Bot Gaps

Improve precision and recall by building Forta Detection Bots. Total: 31

In order to strengthen the Network’s detection capabilities, members will: create new bots, improve existing bots, evaluate existing bots, and prototype new DS models.

Note, the list isn’t prioritized. Generally, the gaps with the most attack analysis reference links are likely to be the most important ones to close.

Bots need to identify the desired behavior with high precision and recall. A bot should emit:

| Gap Name | Date | Gap Description | Attack Analysis Reference | Priority (1 being the highest) | Claimed By | Claimed On | Completed |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Bad Seaport Orders | 1/27/2023 | Identify when an attacker is able to create a Seaport offer that is well below floor price to then turn around and sell the item at floor price once it has been obtained. | https://zengo.com/offline-signatures-can-drain-your-wallet-this-is-how-part-1-2/<br>https://etherscan.io/nft/0xae99a698156ee8f8d07cbe7f271c31eeaac07087/6262 | 0 | kayaba | 1/31/2023 | https://explorer.forta.network/bot/0xd9584a587a469f3cdd8a03ffccb14114bc78485657e28739b8036aee7782df5c |
| Phishing ML Model | 3/1/2023 | Productize the Kaggle competition ML model | | 0 | Mariko | 3/1/2023 | |
| End User Attack ML Model | 2/23/2023 | Build a ML classifier that consumes base bot alerts to identify end user attacks. | | 0 | Christian | 2/23/2023 | |
| Spam bot | 1/17/2023 | NFT and token spam is a problem, particularly on Polygon. A bot should identify airdrop spam (e.g. tokens that airdrop to many users at the same time and/or tokens that by default are owned by a large user base). The tricky part will be to differentiate between legitimate and spam airdrops. | | 0 | Kovart | 1/26/2023 | |
| Address Poisoning Bot | 1/27/2023 | Identify attackers slipping into the address history by inserting 0 value transactions of similar addresses.<br><br>An alert of different severity can be emitted if the transfer of 0 tokens is a one-off or bundled through a contract (see part 2 of the Coinbase blog).<br><br>The bot could also cluster contracts together to identify these malicious contracts even before they become active. | https://mirror.xyz/x-explore.eth/cL3d_CyNujXq8XY7ueP4omNXx_IY1EG5Dz0FD0vJ90M<br>https://www.coinbase.com/blog/zero-transfer-phishing-investigation-part-2-phishing-campaigns?utm_source=substack&utm_medium=email | 0 | Trevor Forsyth | 1/27/2023 | https://explorer.forta.network/alert/0xce6b1d4a978b3a8f47a6722ce53bea301839068fd94df9c4ed6aa616342045ce |
| Positive Reputation Contract Bot | 2/1/2023 | Identify what contracts are good | | 0 | Christian | 2/1/2023 | |
| End User Key Compromise | 2/22/2023 | When an end user key is compromised, we would observe transfers from end-users into an attacker wallet. It should be a star-shaped graph that results in all/most assets from one user to another.<br><br>If the key is compromised upon wallet creation, one would see immediate transfers upon a deposit, often even the first deposit. | na | 1 | Nethermind | 3/6/2023 | |
| Non-zero value address poisoning | 3/24/2023 | Address poisoning can happen in multiple forms. 0 value is the most common and covered by an existing bot.<br><br>At times, scammers dust wei to victims. Further, at times, the scammers will create an impersonation token (e.g. USDC) and transfer similar amounts to what the user has transferred in the past. | https://twitter.com/MetaSleuth/status/1638765390355628033?t=Tm1qGVLaLhli2L_IE5MvQw&s=19 | 1 | Trevor | 3/24/2023 | |
| Native Ice Phishing | 3/2/2023 | Users are tricked into signing a tx that transfers native assets to the scammer directly. Similar to end user key compromise, we would observe a star pattern, but only native assets are transferred.<br><br>Some scammers are using tactics to make the transaction appear benign. This one causes the string SecurityUpdate() to be shown in their wallets: https://twitter.com/evilcos/status/1593806480670527488 (https://etherscan.io/tx/0x9ff2cf6597a99114b02cf92961e82ff6e13da075b671d31ee9014f770551658a) | na | 1 | Nethermind | 3/6/2023 | |
