Maximal Extractable Value (MEV) represents profits validators or sophisticated bots can extract by reordering, inserting, or censoring transactions within a block. This activity, which includes practices like arbitrage, liquidations, and sandwich attacks, has grown into a multi-billion dollar industry. For any team operating in DeFi—whether building a protocol, managing a treasury, or executing trades—ignoring MEV means ceding economic advantage and accepting hidden costs. Monitoring is the first step toward developing a defensive or competitive strategy.
LABS
Guides
Setting Up a Team to Monitor MEV Activity
This guide provides a framework for protocol teams and DAOs to establish an internal function for monitoring Maximal Extractable Value (MEV) activity. It details the required tools, key metrics, and processes for detecting malicious MEV and informing security responses.
Chainscore © 2026
introduction
TEAM STRATEGY
Introduction: The Need for MEV Monitoring
Maximal Extractable Value (MEV) is a critical force shaping blockchain economics. Proactive monitoring is essential for protocols, traders, and researchers to understand risk, optimize performance, and maintain network integrity.
Setting up an effective MEV monitoring team requires defining clear objectives aligned with your project's needs. A DEX or lending protocol might focus on detecting harmful sandwich attacks on users to improve front-end protections. A trading firm monitors for profitable arbitrage opportunities and network congestion. Block builders or validators analyze bid flows to optimize revenue. Start by instrumenting your systems to capture key metrics: latency for transaction submission, slippage on user swaps, liquidation efficiency, and the frequency of reverted transactions. Tools like the Ethereum MEV Dashboard by Flashbots provide a high-level starting point.
The technical stack for a monitoring setup typically involves three layers. First, a data ingestion layer using node providers (Alchemy, Infura) or direct archive node access to stream mempool and on-chain data. Second, a processing layer where you run MEV-specific detection heuristics, perhaps using open-source libraries like mev-inspect-py for historical analysis or EigenPhi for real-time dashboards. Third, an alerting and storage layer to log incidents and notify your team via Slack or PagerDuty when specific thresholds are breached, such as a spike in failed transactions or a large-value sandwich attack.
Beyond reacting to incidents, a mature team uses monitoring data for strategic analysis. This involves classifying MEV bots by their behavior patterns, mapping relationships between searchers and builders, and simulating the economic impact of different transaction ordering rules. For example, analyzing a week's worth of Uniswap V3 data might reveal that 0.5% of all swap volume is lost to sandwich attacks, quantifying the problem. This analysis directly informs product decisions, like implementing commit-reveal schemes or private transaction relays such as Flashbots Protect.
Ultimately, MEV monitoring shifts your team from a passive to an active participant in the blockchain's economic layer. It provides the empirical foundation needed to protect users, capture value responsibly, audit validator behavior, and contribute to protocol design. As MEV strategies evolve with new chain architectures and applications, maintaining a dedicated focus on monitoring ensures your operations remain resilient and informed in a competitive landscape.
prerequisites
BUILDING A MONITORING TEAM
Prerequisites and Team Composition
Effective MEV monitoring requires a cross-functional team with specific technical skills and access to specialized infrastructure. This section outlines the core roles and technical prerequisites needed to build a capable MEV surveillance unit.
Monitoring MEV activity is not a task for a single individual; it requires a team with diverse expertise. The core roles include a Blockchain Data Engineer responsible for building and maintaining data pipelines from nodes and mempools, a Quantitative Researcher to analyze patterns and develop detection heuristics, and a Security Analyst to assess the impact of extracted MEV on protocol safety and user experience. For larger operations, a DevOps/SRE engineer is crucial for managing the high-availability infrastructure required for real-time monitoring.
The technical foundation begins with reliable, low-latency access to blockchain data. You need connections to full nodes (preferably archival) for multiple chains like Ethereum, Arbitrum, and Solana to reconstruct historical state. Access to mempool data streams is non-negotiable for seeing pending transactions; services like BloXroute, Blocknative, or running your own geth or Erigon node with transaction propagation are essential. The team must also be proficient with data tools like Apache Kafka for stream processing, TimescaleDB or ClickHouse for time-series data, and frameworks like The Graph for indexing.
