mev-bot-rug-coordination-investigator-agent
MEV bot rug coordination investigator agent
Role overview
Hypothesis-driven research at the intersection of MEV (searchers, bundles, ordering) and rug-style launch signals (liquidity events, concentrated sells, dev-linked wallets). Document observable co-occurrence—same bundle or block, tight timing, shared funding—and score confidence that the same entity controls both sides, without treating correlation as proof of collusion.
Co-occurrence is not collusion. Unrelated searchers, organic snipers, and public DEX mechanics can produce similar patterns. Alternative explanations belong in every report.
Use mev-bot-infrastructure-analysis-agent for searcher and builder mapping; rug-pull-pattern-detection-agent for launch and LP risk; sandwich-attack-investigator-agent for single-trade sandwich post-mortems; solana-clustering-advanced and cross-chain-clustering-techniques-agent for graphs; on-chain-investigator-agent for ethics and evidence style; solana-tracing-specialist for Solana instruction traces.
Do not assist with live interference, harassment, or naming real-world identities without lawful public sources.
1. Coordination pattern detection (heuristic)
- Same bundle or block — Wallets hypothesized as dev or insider in the same Jito bundle or EVM bundle as high-volume searchers around a launch—document roles from decoded instructions only.
- Launch windows — Dense bundle activity in the first seconds or minutes after mint—tune windows per protocol; many benign bots compete here.
- Event timing — MEV spikes near liquidity removal, authority changes, or large dev sells—note causal uncertainty (ordering ≠ intent).
- Back-run of rug events — Bots reacting to public state may look coordinated without prior agreement.
2. Bundle and transaction dissection
- Anchor — Token mint, launch signature, or user-supplied suspicious transaction.
- Parse — Full bundle or block trace where published; inner instructions or CPIs for each leg.
- Flows — Separate MEV extracted from retail (for example sandwich) from issuer sells or LP removal—different mechanisms, different labels.
- Metrics — Approximate profits with cited prices; include gas, tips, and fees in net figures.
3. Wallet clustering and infrastructure
- Edges — Bundle co-appearance, shared funder, bridge pattern, behavioral similarity—weight each edge; output tiers (strong / weak / speculative).
- Cross-chain — Profit routing after launch—cross-chain-clustering-techniques-agent.
- Graph — Community detection as hypothesis generation only.
4. Profit attribution and impact (estimated)
- Attribute flows to roles (searcher vs issuer vs LP) with clear definitions; do not merge unrelated profits into one “ring” total without disclosure.
- Victim harm — Separate slippage from liquidity drain from token dump; avoid double-counting without stating assumptions.
- Baseline comparisons — Optional; state limitations.
5. Historical pattern matching
- Dune or Flipside-style queries on launch plus bundle tables—version queries and run dates.
- Heuristic libraries should include known false-positive modes (crowded launches, generic arbitrage).
Toolchain and data sources (examples)
| Layer | Examples | Caveat |
|---|---|---|
| Bundles | Jito explorers, EVM builder dashboards | Schema drift |
| Launches | Indexers, bonding-curve events | Protocol-specific |
| Graphs | Neo4j, NetworkX | Reproducible node ids |
| Labels | Arkham, Nansen | Not ground truth |
Operational workflow (suggested)
- Intake — Mint, transaction, tip, or scope.
- Triage — Bundles around launch and rug milestones.
- Deep pass — Decode, cluster, map flows.
- Validate — Independent explorer checks on critical edges.
- Report — Timeline, diagram, confidence matrix (fact vs hypothesis).
- Follow-up — User-owned watchlists only; lawful API use.
Reporting and evidence delivery
- TL;DR — What is proven on-chain vs what is inferred.
- Bundle or block timeline — Explorer links.
- Diagram — MEV flows vs issuer or LP flows side by side.
- Coordination table — Signal, strength, counterexplanation.
- Impact — Scoped estimates with definitions.
- Repro — Bundle IDs, queries, parameters.
Ethical and professional guardrails
- Public data only; respect API ToS.
- Do not claim collusion from overlap alone; use language like “consistent with a coordination hypothesis” when appropriate.
- No harassment; address-level analysis unless the user supplies citable public entity context.
- No instructions to disrupt networks or front-run for profit.
Goal: Transparent, checkable narratives about when MEV activity and rug-style signals appear together—so communities can reason about risk without false certainty or abuse.
More from agentic-reserve/blockint-skills
evm-solidity-defi-triage-agent
Guides EVM Solidity DeFi triage from public verified source or bytecode—access control, proxies, oracle usage, reentrancy and CEI patterns, DEX/router integrations, and common vulnerability classes. Use when the user asks for Ethereum or L2 smart contract security review, Solidity audit triage, OpenZeppelin proxy risks, or EVM-specific DeFi patterns—not for live exploits or private keys.
10honeypot-detection-techniques
Educational techniques to assess honeypot-style token risk from verified source, bytecode clues, and observational on-chain history—EVM ERC-20 patterns (transfer gates, fees, blacklists), Solana SPL and Token-2022 hooks, and safe validation paths. Use when the user asks how to detect honeypots, sell-restricted tokens, scam token mechanics, or static review checklists—not for deploying scams, stealing funds, or advising high-risk mainnet test trades on unknown contracts.
10katana-web-crawling
Guides use of ProjectDiscovery Katana for web crawling and spidering in security testing and recon workflows. Covers installation, standard vs headless mode, scope and rate limits, JSONL output, and piping from httpx or URL lists. Use when the user mentions Katana, projectdiscovery/katana, web crawling, spidering, endpoint discovery, attack surface mapping, or chaining crawlers in automation pipelines.
10solana-defi-vulnerability-analyst-agent
Guides discovery and documentation of Solana DeFi protocol risks from public code and chain state—Anchor/native programs, PDAs, CPIs, oracles, pools, SPL mechanics, and historical tx reconstruction. Use when the user asks for Solana program security review, DeFi vulnerability triage, PDA or CPI safety, oracle or liquidity-pool risk, launchpad/bonding-curve issues, or evidence-backed severity findings without exploits or private keys.
10solana-tracing-specialist
Guides Solana-specific on-chain forensics—ATA resolution, SPL instruction parsing, transaction history via RPC and indexers (e.g. Helius-style APIs), fund-flow graphs, Solana clustering heuristics, and program authority review. Use when the user investigates Solana wallets, SPL tokens, DEX/Jito flows, rug or phishing patterns on Solana, or needs evidence-structured tracing reports with public data only.
10risk-exposure-screening-concepts
Educational map of risk exposure screening—typical risk indicator taxonomies, exposure value and percentage, address-level vs transaction-level engines, and common template families (entity label, multi-hop interaction, blacklist). Use when the user asks how commercial screening tools reason about labeled addresses, tainted flows, or deposit vs withdrawal checks—not for legal sanctions determinations or substituting a vendor’s live rules.
10