Pump-and-dump detection model development

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1349
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    949
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

Development of Pump-and-Dump Detection Model

Pump-and-dump schemes in crypto markets operate far faster than their traditional-finance counterparts: from the initial coordinated buying push to the final dump, the entire cycle can unfold in hours or even minutes. Because all on-chain data is completely public, this creates a unique detection opportunity — we can observe wallet movements, volume concentration, and transaction synchronization in real time, giving protocols and users a meaningful window to respond before losses occur.

At our studio, we build turnkey pump-and-dump detection systems tailored to your token, DEX, or lending protocol. Our service includes data pipeline setup, custom ML model training, and integration with your smart contracts or alert infrastructure. Whether you need a standalone monitoring dashboard or an on-chain risk oracle, contact us to discuss your specific requirements and get an estimate for your project within a few business days.

Task: build a system that detects a P&D scheme during the pump phase, before the dump, so it can warn users or auto-protect the protocol in time.

Anatomy of pump-and-dump scheme

Understanding the mechanics is critical for building the right feature set.

Accumulation phase: organizers gradually buy the token with small orders, trying not to move the price. Signs include growing unique holder addresses with a stagnant price, unusual buy volume during off-hours, and synchronized wallets receiving ETH from a single source.

Pump phase: coordinated buying, usually organized through Telegram or Discord, drives the price up 200–2000% in hours. Volume spikes 10–100x the rolling average. Social media sees a surge of template messages promoting the token.

Dump phase: organizers sell at the peak. Retail buyers attracted by the price rise enter the market and end up holding worthless bags. The price crashes back to pre-pump levels or lower.

Phase Typical duration Key signal
Accumulation Days to 2 weeks HHI rising, price flat
Pump 1–6 hours Volume 10–100x, price +200–2000%
Dump 10–60 minutes Sharp sell-off, price -70–90%

Features for model

On-chain metrics

Volume anomaly score (VAS) = current_volume / rolling_avg_volume_30d. Values above 10 without fundamental news are a strong signal.

Holder concentration delta uses the Herfindahl-Hirschman Index (HHI):

HHI = Σ (balance_i / total_supply)²

Rising HHI means the token is concentrating in fewer addresses — a classic accumulation pattern.

Transaction synchronization coefficient measures how synchronized independent addresses are when making buys in the same time window (±5 minutes). Organic growth shows a uniform distribution; a P&D shows a clear spike.

Wallet clustering uses a graph of address relationships. Addresses receiving ETH from the same source, buying with similar EOAs, or sharing transaction patterns are likely controlled by a single entity. If 60%+ of volume comes from one cluster, that is a strong signal.

Price-volume divergence: healthy growth shows volume rising gradually alongside price. A P&D scheme shows volume spiking first and then a sharp price move — or both synchronized without the normal ramp-up.

Cross-market metrics

DEX vs CEX price discrepancy: if the DEX price is significantly above the CEX price, this may indicate intentional DEX price manipulation.

Liquidity depth change: sharp LP removal before the pump reduces buy resistance — a classic preparation pattern.

New wallet ratio: the percentage of transactions from wallets created less than 7 days ago. A high ratio suggests fresh addresses created specifically for the scheme.

Social signals (optional)

Telegram and Discord monitoring for ticker mentions. A sudden spike in positive sentiment combined with template calls-to-action is a coordinated pump signal.

Signal Source Model weight
Volume anomaly VAS > 10 On-chain 0.35
Cluster concentration > 60% On-chain 0.30
New wallet ratio > 40% On-chain 0.15
DEX–CEX spread > 15% Cross-market 0.12
Social spike + templates Off-chain 0.08

Detection system architecture

Data pipeline

  1. Connect to Blockchain RPC (geth or erigon) via WebSocket
  2. Stream Transfer and Swap events into Kafka or RabbitMQ
  3. Feature extractor (Python) computes all on-chain metrics per 5-minute window
  4. Push features to Redis (real-time) and PostgreSQL (historical, 90-day rolling)
  5. ML model runs inference and outputs a probability score 0–1
  6. Alert engine triggers notifications or oracle updates based on configured thresholds

