Papers
Topics
Authors
Recent
Search
2000 character limit reached

GenDetect: Reactive Detection for DeFi Attacks

Updated 5 July 2026
  • GenDetect is a DeFi security system that generalizes reactive detection by converting a single exploit into a reusable rule to identify imitative attack cascades.
  • It abstracts transaction semantics using source-based classification, contract labeling, and token-type-aware matching to distinguish malicious from benign traces.
  • Empirical evaluations demonstrate high accuracy and F1 scores, outperforming other tools and uncovering previously unrevealed attacks.

Searching arXiv for papers directly associated with “GenDetect” and closely related “GenDet” usages. GenDetect most directly denotes a DeFi security system that generalizes reactive detection from a single observed exploit to future imitative attacks. It is motivated by the pattern the authors call Imitative Attack Cascade: an initial successful exploit is quickly followed by mimicking transactions that reuse attack logic with minor modifications or parameter changes. Empirically, over 69% of DeFi attacks exhibit strong behavioral similarity to earlier incidents, more than 37% of initial attacks have 2–10 follow-up imitations, and these imitations together account for about $2 billion in losses (Cai et al., 28 Apr 2026).

1. Imitative Attack Cascades and the Reactive Detection Gap

GenDetect is framed against the limits of prevailing reactive DeFi monitoring. In the common workflow, an initial exploit is surfaced through heuristics such as Tornado Cash traces, anomalous nonce usage, or exploiter labels; analysts then manually inspect traces and handcraft detection rules. The system is designed for the period after that first exploit has been observed but before imitative attacks have fully propagated. The central claim is that the costly step is not noticing the first incident, but abstracting it fast enough into a reusable rule before copycat transactions spread (Cai et al., 28 Apr 2026).

The formalization distinguishes observed from unobserved attacks under a rule set $P=\{p_1,\dots,p_n\}.Forattacktransactions. For attack transactions A\subset Tandbenigntransactions and benign transactions N=T\setminus A,theobservedsubsetis</p><p>, the observed subset is</p> <p>A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},</p><p>andtheunobservedsubsetis</p><p></p> <p>and the unobserved subset is</p> <p>A_{\text{unob}}(P)=A\setminus A_{\text{ob}}(P).</p><p>Reactivedetectiongeneralizationthenasksforanewpattern</p> <p>Reactive detection generalization then asks for a new pattern p^\*suchthat,foranunobservedexploit such that, for an unobserved exploit t\in A_{\text{unob}}(P),</p><p>,</p> <p>p^\*(t)=\text{True}\quad\text{and}\quad \forall n\in N,\ p^\*(n)=\text{False}.$

This formulation is narrower than general anomaly detection and broader than vulnerability-specific heuristics. It targets behavioral recurrence: once one exploit trace exists, the objective is to recover the invariant exploit logic while discarding superficial parameter changes, call reordering, and filler operations.

2. Detection Objective and System Decomposition

GenDetect decomposes the problem into two challenges: abstracting the semantics of diverse function signatures and matching transaction logic in noisy, evasive traces. Its pipeline is organized as four technical stages, denoted T1–T4 in the paper: source-based semantic construction, automatic semantic classification, contract label-based logic extraction, and token type-aware logic matching (Cai et al., 28 Apr 2026).

The system’s first design premise is that the open-source nature of most DeFi protocols permits high-fidelity semantic recovery of function behavior. The second is that contract labels can isolate attacker intent by separating attacker-initiated logic from protocol-internal execution. The resulting detector is not opcode-level and not purely address-based; it operates on semantically abstracted, label-aware transaction logic.

This architecture places GenDetect between classical rule systems and end-to-end statistical detectors. It preserves explicit detection patterns, but those patterns are induced automatically from one exploit trace rather than hand-authored from scratch.

3. Semantic Abstraction and Logic Extraction

The semantic layer begins from 1,272 unique function signatures collected from real attacks in DeFiHackLab and Phalcon. These signatures are mapped to Solidity implementations through Dune’s “Decoded Projects” dataset. CodeBERT embeddings are then clustered with K-means, initially with K=80K=80, followed by manual refinement, producing a Function Signature Cheatsheet of 122 categories: about 60 high-frequency financial or verification roles such as transfer, swap, mint, burn, borrow, repay, beforeDeposit, and afterBorrow, plus about 62 low-frequency or project-specific roles such as emergencyBurn, burnAlp, and airDropReward (Cai et al., 28 Apr 2026).

For signatures not already present in the cheatsheet, GenDetect checks whether the contract is verified, retrieves the source when available, finds the nearest semantic category by CodeBERT similarity against a canonical reference codebase, and validates the assignment with GPT-4.1. If the assignment fails validation, a new category is created. Unverified contracts are treated differently: they are regarded as attacker artifacts rather than protocol functions, and are filtered downstream during logic extraction (Cai et al., 28 Apr 2026).

Logic extraction is driven by contract labels from community-maintained 4Bytes data, Phalcon labels, and explorer metadata. Addresses are categorized as protocol contracts or AttackerScript. GenDetect then retains only calls initiated by the transaction sender or by AttackerScript, while pruning calls initiated by protocol contracts. Wrapper layers are flattened by removing outer forwarding calls and promoting their internal subcalls. The output is an Extracted Logic trace that keeps attacker-initiated interactions with core tokens, protocol tokens, and DeFi protocol contracts, while discarding protocol-internal execution noise (Cai et al., 28 Apr 2026).

The consequence is that GenDetect does not compare raw traces. It compares a condensed behavioral representation in which function names have been converted to protocol semantics and irrelevant internal calls have already been removed.

