Market Prices

BTC Bitcoin
$64,187.1 +1.57%
ETH Ethereum
$1,846.02 +1.37%
SOL Solana
$74.91 +0.82%
BNB BNB Chain
$570.9 +1.69%
XRP XRP Ledger
$1.09 +0.32%
DOGE Dogecoin
$0.0723 +0.64%
ADA Cardano
$0.1647 +2.11%
AVAX Avalanche
$6.57 +1.50%
DOT Polkadot
$0.8338 -1.37%
LINK Chainlink
$8.3 +2.28%

Event Calendar

{{年份}}
12
05
halving BCH Halving

Block reward halving event

18
03
unlock Sui Token Unlock

Team and early investor shares released

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

28
03
unlock Arbitrum Token Unlock

92 million ARB released

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

💡 Smart Money

0x9252...3dfc
Market Maker
+$2.2M
91%
0xd500...613e
Early Investor
+$2.7M
66%
0x1705...cd34
Arbitrage Bot
+$1.9M
67%

🧮 Tools

All →

The Simulation Trap: How Malicious DeFi Pools Exploit Routing Optimizers for 22.5% Overquotes

CryptoBear
Guide

Hook

A freshly deployed Curve pool on Ethereum quietly returned a 22.5% price improvement over the leading competitor. For three consecutive days, it lured hundreds of routing aggregators into selecting it as the optimal swap venue. Then, every single transaction reverted. The pool never intended to execute a trade. It was a simulation trap—a piece of code designed to look perfect in pre-execution previews and fail on-chain. Total gas wasted: over $30,000. Total realized profit for the attacker: $3,460. Pocket change, but the method is a blueprint for much larger heists.

The Simulation Trap: How Malicious DeFi Pools Exploit Routing Optimizers for 22.5% Overquotes

Context

Every modern DeFi wallet and aggregator relies on a silent hero: the simulation engine. Before you click “Confirm,” a local node or RPC endpoint replays your transaction against the latest state. It estimates output, gas, and slippage. The aggregator then picks the pool offering the best simulated return. This system assumes one thing: that the pool's response during simulation is honest. That assumption is now broken.

The attack, independently detected by Enso Security and reported by Unchained, exploits a fundamental gap between Ethereum’s EVM simulation and actual execution. An attacker deploys a liquidity pool—on Curve, Uniswap v4, or any protocol supporting custom logic—that acts like a chameleon. During simulation, it returns an inflated quote. During execution, it either reverts or switches to a worse price. The user sees a perfect trade, sends the transaction, and gets a failed or unfavorable result. The aggregator has already forwarded the order flow. The damage is instant.

This isn’t a theoretical risk. Two confirmed cases exist: a Curve pool on Ethereum mainnet that processed over 129,000 simulated swaps, and a Uniswap v4 hook on Polygon with a 99.1% failure rate. The attacker deployed additional contracts across other chains, suggesting a systematic operation rather than a one-off experiment.

Core

The technical mechanism is elegant in its simplicity. The malicious pool uses a conditional statement that checks the caller’s gas limit. During simulation, typical callers (like a wallet’s eth_call) send a gas limit of 2^64-1 or a very high value, triggering the “honest” branch that returns an attractive price. During real execution, the transaction carries a lower gas limit, causing the contract to branch into the “malicious” path—revert or return a worse price. It’s a classic EVM inconsistency exploit, weaponized against simulation.

The Simulation Trap: How Malicious DeFi Pools Exploit Routing Optimizers for 22.5% Overquotes

Let’s look at the numbers. The Curve pool on Ethereum attracted 129,251 transactions. Enso calculated that users were quoted an overquote—the difference between the inflated simulation price and the real floor price—totaling $225,000. But the attacker only extracted $3,460 in actual profit, likely from a few successful trades where the revert logic failed or the timing was exploited. The remaining $221,540 never materialized because the transactions reverted. Yet the gas spent on those reverts—$30,000—burdened users and clogged the mempool.

