The rise of Decentralized Finance (DeFi) has opened a new era for global capital markets, where permissionless transactions and transparency are at the forefront. However, according to Tan Phat Digital's observations, these core characteristics have unintentionally created a favorable environment for sophisticated profiteering behaviors, the most prominent of which is front-running. In a traditional context, front-running is considered an illegal practice where brokers take advantage of inside information about customer orders to trade in advance. In the DeFi world, this concept has evolved into a complex technical ecosystem, where MEV (Maximal Extractable Value) bots exploit the structure of the pending-transaction pool (mempool) and the consensus mechanism of the blockchain to profit from ordinary users.
The scale of this activity has reached an industrial level: as of 2023, the total value of MEV extracted on the Ethereum network has exceeded 600 million USD. This phenomenon is not just a software bug but a systemic characteristic of public and permissionless blockchains, where transaction ordering can be manipulated through gas fees or network latency. Understanding front-running not only helps users protect their assets, but also provides insight into the challenges of designing fair and scalable financial systems of the future.
Blockchain Architecture and Transaction Ordering Processes
To understand why front-running exists, it is necessary to first analyze how a transaction is processed on the blockchain. Unlike centralized exchanges (CEXs) that use a "first come, first serve" (FIFO) order matching engine, blockchain operates on a multi-step process that includes initiation, broadcast, and validation, where the order of execution does not necessarily follow chronological order.
Linear flow of a transaction
A blockchain transaction begins when a user signs a digital message with a private key, specifying parameters such as the recipient address, the amount of assets and the gas fee (priority fee) they are willing to pay. Once signed, the transaction is broadcast to the peer-to-peer (P2P) network. Here, each node in the network stores transactions in a temporary storage space called the Mempool (Memory Pool).
Mempool acts as a public "waiting room" for unconfirmed transactions. It is here that blockchain transparency becomes a double-edged sword. Because the mempool is public, anyone with sufficient technical capacity can scan and analyze pending transactions to look for profiteering opportunities, such as large swaps on decentralized exchanges (DEXs) like Uniswap.
Next comes the validation and ordering phase. In modern Proof-of-Stake (PoS) networks, entities called block builders select transactions from the mempool to include in the next block. The top priority criterion is often not the time a transaction is sent, but the profit that transaction brings to builders and validators through gas fees. This has led to the emergence of "Priority Gas Auctions" (PGA), where attackers can pay higher fees to insert their orders in front of the victim's orders.
Details of the transaction phases and corresponding risks:
Initiation Phase: User signs the transaction and sets the gas fee. The main risk is information leakage via insecure RPC nodes.
Broadcast Phase: Transactions are broadcast to P2P nodes. The risk is being scanned and analyzed by bots in the public mempool.
Validation Phase: Miner/Validator selects transactions to include in a block. An attacker can manipulate the order by paying higher gas fees.
Block Aggregation Phase: Transactions are arranged into a block structure. Risk of Insertion or Displacement.
Completion Phase: Block is added to the chain and status updated. There is a high level of risk of chain reorganization (Reorg attacks).
Transparency and information asymmetry
The essence of front-running in DeFi lies in the asymmetry of information processing capabilities. While the average user only interacts with a simple wallet interface, MEV bots use sophisticated algorithms to simulate the impact of transactions in the mempool on the state of the smart contract. The ability to predict price fluctuations before they actually happen on-chain allows attackers to make risk-free transactions, turning the mempool into a "Dark Forest" where every exposed action can be hunted by automated bots.
Classification of Front-running Strategies in DeFi
Front-running is not a single behavior but includes many different tactics, each targeting a specific vulnerability in the transaction process or structure of financial protocols.
Sandwich Attack
This is a common form of front-running and causes the most direct damage to users swapping tokens on a DEX. A sandwich attack occurs when a bot detects a large buy order that has the potential to increase the price of an asset. The bot executes two transactions surrounding the user's order:
Front-run: The bot places an order to buy that asset with a higher gas fee to be executed immediately before the user's order. This pushes the asset price slightly higher.
Back-run: Immediately after the user's order is executed (causing the price to increase further), the bot will execute an order to sell the previously purchased asset to profit from the price difference created by the user's order.
Victims of this attack are subject to the maximum slippage they have set in the wallet, resulting in receiving fewer tokens than expected. Studies show that around 70% of sandwich attacks on Ethereum involve a single entity, indicating a high degree of centralization of MEV extraction power.
Displacement Attack
In a displacement attack, the attacker does not seek to transact alongside the victim but rather seeks to completely replace the victim's transaction with his own. This often happens in situations with fixed profits such as:
Arbitrage: When there is a price difference between exchanges, a user submits an order to take advantage of it. The bot detects this order and sends a similar order with higher gas fees to get the chance first.
Liquidations: In lending protocols like Aave, when a position is undercollateralized, anyone can perform a liquidation to receive a reward. Bots are always scanning the mempool to "steal" these liquidations from normal users.
Domain registration or NFT: Attackers can monitor domain purchases (like ENS) or mints of rare NFTs to insert their orders first.
Suppression Attack
A suppression attack, also known as "block stuffing", is the practice of an attacker sending a series of transactions with extremely high gas fees to fill the entire capacity of a block. The goal is to prevent any other transactions, including the victim's, from being included in that block. This tactic is often used in time-sensitive situations such as preventing price updates from Oracles or preventing others from participating in an administrative auction. Although costly, the profits from manipulating large events can easily compensate for the huge gas costs.
Why Do DeFi Users Often Lose? Analysis from an Economic and Technical Perspective
According to in-depth analysis from Tan Phat Digital, user losses in DeFi are not just the result of bad luck but are a direct consequence of the mathematical models that decentralized exchanges use, combined with technical infrastructure barriers.
AMM and Slippage mechanism
Most DEXs today operate based on the Automated Market Maker (AMM) model with a constant product formula:
$$x \cdot y = k$$
Where x and y are the number of two types of tokens in the liquidity pool, and k is a constant. When a user makes a large swap, they change the ratio of these tokens, resulting in a change in price. Slippage is the difference between the price at the time of placing an order and the price at the time of actual execution.
Users often set a level of "Slippage Tolerance" to ensure successful transactions even when prices fluctuate slightly. However, front-running bots use this same tolerance as a profit target. If you set a 1% slippage, the bot will calculate the exact number of tokens to buy to push the price up by exactly 0.99%, forcing you to buy at the worst price possible without causing the transaction to fail. This turns slippage from a protection tool into an "MEV tax" that users must pay to bots.
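To make the relationship between the constant product formula and the slippage tolerance concrete, the following Python is an added example, not code from the original article. The pool reserves, the 0.3% fee and all function names are assumptions chosen for illustration; it shows the quoted output of a swap, the floor a given tolerance allows, and how much of that allowance an actual fill consumed.

```python
from fractions import Fraction

FEE = Fraction(3, 1000)  # assumption: 0.3% pool fee (not stated in the article)


def amount_out(x_reserve, y_reserve, dx, fee=FEE):
    """Y tokens paid out for dx of X so that x * y = k holds on the post-fee input."""
    dx_eff = dx * (1 - fee)
    return y_reserve * dx_eff / (x_reserve + dx_eff)


def price_impact(x_reserve, y_reserve, dx, fee=FEE):
    """Fractional shortfall against the pre-trade spot price y / x (fee included)."""
    spot_out = Fraction(dx) * y_reserve / x_reserve
    return 1 - amount_out(x_reserve, y_reserve, dx, fee) / spot_out


def min_out(quoted, tolerance):
    """Floor the wallet submits with the swap; a smaller fill makes it revert."""
    return quoted * (1 - tolerance)


def max_loss(quoted, tolerance):
    """Most value a third party can take before the swap reverts instead."""
    return quoted - min_out(quoted, tolerance)


def budget_used(quoted, executed, tolerance):
    """Share of the slippage allowance consumed by the actual fill (0 = none, 1 = all)."""
    return (quoted - executed) / max_loss(quoted, tolerance)


if __name__ == "__main__":
    # Constructed pool: 1,000 X against 2,000,000 Y; the user swaps 10 X.
    x, y, dx = 1_000, 2_000_000, 10
    quoted = amount_out(x, y, dx)
    print(f"quoted out   : {float(quoted):.2f} Y")
    print(f"price impact : {float(price_impact(x, y, dx)):.3%}")
    for tol in (Fraction(1, 1000), Fraction(5, 1000), Fraction(1, 100)):
        print(f"tolerance {float(tol):.1%}: min_out {float(min_out(quoted, tol)):.2f} Y, "
              f"max loss {float(max_loss(quoted, tol)):.2f} Y")
```

A fill whose `budget_used` value sits just under 1 matches the pattern described above, where the tolerance itself was treated as the target.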
Mempool's Absolute Transparency
In traditional finance, trading orders are kept private in the exchange's order book. In DeFi, every transaction intention is exposed to the whole world as soon as the user presses the "Submit" button. This transparency, which is considered an advantage to prevent centralized fraud, becomes a rich source of data for front-running algorithms. The ability to "scan" orders allows bots to know the exact price impact of a transaction before it occurs, completely eliminating risk for attackers.
Competing Gas Fees and Validator Power
In blockchains like Ethereum, the order of transactions is determined largely by the gas fees users are willing to pay. Front-running bots are capable of calculating profit margins on the fly and are willing to pay up to 90% of expected profits as gas fees for priority processing. Ordinary users, who typically use the wallet's default gas fee, have no ability to compete in these gas fee auctions.
Furthermore, in the Proof-of-Stake model, validators have ultimate power in arranging transactions within a block. This leads to the emergence of complex MEV supply chains, where profits from front-running users are shared between searchers, builders and validators.
Main factors causing damage to users:
High slippage: Due to the AMM model and low liquidity. Impact: User receives fewer tokens than the price displayed at the time of placing the order.
Public Mempool: Pending transactions are visible to all nodes. Impact: Exposed trading intentions and becoming a target for bots.
Gas War: Priority auction mechanism (PGA). Impact: User transactions are delayed or pushed down after bot transactions.
Sandwich attack: Inserting a buy order before and a sell order after the original transaction. Impact: Direct loss of profits to MEV bots through price arbitrage.
Technological asymmetry: Bots use low latency infrastructure and strong algorithms. Impact: Ordinary users are always slower to validate and execute orders.
MEV and Supply Chain Ecosystem: From Searcher to Builder
Front-running in DeFi today has become a multi-billion dollar industry with a specialized supply chain, especially after Ethereum's The Merge event.
MEV supply chain components
Searchers: Professional bot operators, using mempool scanning algorithms to find MEV opportunities. They create transaction "bundles" and send them to the builder instead of the public mempool to avoid being front-run by other bots.
Builders: Collect bundles and transactions to build the block with the highest total value. This market is currently extremely concentrated, with the two largest builders producing nearly 80% of the blocks on Ethereum.
Relayers: Trusted intermediary nodes between builders and validators, ensuring fairness in selecting the most profitable block.
Validators: The holders of the right to propose the final block. They often use MEV-Boost to choose the block that gives the highest reward.
Proposer-Builder Separation (PBS) aims to democratize MEV distribution, but it also formalizes the extraction of value from end users. About 15% of validator revenue on Ethereum today comes from payouts by sandwich attack bots.
Economic Impact Analysis and Market Statistics (2020-2025)
Historical data shows that MEV and front-running have grown from a small niche to an economic force that dominates on-chain activities.
MEV market developments over the years:
Total MEV extracted: In 2020, it reached about 180,000 USD/month; by 2023, it reached a total of 600 million USD; in 2025 it is expected to remain at 10 million - 15 million USD/month.
Sandwich attack rate: Increased from a low level in 2020 to a very high level in 2023. It is expected that in 2025 there will be about 60,000 - 90,000 attacks per month.
Wasted gas fees: From a minimal level in 2020, this figure was equivalent to 4500 blocks in 2023. In 2025, the trend is gradually decreasing due to the popularity of private relays.
Builder concentration: Increased sharply from a low level in 2020 to 50% - 60% in 2023, and reaches about 80% of the market share for the top 2 builders in 2025.
Sandwich bot net profit: Decreased from a high in 2020 to an average level in 2023. ROI in 2025 is expected to be only about 5% due to competition and rising gas fees.
A case in point is the "jaredfromsubway.eth" bot. In 2024 and 2025, this bot accounted for 70% of all sandwich attacks on Ethereum. Jared's tactics have evolved to the level of "multi-layer sandwiching", targeting up to 4 victims at the same time, showing the continuous evolution of profiteering algorithms.
Restrictions and Defense Strategies for Users
To protect assets, Tan Phat Digital recommends that DeFi users apply the following defense strategies:
Set a minimal Slippage Tolerance
Users should set slippage as low as possible, usually less than 0.5% for trading pairs with high liquidity. If the slippage is too low, the trade may fail when the price fluctuates naturally, but it effectively prevents sandwich attack bots because they no longer have enough profit margin to execute. For extremely large orders, break the transaction into small pieces and spread them over time.
Use RPCs and Private Transaction Channels
Instead of broadcasting transactions to a public mempool, users can use services like Flashbots Protect or the built-in MEV protection feature in wallets like Trust Wallet. The transaction is then sent directly to the builder and only becomes visible on the chain once it has been successfully included in a block, making it impossible for bots to see the order in advance and attack it.
DEX protocols against MEV
Many new generation exchanges have integrated protection mechanisms:
CoW Swap: Looks for a Coincidence of Wants between users to match orders directly without going through the liquidity pool.
1inch RabbitHole: Send transactions directly to the validator to avoid mempool.
Batch Auctions: Collect multiple orders and execute them at the same time at a uniform price, eliminating the time order factor.
Ethical and Legal Aspects: Is MEV a "Bug" or a "Feature"?
The existence of front-running has sparked a fierce debate. One view holds that MEV is an inevitable part of the free market, helping to exploit price differences and maintain stability. On the contrary, the majority of users consider sandwich attacks to be "parasitic" behavior, eroding trust in DeFi.
About the legal landscape in 2025:
European Union (MiCA): Regulations take full effect from the beginning of 2025, laying the foundation for market manipulation management.
United States: GENIUS Act (2025) provides a legal framework for digital assets, paving the way for anti-manipulation regulations applicable to MEV bots and builders.
UK: The FCA highlights the need for transparency and accountability in blockchain networks.
10 Typical Case Studies of Front-running and MEV on Blockchain
Below is a collection of typical real-life cases that have shaped the picture of MEV and front-running in recent years compiled by Tan Phat Digital:
1. "King" of sandwich bots - Jaredfromsubway.eth (Ethereum): This is the most famous case in the MEV world. This bot generated more than 34 million USD in revenue in just the first 3 months of 2023. Jared v2 even uses "multi-layer sandwiching" tactics, targeting multiple victims at the same time in a single block of transactions to optimize profits.
2. Peraire-Bueno Brothers Lawsuit (Ethereum): Two brothers who graduated from MIT were accused of misappropriating approximately $25 million through sophisticated sandwich attacks against other MEV bots. This case is now at the center of the legal debate over whether MEV is innovation or financial fraud.
3. "Sandwich The Ripper" and 20 million USD accumulated: A famous wallet address (0x3c98d) profited about 20 million USD on Ethereum through relay manipulation and extremely aggressive sandwich attacks. This bot often takes advantage of leaked order flow to insert its orders in front of users.
4. Validator Counterattack - MEV Bots' $20-25 Million Loss: In April 2023, a validator carried out a "reverse" attack against MEV bots themselves. By replacing the bots' back-run transactions with his own, this validator appropriated more than 20 million USD from 8 different MEV bot wallet addresses.
5. 0xBAD incident - Win big then lose it all: An MEV bot named 0xBAD once performed a record arbitrage transaction, earning 800 WETH in just one order. However, just a few hours later, a vulnerability in the bot's source code was exploited by someone else, resulting in the withdrawal of 1,100 WETH.
6. Yuga Labs' NFT "Otherdeed" Open Sale: In May 2022, Yuga Labs' metaverse land sale caused severe Ethereum network congestion. MEV bots competed fiercely on gas fees to get in first, pushing the average gas fee to 474 gwei and making it impossible for ordinary users to make any transactions.
7. Cross-chain sandwich attacks in 2025: A recent study shows that attackers profited more than 5.27 million USD in just 2 months (August - October 2025) by exploiting information from bridge protocols such as Symbiosis to perform sandwich attacks on the target chain before the user's orders appear.
8. DeezNode bot dominates Solana: On the Solana network, the DeezNode bot carried out more than 82,000 sandwich attacks in just 30 days, earning about 65,880 SOL (equivalent to 13 million USD at that time). DeezNode is famous for its direct integration with validators to ensure transactions always land correctly.
9. B91 bot and 7,800 SOL in one month: Another typical case on Solana is the B91 bot, which performs thousands of high-frequency attacks. In just one month, this bot extracted 7,800 SOL from memecoin traders on DEXs like Raydium and Jupiter.
10. Savannah Technologies' losses: In the attack by the Peraire-Bueno brothers, Savannah Technologies was the biggest victim, losing up to 13 million USD in a single series of carefully arranged transactions. This is a reminder that even professional entities can fall victim to MEV.
10 Frequently Asked Questions about Front-running and MEV
1. What exactly is front-running in cryptocurrency? Front-running occurs when someone uses knowledge of an upcoming transaction to make their own trade beforehand to make a profit. In DeFi, bots monitor the mempool (which holds pending transactions) and pay higher gas fees to get priority in order processing before you.
2. How does a Sandwich Attack work? This is when the bot places a buy order right before your trade (to push up the price) and a sell order right after your trade completes (to take profit from the price difference you created). You are the "filling" of the sandwich and must suffer losses due to the higher price.
3. How do I know if I've been hit with a front-run or sandwich attack? The clearest signs are that you received significantly fewer tokens than originally expected, or the execution price was higher than the listed price when you pressed the send button. You can check the transaction history on block explorers (like Etherscan) to see if there are bot transactions surrounding your order.
4. Is front-running the same as Arbitrage? Not quite. Arbitrage is generally considered healthy because it helps balance prices between exchanges. Meanwhile, front-running and sandwich attacks are often considered malicious because they directly extract value from a specific user's wallet by manipulating transaction order.
5. Is front-running illegal in the cryptocurrency market? In traditional finance, this is illegal. However, in crypto, it remains in a legal gray area due to its decentralized nature. Some regions such as the EU (MiCA) are starting to consider these practices in terms of market manipulation.
6. Why should I set a low slippage? A high slippage (e.g. above 1%) is an ideal target for a sandwich bot. If you set a low slippage level (like 0.1% - 0.5%), bots will not be able to push the price up too high without causing your transaction to fail, so they have no profit margin left to attack.
7. How does MEV Protection on wallets like Trust Wallet work? This feature (usually enabled by default) hides your transaction from the public mempool until it is confirmed on-chain. This way, front-running bots cannot "see" your orders in advance to perform sandwich attacks.
8. Is it really safe to use Private RPC? Yes, private RPCs like Flashbots Protect send your transactions directly to trusted block builders instead of broadcasting them publicly. This completely eliminates the possibility of bots scanning the mempool and attacking before the order is included in a block.
9. Does front-running happen on Solana or Layer 2? Yes. Even though Solana doesn't have a traditional mempool, bots still compete through low latency infrastructure and services like Jito. Layer 2 also deals with MEV, but it is now usually controlled by a centralized sequencer.
10. What is the long-term impact of Front-running on DeFi? If left unchecked, it could erode user trust, reduce liquidity, and make the market less attractive to new investors. Therefore, anti-MEV solutions are the leading development focus of today's protocols.
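The block explorer check from question 3, which looks for the front-run and back-run pair described in the Sandwich Attack section, can be automated over the swaps of a single block. The Python below is an added example, not part of the original article; the `Swap` record, `find_sandwiches`, the addresses and the amounts are hypothetical and constructed for illustration, and it assumes the swaps have already been decoded from the block's transaction logs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Swap:
    index: int       # position of the transaction inside the block
    sender: str
    pool: str
    token_in: str
    token_out: str
    amount_in: int   # base units of token_in
    amount_out: int  # base units of token_out


def find_sandwiches(block_swaps, victim, match_tol=0.01):
    """Return one finding per front-run/back-run pair that brackets a swap by `victim`."""
    swaps = sorted(block_swaps, key=lambda s: s.index)
    findings = []
    for v in (s for s in swaps if s.sender == victim):
        others = [s for s in swaps if s.pool == v.pool and s.sender != victim]
        # Front-run candidate: earlier swap on the same pool, same direction as the victim.
        fronts = [s for s in others if s.index < v.index
                  and (s.token_in, s.token_out) == (v.token_in, v.token_out)]
        # Back-run candidate: later swap on the same pool, opposite direction.
        backs = [s for s in others if s.index > v.index
                 and (s.token_in, s.token_out) == (v.token_out, v.token_in)]
        for f in fronts:
            for b in backs:
                # The same sender sells back (about) what it bought before the victim.
                unwinds = abs(b.amount_in - f.amount_out) <= match_tol * f.amount_out
                if b.sender == f.sender and unwinds:
                    findings.append({
                        "victim_index": v.index,
                        "front_index": f.index,
                        "back_index": b.index,
                        "suspect": f.sender,
                        "gross_profit": b.amount_out - f.amount_in,
                    })
    return findings


# Constructed sample block (addresses and amounts are made up for illustration).
SAMPLE_BLOCK = [
    Swap(0, "0xOTHER1", "POOL_A", "WETH", "TKN", 1_000, 1_990_000),
    Swap(1, "0xBOT", "POOL_A", "WETH", "TKN", 5_000, 9_800_000),
    Swap(2, "0xUSER", "POOL_A", "WETH", "TKN", 10_000, 18_900_000),
    Swap(3, "0xBOT", "POOL_A", "TKN", "WETH", 9_800_000, 5_210),
    Swap(4, "0xOTHER2", "POOL_B", "WETH", "DAI", 2_000, 4_000_000),
]

if __name__ == "__main__":
    for hit in find_sandwiches(SAMPLE_BLOCK, "0xUSER"):
        print(hit)
```

Matching on a single sender address is a simplification: a front-run and back-run sent from different addresses would not be paired by this check.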
Front-running in DeFi is a complex phenomenon that arises from the intersection of transparent blockchain architecture and economic dynamics. Users often suffer losses due to the public nature of the mempool and the prioritization of transactions based on gas fees. However, the development of tools like private transaction channels and intent-based protocols is gradually changing the landscape.
Understanding front-running is not only a survival skill but also a condition for promoting transparency. Tan Phat Digital hopes this article helps you have a comprehensive view to proactively protect your assets. In the long term, Tan Phat Digital believes that the combination of technical innovation and a clear legal framework will be the only path to make DeFi truly a fair financial system for everyone.