The bot attack that ruined a public sale
Humidifi’s public sale on Friday lasted just seconds before collapsing completely. Automated wallets, organized in what appears to be a coordinated attack, drained the entire allocation almost instantly. The team confirmed that regular users had no chance to participate. According to their analysis, the attacker used thousands of wallets, each preloaded with 1,000 USDC.
These wallets triggered batch transactions into the DTF contract, allowing massive purchases in a single block window. Each bundle executed about 24,000 USDC worth of buys, equal to roughly 350,000 WET tokens per batch. The result was predictable but still shocking: a single organized bot farm captured everything in seconds. Community members who had been waiting for the launch found themselves completely locked out.
Scrapping everything and starting over
Instead of letting the exploit stand, Humidifi made a pretty drastic decision. They voided the entire sale. The sniped tokens won’t be honored, and those wallet addresses will receive zero allocation going forward. A brand-new token contract is being deployed right now.
What I find interesting is how they’re handling the legitimate participants. All Wetlist users and JUP stakers who qualified for the original sale will receive a pro-rata airdrop under the new contract. This move ensures that real users still get access, even after the failed launch. It’s a decent compromise, I think.
Humidifi also confirmed that the Temporal team rewrote the DTF contract, and OtterSec completed a full audit on the updated code. The goal is straightforward: prevent any repeat of automated bundle attacks during the next sale. They’ve scheduled the new public sale for Monday and will share fresh details before launch.
How the attack actually worked
The exploit relied on speed, batching, and scale. Each wallet held a fixed USDC balance. Instead of sending individual buy orders, the attacker created instructions that acted like preloaded “buy buttons.” When the sale went live, multiple transactions fired, each carrying six instructions. This allowed the attacker to execute a massive volume in one burst.
With multiple bundles submitted back-to-back, the entire supply vanished before human users could even react. This method highlights a growing issue across Solana launches. Batch execution and wallet farming continue to dominate poorly protected public sales. Without strong contract-level protections, even fair launches remain exposed to automated capital.
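For teams reviewing a sale after the fact, the pattern described above (several buy instructions packed into one transaction, each from a different wallet spending the same fixed amount) can be flagged from the fill records. The sketch below is an added example, not Humidifi's or Temporal's code; the record layout, wallet names, sample data and threshold are all constructed assumptions.

```python
from collections import defaultdict

def make_sample_fills():
    """Constructed data: one (tx_id, wallet, usdc_spent) record per buy instruction."""
    fills = []
    # Four batched transactions, six buys each, 1,000 USDC per wallet (24,000 USDC total).
    for t in range(4):
        for i in range(6):
            fills.append((f"batch{t}", f"farm{t * 6 + i:02d}", 1000))
    # Organic buyers: one buy instruction per transaction, varied sizes.
    fills += [("tx_a", "alice", 250), ("tx_b", "bob", 1000), ("tx_c", "carol", 400)]
    return fills

def flag_batched_buyers(fills, min_buys_per_tx=3):
    """Return wallets whose buys rode in a transaction that carried several
    buy instructions from distinct wallets, all for an identical amount."""
    by_tx = defaultdict(list)
    for tx_id, wallet, amount in fills:
        by_tx[tx_id].append((wallet, amount))
    flagged = set()
    for buys in by_tx.values():
        wallets = {w for w, _ in buys}
        amounts = {a for _, a in buys}
        # Many distinct buyers in one transaction with one uniform size is the
        # batching signature; a lone 1,000 USDC buyer does not match it.
        if len(wallets) >= min_buys_per_tx and len(amounts) == 1:
            flagged |= wallets
    return flagged

def captured_share(fills, flagged):
    """Fraction of total USDC volume taken by the flagged wallets."""
    total = sum(amount for _, _, amount in fills)
    taken = sum(amount for _, wallet, amount in fills if wallet in flagged)
    return taken / total if total else 0.0

if __name__ == "__main__":
    fills = make_sample_fills()
    flagged = flag_batched_buyers(fills)
    print(f"{len(flagged)} wallets flagged, "
          f"{captured_share(fills, flagged):.1%} of volume")
```

A heuristic like this only supports review and exclusion decisions; it does not replace contract-level limits enforced during the sale itself.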
Community trust and the path forward
Humidifi’s reaction was blunt and fast. Instead of defending the failed launch, the team admitted the failure and instantly moved to protect real users. The decision to relaunch with audited code and exclude the sniper addresses helped calm initial backlash.
The timing is sensitive, though. Humidifi recently faced criticism over its fee structure and profitability, just days before this public sale collapsed. That context made Friday’s failure even more explosive across Solana DeFi circles.
Still, the project’s rapid reset shows the team understands the damage a bot-controlled launch can cause. If Monday’s sale runs clean, it may help repair confidence. If it fails again, trust could unwind much faster. Currently, one thing is clear: bots won the first round. Humidifi is betting everything on winning the second.
Perhaps this incident will push more projects to think harder about launch mechanics. The arms race between developers and bot operators continues, and right now, the bots seem to have the upper hand in many cases.


