Citation
Chen, J., Tang, Y., Duan, Y. “More to Extract: Discovering MEV by Token Contract Analysis.” arXiv:2603.07996v1 [cs.CR] (Mar 9, 2026). Syracuse University / Singapore Management University.
Core Problem
Existing MEV discovery tools analyze application-layer contracts (DEX pools) or attacker contracts, but ignore the wide range of token contracts themselves. Many tokens have non-standard supply-control functions (rebase, mint-on-transfer, fee-on-transfer) that create MEV opportunities invisible to standard tools.
tMEV: Token-Contract MEV
tMEV = MEV arising from non-standard token contract functions.
Motivating Example (AMPL rebase):
tx0: DEX.swapXY(dX) → get dY1 tokens
tx1: Token.rebase() → all balances adjust upward
tx2: DEX.swapYX() → sell dY2 > dY1 at original price
profit = dY2 - dY1 (free tokens from rebase)
This opportunity is invisible to tools that only model standard ERC20 interactions.
Pipeline: tSCAN + tSEARCH
tSCAN
- Static analysis tool for token contracts
- Identifies non-standard supply-control functions: rebase, mint-on-transfer, fee-on-transfer, balance manipulation
- Built on Slither; high effectiveness with low performance overhead
tSEARCH
- Generates, refines, and solves token-specific constraints to find profitable transaction sequences
- Uses symbolic execution over identified non-standard functions
- Produces concrete transaction sequences ready for submission
Key Result
tSEARCH extracts 10× more profit than observed MEV activity in the same sample (via transaction replay).
This means current searchers are missing significant opportunities because they’re only analyzing standard DEX/protocol contracts.
Why Existing Tools Miss tMEV
| Tool | What it analyzes | What it misses |
|---|---|---|
| Nyx, Foray | DEX pool contracts | Non-standard token functions |
| DeFiTainter | Application-layer contracts | Token-layer dependencies |
| SmartCAT | Attacker contracts | Victim token contracts |
| tSEARCH (this paper) | Token contracts | (designed to find this gap) |
The gap arises because MEV tools typically treat token contracts as black boxes. But rebase tokens (such as AMPL and stETH), mint-on-transfer tokens, and fee-on-transfer tokens all create MEV opportunities through their interactions with DEX pools.
Implications
For Searchers
- Significant alpha remains uncaptured in tMEV
- Tools need to model token contracts, not just DEX contracts
- Particularly high-value categories: rebase tokens around rebase events, fee-on-transfer tokens with pool routing
For Protocol Design / Security
- Validators and block builders should be aware that tMEV opportunities may create complex bundle dependencies
- Token contract auditors should flag non-standard supply functions as potential MEV vectors
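A minimal source-level heuristic for the auditor check above, as an added example that is not tSCAN or code from the paper: it flags functions in a token's Solidity source that write supply or balance state in non-standard ways. The regexes, the state-variable names (`totalSupply`, `balances`) and the sample contract are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from the paper): a rebase and a fee-charging _transfer.
SAMPLE = """
contract Tok {
    uint256 public totalSupply;
    mapping(address => uint256) balances;
    function rebase(int256 delta) external {
        totalSupply = uint256(int256(totalSupply) + delta);
    }
    function _transfer(address f, address t, uint256 a) internal {
        balances[f] -= a;
        balances[t] += a - a * 30 / 10000;
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{")
# Assumed variable naming: totalSupply/_totalSupply and balances/_balances.
SUPPLY_WRITE = re.compile(r"\b_?totalSupply\s*[-+*/]?=(?!=)")
BAL_WRITE = re.compile(r"\b_?balances\s*\[[^\]]+\]\s*([-+]?=)(?!=)\s*([^;]+);")
CONVENTIONAL = {"mint", "burn", "_mint", "_burn"}  # expected supply functions

def bodies(src):
    """Yield (name, body) per function, matching braces to find the body end."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def scan(src):
    """Map function name -> sorted list of review flags."""
    findings = {}
    for name, body in bodies(src):
        tags, moving = set(), "transfer" in name.lower()
        writes = BAL_WRITE.findall(body)
        if SUPPLY_WRITE.search(body):
            tags.add("mint-on-transfer" if moving else "supply-control")
        debit = {rhs.strip() for op, rhs in writes if op == "-="}
        credit = {rhs.strip() for op, rhs in writes if op == "+="}
        if moving and debit and credit and debit != credit:
            tags.add("fee-on-transfer")  # credited amount differs from debited
        if not moving and writes:
            tags.add("balance-manipulation")
        if tags and name not in CONVENTIONAL:
            findings[name] = sorted(tags)
    return findings
```

Text matching like this only triages source for manual review; tSCAN, as described above, is a static analysis built on Slither.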
For MEV Measurement
- Historical MEV measurement papers likely undercount realized extractable value
- The 10× undercount estimate suggests current “MEV market size” figures are conservative
Related Pages
- Arbitrage: CEX-DEX and AMM Arb — CEX-DEX arb and other standard MEV types
- MEV Supply Chain: Searchers, Builders, Relays, and Validators — Searcher capabilities and competitive landscape
- Encrypted Mempools — Encrypted mempools won’t protect against tMEV (the opportunity lies in on-chain state, not in pending transactions)