By AUJay
Web3 Blockchain Intelligence Dashboards: Alerts for Drains, Sandwiching, and Oracle Anomalies
A Practical Guide for Building On-Chain Security Dashboards in 2025
If you're looking to create security dashboards that genuinely help prevent losses, you’ve come to the right place. This guide has everything you need to detect wallet drainers (including EIP‑7702 flows), flag MEV sandwiching in real-time, and catch oracle anomalies before they lead to unwanted liquidations. It’s crafted for both startup and enterprise leaders who are focused on shipping on-chain products across EVM and Solana.
What You’ll Learn
- Detecting Wallet Drainers: We’ll dive into how to identify those sneaky wallet drainers using EIP‑7702 flows.
- Real-Time MEV Sandwiching Alerts: Get the lowdown on identifying and flagging MEV sandwiching as it happens.
- Catching Oracle Anomalies Early: Learn the tricks to spot potential oracle anomalies before they spiral into major liquidations.
Why It Matters
As the landscape of blockchain technology evolves, so do the threats. By setting up these dashboards, not only can you stop losses, but you can also build trust with your users, ensuring they feel secure using your platform.
Getting Started
- Tools and Technologies: Familiarize yourself with the essential tools and frameworks you’ll need for building these dashboards.
- Integration Tips: We’ll cover how to seamlessly integrate these solutions into your existing workflows.
- Proactive Monitoring: Understand the importance of continuous monitoring and how it can protect your on-chain assets.
With this practical guide, you’ll be well-equipped to enhance your on-chain security measures and create a safer environment for everyone involved. Let’s get started!
Why this matters now
- Ethereum’s Pectra upgrade on May 7, 2025, rolled out EIP‑7702, which allows externally owned accounts (EOAs) to temporarily delegate execution to contract code. This is fantastic for user experience, but it does open up a new risk for “single-signature” drains if you’re not on top of your monitoring game. (theblock.co)
- The dynamics of MEV have shifted quite a bit: Flashbots pointed out that spam and MEV bots are now able to gobble up the additional throughput from new setups like Base. It turns out that congestion is becoming more of an economic issue rather than just a technical one. Even as extraction declines, we’re still seeing a high number of MEV-driven sandwich attacks. (theblock.co)
- On the oracle front, risks have ramped up with more multi-provider setups and changing heartbeats/deviation thresholds. Several incidents in 2025 have demonstrated that even a “stale by seconds” situation or discrepancies between feeds can lead to shutdowns and a chain reaction of liquidations. (docs.chain.link)
In this post, we'll break down what you should keep an eye on, the thresholds you need to establish, and how to set everything up in dashboards that will alert PagerDuty or Slack before any actual money changes hands.
Scope
Let's dive into the three main pillars of alerts. We'll break down the specific rules, set some clear thresholds, and share a few sample signals for you to check out:
- Drains (watch out for permit/approval phishing and those 7702‑enabled drains)
- Sandwiching (keep an eye on front‑run/back‑run patterns in EVM and Solana)
- Oracle anomalies (be mindful of stale, deviant, or conflicting prices)
We’re going to throw in an implementation blueprint as well, covering everything from data and tools to the rollout plan.
Pillar 1 -- Drains: approvals, permits, and EIP‑7702
Attackers don’t always rely on protocol bugs to drain wallets. Instead, they often depend on:
- ERC‑20 approvals: This refers to those sneaky approval events that allow malicious spenders to take advantage of your tokens.
- Permit signatures (EIP‑2612/EIP‑712) can be captured off-chain and submitted later on. You can check out more about this here.
- EIP‑7702 introduces “programmable EOAs.” Unfortunately, some drainer kits are now taking advantage of this by batching multiple transfers from a single signature, slipping past incomplete simulators. For more details, take a look at this LinkedIn article.
Drainer activity is still a big issue: in 2024, around $494 million was drained according to Scam Sniffer data. Moving into 2025, vendors are noticing fresh waves of attacks and some upgrades to the tools being used, like the new Angelferno and Angel Drainer variants. (bleepingcomputer.com)
What to alert on (minimum viable rules)
- Abnormal approvals
- You’ve got an ERC‑20 approval to an unknown or new spender that's more than 95% of the owner's token balance, or over 1.1 times the owner's biggest single spend in the last 7 days.
- If there’s a burst of 3 or more different token approvals to the same spender within just 15 minutes, that’s a red flag.
- When an allowance is set using Permit, and then a spend happens in the same block or within 2 blocks--watch out for this common draining pattern. You can use EIP‑712 typed-data decoding to figure out who the off-chain signer is. (eips.ethereum.org)
- 7702 patterns (post‑Pectra)
- Keep an eye out for transactions of type 0x04 (Set Code) that authorize a list pointing to some unknown code, especially if there are immediate calls to transfer ERC‑20/721/1155 tokens. If the authorized code is new or unverified (less than 24 hours old), that’s a cause for concern. (eips.ethereum.org)
- Any 7702 transaction that interacts with 3 or more token contracts for the same signer in a single block should raise your alarms. Vendors have noted that attackers are using 7702 to pull off “one-shot” multi-asset drains while many simulators are still catching up. (linkedin.com)
- Known drainer infrastructure
- If a spender or destination address pops up on curated lists of drainers or affiliates (like Scam Sniffer or vendor intel), take note. Make sure to refresh these lists every 6 hours. After the toolkit consolidation in 2024-2025, label these as “Angel/Inferno lineage.” (theblock.co)
Tip: Monitor approvals at both the event level and the state level. Always check the post-event allowance, because some drainers emit an Approval event but manipulate the real state through proxies.
Helpful thresholds you can justify to risk teams
- An “unknown spender” is basically an address that doesn’t have verified code, has fewer than 200 historical transactions, was first spotted less than 7 days ago, or isn’t on your allowlist.
- The “high-risk tokens” list includes stablecoins, LSTs, and bluechip tokens. Set stricter limits for these (for example, an 80%-of-balance threshold), since their liquidity makes any major withdrawal practically irreversible.
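As an added example (not 7Block Labs' code), here are the three approval rules above, together with the unknown-spender definition, implemented as a small detector over a constructed, already-decoded event stream; the `Spender` metadata fields and the event field names are assumptions about what your indexer provides:

```python
"""Minimum viable drain rules over a decoded Approval/Permit/transferFrom stream.

Added example, not 7Block Labs' code. Events are a constructed, simplified log stream;
in production they come from your indexer or Tenderly/Forta, and `balance` is the
owner's post-event token balance read from state, not trusted from the log alone.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

UNKNOWN_MIN_TXS = 200                      # fewer historical txs than this -> unknown spender
UNKNOWN_MAX_AGE_DAYS = 7                   # first seen less than 7 days ago -> unknown spender
BALANCE_SHARE = 0.95                       # approval >= 95% of the owner's balance
BURST_COUNT, BURST_WINDOW_S = 3, 15 * 60   # 3+ tokens to one spender within 15 min
PERMIT_SPEND_BLOCKS = 2                    # Permit followed by a spend within 2 blocks

@dataclass
class Spender:
    verified_code: bool
    tx_count: int
    age_days: float
    allowlisted: bool = False

def is_unknown(s: Spender) -> bool:
    """Allowlisted spenders are known; otherwise any one weak signal marks the spender unknown."""
    if s.allowlisted:
        return False
    return not s.verified_code or s.tx_count < UNKNOWN_MIN_TXS or s.age_days < UNKNOWN_MAX_AGE_DAYS

@dataclass
class DrainDetector:
    spenders: dict[str, Spender]
    approvals: dict = field(default_factory=lambda: defaultdict(list))  # spender -> [(ts, token)]
    pending_permits: dict = field(default_factory=dict)   # (token, owner, spender) -> permit block

    def process(self, ev: dict) -> list[tuple[str, str]]:
        """Evaluate one decoded event; return the (severity, rule) alerts it raises."""
        alerts = []
        meta = self.spenders.get(ev["spender"], Spender(False, 0, 0.0))   # unseen -> unknown
        key = (ev["token"], ev["owner"], ev["spender"])
        if ev["kind"] in ("approval", "permit"):
            # Rule 1: near-total allowance granted to an unknown spender.
            if is_unknown(meta) and ev["value"] >= BALANCE_SHARE * ev["balance"]:
                alerts.append(("HIGH", "approval_ge_95pct_balance_to_unknown_spender"))
            # Rule 2: 3+ distinct tokens approved to the same spender within 15 minutes.
            hist = self.approvals[ev["spender"]]
            hist.append((ev["ts"], ev["token"]))
            recent = {tok for ts, tok in hist if ev["ts"] - ts <= BURST_WINDOW_S}
            if len(recent) >= BURST_COUNT:
                alerts.append(("HIGH", "approval_burst_same_spender"))
            if ev["kind"] == "permit":
                self.pending_permits[key] = ev["block"]
        elif ev["kind"] == "transferFrom":
            # Rule 3: a Permit-set allowance spent in the same block or within 2 blocks.
            permit_block = self.pending_permits.pop(key, None)
            if permit_block is not None and ev["block"] - permit_block <= PERMIT_SPEND_BLOCKS:
                alerts.append(("CRITICAL", "permit_then_spend_within_2_blocks"))
        return alerts

# Constructed spender metadata and event stream (placeholder addresses, not real ones).
SPENDERS = {
    "0xROUTER": Spender(verified_code=True, tx_count=50_000, age_days=400, allowlisted=True),
    "0xFRESH": Spender(verified_code=False, tx_count=12, age_days=1.5),
}
EVENTS = [
    {"kind": "approval", "block": 100, "ts": 1000, "token": "USDC", "owner": "0xALICE",
     "spender": "0xROUTER", "value": 2**256 - 1, "balance": 5_000},
    {"kind": "approval", "block": 101, "ts": 1012, "token": "USDC", "owner": "0xBOB",
     "spender": "0xFRESH", "value": 2**256 - 1, "balance": 5_000},
    {"kind": "approval", "block": 101, "ts": 1012, "token": "WETH", "owner": "0xBOB",
     "spender": "0xFRESH", "value": 10**18, "balance": 10**18},
    {"kind": "permit", "block": 102, "ts": 1024, "token": "stETH", "owner": "0xBOB",
     "spender": "0xFRESH", "value": 3 * 10**18, "balance": 3 * 10**18},
    {"kind": "transferFrom", "block": 103, "ts": 1036, "token": "stETH", "owner": "0xBOB",
     "spender": "0xFRESH", "value": 3 * 10**18, "balance": 0},
]

def run(events=EVENTS, spenders=SPENDERS) -> list[tuple[int, str, tuple[str, str]]]:
    """Replay the stream; return (block, owner, alert) for every alert raised."""
    det = DrainDetector(spenders)
    return [(ev["block"], ev["owner"], a) for ev in events for a in det.process(ev)]
```

On the constructed stream, Alice's infinite approval to the allowlisted router raises nothing, while Bob's approvals to the fresh spender trip rule 1 on each token, rule 2 on the third token, and rule 3 when the Permit is spent one block later.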
Response playbook
- Send an auto-DM to the wallet through your app’s notifications with a simple one-click revoke flow (you can deep-link to Etherscan’s Token Approval Checker or use your own revoke UI). (support.opensea.io)
- If the user is already in the app, hold off on any further swaps until the revokes are confirmed on-chain.
- Kick off a Web3 Action to pre-fund those gas rebates for revocation (a little investment now can save you a lot later).
- If you spot a known drainer, share the info on a community abuse feed to help the whole ecosystem respond more quickly.
Tools that shorten time‑to‑value
- Tenderly Alerts: Set up event-parameter rules for Approval (owner, spender, value) with those handy thresholds, plus you can integrate webhooks to PagerDuty. It plays nice across different chains and even lets you tag for grouping those VIP wallets. Check out the details here.
- Forta “Attack Detector”: Think of it as a super-accurate overlay that connects the dots between funding, prep, and exploitation stages across bots. You can funnel this into your SIEM for some solid incident stitching. Dive into the specifics here.
Pillar 2 -- Sandwiching: detection and mitigation
Reality Check in Late 2025:
- EigenPhi’s analysis reveals that Ethereum sandwich extraction dropped to about $2.5M a month by October 2025, even though the number of attacks remained pretty high--around 60,000 to 90,000 each month. These attacks are mostly concentrated among a few players, like “Jared.” With lower profits per attack, bots are just spamming more widely. (cointelegraph.com)
- Flashbots and others have identified some economic congestion patterns: on Base, it seems two bots are responsible for most of the spam, while on Solana, the share of blockspace for MEV is pretty high. It’s a good idea to keep an eye on not just profits but also the user experience and latency on your dashboards. (theblock.co)
- In the Solana community, data indicates that hundreds of millions have been extracted through sandwiching over the past 16 months. Validator behavior and governance regarding blacklists are playing a big role in how exposure is managed. If you’re dealing with cross-chain users, make sure your protections are aligned accordingly. (solanacompass.com)
What to alert on (pattern signals)
- Triplet pattern in the same block: Here’s how it goes: Attacker A snags token X before the victim's swap happens, then the victim's swap executes, and finally, Attacker A sells X afterward. We're looking at identical pools and paths, with gas price differences that are either above or below the usual competitor standards.
- Multi‑victim variation: This is where things get interesting! The same searcher targets two or more victims within a small number of blocks, using some clever liquidity tricks in the middle (think adding or removing liquidity on Uniswap V3 between transactions). EigenPhi has even reported on these “new recipes.” Check it out here!
- User‑harm metric: So, what does user harm look like? It's when the realized slippage is greater than what the user set as their maximum by at least 50% OR when the final execution price falls outside the user’s protected quote band when they came through your router.
Operationalize with:
- Sliding window per pool: If there are more than 3 sandwiches in the last 50 swaps, we'll clamp down the router slippage to a range of 0.1-0.3% and suggest using MEV-protected routing.
- Wallet-side MEV protection defaults: For those big trades, let’s route swaps through private order flow using Flashbots Protect or MEV Blocker RPC. Plus, we should include an option to toggle between “max refund vs. max privacy.” Check out the details here: (docs.flashbots.net)
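Added example, not the article's or any vendor's code: the same-block triplet rule above, generalized to both sandwich directions (front-run buy or front-run sell), plus the per-pool sliding window that trips the slippage clamp and private-routing response; the swap record fields are assumed decoded DEX events, and gas cost is ignored.

```python
"""Same-block sandwich triplet detector and per-pool sliding risk window.

Added example, not the article's or any vendor's code. Swaps are constructed decoded
DEX events: `price` is the quote-per-X price the swap executed at, `amount` is in X.
"""
from collections import defaultdict, deque
from itertools import groupby

IMPACT_BPS = 30                  # victim executed worse than the pre-sandwich price by > x bps
WINDOW, MAX_SANDWICHES = 50, 3   # more than 3 sandwiched swaps in the last 50 -> clamp/reroute

def quote_flow(s: dict) -> float:
    """Quote received (+) or paid (-) by a swap of `amount` X at `price`."""
    return s["amount"] * s["price"] * (1 if s["side"] == "sell" else -1)

def victim_impact_bps(v: dict, ref_price: float) -> float:
    """How much worse than the pre-sandwich price the victim executed, in bps."""
    sign = 1 if v["side"] == "buy" else -1   # buyers are hurt by higher, sellers by lower prices
    return sign * (v["price"] - ref_price) / ref_price * 1e4

def find_sandwiches(block_swaps: list, ref_price: float) -> list:
    """A->front, victim(s), A->back on one pool in one block; returns (attacker, victim, profit, bps)."""
    swaps = sorted(block_swaps, key=lambda s: s["idx"])
    found = []
    for i, front in enumerate(swaps):
        for k in range(i + 2, len(swaps)):          # leave room for at least one victim between
            back = swaps[k]
            if back["sender"] != front["sender"] or back["side"] == front["side"]:
                continue
            victims = [v for v in swaps[i + 1:k]
                       if v["sender"] != front["sender"] and v["side"] == front["side"]]
            profit = quote_flow(front) + quote_flow(back)   # attacker's net quote, gas ignored
            for v in victims:
                impact = victim_impact_bps(v, ref_price)
                if profit > 0 and impact > IMPACT_BPS:
                    found.append((front["sender"], v["sender"], profit, impact))
            break                                     # first back-run closes this front-run
    return found

class PoolRiskWindow:
    """Keeps a 1/0 'sandwiched' flag for the last WINDOW swaps of each pool."""
    def __init__(self):
        self.flags = defaultdict(lambda: deque(maxlen=WINDOW))
        self.last_price = {}     # pool -> price of the last swap seen (the reference price)

    def ingest_block(self, swaps: list) -> tuple:
        """Process one block; return (sandwiches found, pools to clamp and reroute)."""
        hits, actions = [], []
        by_pool = sorted(swaps, key=lambda s: (s["pool"], s["idx"]))
        for pool, grp in groupby(by_pool, key=lambda s: s["pool"]):
            grp = list(grp)
            ref = self.last_price.get(pool, grp[0]["price"])
            pool_hits = find_sandwiches(grp, ref)
            victims = {v for _, v, _, _ in pool_hits}
            for s in grp:
                self.flags[pool].append(1 if s["sender"] in victims else 0)
            self.last_price[pool] = grp[-1]["price"]
            hits += pool_hits
            if sum(self.flags[pool]) > MAX_SANDWICHES:
                actions.append(pool)   # clamp slippage to 0.1-0.3% and route via private RPC
        return hits, actions

def make_block(block: int, pool: str, ref: float, sandwich: bool) -> list:
    """Constructed block: optional (A buy, victim buy, A sell) triplet plus one benign swap."""
    a, v = "0xSEARCHER", f"0xVICTIM{block}"
    swaps = []
    if sandwich:
        swaps += [dict(block=block, idx=0, pool=pool, sender=a, side="buy", amount=10.0, price=ref * 1.001),
                  dict(block=block, idx=1, pool=pool, sender=v, side="buy", amount=5.0, price=ref * 1.008),
                  dict(block=block, idx=2, pool=pool, sender=a, side="sell", amount=10.0, price=ref * 1.006)]
    swaps.append(dict(block=block, idx=3, pool=pool, sender="0xRETAIL", side="sell", amount=1.0, price=ref))
    return swaps

def run(blocks: int = 6, sandwiched_blocks: int = 4) -> tuple:
    """Replay constructed blocks; return (all sandwiches, [(block, pool) rerouted])."""
    window = PoolRiskWindow()
    window.last_price["WETH/USDC"] = 3000.0
    hits, actions = [], []
    for b in range(1, blocks + 1):
        h, a = window.ingest_block(make_block(b, "WETH/USDC", 3000.0, b <= sandwiched_blocks))
        hits += h
        actions += [(b, p) for p in a]
    return hits, actions
```

With four sandwiched blocks in a row, the pool crosses the "more than 3 in the last 50 swaps" line at block 4 and stays rerouted for the following blocks while those victims remain inside the window.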
Mitigation you can deploy this quarter
- Private RPCs default for high-risk flows:
- Flashbots Protect: This provides a private mempool, optional MEV refunds, and some handy configurable hinting.
- MEV Blocker: Features multiple endpoints like /fullprivacy, offers rebates on backruns, uses the OFA model, and has a super easy “swap RPC URL” integration for wallets and routers. (docs.flashbots.net)
- Batch/intents for swaps: Consider using CoW Protocol or something similar to dodge that annoying FCFS ordering. When you pair it with protected submissions, you can keep your order flow under wraps. (cow-swap.com)
- Transparency dashboards:
- Get insights on the top searchers interacting with your users, track attack counts by pool, see the average user slippage delta compared to protected routing, and find out how much refund money has been captured.
- You can also tap into public datasets, like Eden’s MEV‑Share BigQuery mirror, to boost your internal metrics without the hassle of managing your own collectors. (docs.edennetwork.io)
Pillar 3 -- Oracle anomalies: stale, deviant, conflicting
When it comes to the priciest incidents in DeFi, the culprits are often oracle misuse, stale reads, or changes in feed methods. We've seen classic examples like Mango and some notable "edge" failures in 2025 that highlight just how crucial seconds and thresholds can be. (cftc.gov)
What to alert on (three tiers)
1) Staleness
- When it comes to updatedAt and heartbeat: if the difference between now and updatedAt is greater than heartbeat minus a tiny buffer (ε), it’s time to sound the alarm. Chainlink’s docs recommend keeping an eye on updatedAt and round freshness; just remember, heartbeats can vary across different assets and chains. (docs.chain.link)
- Each asset has its own heartbeat: avoid using a one-size-fits-all hour; some assets only have limits of 60 seconds or 10 minutes. Stale checks should be specific to each feed. A notable incident in 2025 highlighted how a tiny seconds mismatch led to some unwarranted shutdowns. (reports.zellic.io)
2) Deviation
- Deviation threshold breaches: If the price changes more than the configured deviation percentage since the last round, it's time to raise an alert. For lending and liquidations, you'll want to either require a TWAP or hit pause. Make sure your monitors reflect the deviation and heartbeat models from Chainlink, Scribe, and Binance. Check them out here.
- Confidence-aware reads (Pyth): When the confidence interval divided by the price exceeds α (like greater than 0.5%), consider scaling back leverage or broadening liquidation thresholds. A lot of protocols don’t take full advantage of confidence bands, so this is a good chance to step up your game. More info can be found here.
3) Cross-feed conflicts
- Primary and secondary sources (think Chainlink vs. Pyth vs. Chronicle) often disagree, and a mismatch that persists for more than N blocks is the signal to watch. Chronicle offers `readWithAge()` to check freshness; pull that into the same dashboard so operators don’t have to keep checking Etherscan manually. (docs.chroniclelabs.org)
- When you're planning any method updates, crank up the sensitivity. Many outages and attacks exploit the window around parameter or method changes, so set narrower guardrails during those intervals. (odaily.news)
Automatic circuit breakers (recommended)
- In the event of a breach, make sure to pause any sensitive functions like mints or borrows automatically. Chainlink really suggests using circuit breakers through Automation for this. Also, don’t forget that Chronicle/Scribe and Binance Oracle have their own deviation and heartbeat models--make sure to incorporate those into your guards. (docs.chain.link)
- If your primary data is stale but your secondary data is fresh, switch to the secondary for readings. Just make sure not to mix them without having confidence weights in place.
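The three oracle tiers and the two circuit-breaker rules above as one guard, added here as an example (not Chainlink's, Pyth's, Chronicle's or the article's code); the feed names, the `Read` shape and the four-round scenario are constructed:

```python
"""Per-feed oracle guards: staleness, deviation, confidence and cross-feed divergence.

Added example; not Chainlink's, Pyth's, Chronicle's or the article's code. Reads are
constructed; in production they come from latestRoundData()/readWithAge() and Pyth's
price+conf, with heartbeat and deviation taken from each provider's feed metadata.
"""
from dataclasses import dataclass, field

EPSILON_S = 10        # warn this many seconds before the heartbeat would be missed
CONF_ALPHA = 0.005    # Pyth conf/price above 0.5% -> de-risk (lower leverage / wider thresholds)
DIVERGENCE = 0.005    # |primary - secondary| / mid above 0.5% ...
DIVERGE_ROUNDS = 3    # ... for 3 consecutive rounds -> HIGH alert, reduce LTVs

@dataclass
class FeedConfig:
    heartbeat_s: int      # per feed, from the provider (not a one-size-fits-all hour)
    deviation: float      # provider deviation threshold, e.g. 0.005 == 0.5%

@dataclass
class Read:
    price: float
    updated_at: int       # unix seconds of the last update
    conf: float = 0.0     # Pyth-style confidence interval; 0 for Chainlink/Chronicle

@dataclass
class OracleGuard:
    cfg: dict                                   # feed name -> FeedConfig
    last: dict = field(default_factory=dict)    # feed name -> previous Read
    diverging_rounds: int = 0
    paused: bool = False

    def staleness(self, feed: str, r: Read, now: int):
        """None, 'WARNING' (within EPSILON_S of the heartbeat) or 'CRITICAL' (heartbeat missed)."""
        age, hb = now - r.updated_at, self.cfg[feed].heartbeat_s
        return "CRITICAL" if age > hb else "WARNING" if age > hb - EPSILON_S else None

    def check_feed(self, feed: str, r: Read, now: int) -> list:
        alerts = []
        level = self.staleness(feed, r, now)
        if level:
            alerts.append((level, f"{feed}:stale"))
        prev = self.last.get(feed)
        if prev and abs(r.price - prev.price) / prev.price > self.cfg[feed].deviation:
            alerts.append(("HIGH", f"{feed}:deviation_breach"))
        if r.conf / r.price > CONF_ALPHA:
            alerts.append(("MEDIUM", f"{feed}:wide_confidence_derisk"))
        self.last[feed] = r
        return alerts

    def evaluate(self, primary: str, secondary: str, reads: dict, now: int) -> tuple:
        """One round: (alerts, price to use, actions). Never averages stale with fresh reads."""
        alerts, actions = [], []
        for feed in (primary, secondary):
            alerts += self.check_feed(feed, reads[feed], now)
        p_stale = self.staleness(primary, reads[primary], now) == "CRITICAL"
        s_stale = self.staleness(secondary, reads[secondary], now) == "CRITICAL"
        if p_stale and not self.paused:
            self.paused = True                      # circuit breaker: pause mints/borrows
            actions.append("pause_mints_and_borrows")
        if p_stale and not s_stale:
            used = reads[secondary].price           # fail over only to a fresh secondary
            actions.append(f"failover_to_{secondary}")
        else:
            used = reads[primary].price
        p, s = reads[primary].price, reads[secondary].price
        diverged = abs(p - s) / ((p + s) / 2) > DIVERGENCE
        self.diverging_rounds = self.diverging_rounds + 1 if diverged else 0
        if self.diverging_rounds >= DIVERGE_ROUNDS:
            alerts.append(("HIGH", "cross_feed_divergence_3_rounds"))
            actions.append("reduce_ltv_until_converged")
        return alerts, used, actions

# Constructed scenario: Chainlink (1h heartbeat) goes stale while Pyth keeps updating and drifts.
CFG = {"chainlink:ETH/USD": FeedConfig(3600, 0.005), "pyth:ETH/USD": FeedConfig(60, 0.005)}
ROUNDS = [
    (10000, Read(3000.0, 9500), Read(3001.0, 9990, conf=3.0)),
    (13100, Read(3000.0, 9500), Read(3030.0, 13090, conf=3.0)),   # CL 3600s old: warn; Pyth +0.97%
    (13200, Read(3000.0, 9500), Read(3032.0, 13190, conf=20.0)),  # CL heartbeat missed; wide conf
    (13300, Read(3000.0, 9500), Read(3034.0, 13290, conf=5.0)),   # third divergent round in a row
]

def run(rounds=ROUNDS, cfg=CFG) -> list:
    """Replay the rounds; return per-round (alerts, price_used, actions)."""
    guard = OracleGuard(cfg)
    return [guard.evaluate("chainlink:ETH/USD", "pyth:ETH/USD",
                           {"chainlink:ETH/USD": cl, "pyth:ETH/USD": py}, now) for now, cl, py in rounds]
```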
Emerging practice: OEV capture and private updates
- Share oracle updates through private order flow (OEV capture) to ensure that arbitrage occurs in a controlled auction. This way, the value comes back to your protocol and users rather than being snatched up by bots. If you're looking to get into the nitty-gritty, the MEV Blocker has got you covered with detailed docs on OEV workflows for oracle integrators. Check it out here: (docs.cow.fi)
Research you can pilot
- LLM-assisted oracle manipulation detection (AiRacleX) has shown better recall for past incidents. Think of it as a helpful sidekick for triage and analysts, guiding you through your anomaly queues. Check it out here: (arxiv.org)
Architecture: what we deploy for clients
- Data Plane
- Node Access: Archive node access plus mempool (txpool) visibility, with tracing where the chain supports it.
- Event Streams: Keep an eye on Approval/Permit events, swaps, oracle RoundData updates, and logs for the 7702 tx type.
- Indexing: Push all that data to Kafka/PubSub and store it in an OLAP solution like BigQuery, ClickHouse, or Snowflake.
- Enrichment: Don’t forget about your labelers like Scam Sniffer, or any of your custom drainer/MEV lists. You can also explore the Eden MEV‑Share public datasets. (docs.edennetwork.io)
- Analytics + Alerting
- Rules Engine: Leverage Tenderly Alerts to trigger on specific events or parameters; Forta bots are great for tracking correlated phases; and you can use custom stream processors for cross-feed windows. (docs.tenderly.co)
- Playbooks: Set up Slack and PagerDuty notifications with runbooks for each pillar--like revoking to lock the UI, routing sandwich attacks via private RPC, or pausing and switching the feed for oracles.
- Prevention by Default
- For your wallet or router RPCs, they’ll default to Protect/MEV‑Blocker when you're doing high-value swaps. Plus, you can toggle “max privacy” and “max refund” modes in the settings. (docs.flashbots.net)
- Drains (EVM)
  - If `Approval.value` ≥ 0.95 × `ERC20.balanceOf(owner)` and the spender isn’t on the allowlist → send a High alert and attach a “Revoke now” deep link.
  - If `tx.type` is `0x04` and `authorization_list.length` ≥ 1, and `codeHash(authorized)` is unverified → send a Critical alert; if there are 3 or more token transfers in the call tree, block UI actions for that user until a review is done. (eips.ethereum.org)
- Sandwich (EVM)
  - Within a single block, if you detect `A→Buy`, `VictimSwap`, and `A→Sell` on the same pool with a net positive change for A and a price impact greater than x bps to the victim → log the searcher label and bump up the pool risk score.
  - If the pool risk score exceeds the threshold over the last 50 swaps → route all flows from your app through a private RPC for that pool for 60 minutes. (docs.flashbots.net)
- Oracle
  - If the time since `updatedAt` is greater than `heartbeat - 10s` → send a Warning alert; if it exceeds the heartbeat → send a Critical alert and pause sensitive operations.
  - If |`primary` − `secondary`| / `mid` is over 0.5% for 3 rounds in a row → send a High alert and reduce LTVs until things converge. (docs.chain.link)
What changed in 2025 you must reflect in dashboards
- EIP‑7702 is officially up and running on the mainnet (Pectra). Make sure your simulators and monitors can handle parsing 0x04 set-code transactions and keep track of delegated execution. It seems that drainer kits are taking advantage of 7702 to bundle multiple asset drains into a single user signature. More details can be found on The Block.
- While sandwich extraction attacks on Ethereum have decreased, the overall number of attacks hasn't really changed, which means user harm is still very much a reality. Don't confuse "lower extraction" with "lower risk"--that's a misconception you definitely want to avoid. Check out more on this over at Cointelegraph.
- Spam and MEV bots are eating up extra throughput, which is shifting the bottleneck from bandwidth to incentives. Keep an eye on order flow paths and consider defaulting sensitive flows to private RPCs to help users out. You can read more on this issue at The Block.
- When it comes to Solana MEV, it's significant--so if you're working cross-chain, make sure to replicate sandwich dashboards and validator lists. You can find additional insights at Solana Compass.
30/60/90‑day rollout plan
- Days 1-30: Baselines and Blocklists
- Let’s get Tenderly Alerts integrated for Approval/Permit/7702, and don’t forget to import the drainer blocklists. Plus, we need to roll out that revoke UX!
- We’ll set up primary oracle freshness checks with a per-feed heartbeat and deviation--just pull metadata from the providers. Check out the details in the Chainlink docs.
- Days 31-60: Private Orderflow + Playbooks
- We should make your router/wallet default to Flashbots Protect or MEV Blocker. Also, let’s add in that “privacy vs. refund” toggle for user flexibility.
- Let’s build some circuit breakers so we can pause or flip-feed automation through on-chain executors. More info can be found in the Flashbots docs.
- Days 61-90: Cross-Feed Reconciler and OEV Pilot
- Time to compare Chainlink, Pyth, and Chronicle for the top 10 assets. We’ll need to set up divergence thresholds and LTV degradation curves too.
- Let’s pilot OEV capture and private push updates for your price pusher where it makes sense. You can find more on this in the Cow.fi docs.
KPIs to track weekly
- Drains: Here’s what we’re looking at: median time-to-revoke, the percentage of auto-revocations happening within 10 minutes, the count of high-risk approvals that got blocked, and the estimated loss averted.
- Sandwich: Let’s dive into this--what’s the share of protected routing, how much have users seen slippage improve compared to the public mempool route, and how many refunds have been returned to users? You can check out more details here.
- Oracles: We need to keep an eye on stale-read incidents, those divergence events we caught before they led to liquidations, the time it takes to hit pause, and of course, the false-positive rate.
Notes on standards and documentation
- EIP‑712 (typed‑data) and ERC‑2612 (Permit) play a big role in phishing attacks, so make sure your signing prompts are easy for people to read. Also have your backend decode and log the `domainSeparator` and nonces to keep an eye on any replay attempts. (eips.ethereum.org)
- Chronicle and Chainlink document deviation and heartbeat patterns well, while Pyth provides confidence intervals. When designing monitors, reflect each model accurately instead of smoothing out the important differences. (docs.chroniclelabs.org)
Final takeaway for decision‑makers
Dashboards that just “visualize” blockspace aren’t enough these days. What you really need are policy-backed alerts that can automatically swoop in to help users, private order flow by default for those sensitive swaps, and oracle circuit breakers that align with each provider’s model. By following the guidelines laid out above--and sticking to a solid 90-day plan--you'll be able to significantly reduce losses from drains, minimize sandwich attacks, and catch oracle incidents before they blow up in the headlines.
7Block Labs takes care of everything from start to finish: the data plane, detection, user experience, and runbooks. If you're looking for a pilot that demonstrates loss-aversion ROI in less than 30 days, we’re all set to help you out.
References and Sources
- Check out the lowdown on Pectra/EIP‑7702 status and semantics over at The Block.
- Want to dive into drainer scale and those 7702‑based attack reports? Head over to BleepingComputer.
- Curious about sandwich trends and MEV congestion? Take a look at Cointelegraph for some exclusive insights.
- For the latest on Solana MEV figures and governance actions, check out Solana Compass.
- If you’re looking for Oracle monitoring guidance (think Chainlink, Pyth, Chronicle, and Binance Oracle) along with those 2025 incident post‑mortems, swing by Chainlink Docs.
- Finally, for some solid mitigations and tooling, like Flashbots Protect, MEV Blocker, Forta, and Tenderly, check out Flashbots Docs.