
How Do Investigators Detect Front-Running Patterns in DeFi Transactions?


Last Updated: February 2026

Every experienced DeFi trader has encountered the moment: a swap executes on Uniswap or another decentralised exchange, and the received amount is noticeably worse than the price quoted seconds earlier. The standard assumption is market slippage – prices moved during confirmation. But blockchain forensic analysis reveals a different reality for a significant portion of these transactions. Sophisticated automated bots monitor the public mempool for pending trades, insert their own transactions immediately before and after the victim’s swap, and extract profit from the artificially widened price impact. This practice – known as front-running or MEV extraction – is not a bug in decentralised finance. It is a structural feature of transparent mempools and deterministic execution, and it generates billions of dollars in value extracted from ordinary users.

Yet the same transparency that enables front-running also exposes it. Every front-run transaction, every sandwich attack, every block position manipulation is permanently recorded on-chain. Investigators can reconstruct exactly who profited, how much they extracted, from which victims, and through what smart contract infrastructure – often with more precision than traditional market surveillance systems can achieve in centralised finance. The gap is not in the evidence. The gap is in understanding where market efficiency ends and illegal manipulation begins.

What Front-Running Looks Like in Decentralised Finance

Front-running in DeFi differs fundamentally from its traditional finance counterpart. In conventional markets, front-running requires access to privileged order flow information – a broker trading ahead of a client’s order, or an exchange employee acting on non-public data. In DeFi, the information is public by design. Every pending transaction sits in a visible mempool, broadcasting its intent to the entire network before execution. The question of whether exploiting this publicly visible information constitutes manipulation – or simply efficient market participation – remains legally unresolved.

Investigators categorise DeFi front-running into five distinct patterns, each with different forensic signatures and legal implications.

| Front-Running Type | Mechanism | Primary Detection Signal | Estimated Scale |
| --- | --- | --- | --- |
| Sandwich Attack | Bot places a buy before and sell after a victim’s DEX swap, profiting from induced price impact | Three transactions in same block: bot buy → victim swap → bot sell, with bot profit matching victim’s excess slippage | Hundreds of millions USD annually on Ethereum alone |
| Pure Front-Running | Bot copies a pending profitable transaction and submits it with higher gas to execute first | Near-identical transaction data with higher gas price, executing in earlier block position | Common in arbitrage and NFT minting |
| Back-Running | Bot places a trade immediately after a large swap to capture the arbitrage created by the price impact | Arbitrage transaction in the next position after a large trade, restoring pool price to market rate | The most common MEV type by volume |
| Liquidation Front-Running | Bot monitors lending protocols for positions approaching liquidation thresholds, then executes the liquidation for the reward | Liquidation transaction submitted with high priority fee immediately after price oracle update crosses threshold | Significant during market volatility events |
| JIT Liquidity | Bot adds concentrated liquidity to a pool just before a large swap executes, capturing more fees, then removes it immediately after | Liquidity add → swap → liquidity remove sequence within same block, with liquidity provider earning disproportionate fees | Growing practice on Uniswap V3/V4 |

The Sandwich Attack: Anatomy of the Most Common Front-Run

Sandwich attacks account for the largest measurable harm to DeFi users and produce the clearest forensic evidence. The mechanics operate in three steps executed within a single block.

First, a searcher’s bot detects a pending swap in the mempool – for example, a user swapping 50 ETH for USDC on Uniswap. The bot calculates the expected price impact of this trade on the liquidity pool. Second, the bot submits a buy transaction with a higher priority fee, ensuring it executes before the victim’s swap. This buy pushes the price up. Third, the victim’s swap executes at the now-inflated price, receiving fewer USDC than expected. Immediately after, the bot sells the tokens it purchased, capturing the price difference as profit. The victim’s loss is the bot’s gain – a direct, calculable extraction.

Transaction fee analysis reveals these patterns clearly. The front-running transaction consistently pays an elevated priority fee to secure its block position, while the back-running transaction pays a lower fee because its position relative to the victim’s trade is guaranteed by the block builder. On Ethereum alone, zeromev has catalogued over 1.25 million sandwich attacks across the network’s history, with the peak reaching approximately 84,000 attacks per month in April 2021 – roughly one every 30 seconds. In 2025, sandwich attacks constituted $289 million, or 51.5% of total MEV transaction volume. By March 2025, over 33,000 users were being victimised monthly by just 101 identified sandwich entities. The Ethereum bot known as jaredfromsubway.eth became the most studied MEV operator, extracting an estimated $40–60 million in net profit while spending tens of millions in gas fees – an expenditure that was profitable only because the extracted value consistently exceeded it.

How Block Builders and Validators Shape Front-Running

Since Ethereum’s transition to Proof of Stake in September 2022, the MEV landscape has been restructured by Proposer-Builder Separation. Validators no longer order transactions themselves in most cases. Instead, specialised block builders construct optimised blocks – including MEV-extracting transaction bundles – and bid for the right to have their block proposed. MEV-Boost, the middleware that facilitates this process, is used by approximately 90% of Ethereum validators.

This architecture creates forensic opportunities. Block builders who consistently include sandwich attack bundles can be identified and their smart contract interactions mapped. The block builder ecosystem is concentrated – a small number of builders win the majority of block auctions – making attribution more tractable than it might appear. Investigators can query the MEV-Boost relay APIs to determine which builder constructed any given block and what MEV was extracted within it.

How Investigators Detect Front-Running on the Blockchain

Front-running detection combines mempool analysis, block-level transaction ordering inspection, and profit calculation across multiple on-chain interactions. Each detection method targets a different phase of the front-running operation.

Block Position Analysis

The most direct detection method examines the ordering of transactions within confirmed blocks. For sandwich attacks, investigators look for a specific three-transaction pattern: a buy transaction from address A, immediately followed by a swap from address B (the victim), immediately followed by a sell transaction from address A – all targeting the same liquidity pool. When this pattern appears with the first and third transactions sharing the same originating contract or wallet, and the middle transaction experiencing measurably worse execution than the pool’s state warranted, the sandwich is confirmed.

Tools like zeromev and EigenPhi automate this analysis at scale, scanning every block for front-running patterns and cataloguing the extracted MEV. Flashbots Explore provides a public dashboard of detected MEV across Ethereum blocks, enabling investigators to identify which searchers and builders are most active in extraction.
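The three-transaction check described above can be sketched as follows. This is an added example, not code from zeromev, EigenPhi or Crypto Trace Labs; the `Swap` record, the `find_sandwiches` function and the sample block are constructed for illustration, and the scan generalises slightly by allowing more than one victim swap between the two bot legs on the same pool.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Swap:
    index: int        # position of the transaction inside the block
    sender: str       # originating wallet or bot contract
    pool: str         # liquidity pool the swap touched
    token_in: str
    token_out: str
    amount_in: float
    amount_out: float


def find_sandwiches(swaps):
    """Return one dict per buy -> victim swap(s) -> sell pattern on a single pool."""
    by_pool = {}
    for s in sorted(swaps, key=lambda s: s.index):
        by_pool.setdefault(s.pool, []).append(s)

    hits = []
    for pool, seq in by_pool.items():
        i = 0
        while i < len(seq):
            front, victims, back = seq[i], [], None
            for cand in seq[i + 1:]:
                same_dir = (cand.token_in, cand.token_out) == (front.token_in, front.token_out)
                reverse = (cand.token_in, cand.token_out) == (front.token_out, front.token_in)
                if cand.sender == front.sender:
                    # The same address trading back closes the sandwich, but only
                    # if at least one other party traded in between.
                    if reverse and victims:
                        back = cand
                    break
                if not same_dir:
                    break      # a third party trading the other way breaks the pattern
                victims.append(cand)
            if back is None:
                i += 1
                continue
            hits.append({
                "pool": pool,
                "bot": front.sender,
                "positions": (front.index, [v.index for v in victims], back.index),
                "victims": [v.sender for v in victims],
                # Gross profit in the token the bot started with, before gas.
                "gross_profit": back.amount_out - front.amount_in,
            })
            i = seq.index(back) + 1    # resume after the closing leg
    return hits


# Constructed sample block: decoded swap events, not real chain data.
BLOCK = [
    Swap(0, "0xcafe", "POOL_B", "DAI", "WETH", 5000.0, 2.4),
    Swap(3, "0xb07", "POOL_A", "WETH", "USDC", 20.0, 39100.0),
    Swap(4, "0xa11ce", "POOL_A", "WETH", "USDC", 50.0, 91368.0),
    Swap(5, "0xb07", "POOL_A", "USDC", "WETH", 39100.0, 21.85),
    Swap(7, "0xcafe", "POOL_B", "DAI", "WETH", 1000.0, 0.47),
    Swap(9, "0xd00d", "POOL_A", "USDC", "WETH", 2000.0, 1.05),
]

if __name__ == "__main__":
    for hit in find_sandwiches(BLOCK):
        print(hit)
```

The two same-direction trades by `0xcafe` on `POOL_B` are not reported, because the second leg never reverses the first and no other party trades between them.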

Gas Price Anomaly Detection

Front-running transactions exhibit distinctive gas price behaviour. In the pre-EIP-1559 era, front-runners engaged in priority gas auctions – bidding up gas prices to outcompete each other for block position. These gas wars were clearly visible on-chain as sequences of rapidly escalating gas prices targeting the same liquidity pool.

Post-EIP-1559, the signal shifted to priority fees (tips) paid to validators. A front-running transaction typically pays a significantly elevated priority fee relative to other transactions in the same block. By comparing the priority fee distribution within a block against the median, investigators can flag transactions with anomalously high tips – a hallmark of MEV extraction where the searcher is paying for priority position.
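A minimal version of the median comparison, added here as an example rather than taken from any tool named in this article. The `multiple` and `floor` thresholds, the field names and the sample block are assumptions made for illustration.

```python
from statistics import median

GWEI = 10**9


def effective_tip(tx, base_fee):
    """Priority fee per gas (wei) that actually reaches the proposer."""
    if "max_fee_per_gas" in tx:
        # EIP-1559 transaction: the tip is capped by what is left of max_fee
        # after the base fee is burned.
        return min(tx["max_priority_fee_per_gas"], tx["max_fee_per_gas"] - base_fee)
    # Legacy transaction: everything above the base fee is tip.
    return tx["gas_price"] - base_fee


def flag_high_tips(txs, base_fee, multiple=10, floor=GWEI):
    """Flag transactions whose tip exceeds `multiple` x the block median.

    `multiple` and `floor` are illustrative thresholds, not values from the
    article; `floor` keeps the check meaningful when the median tip is zero.
    """
    tips = [(tx, effective_tip(tx, base_fee)) for tx in txs]
    med = median(tip for _, tip in tips)
    threshold = max(med * multiple, floor)
    flagged = []
    for tx, tip in tips:
        if tip > threshold:
            flagged.append({
                "index": tx["index"],
                "hash": tx["hash"],
                "tip_gwei": tip / GWEI,
                "times_median": tip / med if med else None,
            })
    return flagged


# Constructed block (values in wei, hashes are placeholders, not real transactions).
BASE_FEE = 12 * GWEI
BLOCK_TXS = [
    {"index": 0, "hash": "0xT0", "max_priority_fee_per_gas": 45 * GWEI, "max_fee_per_gas": 80 * GWEI},
    {"index": 1, "hash": "0xT1", "max_priority_fee_per_gas": 1_500_000_000, "max_fee_per_gas": 30 * GWEI},
    {"index": 2, "hash": "0xT2", "max_priority_fee_per_gas": 100_000_000, "max_fee_per_gas": 20 * GWEI},
    {"index": 3, "hash": "0xT3", "gas_price": 14 * GWEI},                 # legacy
    {"index": 4, "hash": "0xT4", "max_priority_fee_per_gas": 2 * GWEI, "max_fee_per_gas": 13 * GWEI},
    {"index": 5, "hash": "0xT5", "max_priority_fee_per_gas": 1 * GWEI, "max_fee_per_gas": 40 * GWEI},
]

if __name__ == "__main__":
    for row in flag_high_tips(BLOCK_TXS, BASE_FEE):
        print(row)
```

A searcher can also pay the builder through a direct transfer inside the transaction, which this field does not capture, so a low tip alone does not clear a transaction.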

Smart Contract Forensics

MEV bots operate through dedicated smart contracts designed for atomic execution of multi-step strategies. These contracts have distinctive bytecode signatures – they interact with DEX router contracts, execute flash loans, and perform swaps across multiple pools within a single transaction. Forensic analysis of the contract code reveals the intended MEV strategy.

Many MEV bots are not verified on Etherscan, meaning their source code is not publicly readable. However, investigators can decompile the bytecode and analyse the function calls to determine the contract’s behaviour. Common patterns include calls to Uniswap V2/V3 router swap functions, WETH wrapping and unwrapping, and multi-pool routing – all within a single atomic transaction that reverts if any step fails. The contract address itself becomes an attribution anchor: once identified as an MEV bot, all historical interactions with that contract can be mapped to build a complete extraction timeline.

Profit Calculation and Victim Impact Assessment

Quantifying MEV extraction requires comparing what the victim received against what they would have received without the front-run. Investigators calculate the counterfactual execution price – the price the victim’s swap would have achieved if no front-running transaction had preceded it – and compare this against the actual execution price. The difference, multiplied by the trade size, equals the victim’s loss.

For sandwich attacks, this calculation is straightforward: the front-running buy increased the price by a calculable amount, the victim’s swap executed at this inflated price, and the back-running sell captured the difference. The bot’s profit minus gas costs equals the net extraction. This precision makes MEV-related evidence unusually quantifiable – investigators can calculate exact dollar losses for specific victim transactions.
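The counterfactual comparison can be replayed against a pool model. The following is an added example, not the firm's own tooling: it assumes a constant-product pool with a 0.3% swap fee (Uniswap V2 style), and the reserves, trade sizes, gas cost and function names are constructed, reusing the 50 ETH swap from the sandwich walkthrough earlier in the article.

```python
FEE = 0.003  # assumption: Uniswap V2-style 0.3% swap fee


def swap_out(amount_in, reserve_in, reserve_out, fee=FEE):
    """Constant-product swap: return (amount_out, new_reserve_in, new_reserve_out)."""
    effective = amount_in * (1 - fee)            # the fee stays in the pool
    out = effective * reserve_out / (reserve_in + effective)
    return out, reserve_in + amount_in, reserve_out - out


def assess_sandwich(reserve_x, reserve_y, front_in, victim_in, gas_cost_x=0.0):
    """Replay an observed sandwich and compare it with the no-front-run case.

    X is the token sold by both bot and victim (e.g. WETH), Y the token bought
    (e.g. USDC). Inputs are the pool reserves before the bot's first leg and
    the two observed input amounts.
    """
    # Counterfactual: the victim trades against the untouched pool.
    fair_out, _, _ = swap_out(victim_in, reserve_x, reserve_y)

    # Actual sequence: bot buy, victim swap, bot sell.
    bot_y, rx, ry = swap_out(front_in, reserve_x, reserve_y)
    actual_out, rx, ry = swap_out(victim_in, rx, ry)
    bot_x_back, ry, rx = swap_out(bot_y, ry, rx)  # reverse direction: Y in, X out

    loss = fair_out - actual_out
    gross = bot_x_back - front_in
    return {
        "victim_fair_out": fair_out,
        "victim_actual_out": actual_out,
        "victim_loss": loss,                       # denominated in token Y
        "victim_loss_pct": 100 * loss / fair_out,
        "bot_gross_profit": gross,                 # denominated in token X
        "bot_net_profit": gross - gas_cost_x,
    }


if __name__ == "__main__":
    # Constructed scenario: 1,000 WETH / 2,000,000 USDC pool, bot buys with
    # 20 WETH ahead of a 50 WETH victim swap, 0.05 WETH total gas for both legs.
    report = assess_sandwich(1000.0, 2_000_000.0, 20.0, 50.0, gas_cost_x=0.05)
    for key, value in report.items():
        print(f"{key:>18}: {value:,.4f}")
```

In a real case the reserves come from the pool's state at the end of the preceding transaction, and pools with concentrated liquidity or batch pricing need their own pricing function in place of `swap_out`.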

From Mango Markets to MEV Bots: How Enforcement Is Evolving

The legal treatment of DeFi front-running remains one of the most unsettled areas in cryptocurrency regulation. Three categories of cases have begun to establish precedent.

The Mango Markets Prosecution – and Its Reversal

The most closely watched DeFi market manipulation case involved Avraham Eisenberg’s exploitation of Mango Markets, a Solana-based trading platform. In October 2022, Eisenberg used coordinated trading across two accounts to manipulate the price of MNGO perpetual futures, artificially inflating his collateral value and borrowing approximately $110 million from the protocol – draining its reserves. Eisenberg publicly defended his actions as a “profitable trading strategy.” In April 2024, a jury convicted him of commodities fraud, commodities manipulation, and wire fraud.

Then the precedent collapsed. In May 2025, a federal judge granted Eisenberg’s motion for acquittal and vacated all three convictions, ruling that the government had failed to prove that any essential part of the commodities offences occurred within the court’s jurisdiction. The reversal left the legal status of DeFi protocol exploitation more uncertain than before – a jury had found the conduct criminal, but the conviction could not survive procedural challenge. For front-running enforcement, the Eisenberg saga demonstrated both the potential and the fragility of applying existing commodities fraud statutes to DeFi activity.

The Peraire-Bueno Brothers: $25 Million in 12 Seconds

In April 2023, brothers Anton (24) and James (28) Peraire-Bueno – both MIT graduates – executed what the DOJ described as the first criminal exploitation of MEV infrastructure. The brothers created 16 Ethereum validators and used bait transactions to lure sandwich bots. When their validator was selected to propose block 16,964,664, they exploited a vulnerability in the MEV-Boost relay to access the full contents of the builder’s proposed block, replaced their lure transactions with tampered ones, and extracted $25.3 million from the MEV bots in 12 seconds.

The preparation was meticulous. Blockchain audit firm OtterSec identified that the validator had been funded through a privacy-preserving transfer via the Aztec zk-rollup more than 18 days before the attack. Transaction graph analysis subsequently traced the extracted funds through intermediate wallets and DeFi protocols. The DOJ charged both brothers with wire fraud and money laundering conspiracy. Their trial began in October 2025, but ended in a mistrial in November when the jury deadlocked – jurors reported being overwhelmed by the technical complexity. Prosecutors have sought a retrial for early 2026. The case tested whether manipulating MEV-Boost transaction ordering constitutes criminal fraud, a question that remains unanswered.

Regulatory Positioning on MEV

Regulatory positioning has advanced significantly without producing definitive rules. IOSCO stated in December 2023 that the ability to reorder and insert blockchain transactions “enables conduct that in traditional markets would be considered manipulative and unlawful.” In July 2025, ESMA published a dedicated report on MEV implications, concluding that while some practices like arbitrage may contribute to market efficiency, front-running and sandwich attacks “raise concerns around transparency, fairness and user outcomes.” The CFTC brought enforcement actions against three DeFi protocols in September 2025 for illegal derivatives trading, though none specifically targeted MEV extraction.

In the European Union, MiCA’s market abuse provisions – fully applied since December 2024 – explicitly cover the functioning of distributed ledger consensus mechanisms, bringing MEV within regulatory scope. Sandwich attacks that deliberately worsen a victim’s execution price bear strong resemblance to the layering and spoofing practices prohibited in both traditional and now crypto-asset markets. The Peraire-Bueno mistrial and the Eisenberg reversal, however, demonstrate the practical difficulty of securing convictions for DeFi manipulation under existing statutes – even when the on-chain evidence is unambiguous.

Countermeasures and Their Forensic Implications

The DeFi ecosystem has developed several technical countermeasures against front-running, each of which creates different forensic considerations.

Private transaction pools. Services like Flashbots Protect allow users to submit transactions directly to block builders, bypassing the public mempool entirely. This eliminates mempool-based front-running but concentrates transaction flow through fewer intermediaries. For investigators, private order flow means some transactions have no mempool visibility – but the executed transactions remain fully visible on-chain.

MEV-Share. Flashbots’ MEV-Share protocol enables users to capture a portion of the MEV their transactions generate, rather than having it entirely extracted by searchers. From a forensic perspective, MEV-Share creates explicit on-chain evidence of MEV redistribution, making the value flows more transparent rather than less.

Encrypted mempools and order flow auctions. Emerging protocols encrypt transaction contents until block inclusion, preventing searchers from reading pending trades. While these systems reduce front-running, they also reduce the forensic visibility of pre-execution activity that investigators currently use to reconstruct manipulation intent.

DEX-level protections. Some decentralised exchanges have implemented anti-MEV features including slippage limits, time-weighted average pricing, and batch auction mechanisms that execute all trades in a block at a single price. Investigators analysing DEX transactions must account for these protections when calculating whether observed execution prices reflect manipulation or protocol-designed behaviour.

Frequently Asked Questions

Is front-running on a DEX actually illegal?

The legal status remains unresolved in most jurisdictions. Traditional front-running laws require a breach of fiduciary duty or misuse of material non-public information – conditions that may not apply when the information (pending mempool transactions) is public. However, the Mango Markets conviction demonstrated that DeFi market manipulation can be prosecuted under existing commodities fraud statutes. Sandwich attacks, which deliberately worsen victim execution prices for the attacker’s profit, bear characteristics of market manipulation regardless of how the information was obtained. Regulatory clarity is expected to evolve through enforcement actions rather than new legislation.

How much value do sandwich attacks actually extract from DeFi users?

Cumulative sandwich attack extraction on Ethereum has reached hundreds of millions of dollars since 2020, with individual high-volume bots like jaredfromsubway.eth spending over $90 million in gas fees alone during 2023 – expenditure that was profitable only because extracted value exceeded it. The total economic cost to victims exceeds the direct extraction because the threat of sandwich attacks causes users to set wider slippage tolerances, accept worse prices, or avoid on-chain trading entirely. Academic estimates suggest MEV extraction imposes a systemic tax equivalent to several basis points on every DEX trade.

Can front-running bots be identified and attributed?

Yes. MEV bots operate through identifiable smart contracts with distinctive transaction patterns. Once a contract is flagged as an MEV bot, investigators can trace all its interactions, calculate total extracted value, identify victim transactions, and follow profit flows to their ultimate destinations. Attribution to real-world individuals requires additional steps – tracing the deployer wallet’s funding source to an exchange with KYC data, or identifying operational security failures that connect on-chain activity to off-chain identities.

What is MEV-Boost and how does it relate to front-running?

MEV-Boost is middleware used by approximately 90% of Ethereum validators that separates the roles of block proposing and block building. Specialised block builders construct blocks optimised for MEV extraction and bid for the right to have their blocks proposed by validators. While MEV-Boost was designed to democratise MEV access and reduce validator centralisation pressure, it also systematised MEV extraction by creating a competitive market for block construction. For investigators, MEV-Boost provides transparency – relay APIs reveal which builder constructed each block and the value of MEV included.

Do front-running protections like Flashbots Protect actually work?

Flashbots Protect and similar private transaction services effectively eliminate mempool-based front-running by keeping transaction contents hidden until block inclusion. However, they do not prevent all forms of MEV extraction – back-running and JIT liquidity provision can still occur if block builders can observe the transaction before ordering. These services also shift trust from the open mempool to the block builder, creating a new intermediary relationship. Approximately 30% of Ethereum transactions now use some form of private order flow, significantly reducing but not eliminating sandwich attack frequency.

How does front-running in DeFi differ from traditional market front-running?

In traditional finance, front-running requires access to privileged non-public information – a broker seeing client orders before execution. In DeFi, the information is public by design, as pending transactions are visible in the mempool. This distinction is legally significant because traditional front-running laws typically require breach of fiduciary duty or misuse of confidential information. DeFi front-running is also atomic and verifiable – every step occurs on a public ledger, making forensic reconstruction more precise than in traditional market surveillance where investigators must subpoena exchange records.

Forensic Precision Requires Forensic Expertise

Front-running detection in DeFi demands a combination of smart contract analysis, block-level transaction ordering expertise, mempool data interpretation, and precise profit-loss calculation – skills that sit at the intersection of blockchain forensics and quantitative trading analysis. Whether you are a protocol team investigating suspicious trading patterns, a regulator building an enforcement case against MEV operators, or a victim seeking to quantify and recover extracted value, the on-chain evidence exists to reconstruct every front-running event with mathematical precision.

Contact Crypto Trace Labs to discuss how D. Hargreaves and our forensic team can apply MEV detection and attribution methodology to your specific DeFi investigation.

About the Author

This guide was prepared by the blockchain forensics team at Crypto Trace Labs. Our founding members held VP and Director-level positions at Blockchain.com, Kraken, and Coinbase, bringing over 10 years of combined experience in cryptocurrency operations, on-chain analysis, and forensic investigation. Our team holds ACAMS certifications, MLRO qualifications across UK, US, and European jurisdictions, and Chartered status at Fellow Grade. We have analyzed vanity address exploitation patterns in hundreds of investigations and provided expert witness testimony on blockchain attribution methodologies in court proceedings.

This content is for informational purposes only and does not constitute legal, financial, or compliance advice. Crypto asset recovery outcomes depend on specific circumstances, regulatory cooperation, and technical factors. Consult qualified professionals regarding your situation.


Crypto Trace Labs

Crypto Trace Labs is a professional team specializing in cryptocurrency tracing and recovery. With years of experience assisting law enforcement, legal teams, and fraud victims worldwide, we provide expert blockchain analysis, crypto asset recovery, and investigative guidance to help clients secure their digital assets.
