Deciphering Complex Data Structures with LLMs

Forta is the largest network of security intel in Web3. The decentralized Forta Network leverages machine learning and a community of security researchers to detect exploits, scams and other threats.       

The Forta Network pioneered the utilization of AI and ML to secure the web3 ecosystem, with the deployment of cutting edge models on the decentralized protocol that can detect and predict incoming attacks, exploits and scams. In this blog we will explore the Forta community’s innovative use of Large Language Models (LLMs) like ChatGPT to decipher and explain security alerts in human-readable formats. In the conversations surrounding smart contract exploit prevention and early detection, one topic that is often forgotten is how to improve the user experience (UX) in the event of an incoming threat alert. These AI-driven models can easily understand and process complex technical data, translating it into a simple, easy-to-understand format. This functionality is invaluable when every second counts. 

The Forta Network aims to provide an early warning system for projects and protocols, helping them to preemptively address vulnerabilities and prevent exploits. Threat intel data from threat feeds deployed on the protocol can be consumed through a pull method by querying the API or through a push method through smart contract management platforms like OpenZeppelin Defender or Hacken Extractor. A feature that is currently being explored in the Forta ecosystem is the integration of LLMs to interpret and explain security alerts. Traditionally, security alerts can be complex and difficult to understand, requiring a high level of technical expertise to decipher as well as making sure the right response is taken to prevent an exploit from occurring or quickly stop the bleeding. This complexity may lead to delays in response times, increasing the risk of damage from exploits. Additionally, understanding the often very complex nature of a scam transaction can be detrimental to protecting end users. 

Integrating LLM’s into the Forta dApp or potentially into smart contract management platforms like Defender or Extractor changes the game by translating these technical alerts into simple, human-readable formats. Once a potential threat is detected, the model describes the nature of the threat, its potential impact, and suggested actions for mitigation. Users can quickly grasp the nature and severity of potential threats without trudging through technical jargon. This accessibility not only empowers project owners and developers but also enhances community engagement with security practices and alerts.

Early detection is critical in the web3 space, where exploits can lead to substantial financial losses in a matter of minutes. The Forta Network’s decentralized approach, therefore, plays a crucial role in enhancing the overall resilience of the web3 ecosystem. By taking a community first approach to threat detection research and development the use of machine learning models ensures that solutions built on Forta are on the cusp of threat detection. Through making security information more accessible, the Forta Network fosters a culture of collective vigilance. Community members can contribute to security monitoring and threat detection, creating a decentralized and robust defense mechanism against malicious actors. 

This approach not only enhances the usability of security systems but also strengthens early detection and prevention mechanisms. As the web3 landscape continues to grow and evolve, the role of open platforms like the Forta Network in ensuring the security and integrity of decentralized networks will become increasingly critical. In conclusion, LLMs are enhancing web3 security by making real-time threat monitoring more user friendly, opening up on-chain research to an even larger audience. By providing simple, human-readable alerts for incoming threats, smart contract exploits, and ongoing scams, these models are contributing to a safer web3 ecosystem and enhancing the overall user experience. 

Forta Alert Demystifying Agent

To fully understand the how helpful the deciphering of complex data can be in the context of security, here is an example of how Forta’s “Alert Demystifying Agent” (coming soon) handled real Forta data.

{
  "anomalyScore": "0.0006006149532412497",
  "asset": "native",
  "blockNumber": "18928527",
  "contract": "0x01d1f55d94a53a9517c07f793f35320faa0d2dcf",
  "initiators": "0xf78e050479e3d59e4c67722b6f5a5349a55c293c",
  "postDrainBalance": "0",
  "preDrainBalance": "13364536702022070041",
  "txHashes": "0xdfac9f8df45cd1bf909995cd20cf8cad17f47abdfed0556717e5756bb459ab4b"
}

Let's break down this alert for you in an easy-to-understand way!

Anomaly Score: 0.0006006149532412497 - This score is quite low (highly anomalous), indicating that the behavior detected might be alarming in the context of the blockchain's normal activities.

Asset: Native - This means the activity involved the native cryptocurrency of the blockchain (like ETH for Ethereum).

Block Number: 18928527 - This is the specific block on the blockchain where the transaction occurred.

Contract Address: 0x01d1f55d94a53a9517c07f793f35320faa0d2dcf - This is the smart contract involved in the alert. Smart contracts are self-executing contracts with the terms of the agreement directly written into code.

Initiator: 0xf78e050479e3d59e4c67722b6f5a5349a55c293c - This address is the one that initiated the transaction. It could be a user or another contract.

Post-Drain Balance: 0 - After the transaction, the balance of the asset involved went down to 0. This indicates that all the assets were moved out of the contract.

Pre-Drain Balance: 13364536702022070041 (which is approximately 13.3645 ETH) - This was the balance before the transaction. The entire amount was drained by the transaction.

Transaction Hash: 0xdfac9f8df45cd1bf909995cd20cf8cad17f47abdfed0556717e5756bb459ab4b - This is a unique identifier for the transaction on the blockchain. It can be used to look up the details of the transaction on blockchain explorers.

In plain English, this alert is telling us that a transaction took place where the entirety of the assets (about 13.3645 ETH) was moved out from a specific smart contract to another address, leaving the contract's balance at zero. The low anomaly score suggests that this might not be a highly unusual pattern for this particular contract, but the draining of all funds could be a point of concern and warrants further investigation. This could be a case of a planned withdrawal or something more nefarious like a security breach or scam, depending on the context of the contract's intended use and operations.

• Share post