Real-time blockchain connection via WebSocket:

from web3 import Web3, AsyncWeb3
import asyncio

async def stream_swaps(token_address: str, callback):
    w3 = AsyncWeb3(AsyncWeb3.AsyncWebsocketProvider('wss://mainnet.infura.io/ws/v3/KEY'))

    transfer_filter = await w3.eth.filter({
        'address': token_address,
        'topics': [Web3.keccak(text='Transfer(address,address,uint256)').hex()]
    })

    while True:
        events = await transfer_filter.get_new_entries()
        for event in events:
            await callback(event)
        await asyncio.sleep(0.1)

Feature extraction

Full feature extraction implementation (Python)
@dataclass
class TokenFeatures:
    token_address: str
    timestamp: float
    volume_anomaly_score: float
    new_wallet_ratio: float
    transaction_sync_score: float
    holder_hhi_delta: float
    liquidity_depth_change: float
    price_velocity: float

def compute_sync_score(
    transactions: pd.DataFrame,
    window_seconds: int = 300
) -> float:
    """How synchronized are independent addresses in buys"""
    tx_times = transactions['timestamp'].values
    unique_senders = transactions['from'].nunique()
    if unique_senders < 2:
        return 0.0

    bins = np.arange(tx_times.min(), tx_times.max() + window_seconds, window_seconds)
    hist, _ = np.histogram(tx_times, bins=bins)

    if hist.mean() == 0:
        return 0.0
    cv = hist.std() / hist.mean()
    return max(0, 1 - cv / 2)

ML model

For P&D detection, XGBoost or LightGBM on tabular features work well. Both are interpretable via SHAP values, fast at inference time, and robust to missing data. Historical labeled datasets typically contain 300–1,000 confirmed P&D events sourced from on-chain analytics providers and community-labeled datasets.

import xgboost as xgb
from sklearn.model_selection import TimeSeriesSplit

tscv = TimeSeriesSplit(n_splits=5)

model = xgb.XGBClassifier(
    n_estimators=500,
    max_depth=6,
    learning_rate=0.01,
    subsample=0.8,
    colsample_bytree=0.8,
    scale_pos_weight=neg_count / pos_count,
    eval_metric='aucpr',
    early_stopping_rounds=50
)

Evaluation metrics: precision-recall is more important than raw accuracy due to strong class imbalance. The goal is precision above 0.7 at recall above 0.6. False positives (false alarms) annoy users; false negatives (missed P&D events) cause serious reputation damage.

Alerting implementation

Thresholds and confidence levels

The system outputs a probability score rather than a binary label:

  • Score above 0.8: high confidence, immediate alert
  • Score 0.6 to 0.8: medium confidence, warning
  • Score below 0.6: monitoring only, no alert sent

Integration with protocol

For protocols that need on-chain protection: a trading contract can read the risk score via an oracle. If the risk score is high, the protocol can apply increased slippage tolerance or pause a specific pool automatically.

Why Is Early Detection Critical for Protocol Security?

Catching a pump-and-dump during the accumulation or early pump phase — not after the dump — is what separates a useful system from an audit report. Our team brings 5+ years of experience building on-chain monitoring tools across 30+ DeFi and CEX projects, and we guarantee that the detection pipeline goes live fully integrated, with documented APIs and a 30-day support period after delivery.

What Makes Our Approach More Reliable Than Rule-Based Alerts?

Rule-based systems (for example, "alert if volume > 10x") are trivially bypassed by sophisticated organizers who split orders or use proxy wallets. Our ML model is trained on labeled historical P&D events, cross-validated with 5-fold time-series splits, and continuously monitored for concept drift. This proven approach adapts to evolving manipulation patterns in ways that static thresholds cannot.

What's Included

The turnkey delivery package includes everything needed to go from zero to a production-ready monitoring system:

  • Feature engineering pipeline (Python, deployable on your infrastructure or cloud)
  • Trained XGBoost or LightGBM model with SHAP explainability reports
  • Real-time WebSocket connection to on-chain data sources
  • Redis and PostgreSQL feature store with 90-day rolling history
  • Alert engine with configurable probability thresholds and webhook notifications
  • Integration with your smart contracts or front-end dashboard
  • Technical documentation, API reference, and deployment guide
  • 30-day post-launch support and model performance monitoring

Typical project investment ranges from 12,000 USD to 35,000 USD depending on token coverage (single token vs multi-pool) and the number of required integrations. Contact us with your use case and we will prepare a detailed estimate within 3 business days.

