Tl;dr: This White Paper – born from an Ethereum Foundation grant – details our findings on critical vulnerabilities in popular Web3 transaction simulation solutions, including the novel “Red Pill” attack. This research offers insights and recommendations to enhance the security of decentralized systems.
White Paper
Recommendations
For users:
- Make sure the wallet you are using for Web3 transactions includes a Transaction Simulation capability as part of a holistic security solution that consists of multiple additional elements.
- Security mechanisms are not a replacement for common sense. If something is too good to be true, it probably is, even if your advanced security mechanisms do not raise an alert.
For Wallets and Simulation Implementors:
- Transaction Simulation capabilities are an important and even mandatory security tool for modern wallets and should be part of any modern Web3 wallet.
- Transaction Simulation is not easy to get right, so it is probably better to use a battle-tested implementation or service and not “roll your own”.
- Test your Transaction Simulation implementation against our red pill attack reference implementation to make sure your solution is not vulnerable to such attacks.
- Create a comprehensive Web3 security solution which includes Transaction Simulation along with additional elements (e.g. security reputation).
- It is very important to put Transaction Simulation results in the necessary context to enable users to make informed decisions. For example, the user experience for an “Approval” transaction simulation should include an explanation of the implications of the approval and the reputation of the Approval spender’s address. For instance, an approval for an EOA address should be a red flag.
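
One way to surface the EOA red flag from the last recommendation, as an added example that is not code from the white paper: decode the approval calldata, look up the spender's bytecode, and attach a warning to the simulation result. It goes slightly beyond the text by also covering `setApprovalForAll` and by not warning on revocations; `getCode`, the sample addresses and the sample bytecode are assumptions constructed for illustration.

```javascript
// Standard selectors; addresses and bytecode below are constructed sample values.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256), ERC-20 semantics assumed
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool), ERC-721/1155
};

// Decode approval calldata into { kind, spender, value }; null for any other call.
function decodeApproval(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const kind = SELECTORS[hex.slice(0, 8)];
  // Selector + two 32-byte words; the first word is a left-padded 20-byte address.
  if (!kind || !/^[0-9a-f]{8}0{24}[0-9a-f]{104}$/.test(hex)) return null;
  return {
    kind,
    spender: "0x" + hex.slice(32, 72),
    value: BigInt("0x" + hex.slice(72, 136)),
  };
}

// getCode(address) is a hypothetical caller-supplied lookup returning deployed
// bytecode as hex, for example a wrapper around the eth_getCode JSON-RPC call.
function approvalContext(calldata, getCode) {
  const approval = decodeApproval(calldata);
  if (!approval) return null;
  const revoke = approval.value === 0n; // zero allowance, or operator = false
  const code = getCode(approval.spender);
  // Empty code means an EOA (or a contract address that is not deployed yet).
  const spenderIsEoa = code === "0x" || code === "";
  const warnings = [];
  if (!revoke && spenderIsEoa) {
    warnings.push("Spender has no contract code (EOA): red flag for an approval");
  }
  return { ...approval, revoke, spenderIsEoa, warnings };
}

// Constructed sample data: one contract spender, one EOA spender.
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const CONTRACT = "0x" + "aa".repeat(20);
const EOA = "0x" + "bb".repeat(20);
const sampleCode = (addr) => (addr === CONTRACT ? "0x6080604052" : "0x");
const approveCall = (spender, amountHex) =>
  "0x095ea7b3" + word(spender) + word(amountHex);

console.log(approvalContext(approveCall(EOA, "0x3e8"), sampleCode));
```

The bytecode check is only one input to the context shown to the user; it complements, rather than replaces, the spender reputation lookup the recommendation calls for.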
Conclusions
Transaction Simulation is a highly relevant solution to protect users against rogue Dapps suggesting bad function calls to good contracts controlling Tokens and NFTs. The scenario of rogue Dapps abusing good contracts constitutes a very large portion of the issues that users face.
However, it is important to note that Transaction Simulation is not a panacea and must be augmented with additional solutions to provide more extensive coverage of the user attack surface. Additionally, Simulation and similar security solutions should be thoroughly tested, because the false sense of security they can create has a negative impact and may facilitate further abuse.
Join the Conversation
Stay tuned for more updates as we continue to push the boundaries of Web3 security research. Contact the Zengo X team and follow us on X.