XRP Ledger Sandwich Attack Risk: Ripple EX CTO Proposes a Fix

Ripple ex-CTO David Schwartz has pushed back on claims that the XRP Ledger leaves everyday traders exposed to sandwich attacks, saying the risk is real but overstated.

Concerns surfaced on X after an account argued that validators and well-connected nodes gain a timing edge by observing pending transactions before each ledger closes. Sophisticated actors can then calculate whether front-running a trade is profitable, and spam multiple transactions to secure a favorable slot in the canonical order.

Sandwich Attack Mechanics on the XRP Ledger

Transaction ordering on the XRP Ledger uses a deterministic formula involving transaction hashes. That formula is public. This lets actors position transactions ahead of a target trade on the XRP Ledger DEX and AMM, worsening slippage for ordinary users.

Concerns arose that the issue creates an uneven playing field, particularly for traders using popular wallets and decentralized applications.

Concerns have been raised about the possibility of front running or transaction sandwich attacks on XRPL payments and offer crossing.For the reasons I've explained, I'm not that concerned about this issue. But I have a proposal for a fairly simple scheme that would eliminate… https://t.co/lnhTv1bhBK

— David 'JoelKatz' Schwartz (@JoelKatz) June 29, 2026

Schwartz Says Validators Cannot Act Quietly

Schwartz acknowledged the concern but pointed to several mitigating factors, drawing on his earlier positions in XRP Ledger design debates. First, pending transactions are publicly visible to everyone before a ledger closes. No party holds exclusive early access. Second, a single validator gains no meaningful advantage. Coordinating multiple validators would leave clear evidence, since validators sign all proposals and validations.

“Running a validator does not help you do this unless multiple validators conspire. If multiple validators did conspire, or a single validator attempted it, it would be very obvious to everyone exactly who was doing this and that validator would be immediately removed from everyone’s trust lists.”

Schwartz also noted that confirmed attacks, beyond proof-of-concept testing, remain unreported. The core economic barrier is straightforward. Profitable attacks need high liquidity to justify the effort and low liquidity to move the price. Those two conditions rarely coincide. Recent XRP Ledger institutional privacy work addresses a related concern at the data layer.

A 2-Step Reservation Scheme for the XRP Ledger

For traders who want firmer guarantees, Schwartz outlined a transaction reservation approach. A user first broadcasts a reservation specifying a future ledger sequence number, a transaction ID, and a small fee. If that reservation confirms, the actual trade executes before any transaction submitted after the reservation went public. The approach requires two submissions per protected trade.

The method complements XRP Ledger privacy transfer proposals by targeting front-running at the execution layer rather than at the data layer.

XRP continues to trade well below its all-time high as attention turns to whether fairness improvements like this could support longer-term adoption.