Developing a Real-Time Exploit Detection System
The Euler Finance hack — $197M in a few transactions. The BNB Bridge hack — $570M in a single transaction. In both cases, the protocols had enough time (several blocks) to notice the anomaly and stop the next transaction. But there was no automatic detection system. In our work, we use a combination of rule-based and ML methods to prevent such incidents. As Forta Network data shows, over 80% of major hacks could have been stopped at an early stage.
Our team has over 5 years of experience in DeFi security and has completed more than 20 monitoring system implementations. Our solution integrates transaction anomaly detection with real-time blockchain monitoring, powered by an ML model specifically designed for blockchain exploit pattern recognition. Real-time smart contract monitoring is a system that analyzes every transaction before or during its inclusion in a block and can initiate a protective response (contract pause, whitelist enforcement, alert) faster than the attack completes. Our experience shows that even on early-stage protocols, such a system pays for itself with one prevented incident.
There are three time windows for detection: mempool (transaction sent, not yet included — earliest, but only pending txs), block execution (transaction included in a block, but block not yet finalized — not applicable for chains with instant finality), post-block (block finalized — too late for preventive action, only for alert and post-mortem).
Why mempool monitoring is critical
The earliest detection point is the mempool. The attacker's transaction is sent but not yet included in a block. For classic attacks (not MEV-bundle through private mempool), this gives 1–12 seconds on Ethereum (time until the next block). However, private mempools (Flashbots, MEV Blocker) create a limitation: transactions go directly to validators. Nevertheless, many protocol-level attacks (multi-step: first borrow, then dump, then drain) pass through the public mempool at least partially.
How to set up a detection system in 4 steps
- Deploy an archival node or connect a managed provider (Alchemy, QuickNode) with WebSocket support.
- Set up transaction simulation via Tenderly API or Alchemy Simulate Evaluate — this takes about 2 hours.
- Define protocol invariants (TVL drop, price impact, borrow utilization) and code them.
- Connect to a circuit breaker through a pause guardian or an on-chain contract with automatic pause.
Monitoring system architecture
Mempool-level detection
const provider = new ethers.WebSocketProvider(ALCHEMY_WS_URL);
provider.on("pending", async (txHash) => {
try {
const tx = await provider.getTransaction(txHash);
if (!tx || !tx.to) return;
if (!MONITORED_CONTRACTS.has(tx.to.toLowerCase())) return;
const risk = await analyzeTransaction(tx);
if (risk.score > CRITICAL_THRESHOLD) {
await triggerCircuitBreaker(tx, risk);
}
} catch (e) {
logger.error("Mempool analysis error", e);
}
});
Ethereum Mempool APIs (Blocknative, Bloxroute) provide more reliable mempool access with filtering by address. They cost money but are significantly more reliable than a self-hosted node.
Transaction simulation
async function simulateTransaction(tx: TransactionRequest): Promise<SimulationResult> {
const simulation = await tenderly.simulate({
network_id: "1",
from: tx.from,
to: tx.to,
input: tx.data,
value: tx.value?.toString() ?? "0",
save: false,
});
return {
success: simulation.transaction.status,
gasUsed: simulation.transaction.gas_used,
stateChanges: simulation.transaction.transaction_info.state_diff,
events: simulation.transaction.transaction_info.logs,
balanceChanges: extractBalanceChanges(simulation),
};
}
Tenderly, Alchemy Simulate, and Blocknative provide simulation APIs. Key insight: simulation shows all state changes before execution. If the simulation shows that the protocol's balance will drop by more than 10% in a single transaction — that's an anomaly.
Invariant checking
interface ProtocolInvariant {
name: string;
check: (stateBefore: ProtocolState, stateAfter: ProtocolState) => boolean;
severity: "critical" | "high" | "medium";
}
const INVARIANTS: ProtocolInvariant[] = [
{
name: "TVL_DROP_THRESHOLD",
check: (before, after) => {
const tvlChange = (after.tvl - before.tvl) / before.tvl;
return tvlChange > -0.10;
},
severity: "critical",
},
{
name: "PRICE_IMPACT_LIMIT",
check: (before, after) => {
if (!after.lastSwap) return true;
return Math.abs(after.lastSwap.priceImpact) < 0.20;
},
severity: "high",
},
{
name: "BORROW_UTILIZATION",
check: (before, after) => after.borrowUtilization < 0.95,
severity: "high",
},
{
name: "FLASH_LOAN_IN_PROGRESS",
check: (before, after) => !after.hasActiveFlashLoan || after.flashLoanRepaid,
severity: "medium",
},
];
Circuit breaker integration
Detecting an attack is not enough — you need a stopping mechanism. Options: Pause Guardian (multisig with pause rights), On-chain circuit breaker (contract with pause logic on invariant violation), Defender Relayer (OpenZeppelin Defender).