| Scam Notifier Bot | 2/14/2023 | Some addresses are tagging scammers on chain about scam contracts they deploy. This bot should monitor these messages and emit an alert on the scam contract associated with the to address the scam notifier sends messages to. | https://etherscan.io/tx/0xe5b57fd6c5b8376ce2fb1ace5688dd719db977c8e658dd582dedc5ede19687bd | 1 | Gitcoin bounty | | |
| Scammer NFT Trader | 2/28/2023 | Phishers/scammers that steal NFTs eventually need to sell them. This bot should identify NFT traders. Scammers vs legitimate users can probably be distinguished by how quickly they sell an NFT they obtained as well as how close to/below the floor price they are. | https://etherscan.io/token/0x064f9547a78bd5ba35a7aeb2221de69b86cd6307?a=78 | 1 | Kayaba (David) | 3/22/2023 | |
| Fraudulent LooksRare Orders | 2/28/2023 | See https://etherscan.io/tx/0x1e34191a7a23897262766e64f1e9298b2e5fbf0067c4309bdbb8a29a47c21478 where NFT is sold for very little. This is the LooksRare protocol.<br><br>This isn't a fraudulent one, but I wonder whether LooksRare is abused that way. To be investigated to determine whether this would be a valuable bot. | | 1 | | | |
| Victim Identification Bot | 2/1/2023 | Victims of scams are likely susceptible to other scams. As such, given a victim list, could other scam projects be identified (e.g. an unknown contract sees a high percentage of victims interacting with it)?<br><br>This bot also provides context on who victims are and the losses incurred. | | 1 | David | 3/15/2023 | |
| Contract similarity bot | 2/23/2023 | Scammers likely utilize templates in their scams. A token contract from scammer 1 is likely similar to another token contract from the same scammer. This bot should identify similar contracts based on code as well as information on how the contract is created and utilized. | na | 1 | Gitcoin bounty (Soptq) | 3/15/2023 | Yes |
| Soft Rug Pull | 2/3/2023 | Soft rug pull in which a token gets created, liq pool established, shortly advertised, and then all liquidity removed from the pool.<br><br>The liquidity pool that is being created likely has the following characteristics:<br><br>One needs to assess whether the liquidity pools of scam tokens are different from the initial version of liquidity pools of legitimate tokens. | https://etherscan.io/dex/uniswapv2/0xD716aAC36933d4725f071a21BEc4a729aB856209<br>https://etherscan.io/address/0x39741522d210b23efea51635a93b84cb368b6669 | 1 | Gitcoin bounty (Xolá) | | |
| Wash trading | 2/1/2023 | Wash trading is the practice of selling NFTs to oneself at higher prices, such that in the trading history, the price appears elevated. Some wash trading bots already exist. Need to create a generic version. | | 1 | Gitcoin Bounty (Andrew) | | Yes |
| Rug pull techniques | 12/26/2022 | Lots of techniques described in the report. | https://8990222.fs1.hubspotusercontent-na1.net/hubfs/8990222/Solidus Labs 2022 Rug pull report.pdf?utm_source=substack&utm_medium=email | 1 | UCSB | | |
| ChangeNow funding bot | 10/7/2022 | Alert on ChangeNow funding activity (new accounts/low amounts). | https://docs.google.com/document/d/11LkWATAUCXeXGrWoZF7o7ZJOs-3oh5NIBWzbna8r14Y/edit#heading=h.mad3g6xe3vsk | 1 | Trevor Forsyth | | Yes |
| Rake Token | 12/6/2022 | Identify tokens which implement a fee rake that goes to a hard-coded address/deployer (e.g. https://etherscan.io/address/0xe6545ae93a57186faddb725bee23390887302c6d) | N/A | 1 | Gitcoin bounty (Sprtd) | | |
| Protocol anomaly detection bot | 10/7/2022 | Bot should learn the execution profile of a contract (what functions are invoked/parameter ranges) and alert on deviations from normal behavior (could also utilize execution trace to make that assessment).<br><br>This could also be a heuristic (e.g. functions that are publicly exposed are suddenly called. This could also be used for vulnerability discovery) | https://docs.google.com/document/d/11LkWATAUCXeXGrWoZF7o7ZJOs-3oh5NIBWzbna8r14Y/edit#heading=h.mad3g6xe3vsk<br>https://docs.google.com/document/d/1BlLP_JCC9LQ1Ns66pUQyUwTueh1_RCL0DTKWlJDfqfY/edit?usp=sharing<br>https://docs.google.com/document/d/1MgBbMvOhYTXRp7IlOr-o8b16NQDYKu2wMvG7xlK6sUA/edit?usp=sharing | 2 | Gitcoin bounty (hhio618) | | |
