A Web3 bug bounty hunter discovered an exposed private Tenderly simulation fork on a DeFi protocol by fuzzing RPC endpoint paths with EVM Chain IDs. The exposed node showed a $22M discrepancy versus real Mainnet balances, revealing an artificial simulation state. After the triage team initially dismissed the report as public blockchain data, the researcher proved the vulnerability by executing a state override via eth_call with a stateDiff parameter, which only a Tenderly fork honors; a standard public RPC proxy would not apply it. The team ultimately validated the finding. Key takeaways include fingerprinting RPC nodes with web3_clientVersion, comparing balances against Etherscan, and using state overrides as definitive proof of a simulation environment.
Table of contents
Phase 1: The Initial Recon and the Bypass
Phase 2: The $22 Million Discrepancy
Phase 4: The Pushback from Triage
Phase 5: The “State Override” Nuke (Proving the Bug)
The Resolution
Takeaways for Web3 Bug Hunters
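The three checks from the summary (client fingerprint, balance comparison against a reference chain, and an eth_call with a stateDiff override), as an added example that is not code from the article; the token, holder and storage-slot values are constructed placeholders, and the override object uses the Geth-style state-override format that forks such as Tenderly accept.

```python
import json
from urllib import request

# Constructed sample values: the token contract, holder and storage slot are
# placeholders, not addresses from the write-up.
TOKEN = "0x" + "11" * 20
HOLDER = "0x" + "22" * 20
HOLDER_SLOT = "0x" + "ab" * 32   # keccak(holder . mappingSlot), computed elsewhere

def rpc(url, method, params, rid=1):
    """Minimal JSON-RPC 2.0 POST; a live network call, not used by the offline checks."""
    body = json.dumps({"jsonrpc": "2.0", "id": rid, "method": method, "params": params}).encode()
    req = request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def balance_of_calldata(holder):
    """ABI-encode balanceOf(address): 4-byte selector + address left-padded to 32 bytes."""
    return "0x70a08231" + holder[2:].lower().rjust(64, "0")

def override_call_params(token, holder, slot, fake_balance):
    """eth_call params with a state-override object as the third element.
    A plain public proxy ignores or rejects it; a simulation fork applies the stateDiff."""
    override = {token: {"stateDiff": {slot: "0x" + format(fake_balance, "064x")}}}
    return [{"to": token, "data": balance_of_calldata(holder)}, "latest", override]

def override_honored(result_hex, fake_balance):
    """True when the balance returned equals the value injected through stateDiff."""
    return int(result_hex, 16) == fake_balance

def classify_endpoint(client_version, node_balances, reference_balances, honored):
    """Combine the three signals into one verdict for an endpoint you are auditing."""
    drift = {a: node_balances.get(a, 0) - ref for a, ref in reference_balances.items()
             if node_balances.get(a, 0) != ref}
    if honored:
        verdict = "simulation-fork"      # state override applied: definitive
    elif drift:
        verdict = "suspect"              # balances diverge from the reference chain
    else:
        verdict = "consistent"
    return {"client": client_version.split("/")[0], "drift_wei": drift, "verdict": verdict}
```

Feed `classify_endpoint` the `web3_clientVersion` string, balances from the node under test and from a trusted reference such as Etherscan, and the result of `override_honored` on the eth_call response.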