Sandwich Attacks on Constant Product AMMs

A sandwich attack is the canonical predatory MEV strategy. The attacker exploits the deterministic pricing of an AMM and the visibility of pending transactions to extract value from an unsuspecting trader. It is the DeFi equivalent of front-running studied in market microstructure, but executed atomically within a single block.

Setup: Constant Product AMM

Consider a pool with reserves $(x, y)$ for tokens $X$ and $Y$ , governed by the constant product invariant:

x \cdot y = k

A trader buying token $Y$ by depositing $Δ x$ of token $X$ (with fee rate $f$ , where $f = 0.003$ for a typical 0.3% pool) receives:

Δ y = \frac{y \cdot Δ x \cdot ( 1 - f )}{x + Δ x \cdot ( 1 - f )}

The effective price paid per unit of $Y$ is $P_{eff} = Δ x /Δ y$ . As $Δ x$ grows relative to $x$ , the price impact increases superlinearly --- this is the mechanical property the attacker exploits.

The Attack: Step by Step

Initial state: Pool has reserves $(x_{0}, y_{0})$ with $k = x_{0} \cdot y_{0}$ .

Step 1: Victim Submits a Swap

A victim submits a transaction to buy token $Y$ by depositing $Δ x_{v}$ of token $X$ . This transaction is visible in the mempool (on Ethereum) or detectable through leader proximity and transaction flow analysis (on Solana).

The victim has set a slippage tolerance $s$ --- they will accept a price up to $(1 + s)$ times the current spot price.

Step 2: Attacker Front-Runs

The attacker inserts a transaction before the victim’s, buying token $Y$ with amount $Δ x_{a}$ . After the attacker’s buy:

x_{1} = x_{0} + Δ x_{a} \cdot (1 - f)

y_{1} = \frac{k}{x _{1}} = \frac{x _{0} \cdot y _{0}}{x _{0} + Δ x _{a} \cdot ( 1 - f )}

The pool price of $Y$ in terms of $X$ has increased from $x_{0} / y_{0}$ to $x_{1} / y_{1}$ .

Step 3: Victim Executes at Worse Price

The victim’s transaction now executes against the shifted pool $(x_{1}, y_{1})$ . They receive:

Δ y_{v} = \frac{y _{1} \cdot Δ x _{v} \cdot ( 1 - f )}{x _{1} + Δ x _{v} \cdot ( 1 - f )}

This is strictly less than what they would have received against $(x_{0}, y_{0})$ . The difference is the victim’s loss.

Step 4: Attacker Back-Runs

The attacker sells the $Δ y_{a}$ tokens acquired in Step 2 back to the pool, now at a higher price. After the victim’s trade, the pool is at $(x_{2}, y_{2})$ . The attacker’s sell yields:

Δ x_{out} = \frac{x _{2} \cdot Δ y _{a} \cdot ( 1 - f )}{y _{2} + Δ y _{a} \cdot ( 1 - f )}

The attacker’s profit is:

π_{a} = Δ x_{out} - Δ x_{a} - gas/tips

Formal Analysis

Optimal Front-Run Size

The attacker chooses $Δ x_{a}$ to maximize profit subject to the constraint that the victim’s transaction still executes (i.e., the victim’s slippage tolerance $s$ is not exceeded).

The victim’s maximum acceptable price per unit of $Y$ is:

P_{m a x} = \frac{x _{0}}{y _{0}} \cdot (1 + s)

The attacker’s front-run shifts the pool price. The constraint is that the victim’s effective execution price after the front-run must remain below $P_{m a x}$ . This gives the attacker’s maximum front-run size $Δ x_{a}^{*}$ .

For a constant product AMM with fee $f$ , the optimal front-run (ignoring gas) satisfies:

Δ x_{a}^{*} = \frac{x _{0}}{1 - f} (\frac{( 1 + s ) ( 1 - f ) ^{2} \cdot Δ x _{v}}{x _{0} + Δ x _{v} ( 1 - f )} + 1 - 1) - \frac{Δ x _{v} \cdot x _{0}}{x _{0} + Δ x _{v} ( 1 - f )}

In practice, searchers solve this numerically. The closed-form is unwieldy, but the structural insights are clear from the partial derivatives.

