Detect Ongoing Attacks In Web3 With Free Tools

How hard is it to detect ongoing attacks on smart contracts and alert on time? Wouldn’t that require an expensive monitoring solution to gather and index the data, extract and analyze the various features, filter benign transactions and flag malicious activity?

It’s much simpler than it looks, thanks to publicly available free tools. In this blog post, we show how to monitor any protocol and detect ongoing attacks with minimal effort and budget, whether as a protocol owner or as a security researcher.

This blogpost is based on aggregated experience from experimenting and playing with multiple various free Web3 security tools.

We use Forta bots for monitoring, and Pessimistic Spotter for push notifications. Let the games begin:

Forta Bots for Alerting and Filtering

Step 1: Search for alerts from Forta’s ”attack-detector-feed” bot (combining alerts from various Forta bots)

Step 2: In order to verify a given alert on a specific EOA, search for appearances of it in other Forta bots. An EOA that appears in various other indicative Forta bots (like malicious-smart-contract-ml-v3 for example) is likely to be an attacker, and should be reviewed manually to confirm. otherwise, it's most probably not an attacker.

On a daily average, 40 alerts are raised by the attack-detector-feed bot (step 1) for the entire ecosystem. Filtering a specific protocol or a set of smart contracts results in significantly fewer alerts. Following step 2 takes around 15 minutes, after which we'll have to manually review the remaining alerts.

Let’s take a look at the attack-detector-feed bot alerts from July 30th:

As we review the results, we can see that many alerts are associated with tagged attackers, such as "JPEGd_69 exploiter1" (0x6Ec21…78538), "JPEGd_69 exploiter2" (0x172f6...21e60), "CurveFinance Exploiter1" (0x30fb9...47aee5), and "CurveFinance Exploiter2" (0xdce5d...5d7d8).

Let's take the alert on EOA 0x6Ec21…978538 for example and illustrate how we perform step 2:

We can see that this EOA appears under several suspicious categories, so it’s definitely a candidate for manual review.

Let’s look how a benign example looks like:

‍

Moving to step 2.

We can quite easily see that there is no point in delving into this EOA further, since it is clearly a false positive.

Note that Forta’s free mode does not allow focused dedicated push notifications. We therefore use Pessimistic Spotter for push notifications, and whenever Pessimistic Spotter detects something suspicious, we use the free Forta bots to further investigate.

Pessimistic Spotter for Push Notifications

Pessimistic Spotter allows us to sign up for push notifications whenever someone deploys a suspicious contract associated with certain addresses. Pessimistic Spotter itself takes into account various parameters such as funds source, contract with selfdestruct, flash loans and much more. All we need to do is to register with the relevant contract and filter the alerts using free Forta bots as described above.

Using this method, we’ve been able to detect the ongoing attack on micDAO minutes before Certik tweeted, the ongoing attack on Onyx Protocol 50 seconds after the attacker’s contracts were deployed, and more.

‍

This method is obviously not fool-proof, but no security solution is. We believe it is definitely good enough and cost effective