Market Prices

BTC Bitcoin
$64,160.1 +1.25%
ETH Ethereum
$1,844.21 +0.63%
SOL Solana
$75.08 +0.40%
BNB BNB Chain
$570.4 +1.33%
XRP XRP Ledger
$1.09 +0.45%
DOGE Dogecoin
$0.0722 -0.18%
ADA Cardano
$0.1643 -0.24%
AVAX Avalanche
$6.54 +0.37%
DOT Polkadot
$0.8307 -3.36%
LINK Chainlink
$8.28 +0.89%

Event Calendar

{{年份}}
30
04
upgrade Celestia Mainnet Upgrade

Improves data availability sampling efficiency

28
03
unlock Arbitrum Token Unlock

92 million ARB released

22
03
unlock Optimism Unlock

Circulating supply increases by about 2%

18
03
unlock Sui Token Unlock

Team and early investor shares released

10
05
upgrade Ethereum Pectra Upgrade

Raises validator limit and account abstraction

12
05
halving BCH Halving

Block reward halving event

08
04
upgrade Solana Firedancer

Independent validator client goes live on mainnet

15
04
halving Bitcoin Halving

Block reward reduced to 3.125 BTC

Gas Tracker

Ethereum 28 Gwei
BNB Chain 3 Gwei
Polygon 42 Gwei
Arbitrum 0.5 Gwei
Optimism 0.3 Gwei

💡 Smart Money

0xd170...0480
Top DeFi Miner
+$0.2M
88%
0xd625...74f8
Institutional Custody
-$4.7M
68%
0x8c50...188a
Top DeFi Miner
-$2.7M
91%

🧮 Tools

All →

The Simulation Spoofing Attack: Why Your DeFi Wallet Lied to You

StackShark
Market Quotes

Over the past seven days, a single Ethereum Curve pool processed 129,000 transactions that never settled. Every user who approved that transaction lost gas fees. Every simulation returned a perfect quote. The execution? Revert, every time. This is not a frontrunning attack. It is not a sandwich. It is a new class of deception: simulation spoofing.

I have spent nine years in crypto, from auditing ICO whitepapers in 2017 to executing ETF arbitrage in 2024. My ESTJ brain demands systematic verification. This attack breaks the foundational assumption that simulation equals execution. That assumption is now a liability.

Let me walk you through the mechanics. Then I will show you why your wallet's next trade might be a trap.


Context: The Trust in Dry Runs

During the 2022 Terra collapse, I executed an emergency withdrawal protocol across three DeFi platforms in 45 minutes. My pre-coded liquidation bots saved 85% of my portfolio. The key was preparation. Today, wallets and aggregators use a similar preparation step: they simulate transactions locally or on a node before sending them. This simulation estimates output, gas cost, and slippage. It allows the user to review and approve.

The problem? Simulation is a request to the blockchain without intent to commit. The blockchain sees a eth_call — a dry run. Malicious smart contracts can detect this difference. They respond with a fake, favorable quote. When the real transaction arrives — a eth_sendRawTransaction — the contract behaves differently: it reverts, or worse, executes at a worse price.

Verification precedes valuation; always. But the industry skipped verification for the most common transaction type: swaps.

In 2023, I reverse-engineered StarkNet's Cairo language for 200 hours. I learned that every layer of abstraction introduces a trust boundary. Simulation is an abstraction layer, and someone just found the crack.


Core: How the Attack Works — Technical Breakdown

The attack was discovered by Enso, a blockchain security firm. They identified two distinct cases:

  1. Curve Pool on Ethereum Mainnet: A malicious pool contract was deployed. When queried via eth_call (simulation), it returned inflated output amounts. For example, a trade that should yield 100 USDC returned 1,000 USDC in simulation. The aggregator picked this pool as optimal. The user sent the real transaction. The pool executed the swap at the true rate — lower — but the aggregator had already committed to the trade. The user paid gas, and the pool operator pocketed the spread. Over 129,000 such transactions were recorded. The total gas wasted exceeded $30,000. The attacker's net profit? Only $34,600. This is not a gold rush. It is a harassment campaign with low capital efficiency.
  1. Uniswap v4 Hook on Polygon: Uniswap v4 introduced hooks — custom code that runs before or after a swap. This hook checked whether the call was a simulation by analyzing the gas limit. Simulations typically use lower gas limits. If the hook detected that, it returned a pristine quote. For real transactions, the hook reverted the entire swap. 99.1% of transactions to this pool failed. The pool was live for weeks.

