How Does A Sandwich Attack Work In DeFi Trading?

Updated July 13, 2026 6 min read

A trade on a decentralized exchange isn’t private the instant it’s submitted — it sits visible in a public queue for a short window before it’s confirmed, and that visibility is exactly what a sandwich attack exploits.

The short answer

A sandwich attack happens when someone spots a pending trade in the public transaction queue and places one trade right before it and another right after it, profiting from the price movement the victim’s own trade causes. The attacker buys just ahead of the victim, letting the victim’s purchase push the price up further, then immediately sells into that higher price — effectively “sandwiching” the original trade between two of their own.

Why this is even possible

On many blockchains, submitted transactions don’t execute instantly. They wait briefly in a public pool, visible to anyone watching the network, before a validator or miner selects and confirms them. This window exists for legitimate technical reasons related to how transactions get processed and ordered, but it also creates an opportunity: anyone monitoring that pool can see a large pending trade coming and act on that information before it settles.

The three steps

Why “market orders” are especially exposed

This kind of manipulation targets trades placed with loose price tolerance, sometimes called slippage tolerance — the maximum price movement a trader is willing to accept before a transaction fails. A wide tolerance gives an attacker more room to push the price before the trade still executes; a tighter tolerance limits how much a sandwich attack can extract, though it also raises the chance the trade fails entirely during ordinary price movement.

Who is actually capturing the value

Sandwich attacks are one specific example of a broader category sometimes called extractable value — profit captured by controlling the order in which transactions are processed rather than by taking on ordinary market risk. This activity is often automated, run by specialized programs constantly scanning pending transactions for opportunities, rather than a person manually watching and reacting.

What actually determines the price a trade settles at

Decentralized trading relies on how a protocol determines the price of an asset at the moment a trade executes, and the mechanics that make sandwich attacks possible are closely tied to how that price is calculated in real time from the assets available in a trading pool. Understanding that a displayed price and an executed price can differ — sometimes because of ordinary market movement, sometimes because of exactly this kind of activity — is part of understanding how decentralized trading actually works day to day.

The takeaway

A sandwich attack is a mechanical exploitation of transaction ordering and public visibility, not a hack in the sense of stolen funds or broken code — the trade executes exactly as coded, just at a worse price than the victim expected. Recognizing why the transaction queue is public, why slippage tolerance matters, and why this activity persists as long as the underlying incentives exist is the clearest way to understand a risk that’s built into the mechanics of decentralized trading itself.