Exclusive data from EigenPhi reveals that sandwich attacks on Ethereum have waned

In the volatile world of decentralized finance, a single data dump can tilt market sentiment for weeks. The title-bearing finding from EigenPhi’s exclusive dataset paints a nuanced picture: sandwich attacks on Ethereum have waned in 2025, even as the broader MEV landscape remains active. For traders, developers, and policymakers, this shift offers both relief and new questions about protection, incentives, and the next steps for a more resilient ecosystem. The title of this report is not merely a headline—it signals a turning point in how we understand order-flow exploitation, the economics of block-building, and the race to shield ordinary users from costly slippage. Below is a deep dive into what this means, backed by data, case studies, and practical implications for 2025 and beyond.

The crux of the story lies in extractable value—MEV—where block builders can reorder, insert, or censor transactions to capture extra profits at the expense of end users. Among MEV strategies, sandwich attacks—frontrunning and backrunning a victim’s swap—are particularly punishing because they deliver a suboptimal execution price to the victim while pocketing a spread for the attacker. Ethereum’s high on-chain activity and open block-building market make it especially susceptible to this genre of manipulation. Yet the latest dataset from EigenPhi, comprising more than 95,000 sandwiches captured between November 2024 and October 2025, suggests a slowdown in meaningful extraction. The question is: why did this happen, and what does the title hold for traders and the engineers building protective layers around the protocol?

What sandwich attacks are, and why they matter

How front-running and back-running routine works

A sandwich attack typically unfolds in three steps. First, a searcher spots a large swap on a popular decentralized exchange (DEX) pair. Second, the attacker submits a front-running transaction to buy the token ahead of the victim, nudging the price up. Third, after the victim executes, the attacker sells into the inflated price, pocketing the difference as profit. In practice, this sequence can be more sophisticated. Some attackers insert a center transaction between the front-run and back-run and even adjust liquidity in the pool to push prices unfavorably for subsequent victims. The end result is predictable slippage for the victim and a modest windfall for the attacker.

Why does this occur on Ethereum in particular? The combination of high transaction throughput, a liquid market for DEXes, and a permissive block-building environment creates ample opportunities for MEV extraction. The open order-flow makes it possible for searchers to identify worthy opportunities, while gas markets provide a means to arbitrate priority. The title of the current research pushes back against the idea that MEV is a solved problem; instead, it emphasizes how the dynamics of attack surfaces, competition among bots, and evolving protection tools shape outcomes for users.

Economic implications for users and block builders

From a user perspective, sandwich attacks introduce a predictable cost of doing swaps in public pools. The EigenPhi dataset shows that annual losses attributed to sandwich extraction hover around tens of millions of dollars across traders. The seemingly modest profit margins for attackers—roughly 5% after gas costs—mask the systemic friction they generate: higher slippage on ordinary trades, increased gas fees, and a more complex on-chain experience. For block builders, however, those same dynamics create a high-velocity, competitive market where success favors speed, access to diverse liquidity venues, and the ability to execute multiple targets in rapid succession. The title tells a story of a market where both sides push to optimize, but with persistent frictions that keep end-user costs elevated relative to ideal, frictionless trading.

EigenPhi’s data: scope, method, and takeaways

Dataset scope and timeframe

Cointelegraph Research collaborated with EigenPhi to analyze a dataset spanning November 2024 through October 2025. The researchers assembled more than 95,000 premium samples of sandwich activity, offering a rare window into both micro-episodes—single sandwich events—and macro-trends, such as month-to-month variance in the total value captured by attackers and the total cost borne by victims. The title of these findings is not merely to quantify losses but to illuminate how the distribution of attacks evolved across pools, tokens, and market regimes.

