
Sandwich Attacks on Ethereum Rollups

Updated 29 January 2026
  • Sandwich attacks on Ethereum rollups are MEV strategies that exploit cross-layer ordering to extract profit from victim trades.
  • Formal models quantify attack profitability by optimizing trade sizes, evaluating slippage effects, and assessing batch execution probabilities.
  • Empirical analyses reveal low success rates and negative median net PnL, driving recommendations for private mempools and randomized sequencing.

A sandwich attack is a maximal extractable value (MEV) strategy whereby an adversary observes a victim’s pending swap and orchestrates two trades: a frontrun to buy into the victim’s intended asset before their transaction, and a backrun to sell after, extracting profit by manipulating the local price. While endemic on Ethereum Layer-1 (L1) owing to its public mempool, Ethereum rollups—Layer-2 (L2) solutions such as Arbitrum, Optimism, Base, Unichain, and zkSync—introduce sequencing architectures that fundamentally alter the feasibility and profitability of sandwiching. Recent research rigorously models these attacks, analyzes transaction-level data, and clarifies both the empirical rarity and the cross-layer nuances of sandwiching in the rollup context (Torres et al., 2024, Gogol et al., 27 Jan 2026).

1. Classical Sandwich Attacks and the Role of the Mempool

On Ethereum L1, the public mempool discloses all pending transactions, enabling adversaries to monitor for victim swaps and place both legs around the victim’s trade in the same block. The canonical workflow is:

  • The attacker submits $T_{A_1}$ (frontrun: buy) before the victim’s swap $T_V$,
  • The attacker submits $T_{A_2}$ (backrun: sell) immediately after $T_V$.

The profit per sandwich is given by

$$\text{Profit} = (p_{\text{sell}} - p_{\text{buy}}) \times q - c_{\text{gas}}$$

where $q$ is the trade quantity and $c_{\text{gas}}$ is total gas expended. Public mempool visibility and atomic builder markets make this exploitation deterministic and highly competitive.

In contrast, rollups employ private sequencer mempools: unless a user controls the sequencer, pending swaps are invisible—rendering public sandwich strategies infeasible. As a result, empirical analysis over a multi-year window detects zero standard on-chain sandwich attacks on Arbitrum, Optimism, and zkSync (Torres et al., 2024).

2. Formal Modeling of Sandwich Profitability in Rollups

Recent formalization extends the sandwich paradigm to automated market makers (AMMs) on rollups, considering both constant product (CPMM) and concentrated liquidity (CLMM) models (Gogol et al., 27 Jan 2026). The attacker operates three trades: front-run ($f$) of size $x_f$, victim trade ($v$) of size $V$, and back-run ($b$) of size $x_b$.

In the small-trade regime ($x_f, V \ll L$, with $L$ being pool liquidity), the incremental profit before gas is:

$$\Delta \Pi(x_f; V) \approx (1 - \varphi)^2 \frac{x_f V - x_f^2}{L} - 2\varphi x_f$$

where $\varphi$ is the swap fee. The optimal attack size without slippage constraint is

$$x_f^* = \frac{V}{2}$$

and the net expected profit accounts for both slippage and gas costs.

For CLMMs, optimization takes into account tick boundaries. Crossing into lower liquidity ticks can amplify profits if $x_f + V$ is sufficient to push the price across a tick, but is limited by slippage tolerance.

3. Execution Feasibility Under Rollup Sequencer Architectures

Sandwiches in private-mempool rollups are constrained by sequencers’ batching and ordering policies, and the lack of atomic inclusion (i.e., the inability to guarantee that $f$, $v$, $b$ land together).

Three principal probabilistic factors determine success:

  • Same-batch probability: For batch window $T_s$ and attack submission separation $\Delta T$, probability $p_{\text{batch}} \approx \max(0, 1 - \Delta T / T_s)$.
  • Priority ordering: Under FCFS, background arrivals modeled as Poisson process ($\lambda$) yield $P_{\text{FCFS}} = \exp(-\lambda \Delta T)$; under tip-priority, the probability is $P_{\text{PGA}}$ as an expected value over background tip distribution.
  • Arrival-time noise: Modeled as Gaussian variance $\sigma^2$, with $p_{\text{arrival}} \approx \exp( - (\Delta T)^2 / 2\sigma^2 )$.

The aggregate co-inclusion probability is

$$P_{\text{co}} \approx p_{\text{batch}} \times P_\text{priority} \times p_{\text{arrival}}$$

Empirical measurements under typical rollup parameters ($T_s \approx 300$–$800$ms) yield $P_{\text{co}} \in [0.05, 0.20]$; only 5–20% of attempted sandwiches are expected to land as valid same-batch, correctly ordered sandwiches (Gogol et al., 27 Jan 2026).
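For a sequencer operator, the same model can be inverted to size the batch window. The sketch below is an added example, not code from the cited papers: it evaluates $P_{\text{co}}$ for the FCFS case and solves for the largest $T_s$ that keeps it under a chosen target. Function names, units (milliseconds) and the parameter values in the test are assumptions.

```python
import math

def co_inclusion_probability(dt_ms, batch_ms, lam_per_ms, sigma_ms):
    """P_co = p_batch * P_FCFS * p_arrival for the FCFS ordering case.

    dt_ms      -- separation Delta T between submissions
    batch_ms   -- sequencer batch window T_s
    lam_per_ms -- Poisson rate lambda of background arrivals
    sigma_ms   -- std. deviation of arrival-time noise (assumed > 0)
    """
    p_batch = max(0.0, 1.0 - dt_ms / batch_ms)
    p_fcfs = math.exp(-lam_per_ms * dt_ms)
    p_arrival = math.exp(-(dt_ms ** 2) / (2.0 * sigma_ms ** 2))
    return p_batch * p_fcfs * p_arrival

def max_batch_window(dt_ms, lam_per_ms, sigma_ms, target):
    """Largest T_s with P_co <= target.

    Only p_batch depends on T_s, so the bound follows from
    1 - dt/T_s <= target / (P_FCFS * p_arrival).
    """
    rest = math.exp(-lam_per_ms * dt_ms) * math.exp(-(dt_ms ** 2) / (2.0 * sigma_ms ** 2))
    ratio = target / rest
    if ratio >= 1.0:
        # Ordering and timing noise alone already keep P_co under the target.
        return math.inf
    return dt_ms / (1.0 - ratio)
```

In this model a batch window shorter than $\Delta T$ drives $p_{\text{batch}}$, and with it $P_{\text{co}}$, to zero.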

4. Cross-Layer Sandwiching: Attack Strategies and Empirical Outcomes

Although direct same-chain sandwiching is stymied, cross-layer communication reintroduces sandwich vectors (Torres et al., 2024). Researchers systematically catalog three attack strategies exploiting the public visibility of L2-call transactions on the Ethereum L1 mempool:

| Strategy | Key Steps | Execution Site(s) |
|---|---|---|
| S₁: Classical Cross-Layer | Frontrun/backrun on L1 to sandwich L2 swap transaction (visible on L1) | L1, with effects on L2 |
| S₂: Hybrid | Frontrun on L1, backrun directly to L2 sequencer ahead of victim batch | L1 (frontrun), L2 (backrun) |
| S₃: Speculative | React to finalized L1 blocks, insert both legs on L2 before relayed victim | L2 only |

Simulation of these strategies over historical L1→L2 bridge traffic (notably, Hop Protocol) identifies approximately 170,000 potential targets. Total simulated extractable profit is approximately 2 million USD over 32 months: Arbitrum ($\sim$1.2 million per strategy), Optimism ($\sim$0.75 million per strategy) (Torres et al., 2024). These scenarios assume attacker capital in the $10k$–“infinite” range; even modest budgets suffice for hundreds of profitable opportunities. The cross-layer delay (mean $\sim$13 minutes on Arbitrum) provides attackers with a generous window for S₃-type insertions.

5. Empirical Prevalence, Profitability, and False Positive Analysis

Automated sandwich detection on rollups suffers from high false-positive rates. Naïve heuristics overestimate sandwiching due to shared routers and fragmented actor identity. Enhanced methods group transactions by (chain, block, pool), then filter based on actor identities and swap directions.

Analysis across Arbitrum, Base, Optimism, Unichain, and zkSync (2025 data) yields:

  • Only 5–25% of candidate sandwich patterns meet the “strong signature” ($|x_b / x_f - 1| \leq 10\%$).
  • Front–back run correlation: as low as 0.08 (Optimism), maximum 0.63 (Arbitrum); victim–attacker leg correlation $<0.6$ everywhere.
  • Median net PnL per sandwich is negative across all chains:

| Chain | Median Net PnL (USD) | IQR Net PnL |
|---|---|---|
| Arbitrum | –$0.80 | [–$1.96, +$0.40] |
| Base | –$2.23 | [–$4.06, +$0.91] |
| Optimism | –$0.46 | [–$1.47, +$0.21] |
| Unichain | –$0.65 | [–$3.30, +$0.27] |
| ZKsync | –$0.44 | [–$0.66, +$0.26] |
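The grouping-and-filtering detection described in this section, as an added example that is not code from the cited papers. It contrasts a naïve match on the shared router address with a match on actor identity, then applies the strong-signature test. The record fields, the sample swaps (constructed, not chain data) and the assumption that all leg amounts are in the same token units are illustrative.

```python
from collections import defaultdict
from itertools import combinations

def S(block, idx, router, actor, side, amount):
    # Constructed swap record; amounts assumed to be in the same token units.
    return dict(chain="arbitrum", block=block, pool="P1", idx=idx,
                router=router, actor=actor, side=side, amount=amount)

SWAPS = [
    # Block 100: one actor on both sides of a victim, matching sizes.
    S(100, 3, "R1", "bot", "buy", 50.0), S(100, 4, "R1", "alice", "buy", 100.0),
    S(100, 5, "R1", "bot", "sell", 49.0),
    # Block 101: three unrelated users of one shared router.
    S(101, 1, "R1", "bob", "buy", 10.0), S(101, 2, "R1", "carol", "buy", 30.0),
    S(101, 3, "R1", "dave", "sell", 10.0),
    # Block 102: same actor on both sides, but leg sizes do not match.
    S(102, 7, "R2", "eve", "buy", 50.0), S(102, 8, "R2", "frank", "buy", 80.0),
    S(102, 9, "R2", "eve", "sell", 20.0),
]

def find_sandwiches(swaps, identity="actor", tolerance=0.10):
    """Return candidate (front, victim, back) triples per (chain, block, pool).

    identity="router" reproduces the naive heuristic; identity="actor" is the
    enhanced filter. "strong" marks |x_b / x_f - 1| <= tolerance.
    """
    groups = defaultdict(list)
    for s in swaps:
        groups[(s["chain"], s["block"], s["pool"])].append(s)
    hits = []
    for key, txs in groups.items():
        txs.sort(key=lambda s: s["idx"])
        for f, v, b in combinations(txs, 3):  # keeps in-block ordering
            same_identity = f[identity] == b[identity]
            victim_distinct = v["actor"] not in (f["actor"], b["actor"])
            directions = f["side"] == v["side"] and b["side"] != f["side"]
            if not (same_identity and victim_distinct and directions):
                continue
            strong = f["amount"] > 0 and abs(b["amount"] / f["amount"] - 1.0) <= tolerance
            hits.append({"group": key, "front": f["idx"], "victim": v["idx"],
                         "back": b["idx"], "strong": strong})
    return hits
```

On the constructed sample, the router-keyed pass flags all three blocks, the actor-keyed pass drops the shared-router block, and only block 100 carries the strong signature.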

Prevalence is extremely low: 95% of supposed sandwich structures fail economic checks, and bot-level “sandwich efficiency” remains $<0.1\%$ everywhere (Gogol et al., 27 Jan 2026).

6. Policy Implications and Mitigation Recommendations

Research consensus is that the private mempool design and lack of public builder markets render same-block sandwiching rare and unprofitable in current rollup architectures (Gogol et al., 27 Jan 2026). Nevertheless, cross-layer attack surfaces persist so long as L2 swaps are relayed via Ethereum L1’s public mempool (Torres et al., 2024).

Key defensive strategies include:

  • Maintaining private or encrypted mempools: Blocks S₁/S₂ by concealing pending swaps.
  • Batching window minimization: Short batch periods ($<300$ms) reduce $P_{\text{batch}}$ and thus attack feasibility.
  • FCFS (first-come, first-served) sequencing: Promotes timing noise and impedes tip-ordering attacks.
  • Economic-consistency checks: Sequencer logic rejects suspicious $f$/$b$ pairs unless victim size justifies the wedge.
  • Proof-of-delay or randomized time-locks: Hinder adversarial timing.
  • Proposer-builder separation: Rollup builders selectively admit only profitable cross-layer bundles, rejecting inefficient MEV attempts.

A plausible implication is that, as rollups move toward public mempools or builder markets, or as transaction sizes increase, probabilistic sandwiching may regain practical feasibility. Sequencer and protocol designs must anticipate these economic models and preemptively incorporate countermeasures, rather than retrofitting controls after vulnerabilities emerge (Gogol et al., 27 Jan 2026, Torres et al., 2024).