Limitations and disclaimers

A detection system does not eliminate pump-and-dump — it warns. Organizers adapt to detection algorithms over time through adversarial techniques. Model quality degrades and requires periodic retraining on fresh data to remain effective.

On the legal side, automatic trading blocks based on ML predictions carry legal risks depending on jurisdiction. The safer approach is to warn users rather than automatically restricting trades.

Development timeline

Data collection and labeling: 3–4 weeks. Model training and validation: 2–3 weeks. Infrastructure and alerting setup: 3–5 weeks. Testing and protocol integration: 2 weeks.

Total: 8–14 weeks depending on the scope and number of integrations required.

How Do We Find What the Compiler Misses?

When a protocol loses $197M through a flash loan attack on a function that auditors reviewed live — it's not an accident. It's a systemic gap in methodology. Our experience shows: vulnerabilities live in a contract for over a year, while the compiler remains silent. We restructured the audit process to catch such cases before deployment.

What Static Analysis Won't Find?

Slither is the standard first tool. It finds reentrancy, integer overflow (in older Solidity versions), improper use of tx.origin, variable shadowing, uninitialized storage. On a real project, Slither produces dozens of warnings, of which critical ones are 0‑2. The rest is informational noise.

Slither won't find logical vulnerabilities. If withdraw correctly checks balance and correctly updates state, but business logic allows double deduction through two different code paths — Slither stays silent.

Mythril uses symbolic execution: builds a graph of all possible execution paths and searches for reachable states violating properties. Works well on isolated contracts. On a protocol of 20 contracts with cross‑contract calls — path explosion, analysis hangs or returns false positives.

Both tools are mandatory as a first pass. But they don't replace manual analysis.

Fuzzing: Where Echidna and Foundry Find Real Bugs

Echidna is a property‑based fuzzer from Trail of Bits. The idea: formulate contract invariants as Solidity functions (echidna_invariant), Echidna generates random call sequences and tries to break the invariant.

Example invariant for a lending protocol:

function echidna_total_assets_ge_liabilities() public view returns (bool) {
    return totalAssets() >= totalLiabilities();
}

Echidna will find a sequence deposit → borrow → liquidate → repay that violates this invariant. You can't build such a case manually — too many combinations.

Foundry fuzzing (forge test --fuzz-runs 100000) is easier to integrate if the team is already on Foundry. Supports stateful fuzzing via invariant tests. In a real project: auditing a vault contract, Foundry fuzzed for 40 minutes and found an edge case where maxWithdraw returned a value larger than actual balance at a specific shares/assets ratio after several donations. Hardhat unit tests missed it — they didn't have that combination of parameters.

Medusa (from Trail of Bits, newer than Echidna) supports corpus‑guided fuzzing and runs faster on large contracts. If the codebase exceeds 5000 lines of Solidity — we look at Medusa.

How Invariants Help Identify Critical Vulnerabilities

Formal verification proves that the contract satisfies specifications for all possible inputs — not for N random ones, but mathematically for all. Tools: Certora Prover, K Framework, Halmos.

Certora works with CVL (Certora Verification Language): write rules and invariants, the Prover translates them into SMT formulas and checks via Z3/CVC5. MakerDAO, Aave, Uniswap use Certora in CI/CD pipeline — every PR is automatically verified.

Limitations: doesn't work with unbounded loops, struggles with hash functions and signature verification. For contracts with simple math (AMM, lending) — excellent. For contracts with arbitrary external calls — difficult to write sufficiently complete specifications.

Formal verification makes sense for contracts that: manage over $50M, are rarely updated, have clearly formalizable invariants. For fast‑iterating products — the cost‑benefit ratio doesn't favor verification.

What Attack Vectors Do Junior Auditors Miss?

Storage collision in proxy pattern. Transparent proxy and UUPS use specific slots for implementation address (EIP‑1967). If an implementation accidentally declares a variable in slot 0 that overlaps with proxy storage — we get silent override. Slither won't catch this if proxy and implementation are in different files.

Read‑only reentrancy. Classic reentrancy guard protects against state changes during recursive calls. But if an external contract reads state via a view function mid‑transaction — guard doesn't help. Years ago, Curve pools became an attack vector precisely through this: an external protocol read get_virtual_price during a reentrancy‑vulnerable state of Curve.

