Preventing Smart Contract Exploits with Automatic Pausing

Article by Forta Network Jan. 4, 2024

Forta is the largest network of security intel in web3. The decentralized Forta Network leverages machine learning and a community of security researchers to detect exploits, scams and other threats.  

In the rapidly evolving world of web3, security is often a difficult topic of conversation. Finding solutions to existing problems is tricky while maintaining privacy, a permissionless nature, and decentralization. While best practices are continuously being established and improved upon, the industry still faces daily headlines of a new protocol exploits with millions of dollars in user losses. Thankfully, Forta’s Attack Detector, developed in partnership with BlockSec and Nethermind, is now available to prevent exploits in a native web3 approach in which risks are mitigated through community based consensus mechanism.

At Forta, the goal of the community is to research and build solutions that mitigate and prevent malicious on-chain behavior. At its core, the Attack Detector is a culmination of these efforts to further protect the decentralized economy. By monitoring on-chain transactions, analyzing patterns and identifying anomalies, the Attack Detector offers a proactive defense mechanism unlike any other solution in the market.

What sets the Attack Detector apart is its ability to not just alert on threats, but to predict them. Through continuous monitoring of blockchain transactions, it can identify suspicious activities that may indicate a looming attack. This predictive capability is crucial for protocols that deal with large volumes of user funds. By integrating the Attack Detector, protocols or DAOs can significantly enhance the security of their smart contracts, ensuring the integrity of their operations. 

Responding to potential incoming or ongoing threats as quickly as possible is vital to protect vulnerable contracts. In the distributed world of web3, making any changes to a contract can be a very difficult or even impossible task. While manual incident response is a fantastic step to take to secure a protocol, it is no silver bullet. Contrasted with automated incident response, manual incident response is reactive rather than active, requiring protocol owners to directly activate a pause mechanism in a timely manner to evade an attack. Many obstacles can stand in the way of that activation, for instance, a multisig requires the authorization of several on-call users that might not even reside in the same time zone. This is all to say that functional automated incident response is a holy grail for security experts, enabling 24/7 always-on protection from hackers.

Setting Up Automated Incident Response with Defender

Here, the idea of automated incident response is explored in the context of pause functionality, which if implemented in a contract plays a crucial role in protecting funds. Forta’s Attack Detector was built to be easily implemented into smart contract management platforms like OpenZeppelin’s Defender platform that can perform actions based on threat intelligence. To curate relevant alerts to protocol, Defender’s Monitor module can be used to filter for protocol or DAOs specific contracts a user wishes to protect. The auto pause mechanism can then act swiftly, in the preliminary stages of the attack before funds are drained thanks to the Attack Detector’s predictive alerts. Upon receiving specific alerts from the Attack Detector, Defender then can automatically initiate a shutdown of specified contracts being targeted. This immediate response is crucial in preventing further exploitation and minimizing damage by cutting hackers down at the source.

Currently, any OpenZeppelin Defender user can access the Attack Detector for free. Start by selecting the Attack Detector Monitor from the Monitor Templates. 

A sample example of JS code that you can implement in Defender’s Actions section is as follows: 

const { ethers } = require("ethers");

const { DefenderRelaySigner } = require("@openzeppelin/defender-relay-client/lib/ethers")

// Set up ABI

const ABI = [

    // Add only the function signatures needed for pausing

    "function pause() public",

    "function unpause() public",

    "function paused() public view returns (bool)"


// Function to pause the contract

async function pauseContract(contract) {

if (!(await contract.paused())) {

    console.log("Pausing contract...");

    const pauseTx = await contract.pause();

    await pauseTx.wait();

    console.log("Contract paused.");

}else {

console.log("Contract is already paused.");



//Main Autotask handler

exports.handler = async function(credentials) {

    const provider = new DefenderRelayProvider(credentials);

    const signer = new DefenderRelaySigner(credentials, provider, {speed: "fast"});

    const contract = new ethers.contract("0x123")

    await pauseContract(contract);


The above code snippet would allow OpenZeppelin Defender to automatically take action and pause your smart contract given a certain trigger, in this case a relevant Forta alert. For further information on using Defender, click here to read their documentation.

Turning the Tide on Bad Actors

Almost all exploits can be broken down into four stages: Funding, Preparation, Exploitation, and Money Laundering. The Attack Detector can send out a variety of alerts based on its findings throughout any of these four stages. In order to have a successful pause on a victim contract, early detection in the funding and preparation stages is where the value of the Attack Detector can really be appreciated. This is where a foundation of heuristics and machine learning work together to provide users with actionable early detection.

The continued operation and decentralized nature of protocols’ contracts is paramount to ensure community confidence. Concerns about false positives often result in a hesitancy to adopt automated solutions so the Attack Detector has been built and fine tuned to minimize such a scenario. Thanks to the Attack Detector’s industry leading precision and recall, less than 1% of all protocols would have ever been paused by the Attack Detector due to a false positive. 

Understanding that every protocol has unique security needs, the auto-pause functionality is completely customizable. Some protocols may want to pause their entire protocol based on an indication of an incoming attack while others may just want to pause specific contracts or isolated functions. Users can set the firing mechanism up based on the specific alerts and thresholds defined in the Attack Detector. This flexibility ensures that protocols can tailor the security measures to fit their specific requirements. If automated incident response is not an option for your protocol, the same workflow can function similarly for manual incident response where users may want to receive a push notification or initiate another custom function based on the filtered alerts.

As the web3 landscape continues to rapidly evolve, threats to these new innovations will continue to proliferate. This is why security is paramount to protect and prevent the would-be bad actors from successfully running off with millions of dollars of stolen assets. With this solution, Forta provides the community with an open source option to protect protocols while maintaining composability, and decentralization. When combined with Defender or another smart contract platform, the Attack Detector is the first and most comprehensive solution to mitigate successful exploitation. For protocols, DAOs, and marketplaces alike, implementing the Attack Detector means taking a proactive stance in securing the future of web3. Click here to learn more about the Attack Detector and sign up for a free trial today!