Papers
Topics
Authors
Recent
Search
2000 character limit reached

GenDetect: Generalizing Reactive Detection for Resilience Against Imitative DeFi Attack Cascade

Published 28 Apr 2026 in cs.CR and cs.SE | (2604.26094v1)

Abstract: As blockchain ecosystems grow, financially motivated attackers increasingly exploit decentralized finance (DeFi) protocols, causing frequent and severe losses. Unlike conventional cyberattacks, DeFi exploits propagate rapidly due to the transparent and composable nature of smart contracts. We identify a critical pattern, Imitative Attack Cascade: an initial successful exploit is quickly followed by mimicking transactions that reuse attack logic with minor modifications or parameter changes. Our empirical analysis shows that over 69% of DeFi attacks exhibit strong behavioral similarity to earlier incidents, often within hours or days of the initial attack. This exposes a fundamental limitation in current reactive detection. Initial attacks are typically flagged via heuristic alerts (Tornado Cash traces, anomalous nonce usage, exploiter labels), but turning these signals into detection rules requires manual validation and handcrafted trace analysis -- a labor-intensive, slow process that leaves follow-up attacks to spread. Our goal is to ensure that once an attack has been observed, even a single instance, it can be rapidly abstracted into an actionable, generalizable detection rule. We decompose the problem into two challenges: (I) abstracting the semantics of diverse, obscure function signatures, and (II) matching transaction logic in noisy, evasive traces. We leverage two insights: (i) the open-source nature of most DeFi protocols enables high-fidelity semantic classification of function signatures; (ii) contract labels isolate essential logic by filtering irrelevant calls and classifying attack intent. Building on these, we develop GenDetect, which achieves ACC 98%, FPR 1%, FNR 3% and discovers 56 previously unrevealed attacks from the past three years. Source code and dataset: https://github.com/NobodyIsAnonymous/GenDetect_ICSE2026

Summary

  • The paper demonstrates that GenDetect generalizes reactive detection for imitative DeFi attacks, achieving an F1-score of 0.98 with a 1% false positive rate.
  • It details a novel framework combining semantic abstraction via CodeBERT and token type-aware logic matching using the ANSD metric to enhance detection robustness.
  • The paper shows real-time detection capability on Ethereum with sub-second latency and uncovers 56 previously undetected attacks causing over $1.5M in damage.

GenDetect: Generalizing Reactive Detection for Resilience Against Imitative DeFi Attack Cascade

Motivation and Problem Statement

The proliferation of decentralized finance (DeFi) protocols has engendered a corresponding surge in financially driven attacks, exploiting both smart contract logic and compositional vulnerabilities. A salient behavioral pattern in this threat landscape is the Imitative Attack Cascade, where a disclosed attack rapidly spawns numerous copycat incidents leveraging similar transaction logic and semantic signatures. Empirical analysis of the Phalcon and DeFiHackLab datasets demonstrates that approximately 69% of DeFi attack transactions exhibit strong behavioral similarity to prior events, often materializing within hours or days. This underscores a critical limitation in existing detection paradigms, which are largely heuristic-driven, labor-intensive, and fail to generalize beyond initial exploit detection, resulting in excessive detection latency and persistent vulnerability exposure.

The paper formalizes the challenge as the need for Reactive Detection Generalization: upon identifying an unknown attack instance, the system must rapidly produce a generalized detection rule capable of flagging subsequent imitative attacks with high fidelity, minimizing both false positives and negatives, and supporting real-time constraints required by blockchain transaction processing.

Technical Contributions and Framework Design

The GenDetect framework addresses two core challenges: (1) semantic abstraction of diverse, obscure DeFi function signatures, and (2) robust matching of transaction logic in noisy and evasive traces.

Semantic Abstraction leverages open-source smart contract code availability. GenDetect constructs a Function Signature Cheatsheet by clustering function implementations using CodeBERT semantic embeddings, with manual refinement to annotate operational intent (e.g., swap, transfer, borrow). For unseen signatures, the pipeline automatically fetches source code, performs similarity matching against curated codebases, and validates the label via LLM-based reasoning, expanding coverage in real time.