| Depegging Bot | 2/1/2023 | A bot to identify depegging events in crypto pairs (e.g. stEth/Eth) or stable coins. Should utilize price info from specific pools to identify issues with pools, but also external data feeds (like coingecko/coinmarketcap) to identify issues with the actual token. Should utilize time series analysis (e.g. prophet library) to take natural variance into account. | | 2 | Gitcoin bounty (Lyle) | | |
| Contract deployment and attack on the same tx | 1/31/2022 | Hackers often put all the logic code in the contract constructor; some alerts only pick up the first transfers, leaving all the other ones out. Create a bot that detects a new contract deployment that also makes swaps and triggers special alerts. See UF Dao Attack Research | https://docs.google.com/document/d/1rQSGcps6D9r5oRKN5WCNfTC3WzkfiEntUB__yFO30v8/edit | 2 | Trevor | 2/21/2023 | |
| Role transfer bot | 10/31/2022 | Alert when role transfers occur | https://docs.google.com/document/d/1HGLp1eP_I-VmzyiWjQSljFKy2GVvBf_ePP9ygovS-JQ/edit#heading=h.mad3g6xe3vsk | 2 | Trevor Forsyth | 1/11/2023 | Yes |
| Flee into native tokens | 10/7/2022 | Money laundering when ERC-20 tokens are stolen usually involves swapping them quickly into native tokens. The bot should identify that activity. | https://docs.google.com/document/d/11LkWATAUCXeXGrWoZF7o7ZJOs-3oh5NIBWzbna8r14Y/edit#heading=h.mad3g6xe3vsk<br>https://docs.google.com/document/d/1biBCIPuzq5ryMbwe2-jZQCmh0P461j_MN0GDDeRg09w/edit?usp=sharing<br>https://docs.google.com/document/d/1BlLP_JCC9LQ1Ns66pUQyUwTueh1_RCL0DTKWlJDfqfY/edit?usp=sharing | 2 | Gitcoin - Olugbenga | 3/8/2023 | |
| Airdrop hunters | 2/1/2023 | Airdrop hunters essentially sybil attack the airdrop process. But due to poor opsec, they may make mistakes, such as transferring tokens to a central entity before cashing out. An example is the Forta Airdrop Bot (https://explorer.forta.network/bot/0x8e65d893e6d1a8d82acba3ba61dc6ec1ded413ed73c7c8d6ecefef8d31e7af9c). A generic version should be created. | | 2 | Gitcoin Bounty - Logan Ross | 2/21/2023 | |
| Profanity Bot | 9/20/2022 | The profanity vulnerability has resulted in several accounts being compromised. Bot should identify accounts that have been vulnerable. Given this is sensitive information, the bot should encrypt the information and not report on the actual tx. | https://docs.google.com/document/d/1LdfKRwx6uw0tDeubEnp5bv2rs1RyQekHoK2G-auKHXE/edit#heading=h.oyu63dstg0ww<br>https://docs.google.com/document/d/1D6dC96VF8ctGmZ9XPkkbsAdQtmzWUqUhm3T9kRpUOK4/edit?usp=sharing<br>https://docs.google.com/document/d/1X1XrUdO-EOoJ4YsQHt_9EjrNGhy9Xyho_zhVTscKZWM/edit | 2 | https://gitcoin.co/issue/29672itcoin - paused | | |
| Fingerprint addresses’ wallets | 3/7/2023 | Create a bot that outputs the wallet a user is likely using. One way to do that is to look at whether the user has tx for a wallet DEX or on/off ramps | | 2 | Mindtree | | |
| EOA Positive Reputation Bot | 1/17/2023 | Emit an alert when an address has positive reputation. Positive reputation can have low recall (so coverage is low), but should be highly precise (not assign positive reputation to a malicious/scammer address) | | 2 | | | |
| Funding by pop contract deployer | 12/28/2022 | Deployers may be private key compromised; in those cases, often the attacker account gets funded by the deployer | ANKR | 2 | | | |
| Token Bridge Bot | 1/3/2023 | A bot that listens to bridge transactions. Currently, there’s no bot that listens and fires alerts for transactions that bridge to other networks. With this alert, the receiving network can lend a hand and respond to the attack by using possible measures. | | 3 | Kunal Arora | 2/10/2023 | |
| Funding & Money Laundering bots | 12/7/2022 | To send ERC20 tokens to mixers, attackers need to perform an Approval transaction. By detecting this action, we can predict the attacker's further actions and publish an alert about the interaction with the mixer before the tokens are actually transferred to it. This will reduce the attack detection time. | https://docs.google.com/document/d/1FX_ax3BUY5IyWkuM5Nq8ObFPToZDWUJRi5ptfLRg-p0/edit | 3 | | | |