Attacker Profit

The attacker’s gross profit (before gas/tips) can be expressed as:

π_{a} = Δ x_{out} - Δ x_{a}

where both terms are functions of $Δ x_{a}$ , the pool state $(x_{0}, y_{0})$ , the victim’s trade size $Δ x_{v}$ , and the fee $f$ . The profit is approximately:

π_{a} \approx \frac{Δ x _{a} \cdot Δ x _{v} \cdot ( 1 - f ) ^{2}}{x _{0} \cdot ( 1 + \frac{Δ x _{a} ( 1 - f )}{x _{0}} ) \cdot ( 1 + \frac{( Δ x _{a} + Δ x _{v} ) ( 1 - f )}{x _{0}} )} \cdot \frac{Δ x _{v} ( 1 - f )}{x _{0}}

The key scaling: profit grows roughly as $O (Δ x_{v}^{2} / x_{0})$ for small trades relative to pool size. This has direct implications for who gets sandwiched.

Victim Loss

The victim’s loss is the difference between what they would have received without the sandwich and what they actually received:

L_{v} = Δ y_{v}^{no attack} - Δ y_{v}^{attacked}

Δ y_{v}^{no attack} = \frac{y _{0} \cdot Δ x _{v} ( 1 - f )}{x _{0} + Δ x _{v} ( 1 - f )}

The victim’s loss is bounded by their slippage tolerance:

L_{v} \leq s \cdot Δ x_{v} \cdot \frac{y _{0}}{x _{0}}

In practice, an optimal attacker extracts close to this upper bound.

What Makes Sandwiching Profitable

Three factors determine sandwich profitability:

Larger victim trades are more profitable. Profit scales superlinearly with $Δ x_{v}$ . A trade that is 2x larger does not yield 2x the profit --- it yields more, because the price impact curve is convex.

Higher slippage tolerance means more extraction. The slippage tolerance $s$ is the upper bound on what the attacker can extract. A victim setting 10% slippage is offering up to 10% of their trade value to the attacker. The attacker’s optimization is simply: extract as much as the victim permits.

Smaller pools amplify everything. Pool size $x_{0}$ appears in the denominator of the profit expression. A $10,000 trade in a $100,000 pool has 100x the price impact of the same trade in a $10,000,000 pool. This is why shallow liquidity pools are sandwich magnets.

Why Pump.fun / PumpSwap Tokens Are Especially Vulnerable

Pump.fun’s bonding curve tokens and the subsequent PumpSwap liquidity pools exhibit every characteristic that maximizes sandwich profitability:

Extremely low liquidity. Newly launched tokens often have total pool liquidity under $50,000. Even modest trades create enormous price impact, making them ideal sandwich targets.

High slippage tolerance from users. Memecoin traders routinely set slippage to 10—30% (sometimes higher) because token prices move so fast that tight slippage causes transaction failures. This slippage tolerance is a direct invitation to sandwich bots.

Jito bundles enable atomic execution. On Solana, sandwich attackers use Jito bundles to submit their front-run, the victim’s transaction, and their back-run as an atomic package. If any part fails, none execute. This eliminates the execution risk that constrains sandwich attacks on Ethereum (where front-run and back-run are separate transactions that may not land in the expected order).

Unsophisticated retail participants. Most pump.fun users are retail traders unfamiliar with MEV concepts. They do not use private transaction submission, do not minimize slippage, and often trade through basic wallet interfaces with no MEV protection. They are, in the language of market microstructure, pure uninformed flow --- exactly the flow that predatory intermediaries profit from most.

The combination is devastating: maximum price impact, maximum slippage headroom, atomic execution guarantees, and a user base that neither understands nor defends against the extraction. See The Pump.fun Economy for the aggregate impact.

Connection to Market Microstructure

Sandwich attacks are the AMM analog of front-running in order-driven markets. In traditional market microstructure, front-running is illegal --- it violates the broker’s duty of best execution. In DeFi, no such duty exists. The mempool is public, the AMM’s pricing function is deterministic, and anyone can insert transactions. The result is a market structure where the “broker” (the MEV bot) actively trades against its “customers” (other mempool participants).

The Protection Strategies article covers practical defenses.

Socratic Questions

If sandwich attacks extract value up to the victim’s slippage tolerance, what is the game-theoretic equilibrium slippage setting for informed vs. uninformed traders?
Concentrated liquidity (e.g., Uniswap v3) reduces price impact for trades within the active range. Does this reduce or increase sandwich profitability? Consider that concentrated LPs are themselves subject to JIT competition.
Could an AMM design make sandwiching unprofitable without sacrificing capital efficiency? What tradeoffs would be required?
The victim’s loss is bounded by $s \cdot Δ x_{v} \cdot (y_{0} / x_{0})$ . If a user must set high slippage to trade volatile tokens, is there any way to limit the attacker’s extraction within that tolerance?
Jito bundles make sandwich attacks atomic on Solana. If Solana removed bundle support, would sandwich attacks disappear or simply become less efficient?

Learning Finance

Explorer

Sandwich Attacks