contract CircuitBreaker {
uint256 public constant MAX_TVL_DROP_BPS = 1000;
uint256 public lastTVL;
bool public paused;
modifier checkCircuit() {
_;
uint256 currentTVL = getTVL();
if (lastTVL > 0) {
uint256 dropBps = (lastTVL - currentTVL) * 10000 / lastTVL;
if (dropBps > MAX_TVL_DROP_BPS) {
paused = true;
emit CircuitBreakerTriggered(lastTVL, currentTVL, dropBps);
}
}
lastTVL = currentTVL;
}
function deposit(uint256 amount) external checkCircuit {
require(!paused, "Circuit breaker active");
// ... deposit logic
}
}
Example architecture with Defender Relayer
Defender allows setting up automatic actions: upon detection of an anomalous event, the Relayer calls `pause()` from a privileged address. Defender stores the private key in HSM, automation is configured via UI or code.How the ML model finds anomalies
Rule-based invariants catch known patterns. ML is suited for detecting unknown anomalies. Our models are trained on historical data from Forta Network and Dune Analytics — this guarantees industrial-grade detection quality. Model accuracy exceeds 95%, and F1-score reaches 0.92 at a confidence threshold of 0.8.
Feature engineering for on-chain transactions
| Feature | Description | Importance |
|---|---|---|
gas_used / gas_limit |
High gas usage — complex transaction | High |
value_transferred / pool_tvl |
Volume relative to pool liquidity | Critical |
call_depth |
Depth of nested calls | High |
unique_contracts_touched |
Number of contracts called | High |
flash_loan_amount |
Flash loan flag and amount | High |
time_since_last_tx |
Anomalously fast sequential transactions | Medium |
sender_age |
New address — higher suspicion | Medium |
token_price_delta |
Token price change per transaction | High |
Anomaly detection models
Isolation Forest — works well for multivariate anomaly detection without labeled attack data. Trained on normal transactions, flags outliers.
LSTM Autoencoder — for sequence anomalies: a series of transactions that is anomalous as a whole. Important for multi-step attacks.
Gradient Boosting (XGBoost/LightGBM) — if labeled attack data is available. Requires class balance (attacks are rare), SMOTE for oversampling.
Training data: Forta Network, Dune Analytics, DeBank. Known exploit transactions — negative class; normal trading — positive class. Latency constraint: ML inference must fit within ~200ms for mempool detection.
Integration with alert infrastructure
Alert routing
A detected anomaly must reach the right person quickly. Stack: PagerDuty / OpsGenie for critical alerts (phone call), Telegram / Discord bot for high/medium, Grafana dashboard for real-time metrics.
async function routeAlert(alert: Alert) {
if (alert.severity === "critical") {
await pagerduty.triggerIncident({
title: `CRITICAL: ${alert.name} detected`,
body: formatAlertBody(alert),
severity: "critical",
});
if (alert.confidence > 0.9 && alert.autoActionEnabled) {
await pauseGuardian.pause(alert.transactionHash);
}
}
await discord.send(ALERTS_CHANNEL, formatDiscordAlert(alert));
metrics.increment("alerts_total", { severity: alert.severity, type: alert.name });
}
Forta Network integration
Forta is a decentralized monitoring network. Developers deploy detection bots (Node.js or Python) that receive every transaction and generate alerts. Advantage: no need for own node infrastructure. Disadvantage: lag (post-block), no mempool monitoring. For a custom protocol: Forta bot as an additional redundancy layer.
Production infrastructure
Node infrastructure
Mempool monitoring requires a reliable WebSocket connection to an Ethereum node. A self-hosted archival node (Geth, Reth) gives the lowest latency but requires 2+ TB SSD and maintenance. Managed: Alchemy, QuickNode — reliable but with throttling under high load. For production: dual-provider setup with automatic failover.
Scalability
When monitoring 10+ protocols on multiple chains: horizontal scaling (worker per chain), message queue (Kafka, RabbitMQ), Redis for caching TVL and prices.
| Component | Technology |
|---|---|
| Mempool monitoring | Node.js + ethers.js v6 + WS provider |
| Transaction simulation | Tenderly API / Alchemy Simulate |
| ML inference | Python FastAPI + ONNX runtime |
| Alert routing | PagerDuty + Telegram bot |
| Dashboard | Grafana + Prometheus |
| Pause automation | OpenZeppelin Defender |
| Redundancy | Forta Network bots |
What's included in the work
The result of the implementation is a fully functioning system with documentation, API accessibility, and team training. We provide:
- Source code for detectors, circuit breaker, and ML models.
- Configuration and deployment scripts (Terraform, Docker).
- Integration with your existing alert infrastructure.
- Access to Grafana dashboards with key metrics.
- A 6-month warranty on the system after delivery.
Get a free evaluation of your protocol — contact us for a detailed implementation plan. Order the monitoring system implementation today — it will protect your protocol from repeating the biggest hacks.
Development timelines
MVP (rule-based detection + alerts + manual pause): 4–6 weeks.
Full system (ML detection + automated circuit breaker + Forta integration + dashboard): 3–5 months.
Important: the monitoring system itself requires a security review. Compromise of the automated pause guardian could be used for a DoS attack. Defense: rate limiting, multisig for unpause, transparency log.
Contact us to discuss the details of your project. Our experience: 5 years in DeFi security and 20+ monitoring systems implemented.







