◈ ⬢ blockchain · Intermediate
Sandwich Attack Detection On Chain: Protect Your Trades
Learn how sandwich attacks work on-chain, how to detect them in real time, and practical steps to protect your trades from MEV bots.
◈ Contents
You submit a swap on Uniswap. A bot notices your transaction sitting in the mempool, fires two transactions around yours like a vice, and extracts value from your trade before your transaction even confirms. You paid more than you should have. This is a sandwich attack — one of the most common and damaging forms of MEV (Maximal Extractable Value) in DeFi. Understanding how it works and how to detect it on-chain is not optional knowledge anymore. It is the difference between trading efficiently and being someone else's profit.
What Is a Sandwich Attack and Why It Happens
A sandwich attack is a form of price manipulation executed entirely on-chain. Think of it like this: you are at a market stall about to buy the last box of apples for $10. A faster buyer sees you walking over, grabs the box first, then turns around and sells it back to you for $12. You still get your apples, but you paid $2 extra — and that money went straight into the faster buyer's pocket.
In DeFi, the 'faster buyer' is an automated bot monitoring the public mempool — the waiting room where unconfirmed transactions sit before miners or validators include them in a block. When you submit a large swap, say buying ETH with USDC on a decentralized exchange, that transaction is visible to everyone before it confirms. A sandwich bot spots it, calculates the expected price impact, and executes this sequence:
- Front-run: Bot buys the same asset you are buying, pushing the price up slightly
- Your transaction executes at the now-higher price
- Back-run: Bot immediately sells what it just bought at the inflated price, pocketing the difference
Key Takeaway: Sandwich attacks do not require hacking. They exploit the transparency of public blockchains. Every unconfirmed transaction is visible — bots are simply faster and more systematic than humans.
How to Detect a Sandwich Attack On-Chain
Detecting a sandwich attack after the fact is straightforward once you know what pattern to look for. On Ethereum and EVM-compatible chains, every block contains a full record of transaction ordering. A sandwich always leaves the same fingerprint: three specific transactions in sequence within the same block, often from the same wallet or contract for the front-run and back-run legs.
Here is exactly what to look for when inspecting a block on Etherscan or any block explorer. You will see the bot's buy transaction at a lower position (higher priority fee), your transaction in the middle, and the bot's sell transaction immediately after — all touching the same liquidity pool and token pair within the same block.
| Position | Transaction | Sender | Effect |
|---|---|---|---|
| Tx #45 | Buy TOKEN_A with ETH | Bot wallet | Price increases |
| Tx #46 | Buy TOKEN_A with ETH (yours) | Your wallet | Executes at inflated price |
| Tx #47 | Sell TOKEN_A for ETH | Bot wallet | Bot profits, price drops back |
On Binance Smart Chain (BSC), sandwich attacks are even more prevalent due to lower gas costs making them economically viable for smaller trade sizes. If you trade on BNB Chain DEXes, the probability of being sandwiched increases significantly compared to Ethereum mainnet where high gas costs filter out low-value attacks.
Tools for Real-Time Sandwich Attack Detection
Manual block inspection works for post-mortem analysis, but real-time protection requires dedicated tooling. Several on-chain analytics platforms have built MEV detection directly into their infrastructure.
EigenPhi is the most comprehensive MEV analytics platform available today. It tracks sandwich attacks, arbitrage, and liquidations across major DEXes in near real-time. You can search any transaction hash and immediately see if it was part of an MEV bundle. MEV Blocker by CoW Protocol is another tool worth knowing — it routes your transactions through a private RPC endpoint that actively protects you from front-running bots.
Flashbots Protect is a private transaction relay that bypasses the public mempool entirely. When you configure your MetaMask or wallet to use Flashbots RPC, your transactions go directly to validators without being visible to sandwich bots. This is currently the most effective defensive measure for frequent DeFi traders.
Key Takeaway: Tools like EigenPhi give you historical MEV data. For real-time protection, use private RPCs like Flashbots Protect or MEV Blocker to bypass the public mempool entirely.
For traders who also use centralized venues like Bybit or OKX alongside DeFi, it is worth noting that sandwich attacks are exclusively a DeFi/on-chain problem. When you trade on Bybit or OKX, your order book trades go through centralized matching engines that have no mempool exposure. The risk is isolated to DEX activity.
Practical Steps to Protect Yourself Right Now
Detection is useful, but prevention is better. There are several concrete actions you can take today to reduce your sandwich attack exposure without requiring deep technical knowledge.
