The Simulation Lie: How Malicious Pools Are Manipulating DeFi Routing

CryptoSignal
Research

Network congestion? No. It’s a simulation-sized hole in DeFi’s armor. Over 129,000 transactions on Ethereum were routed to a single malicious pool on Curve. The victim? Trust in the quote itself.

The simulation is the new attack surface. And it has been bleeding capital silently.

Enso, a blockchain security firm, uncovered a pattern of “simulation spoofing” attacks targeting Ethereum and Polygon deployment. On Ethereum, a malicious Curve pool processed 129,000 transactions. On Polygon, a Uniswap v4 hook pool failed 99.1% of all executed trades. The cost? Approximately $30,000 in wasted gas—plus an unknown amount in missed opportunities and slippage. The attacker’s net profit? Only $34,600. That’s the tip of a very dangerous iceberg.

Context: Why the simulation matters.

When you trade on a decentralised exchange, your wallet or aggregator runs a local simulation. It checks which pool gives the best price, estimates gas, and returns a quote. That quote becomes your trade. If the pool is malicious, it returns a perfect simulated price—then rejects or alters the execution. The user sees a successful simulation, a failed transaction, and pays gas for nothing. The attacker pockets the difference via their own arbitrage or simply by wasting the user’s capital.

I have been in the crypto security space since 2017, auditing ICO smart contracts. I learned that code is not promise. But here, the code itself is a lie—a conditional revert that only triggers during real execution. This is not MEV. This is not frontrunning. This is a fundamental breach of the implicit contract between trader and aggregator.

Core: The technical breakdown.

The attack pattern is elegant in its simplicity. The malicious pool exposes a swap function that returns a favourable simulated output. During the actual EVM execution, the function checks the gasleft() or the msg.sender against a whitelist of known simulators. If the caller is a simulation environment (like Tenderly or a node’s eth_call), it returns a fake price. If it’s a real transaction, it reverts or returns a much worse price.

Enso’s analysis identified this on two distinct implementations: - On Ethereum, a Curve pool used a conditional revert pattern. Over 129,000 transactions were routed to it. The pool alternated between honest and malicious behaviour—making it undetectable in a single block. - On Polygon, a Uniswap v4 hook pool exploited the same concept. The hook logic simulated a favourable price, then reverted on real execution. The failure rate was 99.1%.

The Simulation Lie: How Malicious Pools Are Manipulating DeFi Routing

The attacker deployed multiple other contracts across chains. Enso’s “Shield” detection tool now flags these patterns, but the damage is already done. The attacker’s profit—$34,600—is modest, but the gas burned ($30,000) and the erosion of user trust are far larger costs.

My experience tells me this is just the beginning. In 2020, I reverse-engineered Uniswap v2 and Curve mechanics for a venture capital firm, and I saw how easy it was to game incentives. In 2021, I discovered that 40% of NFT metadata was stored on centralised servers. The pattern is always the same: the industry prioritises speed and convenience over verification. Now, the same error is costing traders in real time.

Contrarian: The real risk is not the profit, but the parasite.

Most commentary will focus on the small profit—$34,600 is a rounding error in crypto. That is the distraction. The real story is the systemic vulnerability it exposes. Every aggregator, every wallet, every DeFi protocol that relies on eth_call for price discovery is now under threat. The assumption that “simulated price equals executed price” is broken.

Furthermore, Uniswap v4’s hook architecture—intended to foster innovation—has lowered the barrier to deploying such malicious pools. Hook flexibility is a double-edged sword. The industry’s obsession with “permissionless innovation” now collides with the reality of adversarial exploits.

The congestion of trust is real.

The simulation’s congestion comes from too many assumptions layered on a single fragile call. The protocol’s integrity is dependent on the execution’s finality. When the execution diverges from simulation, the entire routing layer fails.

Takeaway: Verify after execution, not just before.

The next time your wallet shows a perfect price, ask yourself: what happens when I hit confirm? The answer may be a revert. The industry must move from simulation-based routing to execution-based verification. Aggregators should compare the post-trade output with the simulated quote. If they mismatch, reject the transaction and alert the user.

Enso’s Shield is one answer, but the real fix is cultural. We need to stop assuming the simulation is honest. We need to treat it as a hypothesis, not a guarantee. The parasite is small now, but it will grow. The question is: will we patch the wound before the infection spreads?

The Simulation Lie: How Malicious Pools Are Manipulating DeFi Routing


Based on my 2022 FTX collapse analysis, I learned that when the infrastructure fails, the cascade is swift. This attack is smaller, but similar in its structural implication. Do not wait for the next crisis.