Logic Extraction and Matching exploits address labeling datasets (4Bytes, Phalcon) to isolate attack-relevant transactions, pruning benign or protocol-internal invocations and flattening nested traces. Token type-aware logic matching partitions calls by asset class (core asset tokens vs. protocol-specific tokens) and deploys Asymmetrical Normalized Set Difference (ANSD) to compute similarity. The ANSD metric is robust to call order mutations and noise, focusing solely on preservation or omission of attack-critical logic as established by the initial incident.

Hyperparameter tuning is executed via nested cross-validation, optimizing type weighting and similarity thresholds to maximize F1-score under varying skewed benign-to-malicious transaction ratios and mixed protocol categories.

Evaluation and Empirical Results

Detection Accuracy

On benchmark datasets (DeFiHackLab, Dune Analytics), GenDetect achieves an F1-score of 0.98, with a false positive rate (FPR) of 1% and a false negative rate (FNR) of 3%, outperforming state-of-the-art tools including Forta (FPR: 16%) and DeFiRanger (F1: 0.63). Ablation studies substantiate the criticality of source-based semantic extractionโ€”removal drops F1 to 0.42โ€”and confirm the superiority of set-based metric ANSD over sequence-sensitive LCS, where the latterโ€™s FNR sharply increases due to adversarial mutations.

Generalization and Zero-Shot Coverage

Cross-domain zero-shot evaluations yield coverage of 76%โ€“73% in detecting novel attacks versus 66%โ€“65% by Forta and markedly lower rates by pattern-based systems. GenDetectโ€™s semantic modeling via trace abstraction enables detection under low transparency conditions and mitigates the brittleness of hardcoded rules predominant in the industry and academia.

Discovery of Previously Undetected Attacks

GenDetect uncovers 56 previously undocumented attacks in real-world Ethereum DEX transaction data, collectively causing financial damage in excess of $1.5M. The semantic similarity analysis captures subtle exploits (e.g., mispriced internal accounting attacks via skim()) even when transaction values are modest and attacker behavior is obfuscated, demonstrating high-fidelity detection even for low-visibility threats.

Efficiency and Real-Time Capability

GenDetectโ€™s modular design supports parallel processing: average per-transaction latency is 0.02s for semantic extraction and 0.1s for trace matching, scalable to >2,000 TPS on 96-core infrastructure. Worst-case scenarios (trace length 800) still complete detection within 0.7s, satisfying block interval requirements on Ethereum and BNB; careful parallelization ensures feasibility on higher-throughput chains like Solana.

Limitations and Implications

Key limitations include challenges in achieving real-time guarantees on ultra high-throughput chains (e.g., full block detection on Solanaโ€™s 0.4s interval requires high core count), and inherent vulnerability to first-instance obfuscation, label-compromise attacks, and private-relay (โ€œdark poolโ€) evasion. Current limitations are acknowledged, especially for exploits with no observable on-chain anomalies (e.g., private key leakage). Mitigation strategies involve pre-filtering trivial transactions, formalizing first-instance robustness, and expanding collaboration with relay operators for broader visibility instrumentation.

The practical contributions are significant: GenDetect operates independent of attacker contract transparency, generalizes detection beyond known exploit categories, and enables composable defense strategies against polymorphic DeFi attack cascades. The theoretical implications pertain to the demonstrated effectiveness of code-based semantic representation and trace-level behavioral abstraction in security-critical, rapid-propagation financial systems. Future work may include further automation of semantic grouping, enhanced adversarial robustness, and accelerated similarity computation for ultra high-frequency environments.

Conclusion

GenDetect sets a new standard for reactive detection generalization in the DeFi security domain by operationalizing semantic trace abstraction, robust logic matching, and parallelizable similarity computation. With extensive empirical validation, it achieves high accuracy, practical coverage, and efficient real-time throughput, enabling scalable defense against imitative attack cascades. As DeFi ecosystems evolve, GenDetect provides a robust foundation for interpretable and timely threat detection, with further work required to optimally address high-throughput deployment and advanced evasion tactics (2604.26094).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.