Security Research
Lego Bots: Modular Threat Detection with Forta
January 10, 2023
Forta is a decentralized, permissionless network that detects on-chain threats in real time. The Forta community develops and deploys detection bots (based on heuristics or machine learning models) that identify threats by processing transactions and blocks. Hundreds of detection bots have been deployed on the network so far to identify malicious activity across the four stages of a hack: funding, preparation, exploitation and money laundering.
The Forta Network was recently upgraded to let bot developers handle alerts/findings in a modular fashion. This functionality allows bots to subscribe to and handle alerts that other bots emit, opening up a plethora of new detection opportunities. Prior to this upgrade, bots were essentially stuck in their own silo unless a developer used semi-complicated logic with limited functionality. Now, all bots in the network can act as logic legos, each informing the others of its findings. This blog post describes the new functionality and illustrates the powerful use cases it unlocks to further increase the efficacy of the network.
handleAlert Function
Bot developers, up until recently, have used the handleTransaction or handleBlock function. A scan node forwards transactions or blocks to the bot, and the bot implements its detection logic to identify malicious behavior; because bots can maintain state across transactions/blocks, this allows for more powerful transaction logic. For instance, a bot could identify whether an EOA was funded by Tornado Cash and subsequently alert when this EOA deployed a contract.
Unfortunately, this approach leads to code duplication across the network. A bot that wants to alert on contract interaction (as opposed to contract creation) by a Tornado Cash funded account would need to reimplement the Tornado Cash funding logic, duplicating code across bots.
HandleAlert addresses this issue by creating a framework for modular threat detection. HandleAlert allows a bot to subscribe to alerts and utilize those alerts in its own logic. In the example above, one could create three different bots:
Bot #1: A Tornado Cash Funding Bot that alerts when an EOA is funded by Tornado Cash.
Bot #2: A suspicious funded account contract creation bot. This bot would subscribe to the Tornado Cash Funding Bot and alert whenever a Tornado Cash funded account creates a contract. Once new bots are created that alert on other suspicious funding sources, the bot merely needs to update its subscription to expand its scope.
Bot #3: A suspicious funded account contract interaction bot. This bot would subscribe to the Tornado Cash Funding Bot and alert whenever a Tornado Cash funded account interacts with a contract.
To subscribe to a bot, a bot developer needs to return a subscription JSON from its initialize function. The subscription JSON specifies the bots (and alert IDs) the bot subscribes to:

```json
{
  "alertConfig": {
    "subscriptions": [
      {
        "botId": "0x186f424224eac9f0dc178e32d1af7be39506333783eec9463edd247dc8df8058",
        "alertId": "FLD_FUNDING"
      }
    ]
  }
}
```
Once subscribed, the bot's handleAlert(alert_event: forta_agent.alert_event.AlertEvent) function is invoked each time the subscribed bot emits an alert. The function is passed the AlertEvent object, which contains all the properties one would expect of an alert, such as bot id, chain id, alert id, addresses, description, etc.
To test this functionality locally, npm run alert alert_hash or npm run start can be used.
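The three-bot decomposition above, written out as Bot #2 (subscribe to the Tornado Cash Funding Bot, remember the funded EOAs, alert when one of them creates a contract). This is an added example, not code from the Forta post or SDK: the Alert and Transaction dataclasses are constructed stand-ins for the shapes of the SDK's AlertEvent and TransactionEvent so the block runs offline, and treating a transaction with no `to` address as a contract creation is an assumption of the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Bot id and alert id of the Tornado Cash Funding Bot, as given in the post.
TORNADO_FUNDING_BOT = "0x186f424224eac9f0dc178e32d1af7be39506333783eec9463edd247dc8df8058"
TORNADO_FUNDING_ALERT = "FLD_FUNDING"


@dataclass
class Alert:  # constructed stand-in for the fields of AlertEvent used here
    bot_id: str
    alert_id: str
    chain_id: int
    addresses: List[str]


@dataclass
class Transaction:  # constructed stand-in for the fields of TransactionEvent used here
    sender: str
    to: Optional[str]  # assumption: None means the transaction creates a contract
    chain_id: int


def initialize() -> dict:
    """Subscription config returned from initialize(): one bot, one alert id."""
    return {"alertConfig": {"subscriptions": [
        {"botId": TORNADO_FUNDING_BOT, "alertId": TORNADO_FUNDING_ALERT}]}}


# State kept across invocations: lower-cased EOAs the upstream bot flagged as Tornado funded.
funded_accounts = set()


def handle_alert(alert: Alert) -> list:
    """Consume the upstream finding; this bot emits nothing on alerts, it only learns."""
    if alert.bot_id == TORNADO_FUNDING_BOT and alert.alert_id == TORNADO_FUNDING_ALERT:
        funded_accounts.update(a.lower() for a in alert.addresses)
    return []


def handle_transaction(tx: Transaction) -> list:
    """Emit a finding when a remembered Tornado-funded EOA deploys a contract."""
    sender = tx.sender.lower()
    if tx.to is None and sender in funded_accounts:
        return [{"alert_id": "SUSPICIOUS-FUNDED-CONTRACT-CREATION", "address": sender,
                 "chain_id": tx.chain_id, "severity": "HIGH"}]
    return []
```

Bot #3 differs only in the condition inside handle_transaction (`tx.to is not None` plus a contract-address check), which is exactly the reuse the post argues for: the funding logic lives once, upstream.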
Use Cases
The handleAlert function unlocks modular threat detection on the Forta Network. Given the permissionless, community-driven nature of the Forta Network, this is a powerful development, as it allows bot developers to build on top of each other's contributions to further the threat detection capabilities of the network.
Below are a few additional use cases this functionality unlocks:
Machine Learning Features
HandleAlert operates on alerts, but really it operates on findings, which do not necessarily need to represent a malicious event. This trigger could merely be a piece of information that is useful throughout the network. A bot could emit informational alerts that propagate information about on-chain entities. For instance, a bot could provide information about the on-chain transaction history of a particular account, such as the number of transactions, transaction rate, age of the first transaction, number of large transactions, etc. This essentially represents features that could be utilized by a downstream machine learning bot to reason about an EOA's actions based on that new data. The modular design of a bot focusing on relaying features opens the door for a wide array of different downstream consumption models. A subscriber could, for instance, implement a supervised model or an anomaly detection model based on the same features.
Cross-Chain Events
HandleAlert allows the developer to propagate information across chains. Note that up until now, bots operated on a scan node tied to a single chain. Even with the ability to retain state over a set of transactions and blocks, it was difficult to obtain visibility across multiple chains and implement logic based on what happens across chains. With handleAlert, this is now possible and opens up opportunities to identify threat conditions that only emerge when inspecting transactions across multiple chains. A clear use case relevant to threat detection is bridges. With handleAlert, it is now possible to monitor both sides of a bridge by subscribing to bots that monitor deposits and withdrawals across the multiple chains (the AlertEvent contains the chain_id property to determine which chain the alert came from).
Hierarchical Bots
As described above, HandleAlert unlocks modular design on the Forta Network to reuse code and build on top of existing bots. Code reuse is only one advantage of this approach. The ability to refine detection logic can be very powerful when combining alerts to increase precision/recall. If a bot could consume a broad range of alerts, it could then group them by common EOAs and emit a highly precise alert if multiple alerts have been observed. Attack Detector V2 implements this logic. Further, it enables powerful modular clustering logic that can be utilized in a bot. For instance, the Entity Clustering Bot emits alerts when addresses seem to be controlled by the same person. A subscriber can utilize this information to treat multiple addresses as one and the same when processing emitted alerts.
False Positive logic
False positives are an unfortunate reality in the area of threat detection. A bot developer usually implements some false positive mitigation logic in their bot. For example, a bot developer could ignore alerts from addresses that are older and have a transaction count above a certain threshold. With the handleAlert functionality, this can now be modularized in dedicated FP mitigation bots that emit an alert once an EOA has been deemed safe. A bot that identifies malicious behavior can subscribe to these FP mitigation bots to filter alerts prior to emitting a finding. This allows bot developers to specialize in either FP mitigation or threat detection. Today, there are several bots that implement FP mitigation logic: Positive Reputation, MEV account, and Victim Identification Bot.
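A hierarchical subscriber that combines the three ideas from the Cross-Chain Events, Hierarchical Bots and False Positive sections: it learns which EOAs FP-mitigation bots have deemed safe, groups stage alerts (funding, preparation, exploitation) by EOA across chains, and emits one high-precision finding only when an EOA that is not on the safe list has been seen in at least two distinct stages. This is an added example, not Attack Detector V2 or any Forta bot's code; the bot ids are labelled placeholders, the Alert dataclass is a constructed stand-in for AlertEvent, and subscribing with only a botId (no alertId) to receive all of that bot's alerts is an assumption of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Placeholder bot ids (NOT the real ids of the bots the post names).
FP_BOTS = {"0xPLACEHOLDER_POSITIVE_REPUTATION", "0xPLACEHOLDER_MEV_ACCOUNT"}
STAGE_BOTS = {"0xPLACEHOLDER_FUNDING_BOT": "funding",
              "0xPLACEHOLDER_PREPARATION_BOT": "preparation",
              "0xPLACEHOLDER_EXPLOIT_BOT": "exploitation"}
MIN_STAGES = 2  # distinct hack stages required before this bot emits


@dataclass
class Alert:  # constructed stand-in for the fields of AlertEvent used here
    bot_id: str
    alert_id: str
    chain_id: int
    addresses: List[str]


def initialize() -> dict:
    # Assumption: omitting alertId subscribes to every alert a bot emits.
    subs = [{"botId": b} for b in sorted(FP_BOTS | set(STAGE_BOTS))]
    return {"alertConfig": {"subscriptions": subs}}


safe_addresses = set()                 # EOAs an FP-mitigation bot cleared
stages_by_eoa = defaultdict(dict)      # eoa -> {stage: chain_id where seen}
emitted = set()                        # EOAs already reported, to avoid repeats


def handle_alert(alert: Alert) -> list:
    if alert.bot_id in FP_BOTS:        # learn safe EOAs; never alert on them
        safe_addresses.update(a.lower() for a in alert.addresses)
        return []
    stage = STAGE_BOTS.get(alert.bot_id)
    if stage is None:                  # alert from a bot we do not reason about
        return []
    findings = []
    for addr in (a.lower() for a in alert.addresses):
        if addr in safe_addresses or addr in emitted:
            continue
        stages_by_eoa[addr][stage] = alert.chain_id   # chain_id keeps cross-chain context
        if len(stages_by_eoa[addr]) >= MIN_STAGES:
            emitted.add(addr)
            findings.append({"alert_id": "MULTI-STAGE-ATTACKER", "address": addr,
                             "stages": sorted(stages_by_eoa[addr]),
                             "chain_ids": sorted(set(stages_by_eoa[addr].values()))})
    return findings
```

Because the FP check runs before any state is recorded, a safe-listed EOA never accumulates stages, which is the "filter prior to emitting a finding" behaviour the section describes.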
The new handleAlert functionality is a powerful addition to the Forta Network. It enables modular threat detection design, allowing bot developers to specialize and build detection logic leveraging each other's contributions to the network. It creates efficiencies through code reuse as well as unlocking new use cases that previously were not possible, such as cross-chain bridge monitoring.
Take a look at the handleAlert documentation. When developing a detection bot, think about the high level components a bot requires and deconstruct your bot into reusable components. Take a look at which bots already exist on the network through the bot search page to see which logic you could leverage. This can and will speed up the development of your own Forta detection bots. By enabling modular functionality in bots, the Forta community is brought closer together, allowing for the further decentralization and development of cutting edge threat detection systems.