Solana’s WET Presale Restarts Following Bot Farm Supply Exploits

A Solana presale event faced distribution problems after a bot farm allegedly used over 1,000 wallets to rapidly acquire nearly the entire Wet (WET) token sale within seconds.

Conducted via the decentralized exchange aggregator Jupiter, the presale sold out almost immediately. However, legitimate buyers had little opportunity to participate due to one actor’s overwhelming dominance in the presale, as reported by the organizers.

HumidiFi, the Solana automated market maker (AMM) responsible for the presale, confirmed the attack and canceled the launch entirely. The team stated they would create a new token and conduct an airdrop to legitimate participants while explicitly excluding the sniper.

“We are creating a new token. All Wetlist and JUP staker buyers will receive a pro-rata airdrop. The sniper is not getting anything,” HumidiFi stated. “We will hold a new public sale on Monday.”

Bubblemaps identifies alleged sniper after tracing over 1,000 wallets

On Friday, the blockchain analytics platform Bubblemaps announced that it had pinpointed the entity behind the presale attack, noting unusual wallet clustering during the token sale.

In an X thread, the company revealed that at least 1,100 out of the 1,530 participating wallets exhibited identical funding and activity patterns, indicating that a single actor was controlling them.

Bubblemaps CEO Nick Vaiman informed Cointelegraph that their team analyzed presale participants through their platform and detected patterns, including new wallets with no history of onchain activity, all funded by a select few wallets.

These wallets also received funding within a compressed timeframe, with similar Solana (SOL) token amounts.

“Even if some of the clusters weren’t linked onchain, the behavioral similarities in size, time, and funding strongly indicate a single entity,” Vaiman told Cointelegraph.

Bubblemaps stated that the sniper funded thousands of new wallets from exchanges, which had received 1,000 USDC (USDC) prior to the sale.

The analytics company noted that one of the clusters “slipped,” enabling them to trace the attack back to a Twitter handle, “Ramarxyz,” who later went on X to request a refund.

Related: Pepe memecoin website exploited, redirecting users to malware: Blockaid

Sybil attacks must be treated as a “critical” security threat

This attack follows other Sybil attack incidents from November, where clusters controlled by single entities sniped token supplies.

On Nov. 18, a single entity seized 60% of aPriori’s APR token airdrop. On Nov. 26, wallets linked to Edel Finance reportedly sniped 30% of their own EDEL tokens. The team’s co-founder denied that they had targeted the supply and insisted that the tokens were placed in a vesting contract.

Vaiman told Cointelegraph that Sybil attacks are becoming increasingly prevalent in token presales and airdrops. Nevertheless, he pointed out that the patterns vary each time. He recommended that for security, teams should implement Know Your Customer (KYC) measures or utilize algorithms to detect sybils.

He also suggested conducting manual reviews of presale or airdrop participants before token allocation.

“Sybil activity should be regarded as a serious security threat to token launches,” Vaiman conveyed to Cointelegraph. “Projects ought to have dedicated teams, or outsource Sybil detection to experts who can help.”