- Set slippage tolerance to 0.5% or lower: Most DEX interfaces default to 0.5-1%. Sandwich bots need enough slippage headroom to profit. Tighter slippage means your transaction reverts rather than being sandwiched — you lose gas but not principal
- Use private RPCs: Add Flashbots Protect (https://rpc.flashbots.net) or MEV Blocker (https://rpc.mevblocker.io) as a custom network in MetaMask
- Trade in smaller chunks: Larger trades have more price impact, making them more attractive targets. Breaking a $50,000 swap into five $10,000 swaps reduces per-trade profitability for bots
- Use DEXes with built-in MEV protection: CoW Protocol and 1inch Fusion mode route orders through solvers that batch trades and eliminate front-running opportunities
- Time your trades: Mempool congestion varies. During low-activity periods, blocks fill faster relative to mempool size, giving bots less opportunity to insert transactions
- Monitor with VoiceOfChain: Real-time signal platforms like VoiceOfChain track on-chain activity including unusual MEV patterns that precede major price movements, giving you situational awareness before entering large positions
Reading the On-Chain Data: A Practical Walkthrough
Let us walk through how to verify if a specific transaction was sandwiched. This takes about 90 seconds and requires nothing more than a block explorer.
- Step 1: Go to Etherscan and paste your transaction hash into the search bar
- Step 2: Note your transaction's position within its block (shown as 'Transaction Index')
- Step 3: Click the block number to see all transactions in that block
- Step 4: Look at the transaction immediately before and after yours
- Step 5: Check if both neighboring transactions touch the same token pair and liquidity pool as yours
- Step 6: If the pre-transaction buys and the post-transaction sells the same asset you bought — you were sandwiched
For BSC transactions, use BscScan with the same methodology. For Arbitrum trades, Arbiscan. The pattern is identical across all EVM chains because the fundamental mechanism — public mempools and miner-controlled transaction ordering — is the same.
# Simple sandwich detection logic (conceptual)
# Check if surrounding transactions hit the same pool
def is_sandwiched(tx_hash, web3_provider):
tx = web3_provider.eth.get_transaction(tx_hash)
block = web3_provider.eth.get_block(tx['blockNumber'], full_transactions=True)
tx_index = tx['transactionIndex']
txs = block['transactions']
if tx_index == 0 or tx_index == len(txs) - 1:
return False # No neighbors
prev_tx = txs[tx_index - 1]
next_tx = txs[tx_index + 1]
# Check if prev and next tx come from same address (bot pattern)
same_sender = prev_tx['from'] == next_tx['from']
# In production: also verify same pool interaction
return same_senderPlatforms like VoiceOfChain automate this type of on-chain pattern recognition at scale, flagging MEV activity across thousands of transactions and alerting traders to unusual front-running spikes in specific token pools — particularly useful before entering a new position in a lower-liquidity token where sandwich risk is highest.
Frequently Asked Questions
Can sandwich attacks happen on Binance or Coinbase?
No. Sandwich attacks are exclusive to decentralized exchanges with public mempools. Centralized exchanges like Binance and Coinbase use private order-matching engines where transaction ordering is controlled internally and not publicly visible before execution. Your trades on these platforms are not exposed to MEV bots.
How much money do sandwich bots extract from traders?
According to EigenPhi data, sandwich attacks have extracted hundreds of millions of dollars from DeFi traders annually. Individual losses per trade are often small — sometimes just a few dollars — but the cumulative impact is significant. High-volume traders on Uniswap and similar platforms are disproportionately affected.
Does setting slippage to 0% prevent sandwich attacks?
Setting slippage to 0% will cause most of your transactions to revert (fail), which technically prevents sandwiching but also prevents your trades from executing. A more practical approach is setting slippage to 0.1-0.3% for liquid pairs, which is tight enough to make sandwiching unprofitable while still allowing legitimate price movement.
Are sandwich attacks illegal?
In most jurisdictions, sandwich attacks exist in a legal grey area. They exploit publicly available information (the mempool) and operate within the technical rules of the blockchain protocol. No laws explicitly criminalize MEV extraction. However, some legal scholars argue they could constitute market manipulation under traditional securities law frameworks.
What is the difference between a sandwich attack and front-running?
Front-running is one half of a sandwich — a bot buys before your transaction to profit from the price movement your trade causes. A sandwich attack adds a second step: the bot also sells immediately after your trade executes, capturing the price difference in both directions. Sandwich attacks are more profitable per transaction but more complex to execute.
Do Layer 2 networks like Arbitrum have sandwich attacks?
Yes, but significantly less than Ethereum mainnet. Arbitrum uses a sequencer that processes transactions in a first-come-first-served order, which reduces (but does not eliminate) MEV opportunities. Chains with centralized sequencers generally have lower sandwich attack frequency. However, they can still occur through sequencer-level MEV depending on the L2 design.
Conclusion
Sandwich attacks are one of the most concrete, measurable ways that uninformed DeFi trading costs real money. The good news is they are both detectable and largely preventable with the right habits and tooling. Use private RPCs for large swaps, keep slippage tight, prefer DEXes with built-in MEV protection, and use on-chain analytics tools to audit your past trades. If you want ongoing situational awareness of MEV activity and unusual on-chain patterns in the tokens you trade, platforms like VoiceOfChain give you a real-time feed of the signals that matter. The mempool is public — but your transaction does not have to be.