Key metrics and what they reveal

• Annual losses to traders: The research estimates roughly $60 million in annual trader losses due to sandwich extraction. While this headline figure sounds large, it must be balanced against the size of the on-chain market and its volume growth.
• Attacker margins: After gas costs, the net profit margin for attackers centers around 5%, illustrating razor-thin profitability that is highly sensitive to gas prices, competition among bots, and network conditions.
• Hit rate and volumes: The typical sandwich activity occurs in a landscape of 60,000–90,000 attacks per month, signaling persistent competition and a broad attack surface across the Ethereum ecosystem.
• Pool targeting: About 38% of attacks were directed at low-volatility pools containing stablecoins, wrappers, and liquid-staking tokens (LSTs) tied to Ether and Bitcoin. Around 12% struck stable swaps, which are especially susceptible to slippage surprises when liquidity or tick movements spike unexpectedly.
• Notable tokens and pairs: The memecoin MANYU paired with WETH stood out as an actively traded, albeit highly specialized, target. Jared—the well-known MEV searcher with the moniker jaredfromsubway.eth—has consistently pursued this pool since July, extracting tens of thousands across dozens of attacks.

One of the most provocative observations is the role of a single actor—Jared—in a substantial share of attacks. The dataset indicates that around 70% of all sandwich attacks in 2025 involved Jared’s strategy in some form. This concentration raises questions about market dynamics, bot strategy, and the extent to which a single player can shape outcomes in a highly automated, low-friction market. The title emphasizes how persistent concentration can distort risk and profit distributions, even when the overall number of attacks fluctuates.

The economics of attack and defense

The data underscore a recurring theme: profitability in MEV-borne activities depends as much on volume as on margin. As extraction margins compress under competitive pressure, attackers pivot toward quantity, seeking to maximize flat-rate profitability by participating in as many opportunities as possible. In October 2025, the number of distinct sandwich bots active on Ethereum reached roughly 515, but only a bit more than 100 bots executed trades in a typical month. The implication is clear: the field is crowded, and sustainable profits require both scale and precision.

Gas costs remained an important variable. Across most of 2025, on-chain gas expenses stayed relatively low compared with per-attack revenue, supporting the viability of aggressive strategies. Yet even with favorable gas economics, the data show that profitability is fragile. April 2025 saw a temporary negative margin for Jared’s strategy, illustrating how misreads of slippage, price impact, or countermeasures can erase what looks like a reliable edge.

Who’s who in the sandwich ecosystem?

Jedipage: the central figure and strategy evolution

Jared, also known by the handle jaredfromsubway.eth, emerged as a central figure in the 2025 dataset. His v2 bot introduced a more aggressive multi-victim approach, sometimes inserting a center transaction to push swap rates for subsequent victims. In practice, this means Jared can manipulate price movement across multiple targets in a single window, increasing total profit per session even when individual attacks yield only a few cents or dollars. The title here isn’t about a lone rogue; it’s about a broader category of searchers who constantly refine their technique to outpace rivals and reduce risk.

Botnet dynamics: number of operators vs. profitability

As noted, the ecosystem hosted hundreds of distinct bots, but only a subset of those bots executed trades monthly. The skew is stark: a few “top-line” bots capture a disproportionate share of opportunities, while the majority operate at break-even or negative margins. In 2025, approximately one-third of active sandwich bots operated around breakeven (-$10 to +$10), and roughly 30% posted net losses. This distribution underscores the idea that success in this niche is not about volume alone; it’s about superior opportunity selection, fast execution, and precise gas management. The title draws attention to how fragile the economics are for newcomers and why the field tends to consolidate around a small number of high-skill operators.

Targeting patterns: pools, tokens, and liquidity strategies

The data reveal that attackers favored specific kinds of pools, particularly those with lower price volatility or with tokens that introduce additional complexity into price discovery. The 38% share of attacks on low-volatility pools tied to stablecoins, wrappers, and LSTs suggests that attackers recognize predictable price movement in these venues. The 12% hit rate on stable swaps highlights a blind spot for protection when liquidity moves are subtle but impactful. The persistent attention to the MANYU/WETH pair shows that even less-liquid niches can become profitable if the attacker can reliably forecast price impact and liquidity dynamics. The title in this pattern signals how attackers continuously recalibrate risk and reward across evolving liquidity landscapes.

Current protection tools and user-facing defenses

As sandwiching persisted, the user community leaned on protection tools and best practices: slippage controls, private transaction pools, and strategies to randomize transaction timing. The dataset’s implications are clear: while these measures improve user outcomes in some cases, they do not eliminate the risk. The title reflects a movement toward layered MEV protection, combining application-level safeguards with network-level innovations to reduce susceptibility to front-running and back-running.

