A recent presale for Solana’s Wet (WET) token faced severe complications as a bot farm reportedly leveraged over 1,000 wallets to snipe from the sale in mere seconds.

The presale, conducted via the decentralized exchange aggregator Jupiter, sold out almost instantaneously, leaving real participants without a chance to engage due to one entity’s monopoly over the event, as confirmed by the organizers.

HumidiFi, the automated market maker behind the WET presale, acknowledged the attack and decided to cancel the launch entirely. They announced plans for a new token and a forthcoming airdrop for legitimate participants while explicitly excluding the sniper from any benefits.

“We are creating a new token. All Wetlist and JUP staker buyers will receive a pro-rata airdrop. The sniper is not getting shit,” HumidiFi confirmed. “We will do a new public sale on Monday.”

Bubblemaps Traces Suspected Sniper

On Friday, blockchain analytics firm Bubblemaps reported it had successfully identified the perpetrator behind the presale attack, having observed unusual patterns in wallet activities during the token launch.

In an analysis shared via their platform, they noted that at least 1,100 of the 1,530 wallets participating were connected by similar funding and activity patterns, suggesting a singular actor was in control.

CEO Nick Vaiman relayed how their analysis highlighted new wallets with no preceding on-chain activity, all being funded from a limited number of wallets close together in time, with matching amounts of Solana (SOL).

“Despite some of the clusters not being connected on-chain, the behavioral similarities in size, time, and funding all point to a single entity,” said Vaiman.

Bubblemaps revealed that the sniper had funded thousands of new wallets from exchanges, each receiving 1,000 USDC shortly before the presale.

Interestingly, one of the clusters “slipped,” allowing them to link the attack to a handle on Twitter, “Ramarxyz,” who subsequently sought a refund through X.

Addressing the Rising Threat of Sybil Attacks

This incident follows other Sybil attacks where single entities have managed to monopolize token supplies. In one such case from November, a single actor laid claim to 60% of aPriori’s APR token airdrop.

According to Vaiman, Sybil attacks are becoming increasingly common in token presales and airdrops, although every case exhibits its own unique patterns. To safeguard against such incidents, he recommends implementing Know Your Customer (KYC) processes or utilizing algorithms to detect these malicious actors.

Furthermore, he suggests conducting manual reviews of participants before tokens are allocated.

“Sybil activity needs to be treated as a critical security threat to token launches,” Vaiman emphasized. “Projects should either have dedicated teams or outsource Sybil detection to expert professionals.”