> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enso.build/llms.txt
> Use this file to discover all available pages before exploring further.
# How It Works
> Understand Shield's simulate-then-validate security model.
export const date_0 = "2026-04-07"
Shield provides a two-step security model for EVM transactions: **simulate** to preview outcomes, then **validate** to verify integrity before signing.
## Transaction Flow
```mermaid theme={null}
flowchart LR
A[Build Transaction] --> B[Simulate]
B --> C{Review Results}
C -->|amountOut OK| D[Validate]
C -->|Reject| A
D --> E{Valid?}
E -->|Yes| F[Sign & Submit]
E -->|No - Tampered| A
```
## Simulate Phase
The simulate endpoint executes your transaction on a forked EVM state at the current block. This produces:
| Field | Description |
| ------------------ | -------------------------------------------------------------------------- |
| `simulationId` | UUID identifying this simulation. Use it with `/validate`. |
| `result.status` | `"Success"` or `"Error"` — whether the transaction would succeed on-chain. |
| `result.amountOut` | Predicted output amounts in wei, one per `tokenOut` address you specified. |
| `result.gas` | Actual gas consumed during the simulation. |
| `result.error` | Error details when the transaction would revert. |
You specify `tokenIn`, `tokenOut`, and `amountIn` to tell Shield which token flows to track during simulation. The simulation metadata is cached for **5 minutes**.
## Validate Phase
The validate endpoint compares your unsigned transaction against the cached simulation. Each field is checked independently:
| Check | What It Verifies |
| --------- | ------------------------------------------------------------------------------- |
| `chainId` | The chain ID matches the simulation. |
| `data` | Calldata matches by hash — detects any modification to the transaction payload. |
| `to` | Target contract address matches (case-insensitive). |
| `from` | Sender address matches (case-insensitive). |
| `value` | Native token value (in wei) matches exactly. |
The `valid` field is `true` only when **all** individual checks pass. If any check fails, you know exactly which field was modified.
## Security Model
The simulate-then-validate pattern prevents a class of attacks where transaction data is modified between the time a user reviews it and the time they sign it:
1. **Frontrunning protection** — The simulated `amountOut` shows what the user will actually receive, not an optimistic estimate.
2. **Calldata integrity** — The `data` field is compared by hash, so any byte-level change to the calldata is detected.
3. **Address verification** — Both `to` and `from` addresses are validated, preventing contract address substitution attacks.
4. **Value integrity** — The native token `value` is checked to prevent unauthorized ETH transfers.
The 5-minute cache window means market conditions can change between simulation and execution. The `amountOut` is accurate at the time of simulation but may differ slightly when the transaction is mined. Use slippage protection in your transaction calldata to account for this.
## Source Agnostic
Shield does not require transactions to originate from Enso APIs. Any valid EVM transaction calldata can be simulated and validated:
* **DEX aggregators** — 0x, Paraswap, Odos
* **DeFi protocols** — Aave, Compound, Uniswap, Yearn
* **Custom contracts** — Your own smart contract interactions
* **Multisig operations** — Gnosis Safe or other multi-signature wallet transactions
* **Smart account operations** — ERC-4337 UserOps via `operationType: 1` (DelegateCall)
See the [Third-Party Transactions guide](/pages/shield/guides/third-party-transactions) for detailed examples.