Threshold encryption and Shutter-style approaches

Two notable technical ideas have gained attention in 2025: threshold encryption and batched threshold encryption. These constructs aim to hide sensitive transaction details until they are committed to a block, thereby reducing the visibility that MEV bots rely on. Shutter’s approach, alongside Batched Threshold Encryption, presents a pathway to curtail the information leakage that makes sandwich attacks feasible in a high-velocity market. The claim in many research discussions—reflected in the title—is that native MEV protection at the protocol level could stand as a long-run solution, complementing application-layer protections and exogenous safeguards like transaction encryption and better auction design for block builders.

Protocol-level debates and policy considerations

There is a robust debate about introducing native MEV protection within Ethereum’s protocol layer. Proponents argue that a standard, opt-in protection mechanism could reduce unfair advantages for attackers, stabilize user costs, and foster more predictable liquidity. Opponents point to potential trade-offs: higher latency, reduced throughput, or unintended incentives that could shift MEV into other, harder-to-monitor channels. The title underscores the importance of evaluating these trade-offs with careful modeling, pilot deployments, and rigorous governance processes to avoid undermining the very incentives that keep networks secure and decentralized.

Volume trends and their implications for MEV

From Q1 2025 to Q3 2025, on-chain DEX volumes on Ethereum rose from around $65 billion per month to above $100 billion per month. The surge in activity creates both more opportunities for attackers and more liquidity for victims to defend against them. The title of the ecosystem, therefore, is not simply a tale of rising risk; it’s a narrative about resilience—how users and builders adapt to a more vibrant market while minimizing frictions and losses.

Profitability dynamics in a rising volume environment

Despite higher volumes, the average per-sandwich profit remained modest. In 2025, the net monthly profit after gas costs hovered around $260,000, driven by a combination of many small gains and some outsized hits. Notably, an outlier in January 2025 pushed a single attack’s profit well above typical levels, reminding observers that a single event can distort short-term metrics. The title in these numbers is cautionary: even as the market grows, profitability remains highly sensitive to the competitive landscape and to gas price fluctuations that can squeeze margins.

Who is being hit most: victims and protected segments

A recurring pattern in the data shows that ordinary users who execute swaps on typical pairs may face continued slippage pressure, especially when the attacked pools have some structural fragility or limited liquidity depth. The dataset’s breakdown points toward a need for more robust protection in high-friction moments—for example, during periods of high volatility or when large orders sweep across popular pools. The title reminds us that progress requires both better tooling and smarter marketplace design to shield users without stifling liquidity or innovation.

For traders and liquidity providers

Traders should incorporate MEV-aware strategies into their risk models. This includes leveraging private execution venues, slippage-aware routing, and dynamic order sizing to mitigate the impact of sandwich attacks. Liquidity providers can benefit from deeper liquidity across pools and from liquidity-averaging techniques that reduce the relative gain an attacker can extract from a single event. The title of the current findings emphasizes the need for adaptive tactics—what works in a high-volume, two-sided market may not work in a calmer regime—and the importance of monitoring for shifts in attacker behavior, such as multi-victim strategies seen in Jared’s newer bot iterations.

For developers and wallet providers

Developers can implement additional on-chain protections at the application layer, such as transaction sequencing controls and enhanced slippage safeguards. Wallets can offer default settings that minimize exposure to sandwich attacks, including better front-end alerts when a large swap is likely to attract MEV attention. The title also suggests exploring user education as a core piece of defense—empowering users with knowledge about how sandwich attacks work and what tools exist to reduce risk.

For exchanges and protocol designers

Exchanges and protocol designers face a dual challenge: maintaining liquidity and improving user protection without undermining market efficiency. The data advocate for continued exploration of native MEV protection at the protocol level, as well as transparent metrics on how protection affects liquidity, price discovery, and incentive alignment for block builders. The title is a call to action for governance processes, experimentation, and collaboration across the Ethereum ecosystem to implement protections that scale alongside market growth.