Oracle manipulation via TWAP. Spot price is a standard target for flash loan attack. TWAP is harder to manipulate, but not impossible: on low‑liquidity Uniswap v2 pairs, TWAP can be shifted over several blocks with enough capital. Proper protection: use Chainlink as primary oracle with TWAP as fallback, with deviation threshold check.

Gas griefing on unbounded loop. A function iterates over an array of users. Attacker adds thousands of addresses with zero balances — the function's gas cost rises to the gas limit, making it inaccessible. Protection: pull pattern instead of push, limit array lengths, batch processing with position tracking.

Front‑running on MEV. Transaction is visible in mempool before inclusion in block. MEV bot sees addLiquidity for a significant amount, inserts its own swap before it (sandwich attack). For AMM this is part of the model. For protocols with price functions — require minAmountOut / deadline parameter and its mandatory verification.

Structure of a Full Audit

  1. Scope definition and automated analysis (1‑2 days). Fix commit hash, compiler version, list of out‑of‑scope items. Run Slither, Mythril, Aderyn. Triage: separate real critical bugs from false positives. Build contract dependency map.

  2. Manual analysis (5‑15 days). Each contract line by line. Special attention: all external and public functions, all transfer/call/delegatecall, all places where state changes before a check or after an external call, all math operations with user inputs. On average, 95% of found vulnerabilities are logical, not technical.

  3. Fuzzing and testing (2‑5 days). Echidna or Foundry invariant tests for critical invariants. Fork mainnet tests — verify behavior in real environment with real oracles. For example, in 4 days fuzzing finds on average 3 edge cases not covered by unit tests.

  4. Report and mitigation. Report with severity (Critical/High/Medium/Low/Informational), attack vector description, PoC code for Critical/High. Developers fix, auditors perform re‑audit of fixes.

Severity Examples Requires re‑audit?
Critical Drain funds, unauthorized ownership transfer Always
High Manipulation, DoS on key functions Always
Medium Incorrect behavior on edge cases Recommended
Low Gas inefficiency, typos in events Optional

Audit in CI/CD

Common practice for mature protocols: Slither and Aderyn run in GitHub Actions on every PR. Certora Prover — on merge to main. This doesn't replace a full audit before deployment, but catches regressions.

# .github/workflows/audit.yml
- name: Run Slither
  uses: crytic/[email protected]
  with:
    target: 'src/'
    slither-args: '--filter-paths "test|mock|script"'
Checklist of mandatory checks before deployment
  • All external functions have access controls (onlyOwner, onlyRole)
  • Use SafeERC20 for external tokens
  • No delegatecall to unknown addresses
  • Reentrancy check in all functions with external calls
  • Presence of minAmountOut and deadline in AMM functions
  • Use of a trusted oracle (Chainlink) with deviation threshold

Audit Tools Comparison

Tool Type of Analysis What It Finds Limitations
Slither Static Reentrancy, integer overflow, access control Misses logical vulnerabilities
Mythril Symbolic execution Reachable states violating properties Path explosion on large codebases
Echidna Fuzzing (property‑based) Invariant violations Requires writing invariants
Certora Formal verification Mathematical proof of properties Doesn't work with hashes/signatures

Deliverables

  • Full report in PDF with CVSS scores for each vulnerability
  • PoC code for all Critical and High (reproducible in test environment)
  • Remediation recommendations with code examples
  • Re‑audit after fixes (up to two iterations)
  • Brief guide for developers on ongoing operation
  • Post‑deployment support for 30 days (consultations and incident analysis)

Timeline

Audit of a simple token or NFT contract — 3‑5 business days. DeFi protocol with lending/AMM — 2‑4 weeks. Full stack with multiple protocols, cross‑chain, proxy upgrades — 4‑8 weeks. Re‑audit of fixes — 3‑7 days separately.

Our team has 7+ years of experience in smart contract security, having audited over 100 projects. We guarantee we won't miss any known attack vectors — we use licensed versions of Slither and best fuzzer configurations. Assess your project — we will analyze your code for free and provide a commercial offer within 2 days. Order an audit with quality guarantee and get a discount on re‑audit for repeat customers.