This agent detects the creation of scam contracts based on bytecode similarities to known scam contracts provided by other forta bots like bot 0xf715450e392acb385eabdb8fc94278b3821d2c9a148de777726673895c7283a0.
This bot will listen to every contract creation event and retrieve the runtime bytecode of the created contract. Then a CFG of the bytecode will be built, and instructions of every function will be extracted to be vectorized using doc2vec model. Finally, the vectorized function features of the contract will be compared with the vectorized function features of the known scam contracts using FAISS. That is, this bot performs function-level semantic similarity detection.
When calculating the similarity between contracts, we define the similarity of contract
where
where
Finally, the similarity score will be normalized by:
All chains that Forta supports
- NEW-SCAMMER-CONTRACT-CODE-HASH
- Fired when a similar contract is identified based on the code similarity hash
- Severity is always set to "medium"
- Type is always set to "suspicious"
- Metadata:
alert_hash
- the alert hash from the handleAlert function that brought this scammer into scope (so the scammer contract that the new scammer contract is similar to)new_scammer_eoa
- the EOA that created the new scammer contractnew_scammer_contract_address
- the address of the new scammer contractscammer_eoa
- the EOA that created the original scammer contractscammer_contract_address
- the original scammer contractsimilarity_score
- score that expresses the similarity between the original scammer contract and the new scammer contract identifiedsimilarity_hash
- the similarity hash for grouping the two contracts together
- Labels
- New scammer EOA will be set as
scam
- New scammer contract address will be set as
scam
- confidence will be calculated by the above mentioned equation.
- New scammer EOA will be set as
npm run sequence tx0x77ef021978dc893297a77a51990efab1ef9234006a1d97bb78678354d92de632,0xe350cf63228ae2277b0e5b49089c6f255acd481cea19892749357fe74edbd0f7,tx0xa2819befc5c19c3a51fbbea8557e4dfebd2be41cdd7359462c18027a364e7fae,0xc3b228892e92ebf86f7e71bc202279a0a4863ca83f73fa7c8df9a592a59943cb,tx0x77ef021978dc893297a77a51990efab1ef9234006a1d97bb78678354d92de632,tx0x136454296922d5c6908061434dcd3645995fe9419a147d0fe5eab6d5eb8fea9a
The above test script should raise alerts two times, one for the second transaction (starts with tx
) and one for the third transaction.
The model is trained on slither-audited-smart-contracts
dataset. After processing there will be more than 2,000,000 functions for our model to learn unsupervisedly. The training process takes roughly 3 hour on M1 Max.
python construct_dataset.py && python train.py
- Train with larger dataset, like paradigm-data-portal.
- Flag precise malicious function calls. (require upstreaming flagging)