Context is Key: False Positives in Calldata Simulation

San Francisco, CA — Apr 30th, 2025

Agora introduces Transaction Simulation and Verification feature: simulation of proposals using full governor and timelock context, with Tenderly support.


Governance can be risky business

Executing a proposal change or transaction involves real stakes and high pressure.

Proposals often handle millions of dollars in value. A single misstep can lead to a failed or erroneous transaction that delays payment or locks funds. That's why when someone uses Agora to launch a proposal, the margin for error is zero.

Note to self: simulations can go wrong!

Simulating proposals is a common, even expected, feature for a product like Agora. It usually means invoking a proposal's calldata through a service such as Tenderly, which is well known in the DAO and governance space as the platform for safely testing and previewing smart contract transactions. This matters because once a transaction is executed onchain it is permanent, so precautions are needed to ensure executions are error free.

A simulation is not reliable if it is misconfigured or not given the full runtime context. In the worst case it reports a false positive, for instance by naively checking only the calldata. The correct treatment is to test the proposal's calldata within the full context of the specific Timelock contract that will execute it.

This is critical, though more complex, because timelocks aren't perfectly standardized. A timelock is the most common pattern for delaying transactions: a necessary piece of complexity and a security mechanism that enforces a waiting period between when a proposal is approved and when it can be executed.

Luckily there is Seatbelt

Released in January 2022, Seatbelt is a security check mechanism developed by ScopeLift, which received a grant from the Uniswap Grants Program for its development.

Seatbelt aims to make governance safer by generating human-readable reports of a simulation, based on the full context and a plethora of checks, fully exposing the would-be state change to the reader. The team at Scopelift understands the difficulty in simulating proposal transactions.

"If a governance proposal is active, it can't yet be executed. That's because votes are ongoing, and the proposal has not yet passed. Simulating the transaction naively will therefore revert. We leverage the Tenderly Simulation API to work around these limitations."
— ScopeLift Team

The tool was developed because governance proposal transactions are complex without standard audit processes, making it difficult for users to understand what proposals actually do and potentially leading to serious issues like failed execution, lost funds, or unusable governance systems.
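To make the false-positive point above and the ScopeLift quote concrete, here is an added Python model (not Agora's or Seatbelt's code) of a governor, timelock and treasury: a calldata-only check accepts a withdrawal, while executing the same calldata through the timelock surfaces the revert, and a state override stands in for the Tenderly override trick that lets an active proposal be simulated at all. Contract names, addresses, balances and the sha256-based selector are constructed for the model.

```python
from dataclasses import dataclass, replace
import hashlib

def selector(sig: str) -> bytes:
    """Stand-in for keccak256(sig)[:4]; sha256 keeps this model dependency-free."""
    return hashlib.sha256(sig.encode()).digest()[:4]
WITHDRAW = selector("withdraw(address,uint256)")

def encode_withdraw(to: str, amount: int) -> bytes:
    """ABI-style calldata: 4-byte selector + two 32-byte words (address, uint256)."""
    return WITHDRAW + bytes.fromhex(to[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

@dataclass
class Treasury:
    owner: str      # the timelock address; only it may withdraw
    balance: int
    def call(self, sender: str, data: bytes) -> None:
        if data[:4] != WITHDRAW:
            raise RuntimeError("unknown selector")
        if sender != self.owner:
            raise RuntimeError("caller is not owner")
        amount = int.from_bytes(data[36:68], "big")
        if amount > self.balance:
            raise RuntimeError("insufficient treasury balance")
        self.balance -= amount

@dataclass
class Governance:
    timelock: str
    state: str = "Active"   # votes still ongoing, as in the ScopeLift quote
    queued_eta: int = 0     # nonzero once the operation is queued in the timelock
    def execute(self, treasury: Treasury, data: bytes, now: int) -> None:
        if self.state != "Succeeded":
            raise RuntimeError("proposal not succeeded")
        if self.queued_eta == 0 or now < self.queued_eta:
            raise RuntimeError("timelock delay not elapsed")
        treasury.call(self.timelock, data)   # msg.sender is the timelock, not the proposer

def naive_check(data: bytes) -> str:
    """Calldata-only check: selector known and length matches the ABI. Blind to context."""
    return "ok" if data[:4] == WITHDRAW and len(data) == 68 else "revert: malformed calldata"

def contextual_check(gov: Governance, treasury: Treasury, data: bytes, now: int, override: bool = False) -> str:
    """Run the call through governor and timelock on copies; override mimics a state override."""
    gov, treasury = replace(gov), replace(treasury)
    if override:  # pretend the vote passed and the queued operation's eta has arrived
        gov.state, gov.queued_eta = "Succeeded", now
    try:
        gov.execute(treasury, data, now)
        return "ok"
    except RuntimeError as e:
        return f"revert: {e}"
```

Without the override the contextual run reverts before it reaches the treasury, which is exactly the naive Tenderly result the quote describes; with it, the run exposes the real problem that the calldata-only check missed.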

Seatbelt-Inspired Simulation Is Now Available on Agora

The feature is out in beta across all Agora-compatible deployments. You no longer need to break a sweat when executing a proposal transaction; instead you can take the precautionary step of running our simulation feature, which is battle tested to give you extra security and reassurance.

Feature Spotlight

Here is how we have implemented Seatbelt-style checks in proposal transaction simulations across Agora deployments:

  1. Comprehensive Contextual Simulations
    We now simulate proposals within their full execution context, mirroring the exact conditions under which they will run onchain, including timelock interactions.

  2. Proactive Validation Tool
    Agora integrates Seatbelt-style checks during the proposal drafting phase, allowing users to identify and rectify issues before proposals are submitted onchain.

  3. Post-Publication Checks by Any User
    After a proposal goes live, we enable any user to inspect the integrity of the proposed transaction at any time. This provides stakeholders with confidence in the proposal's execution.

  4. Enhanced Tenderly Integration
    Our collaboration with Tenderly has been refined to ensure simulations accurately reflect real-world conditions, minimizing discrepancies between simulated and actual outcomes.

Security is not an afterthought

All this is to stress that we are obsessed with improving our security measures under the hood. Security mechanisms like these often don't come up in public discussion unless something goes wrong, and by then it's too late!

There's a reason smart contract execution is so error-prone: calldata is arbitrary and context-sensitive, and the surface area for subtle bugs is massive. Preventative measures can spare a team from learning this the hard way.

We believe the community needs shared infrastructure here. Maybe it's a library. Maybe it's a framework. Maybe it's a hosted service. But whatever form it takes, we think the pattern of preflight proposal checks—context-aware, reliable, and extensible—should become standard across the DAO ecosystem.

We see Seatbelt as a shining example of what that could look like. Encouraging other teams to build these security proofs to make the shared infrastructure more resilient is how we collectively build trust.

See our docs to learn more about the Simulation Transaction and Verification feature on Agora.

Deploy Agora for your protocol today