The Uniswap v4 case is more insidious. The hook allowed the attacker to deploy a pool with a custom afterSwap callback that checks block.timestamp or block.number. In a simulated call (eth_call), these values are set to the current state, but the hook can alter its response based on whether it detects a real transaction versus a static call. Out of 1,200 attempted trades, only 11 succeeded. The 99.1% failure rate is a signature of intentional sabotage.

Based on my experience in 2017 auditing ERC-20 tokens, I saw a similar pattern: smart contracts that return different values to different callers. That was a vulnerability in token transfers. Here, it’s a vulnerability in price discovery. The industry has focused on frontrunning, sandwich attacks, and oracle manipulation, but this attack targets the simulation layer—a blind spot no one anticipated.

The Simulation Trap: How Malicious DeFi Pools Exploit Routing Optimizers for 22.5% Overquotes

The attacker’s address reveals a pattern of deployment. They created at least three other contracts on Ethereum and Polygon, each with similar logic but varying revert conditions. Enso’s analysis shows that the Curve pool alternated between honest and malicious behavior over time, making it difficult to flag with a single on-chain check. This is not a script kiddie; it’s a deliberate strategy to maximize confusion and evade detection.

Contrarian

Most coverage of this attack frames it as another MEV variant. It is not. MEV exploits transaction ordering. This exploit exploits transaction simulation. The two are orthogonal. Ordering attacks require the attacker to see pending transactions; simulation spoofing requires the attacker to see nothing but the aggregator’s call pattern. It is cheaper, harder to detect, and scales linearly with the number of pools deployed.

The contrarian angle: this is actually a bullish signal for DeFi security vendors. Enso Shield, the product that caught this, will now see demand spike. Every aggregator and wallet will need “post-simulation verification”—a step that compares the simulated output to the actual execution hash. This adds latency but closes the gap. The market will pay for that latency because the alternative is trust in a broken assumption.

Another unspoken insight: Uniswap v4’s hook architecture, while innovative, lowers the barrier for deploying malicious pools. Pre-v4, launching a Curve pool required bootstrapping liquidity. Now, any developer can spin up a hook with arbitrary logic. The decentralization benefits are real, but so is the attack surface. Expect more “toxic hooks” in the coming months, especially on Polygon and other low-fee chains where gas waste is less painful for attackers.

Enso’s discovery also highlights the failure of the simulation-as-reality dogma. Wallets like Rabby and MetaMask, and aggregators like 1inch and ParaSwap, should have already built validation checks. They didn’t. The attacker’s profit was a tiny fraction of the gas wasted, but the true cost is the erosion of user trust. Yield is the bait; liquidity is the trap. The simulation trap is the latest iteration.

Takeaway

The simulation trap is now active. The attacker deployed more contracts. Enso’s detection caught only two. How many others are still floating, waiting for a larger target? The next iteration will not settle for $3,460. It will drain a honeypot or manipulate a large swap. Surveillance is anticipating the break before it happens. The break happened. Now the industry must rebuild the simulation layer with the same rigor as the execution layer.

Fear & Greed

25

Extreme Fear

Market Sentiment

Altseason Index

44

Bitcoin Season

BTC Dominance Altseason

Market Cap

All →
# Coin Price
1
Bitcoin BTC
$64,187.1
1
Ethereum ETH
$1,846.02
1
Solana SOL
$74.91
1
BNB Chain BNB
$570.9
1
XRP Ledger XRP
$1.09
1
Dogecoin DOGE
$0.0723
1
Cardano ADA
$0.1647
1
Avalanche AVAX
$6.57
1
Polkadot DOT
$0.8338
1
Chainlink LINK
$8.3

🐋 Whale Tracker

🔵
0xd525...efa2
2m ago
Stake
3,165 ETH
🔵
0x071f...38a6
1d ago
Stake
673,259 USDT
🔵
0x373e...74be
30m ago
Stake
1,209,706 DOGE