Security Research

Making Sense of Alert Noise

October 26, 2023

Forta is the largest network of security intel in Web3. The decentralized Forta Network leverages machine learning to detect exploits, scams and other threats.     

In the quest to bolster blockchain security, alert noise is becoming a pressing concern. Earlier, the "Future of Threat Prevention" piece offered insights on safeguarding protocols against protocol attacks. As platforms like OpenZeppelin’s Defender 2.0 emerge, one can start utilizing streamlined automated incident response workflows! Successful solutions start with Forta’s Attack Detector's early exploit detection and end with configured mitigative actions, like a pause of the protocol, before funds are being stolen.

However, with the Attack Detector churning out hundreds of alerts monthly, discerning genuine threats from false positives becomes imperative. Could relying on Attack Detector alerts inadvertently cause disruptions to your protocol operations? Let's delve deeper.

Decoding Forta’s Attack Detector Mechanism

The Attack Detector meticulously scans transactions in real-time across every facet of an attack: the funding phase, preparation, exploitation, and even money laundering. Every alert unravels the web of addresses interwoven in the attack scenario. This doesn’t only spotlight the victim protocol’s addresses but also those that attackers frequently leverage, like flash loan providers, privacy protocols such as Tornado Cash, and DEXes. These alerts often feature token addresses prevalent in attacks, like wrapped native tokens and stable coins.

If your protocol is a favorite among attackers, it's plausible that you'll notice an influx of alerts with your addresses. Conversely, if your protocol isn't part of their toolkit, you'll witness a serene alert landscape devoid of your addresses. A recent deep dive revealed that 80% of publicly disclosed protocol attacks witnessed zero false positives in the 60 days leading up to the breach. Translating this, had these protocols harnessed an automated response mechanism to halt their operations, interventions would have been exclusively during genuine threats, potentially preventing catastrophic losses.

Is Forta's Attack Detector Right for Your Protocol?

The next logical question is, how can you ascertain your protocol's position in this landscape? Thanks to the analytical prowess of Forta community member Olugbenga2000, there is a tool tailored for this very purpose. It cross-references the Attack Detector's alerts from the past 60 days against your protocol addresses. Here's your steps one needs to take:

1. Access Data: Secure a plan granting you access to the Attack Detector alert data here.
2. SetUp: Clone the repository from this link and set up the FORTA_KEY variable in the .env file.
3. Compile Your Addresses: Author a .csv file compiling all your protocol addresses.
4. Execute: Run the tool with python3 index.py <path to csv>.

The output offers a comprehensive list of Attack Detector alert hashes containing your protocol address. For instance, while the USDC address on Ethereum had multiple alerts, the ApeDAO attack showed none for its addresses 0xB47955B5B7EAF49C815EBc389850eb576C460092 and 0xee2a9D05B943C1F33f3920C750Ac88F74D0220c3. Hence, while ApeDAO could seamlessly integrate with an automated incident response system, USDC might warrant a more nuanced approach due to its frequent use by attackers.

In the complex world of blockchain security, the precision of your defense mechanisms can make or break your protocol's reputation and operations. By understanding the nuances of Forta's Attack Detector, you can ascertain the right strategy for your protocol and sail smoother in turbulent waters.

Share