How a sandwich attack works: mechanism, examples, and ways to prevent losses

With the development of the DeFi (decentralized finance) market, new forms of blockchain-related threats have emerged that can cause users to suffer losses without even realizing it. One such threat is the sandwich attack, which became possible due to the way Ethereum and similar blockchains operate.

What is a sandwich attack?

A sandwich attack, also known as "sandwiching", is a form of market manipulation that primarily targets users of DeFi (decentralized finance) exchanges.

A sandwich attack is one of the specific forms of MEV (Maximal Extractable Value) exploitation, where network participants, including validators, manipulate transactions to extract profit. Moreover, sandwich attacks are among the most common forms of MEV exploitation.

One of the key features of a sandwich attack is that it allows traders to profit from other users' transactions, especially cryptocurrency purchases. Sandwich attacks became widespread in 2020 with the emergence of the first decentralized exchanges, such as Uniswap, amid the growing hype around DeFi. However, Ethereum co-founder Vitalik Buterin had warned about the dangers of sandwich attacks as early as 2018.

Decentralized trading platforms like Uniswap became especially attractive targets for sandwich attacks because of the AMM* (Automated Market Maker) model they use. This model allows users to trade directly with one another instead of through an order book, as on traditional exchanges.

* AMM (Automated Market Maker) is a mechanism used by decentralized exchanges (DEXs) that enables users to swap cryptocurrencies directly through smart contracts without relying on a traditional order book or centralized intermediary. Instead of an order-based system like those used on conventional exchanges, AMMs rely on liquidity pools — collections of tokens supplied by users known as liquidity providers. Asset prices in these pools are determined automatically by mathematical formulas and fluctuate with buying and selling activity. For example, if a trader aggressively buys a token, the amount of that token in the pool decreases, causing the price to rise automatically. Because of this feature, AMM-based platforms are particularly vulnerable to sandwich attacks, since large trades can significantly affect the asset price before the transaction is finalized.

How does a sandwich attack work?

A sandwich attack, also known as a "front-running attack," allows attackers to effectively push a user's planned transaction aside by inserting their own transaction before it.

The process of a sandwich attack typically works as follows:

1. Searching for a target transaction. First, the attacker searches for a target transaction in the mempool (the queue of unconfirmed transactions) of Ethereum or another similar blockchain. Due to Ethereum's high throughput and transaction processing speed — with a new block created approximately every 12 seconds — manually identifying a suitable transaction for a sandwich attack is extremely difficult. Therefore, attackers use specialized MEV bots — automated programs designed to extract maximal value.
2. Front-running the victim's transaction. After locating a suitable transaction, the attacker acts ahead of the victim by submitting their own transaction so it is recorded on the blockchain before the victim's. In the cryptocurrency industry, this practice is known as front-running. As a result, the victim of the sandwich attack purchases the asset after the attacker, but at an inflated price.
3. Selling after the victim's purchase. Immediately after the victim's buy order is executed, the attacker sends a second transaction to sell the cryptocurrency, profiting from the price increase and successfully completing the sandwich attack. As a result, the victim's order becomes "sandwiched" between the attacker's two transactions, which is exactly how the attack got its name.

Sandwich attacks became possible because Ethereum's public mempool allows bots to scan pending transactions involving digital assets before they are confirmed on-chain.

Another factor enabling sandwich attacks is Ethereum's transaction ordering mechanism. After Ethereum transitioned to the Proof-of-Stake (PoS) consensus mechanism, validators gained full control over the ordering of transactions inside a block.

As a result, validators can prioritize transactions rather than process them in strict chronological order. For example, transactions with higher fees may be included in a block first. Attackers exploit this mechanism during sandwich attacks by increasing the transaction fee, thereby increasing the likelihood that their transaction is processed before the victim's pending transaction.

Why are sandwich attacks dangerous and how can they be prevented?

According to experts, sandwich attacks negatively affect not only individual traders but also the entire DeFi ecosystem. They make markets less predictable, increase cryptocurrency volatility, and create financial risks for all participants.

Low-liquidity assets, such as small-cap altcoins (cryptocurrencies other than Bitcoin), are especially vulnerable to sandwich attacks because they are more price-sensitive.

One protection method against sandwich attacks involves using flashbots — tools designed to mitigate the risks of MEV exploitation. These tools rely on specialized relays that allow transactions to bypass the public mempool.

As a result, attackers cannot detect the transactions required to execute a sandwich attack. However, such tools are technically complex and are usually accessible only to experienced traders.

Regular traders can also protect themselves by setting slippage limits — the maximum acceptable price deviation during order execution. This way, a buy order will not execute if the asset price moves beyond the specified slippage threshold, helping traders avoid becoming victims of sandwich attacks.

Notable cases of sandwich attacks on decentralized exchanges

Two sandwich attacks on Four.Meme causing more than $300,000 in losses

In February and March 2025, one of the most popular user-token launch platforms within the BNB Chain ecosystem, called Four.Meme suffered two separate sandwich attacks.

According to analysts, the total damage from both attacks amounted to approximately $303,000. The incidents demonstrated that security issues remain highly relevant in the DeFi space despite ongoing technological advancements.

Earlier, in 2024, the BNB Chain ecosystem had already experienced numerous sandwich attacks, with analysts estimating that around 35% of all network transactions were affected.

$4 million profit from a sandwich attack

An anonymous trader controlling the address jaredfromsubway.eth became widely known after earning approximately $4 million in profit within a single day through successful sandwich attacks on the Ethereum network.

The trader's success was so significant that, after these attacks, he single-handedly surpassed leading cryptocurrency services in Ethereum fee revenue, which ultimately made him famous within the crypto community.

More than $200,000 lost in a sandwich attack on uniswap

Uniswap was one of the first decentralized exchanges to repeatedly suffer from sandwich attacks. Most attacks targeted low-liquidity cryptocurrencies with very small market capitalizations, meaning the financial damage was often relatively limited.

However, larger incidents were also recorded. In March 2025, a trader reportedly lost more than $200,000 while swapping the stablecoins Tether (USDT) and USDC (USDC).

The affected trader submitted an order worth around $220,000, but after execution, due to a successful sandwich attack, received only approximately $5,200 in their wallet, losing nearly $215,000.