4. Token-Type-Aware Matching and Asymmetrical Similarity

After extraction, GenDetect partitions logic into two token-economic views: core asset operations involving assets such as ETH, WETH, BNB, USDT, USDC, and DAI, and protocol-specific operations involving protocol-native or otherwise local tokens. Similarity is computed separately on these two views and then combined (Cai et al., 28 Apr 2026).

The core matching primitive is the Asymmetrical Normalized Set Difference. For an attack pattern AA and a candidate transaction ATA\subset T0,

ATA\subset T1

and the corresponding similarity is

ATA\subset T2

The asymmetry is deliberate: extra actions present in ATA\subset T3 but not in ATA\subset T4 do not reduce similarity, whereas actions required by ATA\subset T5 but missing in ATA\subset T6 do. This makes the method robust to evasions based on inserted noise or call reordering.

Final similarity is a weighted combination of token-type-specific similarities: ATA\subset T7 with a threshold rule

ATA\subset T8

Nested 4-fold cross-validation selects ATA\subset T9 and N=TAN=T\setminus A0 by F1 maximization (Cai et al., 28 Apr 2026).

This matching strategy is the methodological center of GenDetect. It encodes the intuition that imitative attacks preserve exploit-critical steps while varying peripheral details, and it treats exploit recurrence as partial preservation of a semantic action set rather than exact trace replay.

5. Empirical Performance and Historical Discovery

GenDetect is evaluated on a balanced benchmark with 534 malicious traces from DeFiHackLab and 534 benign traces from Dune DEX transactions, on mixed-category datasets containing 13,300 transactions, on 726 real incidents from Phalcon and DeFiHackLab, and on approximately 3 million Ethereum DEX-related transactions from 2021–2024 (Cai et al., 28 Apr 2026).

On the balanced DEX benchmark, GenDetect achieves N=TAN=T\setminus A1, N=TAN=T\setminus A2, N=TAN=T\setminus A3, and N=TAN=T\setminus A4. Forta reaches N=TAN=T\setminus A5 with N=TAN=T\setminus A6, and DeFiRanger reaches N=TAN=T\setminus A7 with N=TAN=T\setminus A8. In zero-shot cross-domain evaluation, GenDetect attains coverage of about 76.6% on Phalcon and about 72.8% on DeFiHackLab, compared with roughly 65–66% for Forta and about 19–28% for narrow-scope tools such as TxSpector and POMABuster (Cai et al., 28 Apr 2026).

Ablations isolate the contribution of each stage. Removing semantic extraction drops performance to N=TAN=T\setminus A9, Aob(P)={tApiP, pi(t)=True  nN, pi(n)=False},A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},0, and Aob(P)={tApiP, pi(t)=True  nN, pi(n)=False},A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},1. Removing logic extraction yields Aob(P)={tApiP, pi(t)=True  nN, pi(n)=False},A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},2. Removing token-type awareness yields Aob(P)={tApiP, pi(t)=True  nN, pi(n)=False},A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},3. Replacing ANSD with LCS yields Aob(P)={tApiP, pi(t)=True  nN, pi(n)=False},A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},4 and increases Aob(P)={tApiP, pi(t)=True  nN, pi(n)=False},A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},5 to 0.13. These results make the system’s dependence on semantic abstraction and asymmetric matching explicit rather than incidental (Cai et al., 28 Apr 2026).

The historical search over roughly 3 million DEX transactions identifies 682 previously public incidents, 1,862 MEV transactions, 79 false positives, and 56 newly identified attacks with total financial damage above $1.5M. A highlighted cluster comprises ten attacks resembling the known pSeudoEth-style skim() exploit pattern. The paper also states that GenDetect discovers 56 previously unrevealed attacks from the past three years (Cai et al., 28 Apr 2026).

6. Limitations, Deployment Profile, and Broader Context

GenDetect assumes open-source or otherwise verifiable protocol logic for best semantic fidelity, depends on label availability and label quality, and requires decoded transaction traces. The authors also discuss three residual evasion channels: obfuscating the very first attack so that the stored pattern is itself noisy, compromising label repositories, and routing transactions through completely closed private relays. These are presented as open problems rather than solved cases (Cai et al., 28 Apr 2026).

Operationally, the reported per-trace latency is about 0.1s on average and about 0.7s in the worst case for extremely complex traces. The paper argues that this is compatible with Ethereum-like and BNB-like block times, while higher-throughput environments such as Solana would require more aggressive filtering and scaling. Reported throughput exceeds 2,000 TPS across cores on the evaluation hardware (Cai et al., 28 Apr 2026).

In contemporary arXiv usage, the exact title “GenDetect” refers to this DeFi system. A plausible broader implication is that the name also resonates with a wider detection motif in recent work: the use of discrepancy learning, generation, or routing to improve robustness under shift. In AI-generated image detection, the related GenDet treats unseen-generator detection as anomaly detection through an adversarial teacher–student discrepancy-aware framework on CLIP features (Zhu et al., 2023). In anomaly detection, G2D explicitly converts one-class detection into binary classification by using intermediate GAN states as an “irregularity generator” (Pourreza et al., 2020). In AI-generated text detection, DoGEN uses a domain classifier to gate a top-Aob(P)={tApiP, pi(t)=True  nN, pi(n)=False},A_{\text{ob}}(P)=\{t\in A\mid \exists p_i\in P,\ p_i(t)=\text{True}\ \land\ \forall n\in N,\ p_i(n)=\text{False}\},6 ensemble of domain-specialized experts for out-of-domain robustness (2505.13855). These systems are domain-specific and methodologically distinct, but they collectively suggest a broader research trajectory in which detection quality is improved by abstracting from raw observations to more transferable latent structure.

GenDetect’s specific contribution within that trajectory is sharply defined: it operationalizes reactive rule generalization for DeFi by converting one observed exploit into a semantic, label-aware, noise-tolerant detector for imitative attack cascades.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to GenDetect.