Detecting Exploits Before Funds Are Lost Using Attack Simulation

Article by Forta Network Jun. 16, 2022



Saddle Finance Hack Case Study

The Saddle Finance attack occurred in April 2022, resulting in approximately $11M USD being stolen. When attacks occur, analysis and the insights gleaned are shared broadly to strengthen the detection bot coverage and educate the community around detection approaches and opportunities. This particular attack was a flash-loan-assisted price manipulation attack that exploited incorrect use of the MetaSwapUtils library.

Forta monitors blockchain transactions to identify these attacks in real time. A Forta detection bot could use a simulation-based approach to mimic the exploit transaction locally before the exploitation occurs on-chain. This could produce high-confidence alerts early enough that protocols can fully mitigate the attack before any of the funds in a respective contract are lost. Forta is announcing a new detection bot development contest to develop such a bot and is awarding up to $3,000 USD (paid in FORT) to the winner of this contest. Please refer to the contest page for more details.


As previously discussed, attacks usually go through 4 distinct stages. As the attack moves towards the right side of these stages, the confidence that an attack occurred increases. Ideally, attacks ought to be identified with high confidence in the first two stages prior to funds being lost. How the Forta Network can be leveraged to do so is the subject of this blog post.

First, let’s capture a few key aspects of this attack:

1) The attacker created a smart contract (Etherscan tx)

2) This smart contract was invoked using a parameterless function call, 0xaf8271f7 (Etherscan tx)

3) The invocation of this function resulted in the attacker’s account receiving 3375 ETH

The contract creation happened at block 14684300 and the invocation at block 14684307, providing ample time for an automated incident response action (e.g. pausing contracts), provided the precision of the Forta alert is high.

The timeline of the attack as well as the corresponding Forta alerts are shown below. After the attack, the attacker proceeded to launder the funds, which also resulted in a money laundering alert.

Forta detection bots analyze transactions in real time to identify evidence in each of the aforementioned stages. The attacker contract creation was appropriately identified as a suspicious contract creation alert.

At this point, opportunities arise to further assess the created suspicious contract. Forta can not only analyze transactions but also simulate them using a local instance of Ganache, as described here.

Doing so makes it possible to fork the blockchain at block 14684300 and call each of the contract's functions to simulate potential exploitation. This contract had two functions, 0xa15db5c5 and 0xaf8271f7.
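One way a detection bot could find the functions to call, shown as an added example that is not Forta's code or part of the original article: walk the contract's runtime bytecode opcode by opcode and collect every 4-byte value used in a `PUSH4 <selector> EQ` comparison, the dispatcher shape commonly emitted by Solidity compilers. The bytecode below is constructed for illustration (it is not the attacker contract's real code) and the function and constant names are hypothetical.

```python
# Added example: recover candidate function selectors from runtime bytecode.
# EVM opcodes used by the heuristic.
PUSH1, PUSH4, PUSH32, EQ = 0x60, 0x63, 0x7F, 0x14

# Constructed sample: a minimal dispatcher comparing the call selector against
# 0xa15db5c5 and 0xaf8271f7, followed by a PUSH32 constant whose data happens
# to contain the bytes "63 deadbeef 14" (a decoy that is data, not code).
SAMPLE_RUNTIME_BYTECODE = (
    "0x6080604052"            # PUSH1 0x80 PUSH1 0x40 MSTORE
    "600035" "60e01c"         # load calldata word, shift down to the selector
    "8063a15db5c51461004057"  # DUP1 PUSH4 a15db5c5 EQ PUSH2 0040 JUMPI
    "8063af8271f71461005057"  # DUP1 PUSH4 af8271f7 EQ PUSH2 0050 JUMPI
    "00"                      # STOP
    "7f" "63deadbeef14" + "00" * 26 +  # PUSH32 <32 bytes of data>
    "50"                      # POP
)


def extract_selectors(runtime_bytecode):
    """Return selectors (hex strings) found as PUSH4 <sel> immediately before EQ."""
    hex_code = runtime_bytecode[2:] if runtime_bytecode.startswith("0x") else runtime_bytecode
    code = bytes.fromhex(hex_code)
    selectors = []
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            size = op - PUSH1 + 1              # number of immediate data bytes
            operand = code[i + 1:i + 1 + size]
            nxt = i + 1 + size                 # skip the data so it is never decoded as opcodes
            if op == PUSH4 and len(operand) == 4 and nxt < len(code) and code[nxt] == EQ:
                selector = "0x" + operand.hex()
                if selector not in selectors:
                    selectors.append(selector)
            i = nxt
        else:
            i += 1
    return selectors


if __name__ == "__main__":
    # Each selector can be sent as the complete calldata of a parameterless call.
    for selector in extract_selectors(SAMPLE_RUNTIME_BYTECODE):
        print(selector)
```

In a bot, the input would come from `w3.eth.get_code(contract_address)` on the forked node, and each returned selector becomes the `data` field of one simulated transaction.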

Note that we know from the actual exploit transaction that the exploit was invoked without any parameters, which lends itself to an exploit simulation within a detection bot.

This can also be simulated locally with the following code:

1) Start Ganache instance:


ganache-cli -v --fork <rpc_endpoint>@14684301 -p 7777 -d --noVMErrorsOnRPCResponse


2) Execute the following code to assess the WETH balance of the attacker, invoke the exploit function, and assess the WETH balance afterwards:


import json

import hexbytes
from web3 import Web3

# Local Ganache fork started in step 1
rpc_endpoint_address = 'http://127.0.0.1:7777'
w3 = Web3(Web3.HTTPProvider(rpc_endpoint_address))

# Account used to send the simulated transaction
account = w3.eth.account.from_key('0x4f3edf983ac636a65a842ce7c78d9aa706d3b113bce9c46f30d7d21715b23b1d')  # get from ganache output

gas_amount = 5000000
gas_price = 50  # in gwei
attacker_account_address = '0x63341Ba917De90498F3903B199Df5699b4a55AC0'
attacker_contract_address = '0x7336F819775B1D31Ea472681D70cE7A903482191'
val = '0xaf8271f7'  # selector of the parameterless exploit function
weth_contract = w3.toChecksumAddress('0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2')  # WETH contract address

with open('wethABI.json') as f:
    info_json = json.load(f)

# assess WETH balance of attacker prior to exploit
contract_abi = info_json
weth = w3.eth.contract(address=weth_contract, abi=contract_abi)
print(weth.functions.balanceOf(attacker_account_address).call())  # 0 WETH prior to the exploit

# invoke the exploit
raw_tx = {
    'chainId': 1,
    'from': account.address,
    'value': 0,
    'gas': gas_amount,
    'gasPrice': w3.toWei(gas_price, 'gwei'),
    'nonce': w3.eth.get_transaction_count(account.address),
    'to': attacker_contract_address,
    'data': hexbytes.HexBytes(val)
}
signed_tx = w3.eth.account.sign_transaction(raw_tx, account.key)
tx = w3.eth.send_raw_transaction(signed_tx.rawTransaction)
receipt = w3.eth.wait_for_transaction_receipt(tx)

# assess WETH balance of the attacker
print(weth.functions.balanceOf(attacker_account_address).call())  # 3375538166306826437272 wrapped wei (or 3375 WETH)

Executing this code will show that the WETH balance of the attacker increased from 0 to 3375 WETH: a clear indication that exploitation has occurred. Together, the suspicious nature of the account, the suspicious contract creation, and the verification of the exploitation through simulation shift high-confidence alerting capabilities into the preparation stage. This occurred several blocks prior to the actual exploitation and would have given Saddle Finance the opportunity to pause their smart contracts, analyze the attack in question, and successfully mitigate the attack.

An attack simulation bot will be a great addition to the Forta Network and significantly enhance the ability for protocols to identify and mitigate these attacks. Forta is announcing a new bot development contest to develop such a bot with a contest prize up to $3,000 USD (paid in FORT tokens). Please refer to the contest page for more details.

Start protecting your protocol from attacks like these by subscribing to curated Forta detection bot kits that monitor each of the 4 attack stages. If you have ideas around how to detect attacks, start building detection bots to secure the web3 ecosystem.