
Cross-Chain Sandwich Attacks

Updated 26 November 2025
  • Cross-Chain Sandwich Attacks are multi-chain exploits that leverage public cross-chain messages to front-run and back-run swap transactions.
  • The attack synchronizes front-run and back-run transactions across chains, enabling attackers to extract significant profits by exploiting timing advantages.
  • Mitigation strategies such as encrypted events, private relayers, and time-lock commitments are proposed to curb information leakage and secure cross-chain communications.

A cross-chain sandwich attack is a multi-chain extension of the classic single-chain maximum extractable value (MEV) sandwich, exploiting cross-chain message leaks in decentralized finance (DeFi) protocols built around liquidity-pool-based cross-chain bridges. By eavesdropping on public on-chain events from a source blockchain, the attacker gains an information advantage, enabling the strategic placement of front-running and back-running transactions on a destination chain. This attack undermines current MEV defenses, leading to significant extractable value and threatening the security guarantees of cross-chain infrastructure (Li et al., 19 Nov 2025).

1. Formal Definition and Attacker Model

A cross-chain sandwich attack occurs between two blockchains, denoted S (source) and D (destination), connected by a cross-chain messaging protocol (CCMP), which includes Commit, Verify, Consensus, and Execute steps. The victim user $U$ submits a cross-chain swap intent via Commit on S, emitting a public on-chain event $m$ that reveals the swap parameters: token pair $(X,Y)$, input amount $\Delta x_v$, slippage $s_v$, destination liquidity pool $P$, and minimum return.

An adversary $\mathcal{A}$ observes this event at block $N_s$ before the intended swap transaction $T_v$ appears in D's mempool, introducing a time advantage $\Delta t$. The adversary computes the optimal front-running input $\Delta x_{A1}$ using the slippage-equality condition:

$$\frac{\tfrac{x_0 y_0}{x_0 + (1-f)\, \Delta x_{A1}}\, (1-f)\, \Delta x_v}{x_0 + \Delta x_{A1} + (1-f)\, \Delta x_v} = (1 - s_v)\, \frac{y_0 (1-f)\, \Delta x_v}{x_0 + (1-f)\, \Delta x_v}$$

where $(x_0, y_0)$ are pre-attack reserves, and $f$ is the swap fee. The attacker times their front-run transaction $T_{A1}$ prior to $T_v$, and then back-runs with $T_{A2}$ immediately after $T_v$ on D.

The expected profit, accounting for noisy swaps and stochasticity, is

$$\mathbb{E}(P) = \Delta x_{A1} \left[ \left( q + (1-q)p \right) r^+ + (1-q)(1-p)\, r^- \right]$$

where $q$ is the probability of no intervening swaps, $p$ the probability of remaining profitable despite noise, and $r^+, r^-$ the mean positive/negative rates, respectively [(Li et al., 19 Nov 2025), Eq. 2]. In scenarios without single-chain competition, the theoretical maximum profit is $s_v \Delta x_v$.

2. Vulnerability in Liquidity-Pool-Based Cross-Chain Bridges

Protocols such as Symbiosis, ThorSwap, and deBridge parallel single-chain AMM semantics on the destination chain but require relayers to transmit all swap parameters through on-chain events on the source chain. In standard operation:

  • Users initiate swaps via BridgeContract on S, emitting an OracleRequest event with full calldata for execution on D.
  • Relayers access and forward this public event.
  • Only during the Execute phase on D does the actual victim swap $T_v$ become pending in D's mempool.

The public emission of calldata—including assets, amounts, target pools, and slippage—provides adversaries a guaranteed information lead, unmitigated by destination-chain mempool privacy or ordering defenses. This underlying protocol design is the core enabler of cross-chain sandwich attacks (Li et al., 19 Nov 2025).

3. Execution Sequence and Attack Workflow

The attack proceeds as follows:

  1. The user submits a swap on S, triggering the emission of an OracleRequest event at $N_s$.
  2. $\mathcal{A}$ monitors S, retrieves $m$, and locally simulates it to extract pool $P$, amount $\Delta x_v$, and slippage $s_v$.
  3. $\mathcal{A}$ computes and submits the optimal front-run transaction $T_{A1}$ on D, timed immediately after $N_s$.
  4. Relayers conduct consensus and submit the victim's transaction $T_v$ for execution on D.
  5. $\mathcal{A}$ posts the back-run transaction $T_{A2}$ immediately after $T_v$, typically leveraging higher gas price or private relays to win block inclusion.
  6. Profits accrue as $\Delta x_{A2} - \Delta x_{A1} - G_c$, where $G_c$ is cumulative gas cost.

This approach yields a systematic information advantage: the attacker's $T_{A1}$ always arrives on D before any mempool-based MEV bot can react, and in back-running, empirical analysis shows attackers win the race for 55% of instances [(Li et al., 19 Nov 2025), Table VI]. The workflow by design subverts mempool-based ordering fairness by acting before $T_v$ is even visible in the destination infrastructure.

4. Heuristic Detection and Empirical Characterization

Detection of real-world cross-chain sandwich attacks is accomplished via a heuristic model tailored to historical Symbiosis bridge data. Key detection rules include:

  • Directionality: Both $T_{A1}$ and $T_v$ execute $X \rightarrow Y$, while $T_{A2}$ reverses ($Y \rightarrow X$).
  • Temporal windows: $N_s \leq \mathrm{block}(T_{A1}) < N_v$ and $N_v \leq \mathrm{block}(T_{A2}) \leq N_v + num$, where $num$ is a block search window.
  • Amount-matching: The ratio $\mathrm{backSold} / \mathrm{frontBought}$ must be within $[0.9, 1.1]$ to confirm economic linkage.
  • Address association: Either same recipient address or both transactions interact with the same pool.
  • Exclusion: Pairs where $T_{A1}$ and $T_v$ are mined in the same block are classified as single-chain attacks and omitted.

This formalizes identification of sandwich pairs $\{ T_{A1}, T_v, T_{A2} \}$ matching the specification above [(Li et al., 19 Nov 2025), Sec. IV-A].
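The five rules above, applied to a list of destination-chain swaps, as an added example (not code from Li et al. or from Symbiosis). The `Swap` record, the `detect` function, the default `num=3` and the sample transactions are all constructed for illustration, and it is assumed that $N_s$ has already been mapped onto D's block heights by timestamp.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Swap:                      # hypothetical record layout, one row per swap on D
    tx: str
    block: int                   # block height on D
    pool: str
    token_in: str
    token_out: str
    amount_in: float
    amount_out: float
    recipient: str

def detect(n_s, victim, swaps, num=3, lo=0.9, hi=1.1):
    """Return (front_tx, back_tx) pairs around `victim` that satisfy every rule."""
    x, y = victim.token_in, victim.token_out
    # Directionality and temporal window. The strict '<' also implements the
    # exclusion rule: a front-run mined in the victim's block is single-chain.
    fronts = [s for s in swaps if (s.token_in, s.token_out) == (x, y)
              and n_s <= s.block < victim.block]
    backs = [s for s in swaps if (s.token_in, s.token_out) == (y, x)
             and victim.block <= s.block <= victim.block + num]
    pairs = []
    for f in fronts:
        for b in backs:
            if f.amount_out <= 0:
                continue
            ratio = b.amount_in / f.amount_out          # backSold / frontBought
            linked = f.recipient == b.recipient or f.pool == b.pool
            if lo <= ratio <= hi and linked:
                pairs.append((f.tx, b.tx))
    return pairs

# Constructed sample data (not real transactions).
VICTIM = Swap("0xv", 105, "poolA", "BUSD", "WBNB", 50000.0, 80.0, "0xuser")
SWAPS = [
    VICTIM,
    Swap("0xf1", 101, "poolA", "BUSD", "WBNB", 6000.0, 10.0, "0xbot"),   # front-run
    Swap("0xf2", 105, "poolA", "BUSD", "WBNB", 6000.0, 10.0, "0xbot2"),  # same block as victim
    Swap("0xf3", 102, "poolB", "BUSD", "WBNB", 6100.0, 10.1, "0xlp"),    # unlinked trader
    Swap("0xb1", 105, "poolA", "WBNB", "BUSD", 9.8, 6200.0, "0xbot"),    # back-run, ratio 0.98
    Swap("0xb2", 106, "poolA", "WBNB", "BUSD", 4.0, 2500.0, "0xother"),  # ratio 0.40
    Swap("0xb3", 110, "poolA", "WBNB", "BUSD", 10.0, 6300.0, "0xbot"),   # outside window
]
DETECTED = detect(100, VICTIM, SWAPS)

if __name__ == "__main__":
    print(DETECTED)
```

A back-run mined in the victim's own block passes the window test here; a production detector would additionally compare transaction indices within that block.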

Empirical Results (Symbiosis, Aug 10–Oct 10 2025)

| Metric | Value | Note |
|---|---|---|
| Cross-chain swaps analyzed | 60,130 | |
| Valid swaps (filtered) | 37,649 | 95% had $\Delta t < 100$ s |
| Detected sandwich pairs | 316,809 | |
| Single-chain sandwiches | 269 | 0.085% of total |
| Total bridged volume | \$412,632,065 | Filtered set |
| Attacker profit (excl. gas) | \$5,273,857 | 1.28% of bridged volume |
| Largest individual profit | \$20,284 | |
| Unexploited profit (estimated) | \$1,425,500 | |
| Most attacked pool | BUSD–WBNB (PancakeSwap) | 57.65% attacks, 60.1% attacked vol. |

The Ethereum→BSC route accrued \$2,096,164 profit (0.85% of volume), Base→BSC \$1,447,602 (1.6%), and Arbitrum→BSC \$337,532 (0.99%). Cross-chain sandwiches comprised the overwhelming majority of all sandwich profit versus single-chain counterparts, which earned only \$6,109 (0.12% of total) (Li et al., 19 Nov 2025).

Empirical parameter estimates: $q = 0.57$, $p = 0.68$, $r^+ = 4.5\%$, $r^- = -4.7\%$, aggregate $\mathbb{E}(r) = 3.23\%$. Attackers placed $T_{A1}$ and $T_{A2}$ in immediate proximity to source and destination events, affirming the theoretical model [(Li et al., 19 Nov 2025), Fig. 9].

5. Limitations of Existing Defenses

Prevailing MEV mitigation frameworks, including proposer/builder separation (PBS) [Yang '25], fair transaction ordering [Kelkar '20/'22/'23], and encrypted/private mempool mechanisms [Choudhuri '24/'25], are effective only at or after the point $T_v$ becomes mempool-visible or block-inclusion is determined on the destination chain. Since the critical leak occurs on S, before D is engaged, these tools are structurally incapable of protecting against cross-chain sandwich attacks:

  • PBS cannot prevent $T_{A1}$ from being included before $T_v$ on D.
  • Fair ordering only governs transactions visible at D’s consensus time.
  • Mempool privacy on D offers no protection when S reveals transaction intent openly.

This indicates a fundamental gap: leakage at the cross-chain message layer is orthogonal to defenses focused solely on destination-chain transaction ordering (Li et al., 19 Nov 2025).

6. Mitigation Strategies and Protocol Redesign

Mitigating cross-chain sandwich risk requires protocols to eliminate or severely restrict the emission of actionable calldata from the source chain. Potential mitigations include:

  • Private Relayers: Transmitting mm off-chain only to trusted relayers prevents public leaks but introduces centralization and trust issues.
  • Encrypted Events and Off-Chain Decryption: On-chain events are published in encrypted form, with execution on D triggered by a threshold decryption committee. This approach incurs complexity and on-chain cost.
  • Destination-Side Path Computation: Only generic swap intents $(\Delta x_v, X, Y)$ are emitted on S, with the routing/pool selection deferred to on-chain DEX aggregators at execution on D. This makes pool-guessing futile for attackers.
  • Time-Lock Commitments: Users submit hash commitments to swap details on S, revealed only after a short time delay less than $\Delta t$, so adversaries cannot reconstruct full calldata ahead of D's mempool arrival.

All effective strategies aim to sever the information flow from S to public observers prior to D’s mempool admission, fundamentally altering the risk surface for multi-chain MEV (Li et al., 19 Nov 2025).
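A sketch of the time-lock commitment idea, as an added example (not from the paper or any bridge's code). The function names, the JSON encoding of the intent, the `min_delay` parameter in blocks and the sample values are assumptions; the point it shows is that swap details are low-entropy, so the commitment needs a random blinding nonce to hide anything from a public observer.

```python
import hashlib
import hmac
import json
import secrets

def commit(intent: dict, nonce: bytes) -> str:
    """Hash commitment to the swap details; only this digest is emitted on S."""
    payload = json.dumps(intent, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(len(nonce).to_bytes(2, "big") + nonce + payload).hexdigest()

def verify_reveal(commitment, intent, nonce, commit_block, reveal_block, min_delay):
    """Accept a reveal only after the time lock and only if it opens the commitment."""
    if reveal_block < commit_block + min_delay:
        return False
    return hmac.compare_digest(commit(intent, nonce), commitment)

def match_unblinded(commitment, candidates):
    """What any public observer can do when no nonce is used: hashing plausible
    intents recovers the committed one, so the commitment hides nothing."""
    for cand in candidates:
        if hmac.compare_digest(commit(cand, b""), commitment):
            return cand
    return None

# Constructed sample intent (hypothetical field names and values).
INTENT = {"token_in": "BUSD", "token_out": "WBNB", "amount_in": 50000,
          "slippage_bps": 100, "pool": "poolA"}
NONCE = secrets.token_bytes(32)                # kept off-chain until the reveal
CANDIDATES = [dict(INTENT, amount_in=a, slippage_bps=s)
              for a in (10000, 50000, 100000) for s in (50, 100, 300)]
BLINDED = commit(INTENT, NONCE)
UNBLINDED = commit(INTENT, b"")

if __name__ == "__main__":
    print("unblinded recovered:", match_unblinded(UNBLINDED, CANDIDATES))
    print("blinded recovered:  ", match_unblinded(BLINDED, CANDIDATES))
```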

7. Significance and Research Implications

Cross-chain sandwich attacks demonstrate critical emergent vulnerabilities as DeFi infrastructure integrates cross-chain composability and liquidity. The observed profits (\$5.27M, 1.28% of bridged value in two months) and systemic bypass of all existing MEV defenses highlight the urgent need for bridge and DEX designers to reconsider message flows and on-chain data exposure (Li et al., 19 Nov 2025). Current research establishes formal models for attacker behavior, supplies robust detection methodologies, and suggests protocol-level countermeasures, but secure-by-design interoperability remains an open challenge. A plausible implication is that further deployment of liquidity-pool bridges without redesign may materially worsen MEV extraction and user harm in multi-chain ecosystems.