The exclusive EigenPhi dataset and the accompanying research deliver a nuanced verdict: sandwich attacks on Ethereum have waned in 2025, but the threat remains. The decline in extraction does not equate to a solved problem. The attackers continue to adapt—pursuing higher-volume strategies, refining multi-target approaches, and exploiting subtle slippage across targeted pools. At the same time, more traders have started to deploy protection tools and to diversify their execution strategies, pushing the economics of MEV toward thinner margins and greater experimentation with new defenses. The title of this story is that progress is real, but the playbook remains dynamic and contested. In the near term, we can expect a continued tilt toward protective measures, protocol-level innovations, and smarter market design that reduces end-user costs while preserving the incentives that keep Ethereum vibrant and decentralized.

As researchers and commentators continue to dissect the data, one thing remains clear: sandwich attacks are not a one-off anomaly but a test bed for the broader question of how to reconcile open markets with user protection. The title captures this tension—an ongoing evolution from reactive safeguards to proactive, design-level resilience. If 2024 taught us anything, it’s that high-frequency MEV activity responds quickly to changes in volume, technology, and policy. If 2025 has shown anything, it’s that the ecosystem is learning to respond—though not yet completely—by strengthening defenses and rethinking how value is extracted, distributed, and defended in a fully on-chain economy.

---

FAQ: Common questions about MEV, sandwich attacks, and the EigenPhi findings

What is MEV, and why does it matter?

MEV stands for maximal extractable value. It represents the economic value that block builders, searchers, and others can extract by ordering, including, or excluding transactions within a block. MEV matters because it affects execution costs for users, price discovery for assets, and the incentives structure for participants in the Ethereum ecosystem. The title of this research underscores the ongoing importance of understanding MEV as both a risk and a potential area for protocol innovation.

What exactly is a sandwich attack?

A sandwich attack involves a front-run, the victim’s swap, and a back-run that exploits price movement caused by the victim’s order. The attacker uses a combination of speed, market access, and gas incentives to ensure that the victim pays a higher price while the attacker pockets the spread. In practice, attackers may also insert center transactions or adjust liquidity to magnify price changes for subsequent victims. The title emphasizes how increasingly sophisticated strategies can complicate the landscape for users and defenders alike.

Why did sandwich attacks decline in 2025?

The EigenPhi data show a slowdown in extraction activity in 2025, even as on-chain volumes rose. Several factors likely contributed: more traders adopting protection tools, improved liquidity depth across pools, and the emergence of defensive strategies that reduce the effectiveness of front-running. However, the risk persists because there is no universal, protocol-wide shield, and attackers continue to refine strategies for higher-quantity opportunities. The title captures this dynamic tension between improvement and persistence of risk.

What can users do to protect themselves?

Users can adopt several practical steps: use slippage controls, favor reputable wallets with built-in MEV protections, consider private or batched execution options, and stay informed about pool depth and liquidity. Diversifying across pools and tokens can reduce exposure to a single vulnerable venue. The title invites readers to think about how simple user-level protections fit into a broader plan that includes protocol-level improvements and community-driven best practices.

What are Shutter’s threshold encryption and Batched Threshold Encryption?

Threshold encryption concepts aim to hide transaction details until they are committed to a block, reducing the information available to MEV searchers. Shutter’s approach and Batched Threshold Encryption are among the leading ideas in the space, offering a potential path toward making front-running and back-running less feasible. The title highlights that these technologies are part of a broader toolkit for encoding privacy into the trade lifecycle, with the goal of preserving user experience while maintaining transparency and trust in block production.

What does the future hold for native MEV protection?

Experts expect protocol-level protection to be a central piece of the puzzle in the next few years. While there are complexities to navigate—such as ensuring throughput and not sacrificing decentralization—these efforts could yield long-run resilience against sandwich attacks and other MEV-driven exploits. The title suggests cautious optimism: if implemented thoughtfully, native protections could reduce end-user costs and improve market efficiency without undermining the incentives that sustain a robust Ethereum ecosystem.

In sum, the 2025 landscape presents a more nuanced and resilient picture: sandwich attacks have waned but have not vanished; the economics have compressed, driving attackers toward higher throughput and more sophisticated strategies; and a growing chorus argues for integrated protections that combine protocol design with practical, user-facing defenses. The title of this ongoing story remains clear: a more secure, efficient, and equitable Ethereum is possible, but it requires sustained research, careful experimentation, and broad collaboration across developers, researchers, and the broader community.