The latest web3 attack: How Transaction Simulation Spoofing Works
Shirou (Scaleap), February 24, 2025

Transaction Simulation Spoofing targets the simulation feature in Web3 wallets, which previews the likely outcome of a transaction before the user signs it. Attackers exploit this by manipulating what the simulation sees, so that users approve malicious transactions believing they are safe.

A notable case occurred on January 10, 2025, when attackers stole 143.45 ETH using this method. Let's dive into how it works.

A- How it works

Here is how hackers plan and execute the attack in 5 simple steps.

🔍 1. Phishing Setup

Attackers begin by creating a fake website that mimics a legitimate Web3 platform—such as an NFT claim page, airdrop site, or DeFi platform. Victims are often lured through social media, phishing emails, or compromised X posts promising rewards.

🎭 2. Simulation Manipulation

The phishing site prompts users to connect their Web3 wallet (e.g., MetaMask or Trust Wallet). The wallet's simulation is a dry run of the transaction against the chain state at that moment; the attacker arranges for that state to produce a “safe” outcome (e.g., “You’ll receive 0.1 ETH”) by having the call hit a benign contract or static state. This convinces users that the transaction is legitimate.

🔄 3. On-Chain Switch

Once the simulation is complete, but before the user signs, the attacker changes what the transaction will actually do: swapping the transaction data, or updating the contract behind a malicious proxy so that the same call now runs different code. If the user signs, the real transaction sends funds directly to the attacker’s address instead of delivering the promised reward.

4. User Approval and Fund Drain

Trusting the simulation result, the victim signs the transaction. Since most wallets don’t re-simulate the transaction immediately before signing, the user never sees that the outcome has changed. Once the transaction executes, the attacker immediately drains the funds from the victim’s wallet.

🕵️ 5. Covering Tracks

After stealing the funds, attackers often use crypto mixers (like Tornado Cash) or rapidly transfer funds across multiple wallets, making it nearly impossible to trace the stolen assets.

This attack exploits the gap between simulation and execution, taking advantage of both user trust and the complexities of smart contract interactions.
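The gap between simulation and execution is easiest to see in code. The following is an added example, not code from the original post or from any wallet vendor: a wallet-side guard that records not only the simulation output but also what the simulation ran against (the target's bytecode and, for proxies, the EIP-1967 implementation slot), then re-simulates right before signing and refuses to treat the earlier preview as current if anything differs. The provider is a constructed in-memory mock of the JSON-RPC methods a wallet would call (`eth_call`, `eth_getCode`, `eth_getStorageAt`); the addresses, bytecode and result values are all made up.

```javascript
// Added example (not from the original post): re-simulate immediately before
// signing and compare against the preview the user saw. The provider below is a
// constructed mock; no real chain, contracts or addresses are involved.

// EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1.
const EIP1967_IMPL_SLOT =
  "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc";

// Capture what a simulation really ran against, not only its output.
async function simulate(provider, tx) {
  const result = await provider.request({ method: "eth_call", params: [tx, "latest"] });
  const code = await provider.request({ method: "eth_getCode", params: [tx.to, "latest"] });
  const impl = await provider.request({
    method: "eth_getStorageAt",
    params: [tx.to, EIP1967_IMPL_SLOT, "latest"],
  });
  // A production wallet would store keccak256(code); the mock compares the raw string.
  return { result, code, impl };
}

// Re-run the simulation at signing time. ok === false means the preview the
// user approved no longer describes what the transaction would do.
async function guardBeforeSign(provider, tx, preview) {
  const now = await simulate(provider, tx);
  const reasons = [];
  if (now.impl !== preview.impl) reasons.push("proxy implementation changed since preview");
  if (now.code !== preview.code) reasons.push("target bytecode changed since preview");
  if (now.result !== preview.result) reasons.push("re-simulation result differs from preview");
  return { ok: reasons.length === 0, reasons };
}

// ---- constructed mock chain (no real addresses or bytecode) ----
const BENIGN_IMPL = "0x" + "0".repeat(24) + "a".repeat(40);  // implementation the preview ran against
const SWAPPED_IMPL = "0x" + "0".repeat(24) + "b".repeat(40); // implementation installed after the preview
const RESULT_PAYOUT = "0x" + "0".repeat(63) + "1";           // stands in for "user receives reward"
const RESULT_DRAIN = "0x" + "0".repeat(64);                  // stands in for "user receives nothing"

function makeMockProvider() {
  const state = { code: "0x60806040deadbeef", impl: BENIGN_IMPL }; // constructed values
  return {
    state,
    async request({ method, params }) {
      switch (method) {
        case "eth_getCode":
          return state.code;
        case "eth_getStorageAt":
          return params[1] === EIP1967_IMPL_SLOT ? state.impl : "0x" + "0".repeat(64);
        case "eth_call":
          // The proxy's behaviour depends on which implementation it delegates to.
          return state.impl === BENIGN_IMPL ? RESULT_PAYOUT : RESULT_DRAIN;
        default:
          throw new Error("unsupported method " + method);
      }
    },
  };
}

// Walk the timeline: preview, honest re-check, on-chain switch, re-check again.
async function demo() {
  const provider = makeMockProvider();
  const tx = { from: "0x" + "1".repeat(40), to: "0x" + "2".repeat(40), data: "0x", value: "0x0" };
  const preview = await simulate(provider, tx);             // what the user was shown
  const unchanged = await guardBeforeSign(provider, tx, preview);
  provider.state.impl = SWAPPED_IMPL;                        // the switch between preview and signature
  const afterSwitch = await guardBeforeSign(provider, tx, preview);
  return { unchanged, afterSwitch };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two caveats worth keeping in mind. Re-simulating narrows the window but does not close it: the re-check is itself an `eth_call` against the latest block, and state can still change between the signature and the block that includes the transaction. And a contract whose behaviour depends on block-level conditions (timestamp, caller, remaining balance) can return the same preview twice and still do something else on inclusion, which is why the guard fingerprints the code and proxy slot rather than trusting the returned value alone.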

B- How to Protect Yourself from Transaction Simulation Spoofing

Follow these steps to keep your Web3 wallet secure as of February 22, 2025:

Step 1: Verify Website Legitimacy

Manually type the official URL of trusted platforms (e.g., opensea.io, uniswap.org) instead of clicking links from emails or social media. Bookmark frequently used sites to avoid typosquatting scams (e.g., unlswap.org). Always check for HTTPS; it secures the connection, though it does not by itself prove the site is genuine.

👀 Step 2: Inspect Wallet Prompts Carefully

When prompted to approve a transaction, review all details thoroughly. Expand the “Transaction Data” or “Raw” tab to inspect the contract address and function calls. Cross-check this information using Etherscan or official project documentation.

🔄 Step 3: Simulate Transactions Independently

Use blockchain explorers like Etherscan or Tenderly to simulate transactions manually and verify the outcome. If unsure, initiate a small test transaction (e.g., 0.001 ETH) before committing larger funds.

🛡️ Step 4: Update Your Wallet Security

Enable advanced settings in your wallet, such as Enhanced Token Detection or Transaction Simulation Warnings in MetaMask. For added security, use a hardware wallet like Ledger or Trezor to display raw transaction data on a separate device.

⚠️ Step 5: Avoid Blind Signing

Be cautious when granting unlimited approvals. Regularly manage and revoke unnecessary permissions using tools like revoke.cash. If a website pressures you to act quickly (e.g., “Claim now!”), take your time to verify authenticity.

📈 Step 6: Monitor and Respond Promptly

Set up transaction alerts through Etherscan or your wallet app to monitor outgoing funds. After using new platforms, revisit revoke.cash to cancel any unwanted contract permissions.
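Steps 2 and 5 both come down to reading the raw calldata in the wallet prompt and recognising what it grants. The following is an added example, not code from the original post or from any wallet or explorer: a small decoder for the three standard token functions most often involved in approval-based drains (`approve`, `setApprovalForAll`, `transfer`), which flags unlimited allowances and collection-wide operator approvals. The selectors are the standard 4-byte function selectors for those ERC-20/ERC-721 signatures; the spender address and sample calldata at the bottom are constructed.

```javascript
// Added example (not from the original post): decode the "Raw" / "Transaction
// Data" field of a wallet prompt far enough to see which function is being
// called and whether it grants an open-ended allowance. Sample data is constructed.

const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 allowance
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator
  "0xa9059cbb": "transfer(address,uint256)",       // ERC-20 transfer
};
const UINT256_MAX = (1n << 256n) - 1n;

// i-th 32-byte ABI word after the 4-byte selector, as a 64-char hex string.
function word(hex, i) {
  const start = 10 + i * 64;
  const w = hex.slice(start, start + 64);
  if (w.length !== 64) throw new Error("calldata too short for argument " + i);
  return w;
}

function inspectCalldata(data) {
  const hex = String(data).toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(hex) || hex.length < 10) {
    return { kind: "invalid", flags: ["not well-formed calldata"] };
  }
  const selector = hex.slice(0, 10);
  const signature = SELECTORS[selector];
  if (!signature) {
    return { kind: "unknown", selector, flags: ["unrecognised selector: check it against the verified contract ABI"] };
  }
  const flags = [];
  const address = "0x" + word(hex, 0).slice(24); // address is the low 20 bytes of the first word
  const second = BigInt("0x" + word(hex, 1));
  if (selector === "0x095ea7b3") {
    if (second === UINT256_MAX) flags.push("unlimited allowance: spender can move the entire balance at any time");
    return { kind: "approve", spender: address, amount: second.toString(), flags };
  }
  if (selector === "0xa22cb465") {
    if (second !== 0n) flags.push("operator approval covers every token in the collection");
    return { kind: "setApprovalForAll", operator: address, approved: second !== 0n, flags };
  }
  return { kind: "transfer", to: address, amount: second.toString(), flags };
}

// Helpers to build constructed sample calldata for the demo below.
const padAddress = (addr) => "0".repeat(24) + addr.slice(2).toLowerCase();
const padUint = (n) => n.toString(16).padStart(64, "0");
const SPENDER = "0x" + "c".repeat(40); // constructed, not a real address

const SAMPLES = {
  unlimitedApprove: "0x095ea7b3" + padAddress(SPENDER) + padUint(UINT256_MAX),
  boundedApprove:   "0x095ea7b3" + padAddress(SPENDER) + padUint(1000n),
  operatorApproval: "0xa22cb465" + padAddress(SPENDER) + padUint(1n),
};

for (const [name, data] of Object.entries(SAMPLES)) {
  console.log(name, inspectCalldata(data));
}
```

The decoder deliberately stops at "what is this call and who does it empower"; the spender or operator it extracts is the value to cross-check against the project's documented contract addresses before signing, and an allowance equal to the maximum uint256 is the case revoke.cash exists to clean up afterwards.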

C- Why You Should Care

The growing threat of Transaction Simulation Spoofing, highlighted by the January 2025 ETH theft, stresses the importance of vigilance in the Web3 space.

While wallet technology is improving—with some offering simulation mismatch warnings—it’s not foolproof. Even large platforms like Bybit fell victim to a sophisticated spoofing attack on February 21, 2025, demonstrating that even seasoned players can be targeted.


© Copyright 2024 Scaleap · All rights reserved.