Abnormal gas-price willingness from attacker wallet

A real-time signals factor in the v1.7.0 rubric. Measured per protocol on a rt cadence.

Methodology how we score #

**What this measures** This real-time signal fires when a wallet submitting transactions to the protocol pays a priority fee at least five times the current exponential moving average baseline — a pattern consistent with an attacker racing against MEV bots or other frontrunners to execute a time-sensitive exploit transaction. The five-times EMA threshold is configurable per protocol tier. The signal is generated by monitoring priority-fee (EIP-1559 tip) values relative to a rolling EMA for each address interacting with the protocol. Category 6 context: abnormal gas-price willingness is an exploit-in-progress signal — by the time this fires, the attacker has already committed capital and is executing.

**Why it matters** Attackers executing flash-loan-based exploits frequently submit high-priority transactions to prevent MEV bots from frontrunning the profit extraction step, or to race governance execution windows. PancakeBunny ($45M) and Euler Finance ($197M) both involved large flash loans with associated high-priority execution. The Sonne Finance exploit involved the attacker frontrunning the market activation window with a high-priority transaction. While high gas prices alone are not exploit indicators — congested networks produce elevated fees legitimately — the combination of an unusually high tip from a fresh or mixer-funded wallet interacting with a protocol in a way consistent with exploit mechanics is a stronger signal.

**Green / Yellow / Red** Green is the baseline when all recent protocol interactions show priority fees within three times the EMA baseline. Yellow fires when a wallet pays three to five times EMA — elevated but potentially explainable by network congestion. Red fires when a wallet pays more than five times EMA while submitting a transaction matching known-exploit-class interaction patterns (flash loan initiation, admin function call, large liquidity position establishment).

**Common gray cases** Gray applies during periods of general network congestion when the EMA baseline is itself elevated and the relative signal is unreliable, or on chains where priority fees are not meaningful (fixed-fee chains).

**Notable historical examples** No cross-hacked incidents currently linked in database for this factor.

Measurement what to look for #

Detect whether a wallet pays ≥5× median gas priority fee (indicating MEV race or urgency), interacting with this protocol.

Data & output #

Data source

Mempool stream + EMA gas-price baseline per block

Output format

Green / Yellow / Red

Evidence artifact

Flagged tx hash + priority fee paid + EMA baseline at that block

Confidence signal

green = signal not firing; red = ≥5× EMA priority fee detected; gray = mempool monitoring not configured

Scored protocols 80 carry this factor #

Protocol RD-F-093

Aave v3 ethereum gray Across Protocol ethereum gray Aerodrome Finance base gray Axelar Network ethereum green Babylon Protocol bitcoin gray Balancer (v2 + v3) ethereum gray Beefy Finance ethereum green BENQI avalanche gray BlackRock USD Institutional Digital Liquidity Fund (BUIDL) ethereum not_applicable Cap (cUSD / stcUSD) ethereum gray Centrifuge ethereum gray Chainlink CCIP ethereum gray Circle USYC binance not_applicable Compound V3 (Comet) ethereum gray Concrete ethereum gray Convex Finance ethereum gray crvUSD (Curve Stablecoin) ethereum gray Curve Finance ethereum not_assessed deBridge ethereum gray Dolomite ethereum gray dYdX v4 (dYdX Chain) dydx not_applicable EigenLayer ethereum gray Ethena ethereum green ether.fi ethereum green Euler V2 ethereum not_assessed Falcon Finance ethereum gray Fluid ethereum not_assessed Frax Finance ethereum gray GMX v2 (GMX Synthetics) arbitrum gray Hyperlane ethereum not_applicable Hyperliquid arbitrum gray Jito solana not_applicable Jupiter solana not_assessed Jupiter Perpetual Exchange solana not_applicable JustLend DAO tron not_applicable Kamino Lend solana gray Kinetiq hyperliquid gray Lido ethereum green Liquid Collective (LsETH) ethereum gray Liquity V1 + V2 (LUSD / BOLD) ethereum green Lista DAO bsc gray Lombard Finance ethereum gray M^0 ethereum not_applicable Maple Finance ethereum gray Marinade Finance solana not_applicable Meteora solana not_applicable mETH Protocol ethereum not_assessed Midas ethereum gray Morpho V1 (Morpho Blue + MetaMorpho) ethereum yellow Multipli ethereum gray Ondo Finance ethereum green OpenEden ethereum gray Orca solana not_applicable PancakeSwap bsc not_assessed Pendle Finance ethereum not_assessed Polymarket polygon not_assessed QuickSwap polygon not_assessed Raydium solana not_assessed Rocket Pool ethereum gray Sanctum solana not_applicable Save (formerly Solend) solana not_applicable Sky Lending (formerly MakerDAO) ethereum gray Spark Protocol ethereum green Spiko stellar not_assessed Stake DAO ethereum gray StakeWise v3 ethereum gray Stargate Finance ethereum gray stHYPE (Valantis Labs) hyperliquid gray SUNSwap (sun.io) tron gray Superstate ethereum not_assessed Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap ethereum green Symbiotic ethereum green Synapse Protocol ethereum not_assessed Uniswap (v2 + v3) ethereum gray USDD (Decentralized USD) tron gray Usual (USD0 / bUSD0 / USUAL) ethereum green Veda (BoringVault) ethereum gray Venus Protocol bsc not_assessed Wormhole ethereum green Yearn Finance ethereum gray

Linked hacks no historical incidents linked #

No historical incidents are linked to this factor.

rubric_version v1.7.0 factor RD-F-093 category 6 carried 80 critical no