million YIELD into the pool, inflating supply.
It drained the WETH side of the Uniswap pool—a rug pull.
🧑‍🤝‍🧑 Key Entities
By digging on Etherscan, we can find that the issuer of the YIELD STONE token is connected to the sandwich bot.
All the times below are UTC.
2024-05-02 12:31:35: Kraken wallet 0x267b sends 0.05 ETH to 0xAA38.
2024-05-02 12:37:23: Address 0xAA38 forwards 0.05 ETH to 0x018d (the future frontrunner).
2024-05-02 17:52:23: YieldStone Deployer receives 0.03 ETH from Kraken wallet 0x267b.
2024-05-02 18:36:35: YieldStone Deployer mints 100 M YIELD STONE tokens.
2024-05-02 19:42:59: Address 0x018d initiates the frontrunning transaction.
🔁 Not a Fluke
The whole attack was carefully coordinated, and it was the transaction at position 0 of the block that pressed the launch button.
In this transaction, the attacker flips the “Enable Trading” switch in the contract, activating the tax and supply minting logic.
This is the code that started everything.
⚠️ Your Takeaway
One actor ran the token, pool, and bot, fusing MEV with the rug-pull, thereby merging the attack surface.
The security community must monitor contract logic and bundled trades together to defend against this gap; neither layer alone will catch this hybrid exploit.
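The takeaway above, as an added sketch (not code from the article): it joins a contract-level signal, the effective transfer tax computed from what a buyer received versus what was skimmed, with a bundle-level signal, whether the first buyer right after trading is enabled shares a funding root with the sender of that transaction. The block summary is constructed from the figures quoted above; the field names, the 10% threshold, the deployer as sender of TX 0, and the zero skim at position 1 are assumptions.

```python
TAX_THRESHOLD = 0.10  # assumed alert threshold, not a figure from the article

# Funding edges (recipient -> funder), taken from the article's UTC timeline.
FUNDED_BY = {
    "0xAA38": "0x267b",              # Kraken wallet -> 0xAA38
    "0x018d": "0xAA38",              # 0xAA38 -> future frontrunner
    "YieldStoneDeployer": "0x267b",  # Kraken wallet -> deployer
}

# Constructed block summary. Assumptions: the deployer sent TX 0, and the
# skim at position 1 (not stated in the article) is set to 0 as a placeholder.
BLOCK = [
    {"pos": 0, "sender": "YieldStoneDeployer", "action": "enable_trading"},
    {"pos": 1, "sender": "0x018d", "action": "buy", "received": 994_800, "skimmed": 0},
    {"pos": 2, "sender": "victim-1", "action": "buy", "received": 985_000, "skimmed": 530_000},
]

def effective_tax(received, skimmed):
    """Share of the pool's token output that did not reach the buyer."""
    total = received + skimmed
    return skimmed / total if total else 0.0

def funding_root(addr, funded_by):
    """Follow funder edges upward until an address with no known funder."""
    seen = set()
    while addr in funded_by and addr not in seen:
        seen.add(addr)
        addr = funded_by[addr]
    return addr

def review_block(block, funded_by, threshold=TAX_THRESHOLD):
    """Return findings that combine the tax signal with trade ordering."""
    findings = []
    enable = next((t for t in block if t["action"] == "enable_trading"), None)
    buys = sorted((t for t in block if t["action"] == "buy"), key=lambda t: t["pos"])
    for t in buys:
        tax = effective_tax(t["received"], t["skimmed"])
        if tax > threshold:
            findings.append(("hidden_tax", t["pos"], round(tax, 3)))
    if enable and buys:
        first = buys[0]
        roots = {funding_root(a, funded_by) for a in (first["sender"], enable["sender"])}
        if first["pos"] == enable["pos"] + 1 and len(roots) == 1:
            findings.append(("linked_first_buyer", first["pos"], first["sender"]))
    return findings
```

A shared funder that is an exchange wallet is weak evidence on its own; the finding carries weight here because it coincides with the block ordering and the tax signal.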