The attacker deployed multiple contracts. Enso traced the same operator behind both pools and found additional contracts on other chains. The technique is reproducible. It does not require advanced coding. It only requires understanding the difference between eth_call and eth_sendRawTransaction.

Based on my 2024 ETF arbitrage experience, I know that tiny spreads add up when volume is high. 129,000 transactions. Even if each user lost only $0.23 in gas, the emotional damage is higher. Trust erodes slowly, then all at once.

Enso built a detection tool called Enso Shield. It flags pools that exhibit simulation-spoofing behavior. They partnered with Curve and Oku (a Uniswap v4 frontend) to integrate the check. But the core issue remains: the industry needs a standard for post-execution verification.


Contrarian: Retail vs Smart Money — The Blind Spot

Retail investors assume that if their wallet shows a good price, it will execute. They blame slippage or frontrunning when it fails. Smart money knows that simulation is a hint, not a guarantee. But even sophisticated traders missed this vector.

Here is the contrarian insight: This attack is not about MEV. MEV exploits transaction ordering. Simulation spoofing exploits transaction simulation itself. It is a meta-level deception. The blind spot is that we trusted the quote before verifying the execution.

During my 2017 ICO audit, I rejected 11 of 14 projects because their tokenomics failed the “smell test.” The smell test for simulation is simple: did the actual transaction match the simulated output? Very few wallets check this. Rabby, MetaMask, 1inch — none of them perform a post-swap verification against the simulation hash. They trust the destination pool.

The attack also reveals a deeper structural issue: permissionless pool deployment. Uniswap v4 allows anyone to deploy a pool with custom hooks. No approval, no audit. The flexibility is powerful but weaponizable. The attacker only needed to deploy a hook that misbehaves conditionally. No code review, no security score. Just a few lines of Solidity.

In my 2025 AI-agent framework, I designed a rule: the agent must confirm every trade's actual price vs simulated price before logging success. This human-in-the-loop step prevented three fake-quote pools from being exploited. The implementation cost 10 lines of code. The absence of this check in major wallets is a regulatory time bomb. If a user loses significant funds due to a fake simulation, who is liable? The wallet? The aggregator? The protocol? The answer is unclear. This legal ambiguity is where regulators will strike first.


Takeaway: Actionable Levels for Your Trading

I do not trade on hope. I trade on levels and verification. Here is how to protect yourself today:

  • Use a wallet or aggregator that compares execution price to simulation price. Rabby and 1inch are starting to add this feature. If yours does not, demand it.
  • Set a maximum gas waste budget. If you see a pool with >10% failure rate in the last 1000 transactions, avoid it. Tools like Dune Analytics can surface this.
  • Prefer v3 pools over v4 hooks for now. Uniswap v3 does not have hooks. v4 hooks need to earn trust through audits or whitelisting. Treat them as unaudited smart contracts until proven otherwise.
  • For large trades, use a private mempool or flashbots. The simulation spoofing attack works on public mempool transactions. Private mempools change the execution environment, making it harder for hooks to distinguish simulation from execution.

The attack vector is here to stay. Enso Shield is a stopgap. The real fix is a protocol-level change: require pools to commit to a simulation hash. If the actual execution deviates beyond a defined tolerance, revert and refund gas. This is technically feasible today using ERC-165 or similar interfaces.

Rhetorical question for you: Will you wait for your wallet to add verification, or will you build your own checklist? Because in a sideways market, positioning is everything. And the worst position is holding a bag of failed transactions.

Verification precedes valuation; always.

Fear & Greed

25

Extreme Fear

Market Sentiment

Altseason Index

44

Bitcoin Season

BTC Dominance Altseason

Market Cap

All →
# Coin Price
1
Bitcoin BTC
$64,160.1
1
Ethereum ETH
$1,844.21
1
Solana SOL
$75.08
1
BNB Chain BNB
$570.4
1
XRP Ledger XRP
$1.09
1
Dogecoin DOGE
$0.0722
1
Cardano ADA
$0.1643
1
Avalanche AVAX
$6.54
1
Polkadot DOT
$0.8307
1
Chainlink LINK
$8.28

🐋 Whale Tracker

🟢
0xd655...3285
2m ago
In
26,564 SOL
🔵
0xdb11...6d72
3h ago
Stake
39,361 BNB
🔴
0x6711...4d36
1h ago
Out
4,882.21 BTC