Shield provides a two-step security model for EVM transactions: simulate to preview outcomes, then validate to verify integrity before signing.
Transaction Flow
Simulate Phase
The simulate endpoint executes your transaction on a forked EVM state at the current block. This produces:
| Field | Description |
|---|
simulationId | UUID identifying this simulation. Use it with /validate. |
result.status | "Success" or "Error" — whether the transaction would succeed on-chain. |
result.amountOut | Predicted output amounts in wei, one per tokenOut address you specified. |
result.gas | Actual gas consumed during the simulation. |
result.error | Error details when the transaction would revert. |
tokenIn, tokenOut, and amountIn to tell Shield which token flows to track during simulation. The simulation metadata is cached for 5 minutes.
Validate Phase
The validate endpoint compares your unsigned transaction against the cached simulation. Each field is checked independently:
| Check | What It Verifies |
|---|
chainId | The chain ID matches the simulation. |
data | Calldata matches by hash — detects any modification to the transaction payload. |
to | Target contract address matches (case-insensitive). |
from | Sender address matches (case-insensitive). |
value | Native token value (in wei) matches exactly. |
valid field is true only when all individual checks pass. If any check fails, you know exactly which field was modified.
Security Model
The simulate-then-validate pattern prevents a class of attacks where transaction data is modified between the time a user reviews it and the time they sign it:
- Frontrunning protection — The simulated
amountOut shows what the user will actually receive, not an optimistic estimate.
- Calldata integrity — The
data field is compared by hash, so any byte-level change to the calldata is detected.
- Address verification — Both
to and from addresses are validated, preventing contract address substitution attacks.
- Value integrity — The native token
value is checked to prevent unauthorized ETH transfers.
The 5-minute cache window means market conditions can change between simulation and execution. The amountOut is accurate at the time of simulation but may differ slightly when the transaction is mined. Use slippage protection in your transaction calldata to account for this.
Source Agnostic
Shield does not require transactions to originate from Enso APIs. Any valid EVM transaction calldata can be simulated and validated:
- DEX aggregators — 0x, Paraswap, Odos
- DeFi protocols — Aave, Compound, Uniswap, Yearn
- Custom contracts — Your own smart contract interactions
- Multisig operations — Gnosis Safe or other multi-signature wallet transactions
- Smart account operations — ERC-4337 UserOps via
operationType: 1 (DelegateCall)
See the Third-Party Transactions guide for detailed examples.
