Forta releases Attack Detector 2.0 with BlockSec and Nethermind

Article by Forta Network Nov. 15, 2023

Forta is the largest network of security intel in Web3. The decentralized Forta Network leverages machine learning and a community of security researchers to detect exploits, scams and other threats.   

Forta’s Attack Detector is a collection of Forta bots that monitor and detect smart contract exploits using a combination of heuristics and machine learning. The Attack Detector is used by leading DeFi protocols and investors to alert about attacks in real-time. 

After six months of amazing work from the Forta Foundation and members of the Forta community, the Attack Detector 2.0 is officially launching. Attack Detector 2.0 adds two new core development teams, improved performance, and integrations with complimentary security tools. 

Leveraging the Community

Forta’s differentiator and strength is its community, and the Attack Detector 2.0 takes advantage of these factors by incorporating two new core development teams to work alongside the Forta Foundation and community security researchers: BlockSec and Nethermind. BlockSec is a longstanding Forta contributor with deep experience in threat detection. They are contributing proprietary detection logic that will increase the precision and recall of the Attack Detector. Nethermind, also a longstanding Forta contributor, will focus on Attack Detector bot maintenance and upgrades. 

The addition of these new core development teams means more comprehensive threat coverage and faster upgrade cycles to ensure the Attack Detector keeps pace with the evolving threat landscape.

Improved Performance

The most important aspect of any threat detection solution is performance, and the Attack Detector 2.0 boasts improved precision and recall. As a refresher, precision measures accuracy (what percentage of alerts were true positives), while recall measures completeness (what percentage of total exploits were detected). Both measures are important in the context of an exploit because you want to detect as many actual attacks as possible, while minimizing false positives/noise. 

By incorporating BlockSec, recall has improved such that the Attack Detector 2.0 is now detecting a majority of smart contract exploits. AD 2.0 also features improved false positive mitigation using a combination of positive reputation and machine learning, such that 83% of attacked protocols would not have received a single false positive alert in the 60 days before their attack. 

Low false positive rates are particularly important for protocols considering taking automated action based on alerts. For example, it might encourage a protocol to automatically pause their contracts in the event of an attack, as opposed to using a manual multisig.

A specific hack of note, the $197M Euler exploit, was detected before exploitation by the Attack Detector. If Euler had an automated prevention mechanism in place, the hack could have been prevented. The Attack Detector also flagged the recent Balancer, Curve, Yearn, and SushiSwap hacks as well as dozens of other major attacks resulting in the loss of tens of millions of users’ funds.

Integration with Monitoring and Prevention Tools

Exploit detection tools like the Attack Detector are a key component of any protocols’ security program, but making the alerts actionable is equally important. To this end, OpenZeppelin and Hacken, two leading Web3 security teams, will be integrating the Attack Detector 2.0 into their Defender and Extractor solutions respectively. OpenZeppelin Defender users will be able to add Attack Detector support within the Monitoring module and configure alerts to trigger automated actions like pause functionality. Hacken Extractor users will be able to view Attack Detector alerts within the Extractor dashboard without additional setup, and they can implement manual or fully automated protection mechanisms with the assistance of the Hacken team.

Attack Detector 2.0 alerts will remain in the same format; the only difference being that alerts will now feature a “bot source” field in the metadata that will specify “BlockSec” if the exploit was detected by BlockSec’s bot, and “Forta Base Bots” if the exploit was detected by the Forta Foundation bots. 

Users integrating from the API or accessing data via subscribing to alert notifications can expect a typical Attack Detector alert containing the following:

The alertID mapping to the algorithm utilized for raising the alert
Alert description containing information about the attacker and potential victim – if available
Metadata includes information about the underlying alert hashes (which map to transactions), information of the anomaly scores, all addresses involved in the underlying transactions, victim information if available, bot source (BlockSec/Forta base bots)

Additional information, such as loss information is contained in the base bot alerts.


The first iteration of the Attack Detector was previously available under the Forta Network’s General Subscription plan for 250 FORT/month. The Attack Detector 2.0 has been elevated to a premium feed available for $399/month. Subscription revenue is split evenly between the Forta Foundation and BlockSec.

To learn more about the Attack Detector and purchase access, click here.