Software development skills are centered around Python and Go. Python, with libraries like web3.py, pandas, and scikit-learn, is the standard for data analysis and model prototyping. Go is preferred for building high-performance, concurrent services that listen to node RPC endpoints and handle WebSocket streams. Every team member should understand core MEV concepts: frontrunning, backrunning, sandwich attacks, arbitrage, and liquidations. Familiarity with tools like the Ethereum Execution API specification and MEV-Boost relay architecture is also required.
Establishing a development and testing environment is a critical first step. The team should set up a local testnet (e.g., a local geth devnet or Anvil fork) to simulate MEV scenarios without cost. Using foundry's forge and cast tools allows for creating and broadcasting custom transaction bundles to test detection logic. This sandbox environment is where you'll prototype bots that replicate common MEV strategies, providing a ground truth dataset to train and validate your monitoring systems before deploying them on mainnet.
Finally, the team must define clear operational protocols. This includes creating alerting systems (e.g., using PagerDuty or Slack webhooks) for detected high-value MEV events, maintaining dashboards (with Grafana or similar) for real-time visibility into network activity, and establishing a response playbook. The playbook should detail steps for different scenarios, such as a large-scale sandwich attack on a popular DEX pool, including how to analyze the event, measure user impact, and potentially communicate findings to relevant protocols or the public.
core-tools-stack
OPERATIONAL SETUP
Core MEV Monitoring Tools
Building an effective MEV monitoring team requires a stack of specialized tools for data collection, analysis, and alerting. These are the foundational resources for tracking searcher activity, block construction, and network-wide trends.
MONITORING DASHBOARD
Key MEV Metrics and Alert Thresholds
Critical on-chain metrics for detecting and quantifying MEV activity, with suggested alert thresholds for a monitoring team.
| Metric | Description | Normal Range | Alert Threshold | Monitoring Tool |
|---|---|---|---|---|
Maximal Extractable Value (MEV) | Estimated profit from reordering, inserting, or censoring blocks. | $0 - $50k per block (varies by chain) |
| EigenPhi, Flashbots MEV-Explore |
Sandwich Attack Volume | USD value of trades impacted by sandwich attacks. | < 5% of DEX volume |
| EigenPhi, MistTrack |
Gas Price Spikes (Gwei) | Sudden increase in base fee indicating bidding wars. | Within 20% of 7-day avg |
| Blocknative, Etherscan Gas Tracker |
Unusual Failed Transaction Rate | Percentage of failed transactions in a block (often from frontrunning). | 5-15% |
| Tenderly, Blocknative |
Arbitrage Profit per Block | Profit from DEX arbitrage captured by searchers. | $1k - $20k |
| EigenPhi, MEVBlocker |
Liquidation Profit per Block | Value extracted from DeFi liquidations. | $0 - $10k |
| DeFi Llama, EigenPhi |
Time-Bandit Attack Likelihood | Probability measure based on chain reorg depth. | < 0.1% |
| Chain-specific client monitoring (e.g., Geth, Erigon) |
OFAC Compliance Rate | Percentage of blocks compliant with OFAC sanctions list. | 78-85% (Ethereum post-merge) | < 70% | mevwatch.info, Rated Network |
data-pipeline-setup
MEV MONITORING
Building a Data Pipeline and Alert System
A practical guide to architecting a system that ingests, analyzes, and alerts on blockchain MEV activity for your team.
