By AUJay
Web3 Blockchain Intelligence Dashboards: Alerts for Drains, Sandwiching, and Oracle Anomalies
A practical, 2025-ready guide for building on-chain security dashboards that actually stop losses: how to detect wallet drainers (incl. EIP‑7702 flows), flag MEV sandwiching in real time, and catch oracle anomalies before they cascade into liquidations. For startup and enterprise leaders shipping on-chain products across EVM and Solana.
Why this matters now
- Ethereum’s Pectra upgrade (May 7, 2025) added EIP‑7702, letting EOAs temporarily delegate execution to contract code—great UX, but also a new surface for “single‑signature” drains if your monitoring isn’t updated. (theblock.co)
- MEV dynamics shifted: Flashbots highlighted that spam/MEV bots can consume newly added throughput (e.g., Base) and that congestion is increasingly economic, not just technical. MEV‑driven sandwich activity persists—even where extraction declines, attack counts remain high. (theblock.co)
- Oracle risks grew with multi‑provider setups and evolving heartbeats/deviation thresholds; several 2025 incidents show that “stale by seconds” or cross‑feed mismatches can trigger shutdowns and cascading liquidations. (docs.chain.link)
This post shows exactly what to track, which thresholds to set, and how to wire it all into dashboards that ping PagerDuty/Slack before real money moves.
Scope
We’ll cover three alert pillars, with concrete rules, thresholds, and sample signals:
- Drains (permit/approval phishing and 7702‑enabled drains)
- Sandwiching (front‑run/back‑run patterns across EVM and Solana)
- Oracle anomalies (stale, deviant, or conflicting prices)
We’ll also include an implementation blueprint (data, tools, and rollout plan).
Pillar 1 — Drains: approvals, permits, and EIP‑7702
Attackers don’t need protocol bugs to empty wallets. They lean on:
- ERC‑20 approvals (Approval events to malicious spenders).
- Permit signatures (EIP‑2612/EIP‑712) captured off‑chain and submitted later. (eips.ethereum.org)
- EIP‑7702 “programmable EOAs,” which some drainer kits now exploit to batch multiple transfers from one signature while bypassing incomplete simulators. (linkedin.com)
Drainer activity remains large-scale: 2024 saw ~$494M drained (Scam Sniffer data), and in 2025 vendors reported new waves and tool upgrades (e.g., Angelferno/Angel Drainer variants). (bleepingcomputer.com)
What to alert on (minimum viable rules)
- Abnormal approvals
  - ERC‑20 Approval to unknown/new spender with allowance > 95% of owner’s token balance or > 1.1× owner’s 7‑day max single spend.
  - Burst of ≥3 distinct token approvals to the same spender within 15 minutes.
  - Allowance set via Permit followed by spend in the same block or within 2 blocks (common drainer pattern). Use EIP‑712 typed‑data decoding to attribute the off‑chain signer. (eips.ethereum.org)
- 7702 patterns (post‑Pectra)
  - Transactions of type 0x04 (Set Code) with an authorization_list that delegates to unfamiliar code, followed by immediate calls that transfer ERC‑20/721/1155 tokens. Flag if the authorized code is unverified or newly deployed (<24h). (eips.ethereum.org)
  - Any 7702 transaction that touches ≥3 token contracts for the same signer in a single block. Vendors observed attackers leveraging 7702 for “one‑shot” multi‑asset drains while many simulators lagged support. (linkedin.com)
- Known drainer infrastructure
  - Spender or destination address appears in curated drainer/affiliate lists (Scam Sniffer, vendor intel). Refresh every 6 hours; label “Angel/Inferno lineage” after 2024–2025 toolkit consolidation. (theblock.co)
Tip: approval monitoring should run on both events and state. Confirm the post‑event allowance on‑chain; some drainers emit Approval but manipulate state via proxies.
Helpful thresholds you can justify to risk teams
- “Unknown spender” = address without verified code, <200 historical txs, first seen <7 days, or not in your allowlist.
- “High‑risk tokens” list (stablecoins, LSTs, bluechips): enforce stricter limits (e.g., 80% of balance) because their liquidity makes drains irreversible.
Response playbook
- Auto‑DM the wallet via your app’s notifications with a 1‑click revoke flow (deep‑link to Etherscan’s Token Approval Checker or your embedded revoke UI). (support.opensea.io)
- If user is in‑app, block subsequent swaps until revokes confirmed on‑chain.
- Push a Web3 Action to pre‑fund revocation gas rebates (you’ll eat cents to save thousands).
- If the spender is a known drainer, broadcast to a shared abuse feed for faster ecosystem response.
Tools that shorten time‑to‑value
- Tenderly Alerts: event‑parameter rules on Approval(owner, spender, value) with thresholds + webhooks to PagerDuty. Works cross‑chain, supports tags for grouping VIP wallets. (docs.tenderly.co)
- Forta “Attack Detector” as a high‑precision overlay that correlates funding/prep/exploitation stages across bots. Pipe into your SIEM for incident stitching. (docs.forta.network)
Pillar 2 — Sandwiching: detection and mitigation
Reality check in late 2025:
- EigenPhi‑fed analysis showed Ethereum sandwich extraction fell to ≈$2.5M/month by Oct 2025, but attack counts stayed high (60–90k/month), concentrated in a few entities (e.g., “Jared”). Lower per‑attack PnL makes bots spam more broadly. (cointelegraph.com)
- Flashbots and others found economic congestion patterns: on Base, two bots dominated spam; on Solana, blockspace shares for MEV are very high. Your dashboards should watch not just PnL, but user harm and latency. (theblock.co)
- On Solana, community data suggests hundreds of millions extracted via sandwiching over 16 months, with validator behaviors and blacklist governance affecting exposure. You likely have cross‑chain users; match protections accordingly. (solanacompass.com)
What to alert on (pattern signals)
- Triplet pattern in the same block: attacker A buys token X immediately before the victim swap, the victim swap executes, then A sells X immediately after; identical pools/paths; gas‑price deltas in line with known searcher behavior.
- Multi‑victim variation: same searcher bracketing ≥2 victims within N blocks with center‑tx liquidity tricks (e.g., add/remove liquidity on Uniswap V3 between legs). EigenPhi reported such “new recipes.” (unchainedcrypto.com)
- User‑harm metric: realized slippage > user‑set max by ≥50% OR final execution price outside your protected quote band when user came through your router.
Operationalize with:
- Sliding window per pool: if >3 sandwiches in last 50 swaps, clamp router slippage to 0.1–0.3% and recommend MEV‑protected routing.
- Wallet‑side MEV protection defaults: route swaps via private orderflow (Flashbots Protect or MEV Blocker RPC) for high‑value trades; expose a toggle for “max refund vs. max privacy.” (docs.flashbots.net)
Mitigation you can deploy this quarter
- Private RPCs by default for high‑risk flows:
  - Flashbots Protect: private mempool; optional MEV refunds; configurable hinting.
  - MEV Blocker: multiple endpoints including /fullprivacy, rebates on backruns, OFA model; simple “swap RPC URL” integration for wallets/routers. (docs.flashbots.net)
- Batch/intents for swaps: CoW Protocol or similar to remove FCFS ordering; pair with protected submission to avoid revealing orderflow. (cow-swap.com)
- Transparency dashboards:
  - Top searchers touching your users, attack counts by pool, average user slippage delta vs. protected routing, refunds captured.
  - Use public datasets (e.g., Eden’s MEV‑Share BigQuery mirror) to enrich your internal metrics without running your own collectors. (docs.edennetwork.io)
Pillar 3 — Oracle anomalies: stale, deviant, conflicting
The most expensive incidents in DeFi still come from oracle misuse, stale reads, or feed method changes. Classic cases (e.g., Mango) and 2025 “edge” failures show how seconds and thresholds matter. (cftc.gov)
What to alert on (three tiers)
- Staleness
  - updatedAt vs. heartbeat: if now − updatedAt > heartbeat − ε, alert. Chainlink’s own docs urge monitoring updatedAt/round freshness; heartbeats differ across assets and chains. (docs.chain.link)
  - Per‑asset heartbeats: don’t hardcode one hour; some assets have 60s or 10‑minute limits. Stale checks must be per‑feed. A 2025 incident shows how an off‑by‑seconds logic mismatch can wrongly trip shutdowns. (reports.zellic.io)
- Deviation
  - Deviation threshold breaches: price change > configured deviation% since last round—alert and, for lending/liquidations, require TWAP or pause. Chainlink/Scribe/Binance Oracle all document deviation+heartbeat models; your monitors should mirror them. (docs.chain.link)
  - Confidence‑aware reads (Pyth): if confidence interval/price > α (e.g., >0.5%), degrade leverage or widen liquidation thresholds; many protocols underuse confidence bands. (docs.pyth.network)
- Cross‑feed conflicts
  - Divergence between primary and secondary (e.g., Chainlink vs. Pyth vs. Chronicle) > β for >N blocks. Chronicle exposes readWithAge() for freshness; wire that into the same dashboard so operators don’t eyeball Etherscan. (docs.chroniclelabs.org)
  - During planned method updates, increase sensitivity. Several outages and attacks exploit the window around parameter/method changes; announce narrower guardrails for those windows. (odaily.news)
Automatic circuit breakers (recommended)
- On breach, pause sensitive functions (mints/borrows) via automation; Chainlink explicitly recommends circuit breakers via Automation. Chronicle/Scribe and Binance Oracle publish their deviation/heartbeat models; reflect these in your guards. (docs.chain.link)
- If primary stale and secondary fresh, flip to secondary for reads; never blend without confidence weights.
Emerging practice: OEV capture and private updates
- Push oracle updates via private orderflow (OEV capture) so arbitrage happens in a controlled auction and value returns to your protocol/users instead of bots. MEV Blocker documents OEV workflows for oracle integrators. (docs.cow.fi)
Research you can pilot
- LLM‑assisted oracle manipulation detection (AiRacleX) shows improved recall on historical incidents; treat as a triage/analyst co‑pilot feeding your anomaly queues. (arxiv.org)
Architecture: what we deploy for clients
- Data plane
  - Node access: archive + mempool (Txpool + tracing where available).
  - Event streams: Approval/Permit events; swaps; oracle RoundData updates; 7702 tx type logs.
  - Indexing: push to Kafka/PubSub; OLAP store (BigQuery/ClickHouse/Snowflake).
  - Enrichment: labelers (Scam Sniffer, your own drainer/MEV lists), Eden MEV‑Share public datasets. (docs.edennetwork.io)
- Analytics + alerting
  - Rules engine: Tenderly Alerts for event/param triggers; Forta bots for correlated phases; custom stream processors for cross‑feed windows. (docs.tenderly.co)
  - Playbooks: Slack + PagerDuty with runbooks per pillar (revoke → lock UI; sandwich → route via private RPC; oracle → pause + switch feed).
- Prevention by default
  - Wallet/router RPCs default to Protect/MEV‑Blocker for high‑value swaps; allow “max privacy” and “max refund” modes in settings. (docs.flashbots.net)
Practical examples: rules you can paste into tickets
- Drains (EVM)
  - If Approval.value ≥ 0.95 × ERC20.balanceOf(owner) AND spender not in allowlist → Alert High, attach “Revoke now” deep‑link.
  - If tx.type == 0x04 AND authorization_list.length ≥ 1 AND codeHash(authorized) unverified → Alert Critical; if ≥3 token transfers in call tree → block UI actions for that user pending review. (eips.ethereum.org)
- Sandwich (EVM)
  - Within a block, detect A→Buy, VictimSwap, A→Sell on same pool with net positive Δ for A and >x bps price impact to victim; log searcher label; increment pool risk score.
  - If pool risk score > threshold over last 50 swaps → route all flows from your app via private RPC for that pool for 60 minutes. (docs.flashbots.net)
- Oracle
  - If now − updatedAt > heartbeat − 10s → Alert Warning; > heartbeat → Alert Critical + pause sensitive ops.
  - If |primary − secondary|/mid > 0.5% for 3 consecutive rounds → Alert High + degrade LTVs until convergence. (docs.chain.link)
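The approval rules from Pillar 1 and the EVM drain rows above, as an added Python example (not the post's or 7Block Labs' code): it evaluates decoded Approval events against the 95%/80% balance share, the unknown‑spender definition and the 15‑minute burst rule. Addresses, balances, the high‑risk token list and the labeler records are constructed for the demo.

```python
from collections import defaultdict, namedtuple

# Thresholds taken from the post's drain rules (constructed config, not a library default).
BALANCE_SHARE = 0.95                     # allowance >= 95% of owner's balance
HIGH_RISK_SHARE = 0.80                   # stricter limit for stablecoins/LSTs/bluechips
BURST_COUNT, BURST_WINDOW = 3, 15 * 60   # >=3 distinct tokens to one spender in 15 min
HIGH_RISK_TOKENS = {"USDC", "WETH"}      # constructed high-risk token list
UNLIMITED = 2**256 - 1                   # the usual "infinite" approval value

# One decoded ERC-20 Approval(owner, spender, value) event; ts = block timestamp (unix seconds).
Approval = namedtuple("Approval", "owner spender token value ts")
# What the labeler knows about a spender address.
SpenderInfo = namedtuple("SpenderInfo", "verified tx_count first_seen_days")

def is_unknown_spender(spender, info, allowlist):
    """'Unknown spender' per the post: not allowlisted, and unverified, <200 txs or <7 days old."""
    if spender in allowlist:
        return False
    if info is None:                      # never seen by the labeler at all
        return True
    return (not info.verified) or info.tx_count < 200 or info.first_seen_days < 7

def evaluate_approvals(events, balances, spenders, allowlist):
    """Return (severity, rule, event) for every approval that trips a drain rule."""
    alerts, recent = [], defaultdict(list)          # recent: spender -> [(ts, token)]
    for ev in sorted(events, key=lambda e: e.ts):
        unknown = is_unknown_spender(ev.spender, spenders.get(ev.spender), allowlist)
        share = HIGH_RISK_SHARE if ev.token in HIGH_RISK_TOKENS else BALANCE_SHARE
        balance = balances.get((ev.owner, ev.token), 0)   # read from state, not the event
        if unknown and balance > 0 and ev.value >= share * balance:
            alerts.append(("High", "abnormal_allowance", ev))
        # Burst rule: distinct tokens approved to the same spender inside the window
        window = [(t, tok) for t, tok in recent[ev.spender] if ev.ts - t <= BURST_WINDOW]
        window.append((ev.ts, ev.token))
        recent[ev.spender] = window
        if len({tok for _, tok in window}) >= BURST_COUNT:
            alerts.append(("High", "approval_burst", ev))
    return alerts

def sample_alerts():
    """Constructed scenario: one allowlisted router approval, then a three-token drainer sequence."""
    alice, router, drainer = "0xAlice", "0xRouter", "0xDrainer"   # constructed addresses
    balances = {(alice, "USDC"): 10_000, (alice, "WETH"): 5, (alice, "DAI"): 100}
    spenders = {router: SpenderInfo(True, 5_000_000, 900.0)}       # drainer: no labeler record
    events = [Approval(alice, router, "USDC", UNLIMITED, 1000),
              Approval(alice, drainer, "USDC", UNLIMITED, 1100),
              Approval(alice, drainer, "WETH", 1, 1200),
              Approval(alice, drainer, "DAI", 50, 1300)]
    return evaluate_approvals(events, balances, spenders, {router})
```

The unlimited USDC approval to the unlabeled spender fires the allowance rule, and the third distinct token inside 15 minutes fires the burst rule even though its own allowance is small.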
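The triplet pattern and sliding‑window pool risk score from Pillar 2 and the sandwich rows above, as an added Python example (not the post's own code): it finds A‑buy / victim / A‑sell triplets per block and pool, requires A to net positive and the victim to overpay, and scores pools over the last 50 swaps. The searcher label, victims, prices and the 10 bps harm floor are constructed.

```python
from collections import defaultdict, deque, namedtuple

RISK_WINDOW = 50       # pool risk score counts sandwiches over the last 50 swaps
RISK_THRESHOLD = 3     # >3 in the window -> clamp slippage / force private RPC for the pool
MIN_IMPACT_BPS = 10    # constructed "x bps" harm floor for the victim (tune per pool)

# One decoded swap; index = position in the block; price = quote paid/received per unit of X.
Swap = namedtuple("Swap", "block index pool sender side price")

def find_sandwiches(swaps):
    """Return (searcher, victim_swap, impact_bps) for A-buy / victim-buy / A-sell triplets
    on the same pool inside one block where A nets positive and the victim overpays."""
    groups = defaultdict(list)
    for s in swaps:
        groups[(s.block, s.pool)].append(s)
    found = []
    for group in groups.values():
        group.sort(key=lambda s: s.index)
        for i, front in enumerate(group):
            if front.side != "buy":
                continue
            # A's back-run sell after the front-run buy; everything between is a candidate victim
            back = next((s for s in group[i + 1:] if s.sender == front.sender and s.side == "sell"), None)
            if back is None or back.price <= front.price:     # no sell, or A did not profit
                continue
            for v in group[i + 1:group.index(back)]:
                impact = (v.price - front.price) / front.price * 1e4   # bps victim paid above A's entry
                if v.sender != front.sender and v.side == "buy" and impact >= MIN_IMPACT_BPS:
                    found.append((front.sender, v, round(impact, 1)))
    return found

def pools_to_protect(swaps):
    """Sliding-window risk score: pools with > RISK_THRESHOLD sandwiches in the last RISK_WINDOW swaps."""
    victims = {(v.block, v.pool, v.index) for _, v, _ in find_sandwiches(swaps)}
    windows = defaultdict(lambda: deque(maxlen=RISK_WINDOW))
    for s in sorted(swaps, key=lambda s: (s.block, s.index)):
        windows[s.pool].append(1 if (s.block, s.pool, s.index) in victims else 0)
    return {pool for pool, w in windows.items() if sum(w) > RISK_THRESHOLD}

def sample_swaps():
    """Constructed block stream: four sandwiches on one pool plus a harmless block on another."""
    swaps, searcher, pool = [], "0xSearcher", "WETH/USDC"     # constructed labels
    for b in range(100, 104):
        swaps += [Swap(b, 0, pool, searcher, "buy", 3000.0),
                  Swap(b, 1, pool, f"0xVictim{b}", "buy", 3010.0),   # victim pays +33 bps
                  Swap(b, 2, pool, searcher, "sell", 3015.0)]
    swaps += [Swap(104, 0, "WBTC/USDC", "0xAlice", "buy", 60000.0),
              Swap(104, 1, "WBTC/USDC", "0xBob", "sell", 60010.0)]
    return swaps
```

`pools_to_protect` is what the router consults before choosing public vs. private submission for a given pool.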
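The three oracle tiers from Pillar 3 and the oracle rows above, as an added Python example (not the post's or any provider's code): per‑feed staleness with the 10 s warning grace, deviation against the feed's own threshold, a Pyth‑style confidence check, a 3‑round divergence streak, and the stale‑primary flip that never blends. Feed names and thresholds are constructed placeholders.

```python
from collections import namedtuple

STALE_GRACE = 10          # seconds before the heartbeat expires: Warning; past it: Critical
DIVERGENCE = 0.005        # |primary - secondary| / mid > 0.5% ...
DIVERGENCE_ROUNDS = 3     # ... for 3 consecutive rounds -> High, degrade LTVs
CONF_RATIO = 0.005        # Pyth-style: conf / price > 0.5% -> degrade leverage

# Per-feed config: heartbeat and deviation threshold differ per asset and provider.
Feed = namedtuple("Feed", "name heartbeat deviation")
# One oracle round; conf is the confidence interval (0 for push feeds without one).
Round = namedtuple("Round", "price updated_at conf")

def staleness_alert(feed, rnd, now):
    """Per-feed freshness check on updatedAt vs. that feed's own heartbeat."""
    age = now - rnd.updated_at
    if age > feed.heartbeat:
        return "Critical"                   # pause sensitive ops
    if age > feed.heartbeat - STALE_GRACE:
        return "Warning"                    # about to go stale
    return None

def deviation_alert(feed, prev, cur):
    """Price moved more than the feed's deviation threshold since the last round."""
    return "High" if abs(cur.price - prev.price) / prev.price > feed.deviation else None

def confidence_alert(rnd):
    """Confidence band too wide relative to price: widen liquidation thresholds / cut leverage."""
    return "Degrade" if rnd.price > 0 and rnd.conf / rnd.price > CONF_RATIO else None

class DivergenceMonitor:
    """Counts consecutive rounds where two providers disagree by more than DIVERGENCE."""
    def __init__(self):
        self.streak = 0
    def observe(self, primary_price, secondary_price):
        mid = (primary_price + secondary_price) / 2
        self.streak = self.streak + 1 if abs(primary_price - secondary_price) / mid > DIVERGENCE else 0
        return "High" if self.streak >= DIVERGENCE_ROUNDS else None

def choose_read(primary, p_round, secondary, s_round, now):
    """Flip to the secondary feed when the primary is stale and the secondary fresh; never blend."""
    p_stale = staleness_alert(primary, p_round, now) == "Critical"
    s_stale = staleness_alert(secondary, s_round, now) == "Critical"
    if p_stale and s_stale:
        return ("pause", None)              # both stale: circuit breaker, no price
    if p_stale:
        return (secondary.name, s_round.price)
    return (primary.name, p_round.price)
```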
What changed in 2025 you must reflect in dashboards
- EIP‑7702 is live on mainnet (Pectra). Your simulators/monitors must parse 0x04 set‑code transactions and model delegated execution; drainer kits reportedly leverage 7702 to compress multi‑asset drains into one user signature. (theblock.co)
- Sandwich extraction on Ethereum dropped, but attacks didn’t; user harm remains. Don’t treat “lower extraction” as “lower risk.” (cointelegraph.com)
- Spam/MEV bots consume added throughput, shifting the bottleneck from bandwidth to incentives; watch orderflow paths and migrate users to private RPCs by default for sensitive flows. (theblock.co)
- Solana MEV is material; if you’re cross‑chain, mirror sandwich dashboards and validator lists. (solanacompass.com)
30/60/90‑day rollout plan
- Days 1–30: Baselines and blocklists
  - Integrate Tenderly Alerts for Approval/Permit/7702; import drainer blocklists; ship revoke UX.
  - Wire primary oracle freshness checks per‑feed heartbeat and deviation (pull metadata from providers). (docs.chain.link)
- Days 31–60: Private orderflow + playbooks
  - Default your router/wallet to Flashbots Protect or MEV Blocker; expose “privacy vs. refund” toggle.
  - Build circuit breakers: pause/flip‑feed automation via on‑chain executors. (docs.flashbots.net)
- Days 61–90: Cross‑feed reconciler and OEV pilot
  - Compare Chainlink/Pyth/Chronicle for top 10 assets; institute divergence thresholds and LTV degradation curves.
  - Pilot OEV capture/private push‑updates for your price pusher (where applicable). (docs.cow.fi)
KPIs to track weekly
- Drains: time‑to‑revoke (median), % auto‑revoked within 10 minutes, number of high‑risk approvals blocked, loss averted (est.).
- Sandwich: share of protected routing, average user slippage improvement vs. public mempool route, refunds returned to users. (docs.flashbots.net)
- Oracles: stale‑read incidents, divergence events caught pre‑liquidation, time‑to‑pause, false‑positive rate.
Notes on standards and documentation
- EIP‑712 (typed‑data) and ERC‑2612 (Permit) underpin many phishing drains; ensure your signing prompts are human‑readable and your backend decodes and logs domainSeparator and nonces to trace replay attempts. (eips.ethereum.org)
- Chronicle and Chainlink document deviation/heartbeat patterns; Pyth publishes confidence intervals; design monitors that reflect each model rather than normalizing away important differences. (docs.chroniclelabs.org)
Final takeaway for decision‑makers
Dashboards that merely “visualize” blockspace won’t cut it. You need policy‑backed alerts that trigger automatic user rescues, private orderflow by default for sensitive swaps, and oracle circuit breakers that respect each provider’s model. With the rules and references above—and a 90‑day plan—you can measurably cut losses from drains, slash sandwich harm, and stop oracle incidents before they become headlines.
7Block Labs builds and runs these systems end‑to‑end: data plane, detection, UX, and runbooks. If you want a pilot that shows loss‑aversion ROI in under 30 days, we’re ready.
References and sources:
- Pectra/EIP‑7702 status and semantics. (theblock.co)
- Drainer scale and 7702‑based attack reports. (bleepingcomputer.com)
- Sandwich trends and MEV congestion. (cointelegraph.com)
- Solana MEV figures and governance actions. (solanacompass.com)
- Oracle monitoring guidance (Chainlink/Pyth/Chronicle/Binance Oracle) and 2025 incident post‑mortems. (docs.chain.link)
- Mitigations and tooling (Flashbots Protect, MEV Blocker, Forta, Tenderly). (docs.flashbots.net)