Flipping the Script: Making Evasion Techniques Work for Defenders

Article by Forta Network Oct. 4, 2023

Forta is a real-time detection network for security monitoring of blockchain activity. The decentralized Forta Network scans all transactions and block-by-block state changes, leveraging machine learning to detect threats and anomalies on wallets, DeFi, NFTs, bridges, governance and other Web3 systems. When issues are detected, Web3 infrastructure can respond to prevent attacks via transaction screening and incident response.

This blog post and the associated report are works in progress, but they represent a comprehensive overview of evasion tactics as of October 2023.

The open-source nature of Web3 is both a boon and a curse. Sure, blockchains offer full transparency, with verifiable contracts and transaction visibility. This openness allows users, for instance, to scrutinize every airdropped token, review the distribution of holders, and generally determine whether a contract is trustworthy. Sounds like a scammer’s worst nightmare, right?

Unfortunately, this is not the case: scammers use that same openness as an opportunity for deception. Scammers are increasingly adapting, employing what can only be described as digital sleight-of-hand to deceive detection tools, block explorers, wallets, and yes, even you. They masterfully manipulate the information you see (on-chain transactions and contracts, information exposed by block explorers, etc.), leading you to believe that you’re interacting with a benign contract, when in reality, it’s anything but.

Evasion techniques are hardly new; they’ve been plaguing Web2 for years. Think malware hiding in memory or phishing emails mimicking legitimate emails to thwart detection. But in the inherently transparent world of Web3, evasion carries a silver lining—it presents an opportunity for detection.

Web3’s foundational ethos of openness generally makes concealment a red flag. Thus, identifying evasion techniques can serve as a pivotal “tripwire,” flagging malicious activity and better protecting end-users.

Apehex, a key contributor to the Forta Threat Research Initiative, recently led an in-depth study on evasion methods. The research first sorts out the various targets that scammers aim to evade, and then meticulously outlines the individual evasion strategies. These tactics range from well-documented methods in the threat landscape to those observed in the wild, as well as those speculated to potentially arise. The research produced the following taxonomy:

Detection Approaches

– Static Analysis: Examining contract code and artifacts.
– Dynamic Analysis: Studying the real-time behavior of contracts, like execution traces.
– Hybrid Analysis: A combination of static and dynamic analyses, often enhanced by statistics and machine learning.

Evasion Techniques Unveiled

– Spoofing: Masquerading malicious entities as benign by mimicking legitimate features.
– Morphing: Changing a smart contract’s behavior based on context.
– Obfuscation: Making harmful code difficult to detect and understand.
– Poisoning: Manipulating legitimate contracts to exploit their authority.
– Redirection: Shifting the execution flow to conceal malicious actions.

The complete report goes over dozens of evasion techniques, but one illustrative example worth mentioning is “Hidden Proxy,” a redirection technique. Here, scammers trick users into believing that a contract’s implementation is benign and located at one address, when it’s actually malicious and hidden at another address. Such maneuvers can be detected by comparing the addresses reached in execution traces with the statically determined implementation addresses and reporting any differences, as shown in the diagram below. Other evasion techniques outlined in the report have similar detection opportunities. These detection processes catch specific forms of hidden proxies by rating the probability that a given contract is a hidden proxy.
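To make the static-versus-dynamic comparison concrete, here is an added example (not code from Forta or from Apehex’s report): it walks a constructed, callTracer-style execution trace, collects every address a contract DELEGATECALLs to at runtime, and scores the contract by the share of those targets that its statically determined implementation addresses do not account for. The trace shape, the addresses and the `STATIC_TARGETS` mapping are all assumptions made up for the example.

```python
from __future__ import annotations
from typing import Iterator

# Constructed sample addresses (not real contracts). The proxy's static view,
# e.g. its implementation storage slot or constants in its bytecode, names only ADVERTISED.
PROXY = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
ADVERTISED = "0x1111111111111111111111111111111111111111"
HIDDEN = "0x2222222222222222222222222222222222222222"
STATIC_TARGETS = {PROXY: {ADVERTISED}}

# Constructed execution trace in a nested callTracer-like shape: each frame has
# type, from, to and optional sub-calls. A DELEGATECALL frame's "from" is the
# address whose storage context is executing, "to" is the code being run.
SAMPLE_TRACE = {
    "type": "CALL", "from": "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "to": PROXY,
    "calls": [{
        "type": "DELEGATECALL", "from": PROXY, "to": ADVERTISED,
        "calls": [{"type": "DELEGATECALL", "from": PROXY, "to": HIDDEN}],
    }],
}

def walk(frame: dict) -> Iterator[dict]:
    """Depth-first traversal over every frame of a nested trace."""
    yield frame
    for sub in frame.get("calls", []):
        yield from walk(sub)

def delegate_targets(trace: dict) -> dict[str, set[str]]:
    """Map each executing context address to the code addresses it delegated to."""
    targets: dict[str, set[str]] = {}
    for frame in walk(trace):
        if frame.get("type") == "DELEGATECALL":
            targets.setdefault(frame["from"].lower(), set()).add(frame["to"].lower())
    return targets

def hidden_proxy_findings(trace: dict, static: dict[str, set[str]]) -> dict[str, dict]:
    """Compare runtime delegation targets with the statically determined ones.
    The score is the share of runtime targets the static view did not predict."""
    findings = {}
    for ctx, runtime in delegate_targets(trace).items():
        declared = {a.lower() for a in static.get(ctx, set())}
        undisclosed = runtime - declared
        findings[ctx] = {"undisclosed": sorted(undisclosed),
                         "score": len(undisclosed) / len(runtime)}
    return findings

if __name__ == "__main__":
    for ctx, f in hidden_proxy_findings(SAMPLE_TRACE, STATIC_TARGETS).items():
        print(f"{ctx}: hidden proxy score {f['score']:.2f}, undisclosed {f['undisclosed']}")
```

A score of 1.0 means none of the runtime targets were visible statically; a real bot would also feed in the addresses recovered from bytecode constants and the proxy’s storage slots to build `STATIC_TARGETS`.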

Evasion techniques are abundant, and their negative impact is growing. Just like the bad guys’ methods, this report is constantly growing and being updated by the Forta community. The latest version of this report can always be found in Apehex’s GitHub.

Join the Forta rewards program, help build and improve Forta detection bots through research, get rewarded in FORT, and together, the Web3 ecosystem will become a safer place for everyone.