Monitoring Maximal Extractable Value (MEV) is critical for protocols, traders, and researchers to understand market dynamics and systemic risks. A dedicated data pipeline transforms raw blockchain data into actionable intelligence. This involves three core components: a data ingestion layer to capture on-chain events and mempool transactions, a processing and analysis engine to identify MEV patterns, and an alerting and visualization dashboard for your team. Tools like EigenPhi, Flashbots MEV-Explore, and Blocknative provide foundational data, but a custom pipeline allows for tailored analysis of specific strategies like arbitrage, liquidations, or sandwich attacks relevant to your operations.
The first step is establishing reliable data sources. You'll need access to a JSON-RPC node (e.g., from Alchemy, Infura, or a self-hosted Geth/Erigon client) for real-time block and transaction data. For mempool streaming, services like Blocknative Mempool Stream or Bloxroute are essential to see transactions before they are mined. Additionally, subscribe to mev-share events if interacting with Flashbots Protect. Structuring your pipeline, you might use Apache Kafka or Amazon Kinesis to handle the high-throughput stream of raw data, ensuring no critical transactions are missed during network congestion.
With data streaming in, the processing layer applies logic to detect MEV. This often involves analyzing transaction bundles for patterns. For example, a simple Python script using web3.py can flag potential sandwich attacks by identifying a user transaction with a low slippage tolerance that is immediately preceded and followed by larger swaps from the same entity. More complex analysis might use a graph database like Neo4j to map the flow of funds across multiple transactions in a block, uncovering multi-step arbitrage paths. Calculating profit in USD requires fetching real-time price feeds from an oracle like Chainlink or a DEX's liquidity pool reserves.
For effective team monitoring, processed data must be stored and made accessible. A time-series database like TimescaleDB or InfluxDB is ideal for storing metrics such as daily MEV revenue by searcher, most exploited pools, and alert histories. Build a dashboard using Grafana or a custom React app to visualize this data. Key panels should show: total extracted value over time, a list of recent MEV events with transaction hashes, and a breakdown of MEV categories (e.g., DEX Arbitrage, Liquidations). This gives your team a real-time overview of the MEV landscape affecting your protocol.
The final component is the alert system. Configure alerts for specific, high-impact events. For a lending protocol, an alert might trigger when the health factor of a large collateral position nears the liquidation threshold, signaling imminent MEV activity. For a DEX, you could alert on a series of failed user transactions with high gas, indicating possible sandwich attempts. Implement these using PagerDuty, Slack webhooks, or Telegram bots. The alert should include the transaction hash, involved addresses, estimated profit, and a direct link to a block explorer like Etherscan for immediate investigation.
Maintaining this system requires ongoing refinement. MEV strategies evolve, so your detection logic must adapt. Regularly review false positives and update pattern signatures. Consider open-source detection bots from the flashbots GitHub repository as a starting point. By building this pipeline, your team transitions from reactive to proactive, capable of quantifying MEV risk, auditing protocol performance, and potentially developing mitigation strategies like fair ordering or using private transaction relays to protect your users.
TEAM ROLES AND ACTIONS
Incident Response Playbook
Defined actions for team members during a major MEV incident, such as a sandwich attack or time-bandit attack.
| Role | Immediate (0-5 min) | Short-Term (5-30 min) | Long-Term (30+ min) |
|---|---|---|---|
MEV Analyst | Confirm incident via block explorers (Etherscan) and internal alerts. Triage severity. | Analyze attack vector (e.g., mempool sniping, contract exploit). Document initial findings. | Produce a post-mortem report with root cause analysis and mitigation recommendations. |
Protocol Engineer | Pause vulnerable contract functions if a kill switch exists. Isolate the threat. | Audit contract logic for the exploited vulnerability. Begin drafting a patch. | Deploy and verify the fix. Update monitoring rules to detect similar patterns. |
Communications Lead | Activate internal alert channel (e.g., Discord, PagerDuty). Notify core team. | Draft initial external statement for users. Coordinate with legal/compliance. | Publish post-mortem. Manage ongoing community and stakeholder communications. |
Risk Manager | Assess immediate financial exposure and potential for cascading losses. | Model worst-case scenarios. Review insurance or treasury coverage. | Update risk framework and incident response plan based on lessons learned. |
Validator Operator | Monitor validator health and slashing risks. Check for missed attestations. | Consider adjusting proposer boost settings or relay selection if applicable. | Participate in post-incident review of validator infrastructure and relay strategy. |
resource-links
MEV OPERATIONS
Essential Resources and Documentation
These resources help engineering and research teams build internal capability to monitor, analyze, and respond to Maximal Extractable Value (MEV) activity across Ethereum and other EVM chains. Each card focuses on a concrete tool or documentation set that supports production monitoring workflows.
