- The paper demonstrates that GenDetect generalizes reactive detection for imitative DeFi attacks, achieving an F1-score of 0.98 with a 1% false positive rate.
- It details a novel framework combining semantic abstraction via CodeBERT and token type-aware logic matching using the ANSD metric to enhance detection robustness.
- The paper shows real-time detection capability on Ethereum with sub-second latency and uncovers 56 previously undetected attacks causing over $1.5M in damage.
GenDetect: Generalizing Reactive Detection for Resilience Against Imitative DeFi Attack Cascade
Motivation and Problem Statement
The proliferation of decentralized finance (DeFi) protocols has engendered a corresponding surge in financially driven attacks, exploiting both smart contract logic and compositional vulnerabilities. A salient behavioral pattern in this threat landscape is the Imitative Attack Cascade, where a disclosed attack rapidly spawns numerous copycat incidents leveraging similar transaction logic and semantic signatures. Empirical analysis of the Phalcon and DeFiHackLab datasets demonstrates that approximately 69% of DeFi attack transactions exhibit strong behavioral similarity to prior events, often materializing within hours or days. This underscores a critical limitation in existing detection paradigms, which are largely heuristic-driven, labor-intensive, and fail to generalize beyond initial exploit detection, resulting in excessive detection latency and persistent vulnerability exposure.
The paper formalizes the challenge as the need for Reactive Detection Generalization: upon identifying an unknown attack instance, the system must rapidly produce a generalized detection rule capable of flagging subsequent imitative attacks with high fidelity, minimizing both false positives and negatives, and supporting real-time constraints required by blockchain transaction processing.
Technical Contributions and Framework Design
The GenDetect framework addresses two core challenges: (1) semantic abstraction of diverse, obscure DeFi function signatures, and (2) robust matching of transaction logic in noisy and evasive traces.
Semantic Abstraction leverages open-source smart contract code availability. GenDetect constructs a Function Signature Cheatsheet by clustering function implementations using CodeBERT semantic embeddings, with manual refinement to annotate operational intent (e.g., swap, transfer, borrow). For unseen signatures, the pipeline automatically fetches source code, performs similarity matching against curated codebases, and validates the label via LLM-based reasoning, expanding coverage in real time.
Logic Extraction and Matching exploits address labeling datasets (4Bytes, Phalcon) to isolate attack-relevant transactions, pruning benign or protocol-internal invocations and flattening nested traces. Token type-aware logic matching partitions calls by asset class (core asset tokens vs. protocol-specific tokens) and deploys Asymmetrical Normalized Set Difference (ANSD) to compute similarity. The ANSD metric is robust to call order mutations and noise, focusing solely on preservation or omission of attack-critical logic as established by the initial incident.
Hyperparameter tuning is executed via nested cross-validation, optimizing type weighting and similarity thresholds to maximize F1-score under varying skewed benign-to-malicious transaction ratios and mixed protocol categories.
Evaluation and Empirical Results
Detection Accuracy
On benchmark datasets (DeFiHackLab, Dune Analytics), GenDetect achieves an F1-score of 0.98, with a false positive rate (FPR) of 1% and a false negative rate (FNR) of 3%, outperforming state-of-the-art tools including Forta (FPR: 16%) and DeFiRanger (F1: 0.63). Ablation studies substantiate the criticality of source-based semantic extractionโremoval drops F1 to 0.42โand confirm the superiority of set-based metric ANSD over sequence-sensitive LCS, where the latterโs FNR sharply increases due to adversarial mutations.
Generalization and Zero-Shot Coverage
Cross-domain zero-shot evaluations yield coverage of 76%โ73% in detecting novel attacks versus 66%โ65% by Forta and markedly lower rates by pattern-based systems. GenDetectโs semantic modeling via trace abstraction enables detection under low transparency conditions and mitigates the brittleness of hardcoded rules predominant in the industry and academia.
Discovery of Previously Undetected Attacks
GenDetect uncovers 56 previously undocumented attacks in real-world Ethereum DEX transaction data, collectively causing financial damage in excess of $1.5M. The semantic similarity analysis captures subtle exploits (e.g., mispriced internal accounting attacks via skim()) even when transaction values are modest and attacker behavior is obfuscated, demonstrating high-fidelity detection even for low-visibility threats.
Efficiency and Real-Time Capability
GenDetectโs modular design supports parallel processing: average per-transaction latency is 0.02s for semantic extraction and 0.1s for trace matching, scalable to >2,000 TPS on 96-core infrastructure. Worst-case scenarios (trace length 800) still complete detection within 0.7s, satisfying block interval requirements on Ethereum and BNB; careful parallelization ensures feasibility on higher-throughput chains like Solana.
Limitations and Implications
Key limitations include challenges in achieving real-time guarantees on ultra high-throughput chains (e.g., full block detection on Solanaโs 0.4s interval requires high core count), and inherent vulnerability to first-instance obfuscation, label-compromise attacks, and private-relay (โdark poolโ) evasion. Current limitations are acknowledged, especially for exploits with no observable on-chain anomalies (e.g., private key leakage). Mitigation strategies involve pre-filtering trivial transactions, formalizing first-instance robustness, and expanding collaboration with relay operators for broader visibility instrumentation.
The practical contributions are significant: GenDetect operates independent of attacker contract transparency, generalizes detection beyond known exploit categories, and enables composable defense strategies against polymorphic DeFi attack cascades. The theoretical implications pertain to the demonstrated effectiveness of code-based semantic representation and trace-level behavioral abstraction in security-critical, rapid-propagation financial systems. Future work may include further automation of semantic grouping, enhanced adversarial robustness, and accelerated similarity computation for ultra high-frequency environments.
Conclusion
GenDetect sets a new standard for reactive detection generalization in the DeFi security domain by operationalizing semantic trace abstraction, robust logic matching, and parallelizable similarity computation. With extensive empirical validation, it achieves high accuracy, practical coverage, and efficient real-time throughput, enabling scalable defense against imitative attack cascades. As DeFi ecosystems evolve, GenDetect provides a robust foundation for interpretable and timely threat detection, with further work required to optimally address high-throughput deployment and advanced evasion tactics (2604.26094).