Solana's Permanent Delegate Burn Scam: How Token-2022 Extensions Power 2026's Largest Automated Rug Pull Factory — And a Detection Pipeline to Stop It

via Dev.to, by ohmygod

In March 2026, Solana's network degradation isn't coming from a protocol bug — it's coming from an industrial-scale scam token factory exploiting Token-2022's Permanent Delegate extension to burn victims' tokens seconds after purchase. RugCheck.xyz flags over 40% of new Solana tokens as using this extension. Here's how the attack works at the bytecode level, and a complete detection pipeline you can deploy today.

The Permanent Delegate Attack Flow

Token-2022 (SPL Token 2022) introduced token extensions — powerful primitives for compliance, privacy, and programmability. The PermanentDelegate extension grants a designated authority unconditional power to transfer or burn any holder's tokens without their signature. The intended use case: regulatory compliance (freezing sanctioned addresses). The actual use in 2026: automated theft.

Attack Sequence (Step by Step)

1. Attacker deploys token via Token-2022 with PermanentDelegate = deployer wallet
2. Creates liquidity pool on Raydium/Orca wit
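
The PermanentDelegate setting described above is stored in the mint account's own data, so a buyer or scanner can read it before any purchase. The following is an added example, not code from the original article: it walks the extension TLV area of a Token-2022 mint account and returns the permanent delegate key if one is set. The function names and the sample accounts are constructed for illustration, and fetching the raw account bytes over RPC is assumed to happen elsewhere.

```python
import struct

# Layout constants for Token-2022 mint accounts (SPL Token-2022 account format).
BASE_ACCOUNT_LEN = 165        # mint data (82 bytes) is zero-padded to this length
ACCOUNT_TYPE_MINT = 1         # AccountType byte stored at offset 165
EXT_PERMANENT_DELEGATE = 12   # ExtensionType::PermanentDelegate
PUBKEY_LEN = 32

def iter_extensions(data: bytes):
    """Yield (type, value) for each TLV entry after the account-type byte."""
    off = BASE_ACCOUNT_LEN + 1
    while off + 4 <= len(data):
        ext_type, length = struct.unpack_from("<HH", data, off)
        off += 4
        if ext_type == 0:            # Uninitialized: end of used TLV space
            return
        if off + length > len(data):
            raise ValueError("truncated extension entry")
        yield ext_type, data[off:off + length]
        off += length

def permanent_delegate(data: bytes):
    """Return the 32-byte delegate key, or None when no delegate is set."""
    if len(data) <= BASE_ACCOUNT_LEN:
        return None                  # legacy-size mint: no extensions
    if data[BASE_ACCOUNT_LEN] != ACCOUNT_TYPE_MINT:
        raise ValueError("not a Token-2022 mint account")
    for ext_type, value in iter_extensions(data):
        if ext_type == EXT_PERMANENT_DELEGATE:
            if len(value) != PUBKEY_LEN:
                raise ValueError("malformed PermanentDelegate entry")
            # An all-zero key encodes "no delegate" (OptionalNonZeroPubkey).
            return None if value == bytes(PUBKEY_LEN) else value
    return None

def build_sample_mint(extensions):
    """Constructed test input: zeroed base mint + account type + TLV entries."""
    tlv = b"".join(struct.pack("<HH", t, len(v)) + v for t, v in extensions)
    return bytes(BASE_ACCOUNT_LEN) + bytes([ACCOUNT_TYPE_MINT]) + tlv

# Constructed samples (not real on-chain accounts).
DELEGATE = bytes(range(1, 33))
RISKY = build_sample_mint([(3, bytes(32)), (EXT_PERMANENT_DELEGATE, DELEGATE)])
CLEAN = build_sample_mint([(3, bytes(32))])

if __name__ == "__main__":
    for name, acct in (("risky", RISKY), ("clean", CLEAN)):
        key = permanent_delegate(acct)
        print(name, "PermanentDelegate:", key.hex() if key else "none")
```

A non-None result means some key can move or burn holder balances without their signature; whether that is legitimate depends on who controls the key.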
