Attacks and Associated Bots

Last Updated Fri. 19 August, 2023

Protocol Attacks

These are attacks in which the economic properties of a protocol are manipulated in a way that allows funds to be stolen from it. For instance, if a protocol relies on an oracle for price information and attackers can manipulate the price (e.g. through a flashloan), tokens may appear more expensive or cheaper to the protocol than they actually are. In a collateralized lending protocol this may allow an attacker to obtain an uncollateralized loan. This bot detects flashloan attacks, a type of economic attack.

This is a way for attackers to submit transactions directly to the validator/miner in a privacy-preserving manner. This way the transaction is not temporarily queued in the mempool, where it would be at risk of being front-run. This bot detects flashbot attacks.

This is a temporary loan an attacker can obtain that has to be paid back within the same transaction. This allows an attacker to obtain large amounts of assets that can then be used to perform an economic attack (e.g. manipulate the price of a token). This bot detects flashloan attacks.

This is a vulnerability where the input a user provides is not sufficiently checked for malicious content. For instance, a contract may expect to execute an approval call passed as a parameter, but if the input is not sufficiently checked an attacker may pass a transfer call as the parameter instead. A vulnerable contract blindly executes whatever the attacker provides, without proper input validation. This bot detects if a contract has had 99% or more of one of its assets drained within a block, an indication of insufficient input validation.

These are pieces of code that take advantage of a smart contract vulnerability to manipulate the flow of execution to the advantage of an attacker. Some examples of known vulnerabilities are incorrect default visibilities, entropy illusion, constructor typos, reentrancy, over/underflows, uninitialized storage pointers, etc. This bot is Forta’s Attack Detector, which serves as an indicator of a smart contract exploit in progress.

This is an exploit that recursively calls into a vulnerable contract before it has updated its state properly. For instance, a withdraw function may be called multiple times before the user’s balance is updated. This could lead to an attack draining all assets from the vulnerable smart contract. This bot detects reentrancy attacks.

This is a contract deployed by an attacker to execute an attack. Certain attacks cannot be executed through a transaction alone; the attacker needs a contract. For instance, reentrancy is an attack for which a malicious smart contract is needed. This bot detects malicious smart contracts using advanced machine learning.

End user attacks

This is a special type of phishing attack in which a user is not tricked into disclosing private information but rather is tricked into signing an on-chain transaction that gives an attacker control over the user's digital assets. This often involves signing an approval transaction. Once the transaction is signed and incorporated into a block, the attacker can proceed to transfer the user’s digital assets to their own wallet. This bot detects ice phishing attacks.

These are projects whose creators, after users have invested in the project, run off with the users’ funds. There are two types of rug pulls: soft and hard rug pulls. This bot detects generic rug pulls.

Soft rug pulls are those where no intentional malicious purpose is incorporated into the code of the project. For example, the price of a token may organically increase. At a certain point in time the creators of the token may decide to sell all their tokens, causing the overall price to plummet to zero. Users end up with a worthless token while the project owners have cashed out. This bot detects soft rug pulls.

This is a broad term for a wide array of attacks, from phishing to rug pull projects or simply lying about the value of a project/token. Ultimately a scam involves the user purchasing some asset that ends up being worthless. This bot is Forta’s Scam Detector, which serves as an indicator of a scam in progress.

These are malicious programs a user is tricked into installing on the device on which their wallet and private key reside. Malware may steal the private key or modify transactions just before a user signs them. This malware usually results in users losing all digital assets in their wallet.

Seaport is a protocol to trade tokens. Seaport allows users to create offers by merely signing a transaction and not submitting it on-chain (it is structured this way as a gas saving measure). Traditionally, users think signing a transaction and not submitting it on-chain is a safe operation. This is not the case. In this attack, the scammer tricks the user into signing an offer that offers their digital assets (e.g. a set of NFTs) for a value well below market price. The scammer then executes the order on the user’s behalf, causing the user to lose their digital assets. This bot detects fraudulent NFT orders.

In this attack the scammer examines the transaction history of the user and submits zero-value transfers to or from the user, using an address that looks similar to an address in the user's history. Since the value is zero, no approval is required. The end result is that the transaction history for the user's wallet is now poisoned with addresses the attacker controls. A user may accidentally transfer tokens or native assets to those attacker-controlled addresses (variations of the attack exist where the attacker transfers a small amount rather than zero to the user). This bot detects address poisoning.
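One way to detect the pattern described above, as an added Python example (not Forta's address poisoning bot): replay a wallet's transfers, learn the counterparties it genuinely paid, and flag zero-value (or dust) transfers whose counterparty shares the leading and trailing hex characters of a known address. The addresses, block numbers and events are constructed for the example; the dust threshold covers the small-amount variation.

```python
# Added example, not Forta's bot code: address poisoning detection over constructed events.
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    receiver: str
    value: int  # token units; 0 for a pure poisoning transfer

def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if a and b differ but share the leading/trailing hex characters
    that wallets typically display (0xabcd...1234)."""
    a, b = a.lower(), b.lower()
    return a != b and a[:2 + prefix] == b[:2 + prefix] and a[-suffix:] == b[-suffix:]

def poisoning_alerts(user: str, transfers: List[Transfer], dust: int = 0) -> List[Dict]:
    """Replay transfers in block order. Valued transfers teach us the wallet's
    real counterparties; zero/dust transfers whose counterparty mimics one of
    them are flagged, whether sent to or (via a 0-value transferFrom) from the user."""
    user = user.lower()
    known: Set[str] = set()
    alerts: List[Dict] = []
    for t in sorted(transfers, key=lambda x: x.block):
        s, r = t.sender.lower(), t.receiver.lower()
        if user not in (s, r):
            continue
        counterparty = r if s == user else s
        if t.value > dust:
            known.add(counterparty)   # genuine interaction, remember it
            continue
        for k in known:
            if looks_alike(counterparty, k):
                alerts.append({"block": t.block, "poison": counterparty, "mimics": k})
                break
    return alerts

# Constructed sample: a real payment, then two poisoning transfers from a lookalike.
USER = "0x1111111111111111111111111111111111111111"
LEGIT = "0xabcd000000000000000000000000000000001234"
POISON = "0xabcd999999999999999999999999999999991234"  # same 0xabcd...1234 display
OTHER = "0x2222222222222222222222222222222222222222"
SAMPLE = [
    Transfer(100, USER, LEGIT, 500),  # user pays LEGIT: LEGIT becomes a known counterparty
    Transfer(101, POISON, USER, 0),   # attacker sends 0 tokens from the lookalike
    Transfer(102, USER, POISON, 0),   # 0-value transferFrom "from" the user, no approval needed
    Transfer(103, OTHER, USER, 0),    # unrelated 0-value transfer: not flagged
]
```

Running `poisoning_alerts(USER, SAMPLE)` returns the two lookalike transfers at blocks 101 and 102 and ignores the unrelated zero-value transfer.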

This is similar to ice phishing, but does not involve a token contract. Here the user is simply tricked into signing and submitting a transaction on-chain that transfers assets to the scammer. A variation of this attack often includes input data fields in the transaction that map to function names such as 'SecurityUpdate' or 'ClaimTokens', increasing the likelihood that a user signs and submits such a transaction. This bot detects native ice phishing.

In this attack, the attacker obtains the private key/seed phrase of a user's wallet. This allows the attacker to act as the user and transfer digital assets from the user's wallet. These keys can be obtained through phishing or malware on the user's device.

Sleep minting is a fraudulent activity where a scammer mints or creates new NFTs in the name of a known creator or artist without their permission or knowledge. Once the fake NFTs are minted, the attacker may sell or distribute them as if they were created by this creator or artist, whereas in reality they were not involved in the creation of those NFTs. This bot detects sleep minting attacks.

Wash trading refers to a deceptive and manipulative practice where an individual or entity simultaneously buys and sells the same asset to create an illusion of increased trading volume, liquidity, and a high price. This is typically done to manipulate the market and attract other traders or investors, as higher trading volume can be perceived as a sign of a popular and trustworthy asset. This misleading appearance of activity can lead to increased market attention, allowing the wash trader to profit from the resulting price increase. This bot detects wash trading attacks.

  • An airdrop is a marketing strategy used by blockchain projects to distribute free tokens or cryptocurrencies to a specific group of users, often to create awareness, encourage adoption, or reward loyal customers. These tokens are usually sent to the recipients' wallets without any cost.
  • Airdrop hunting refers to the act of proactively seeking out and participating in various airdrops to accumulate free tokens. This is usually done by joining multiple communities, following social media channels, or using specialized platforms to track upcoming airdrops.
  • Some users take this to the extreme and utilize multiple accounts controlled by the same entity (a Sybil attack) to maximize the number of received airdrop tokens. This bot detects airdrop hunting attacks.

Rake tokens are tokens that institute a trading fee that goes to the token deployer or the token contract itself. These fees are usually not apparent when a user acquires the token and can represent a significant percentage. This bot detects rake token attacks.

Sleep dropping is a technique used by scammers to drive traffic to websites where a secondary scam is executed. A sleep drop is a spam token, distributed via an airdrop, that contains a web link the user is directed to visit for some purpose (e.g., to claim a reward).

The link may be visible in the name of the token or may be exposed once the user tries to interact with the token (e.g., sell it). What is unique about a sleep drop is the way the token is distributed to users: it appears to be coming from a legitimate contract. The scammer does this to increase the credibility of the sleep-dropped token.

Pig butchering is a social engineering scam in which victims are groomed over a long period of time to invest cryptocurrency tokens into an investment platform that promises high returns. Victims may even be lured with some actual returns as a way to get them to invest more into the platform. Often, stablecoins are used in this scam and the scammer utilizes approvals to gain.

Gas prices are subject to variation, largely due to network congestion. This characteristic, together with a mechanism for gas refunds, led to the emergence of what are known as gas tokens. These tokens can be generated, or 'minted', when gas prices are low, and subsequently 'redeemed' when prices escalate. However, this mechanism has been exploited by scammers, who trick users into inadvertently minting gas tokens when they engage with a deceptive smart contract. This is usually achieved by setting approvals to the scammer’s token, which the unwitting user then revokes through an approval transaction. With the introduction of EIP-3529, which effectively eliminated gas refunds, this specific type of scam is no longer possible on the Ethereum network, but it remains a risk on other Layer 2 networks such as Binance Smart Chain (BSC) and Polygon.

Attack Stages

The funding stage is the initial stage of the attack, when an attacker requires funds to pay gas, execute trades, or use as collateral for borrowing in order to execute the attack. With many centralized exchanges having instituted KYC, attackers often turn to privacy-oriented protocols, like Tornado Cash. This bot detects Tornado Cash funding, a critical early warning sign of an attack.

The second phase of an attack is preparation, where, depending on the type of attack, the attacker may need to set up a few things prior to moving to the exploitation stage. For instance, when executing a reentrancy attack, the attacker needs to set up a contract; when executing an ice phishing attack, the attacker needs to trick users into token approvals. This bot detects malicious smart contracts using machine learning, a new and accurate method of predicting attacks.

The third stage is exploitation, in which the attacker actually drains the funds from smart contracts or users. The approaches in this stage are broad and range from logic bugs and flash loans to reentrancy attacks. This bot detects a reentrancy attack, a commonly used exploit.

The final stage is money laundering: once the funds have been obtained in the previous stage, the attacker proceeds to launder them so they can actually be used, again turning to privacy-oriented protocols. This bot detects money laundering with Tornado Cash.

By looking at all the stages as they happen from a bird’s-eye view, the certainty of an attack rises as the attacker moves through the stages. Via an automated process, attacks can be detected with high precision and often before exploitation. Forta’s Attack Detector serves as an indicator of exploitation by combining alerts from the previous stages, produced by a number of bots each looking for an indication of an exploit or an expected exploit.
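The stage correlation described above, written as a small Python correlator (an added example, not Forta's Attack Detector implementation): stage alerts attributed to one attacker address accumulate a score, and a finding is raised once enough stages have been seen, which can already happen at preparation, before exploitation. The alert ids, stage weights and block window are assumptions constructed for the example.

```python
# Added example, not Forta's Attack Detector code: per-address stage correlation.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional

# Illustrative stage weights in kill-chain order (an assumption, not Forta's scoring).
STAGE_WEIGHT = {"funding": 0.2, "preparation": 0.3, "exploitation": 0.4, "laundering": 0.1}
# Constructed alert ids for the four stage bots; not Forta's real alert ids.
BOT_STAGE = {
    "TORNADO-FUNDING": "funding",
    "MALICIOUS-CONTRACT-ML": "preparation",
    "REENTRANCY": "exploitation",
    "TORNADO-LAUNDERING": "laundering",
}

@dataclass(frozen=True)
class Alert:
    block: int
    alert_id: str
    address: str  # attacker EOA the stage bot attributed the alert to

class AttackCorrelator:
    """Tracks the stages seen per address inside a block window. A finding is
    emitted once the summed stage weights reach the threshold, which with
    these weights already happens at funding + preparation, before exploitation."""

    def __init__(self, threshold: float = 0.5, window_blocks: int = 10_000):
        self.threshold = threshold
        self.window = window_blocks
        self.seen: Dict[str, Dict[str, int]] = defaultdict(dict)  # addr -> {stage: block}

    def score(self, address: str) -> float:
        return round(sum(STAGE_WEIGHT[s] for s in self.seen[address.lower()]), 2)

    def process(self, alert: Alert) -> Optional[Dict]:
        stage = BOT_STAGE.get(alert.alert_id)
        if stage is None:
            return None  # alert from a bot that is not part of the stage model
        addr = alert.address.lower()
        stages = self.seen[addr]
        for s, blk in list(stages.items()):  # forget stages outside the window
            if alert.block - blk > self.window:
                del stages[s]
        stages[stage] = alert.block
        score = self.score(addr)
        if score < self.threshold:
            return None
        return {"address": addr, "score": score,
                "stages": [s for s in STAGE_WEIGHT if s in stages],
                "pre_exploitation": "exploitation" not in stages}
```

Feeding a funding alert followed by a preparation alert for the same address yields a finding with `pre_exploitation` set, and a funding alert older than the window no longer contributes to the score.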