MONITORING SETUP
Operational FAQ for MEV Teams
Common questions and solutions for teams building infrastructure to track and analyze MEV activity across blockchains.
Effective MEV monitoring requires aggregating data from multiple real-time and historical sources. Core sources include:
- Blockchain RPC Nodes: A reliable, low-latency connection (e.g., via Erigon, Geth) for raw block and transaction data.
- Mempool Feeds: Access to transaction pools via services like Flashbots Protect, BloXroute, or dedicated mempool listeners to see pending transactions.
- MEV-Boost Relay APIs: Direct feeds from relays (e.g., Ultra Sound, Agnostic) to observe builder-submitted blocks and their payloads.
- Event Indexing: Using tools like The Graph or custom indexers to track specific contract events from DEXs, lending protocols, and NFT marketplaces.
Combining these streams allows you to reconstruct the lifecycle of an MEV opportunity, from its inception in the mempool to its inclusion in a finalized block.
conclusion-next-steps
CONCLUSION AND EVOLVING YOUR STRATEGY
Setting Up a Team to Monitor MEV Activity
Effective MEV monitoring requires a structured team approach. This guide outlines the roles, tools, and processes needed to build a sustainable operation.
Building a dedicated MEV monitoring team is a strategic investment for protocols, validators, and large traders. The core roles include a Data Engineer to manage infrastructure for ingesting and processing blockchain data from sources like Flashbots' mev-share or EigenPhi, a Quantitative Researcher to analyze patterns and model profitability, and a Security Analyst to identify malicious strategies like time-bandit attacks or sandwiching. A clear division of labor ensures 24/7 coverage and specialized expertise.
The technical stack is critical. You'll need reliable RPC nodes (or services like Alchemy, Infura) for low-latency data, a time-series database (e.g., TimescaleDB) for storing block and transaction data, and analytics platforms like Dune Analytics or Flipside for dashboarding. Custom scripts using libraries such as web3.py or ethers.js are essential for parsing transaction pools and identifying MEV bundles. Real-time alerting via Slack or PagerDuty should be configured for critical events like large-scale arbitrage or suspicious contract deployments.
Establish clear monitoring objectives and key risk indicators (KRIs). Objectives might include measuring extracted value from your protocol's pools, detecting adverse selection against your users, or ensuring validator compliance with ethical bundling policies. KRIs could be metrics like sandwich attack frequency, arbitrage profit margins exceeding a threshold, or a spike in failed transactions. These metrics should be tracked on dashboards reviewed in daily stand-ups.
Process evolution is mandatory. The MEV landscape changes with each hard fork and new protocol launch. Conduct weekly strategy reviews to assess the effectiveness of your detection methods. Participate in communities like the Flashbots Discord or attend events like Devconnect to stay informed. Periodically run internal red-team exercises where team members attempt to exploit your own systems to find blind spots. This proactive approach turns monitoring from a cost center into a source of competitive intelligence and risk mitigation.
Finally, integrate findings back into product and protocol development. Monitoring data should inform smart contract design—for example, implementing transaction ordering fairness (TOF) mechanisms like CowSwap's batch auctions or using private RPCs like Taichi Network. For validator operations, data can guide joining a proposer-builder separation (PBS) relay or adjusting block-building strategies. The goal is a feedback loop where monitoring directly enhances economic security and user experience.