Anomaly transactions
Anomaly transactions can be classified into seven types: Anomaly Gas, Large Volume, Asset Drained, Re-entrancy, Text Messaging, High Value Transactions, and Flashloan. We'll delve into each type of threat in more detail below.
High gas prices or high gas usage can be a warning sign of frontrunning attacks. In such an attack, someone sees a pending transaction and tries to get their own transaction processed faster by paying a higher gas price. This way, their transaction gets prioritized over the original one.
The attacker benefits from this by acting on the information or affecting the market before the original transaction happens. This can lead to losses for the person who initiated the original transaction and create an unfair market. Monitoring high gas prices or usage can help detect these attacks and protect users from potential harm.
Large volumes of transactions (borrowing or deposits) can be a warning sign for attacks because they may indicate unusual activity on a protocol or within the market. Sudden spikes in transaction volumes can point to potential manipulation or exploitation attempts.
Attackers might employ various strategies, such as flash loan attacks, pump-and-dump schemes, or attempts to exploit vulnerabilities in smart contracts. They may use large volumes of transactions to distort market prices, manipulate liquidity, or trigger unexpected behavior in DeFi protocols. By monitoring for these unusual patterns, users can identify potential threats early and take appropriate actions to protect their investments.
An asset drained alert can be a warning sign for an attack because it indicates that a significant portion of a contract's funds has been withdrawn in an extremely short period (Note: more than 99% of the contract's funds withdrawn within a block). This unusual activity may suggest that an attacker has found a vulnerability in the smart contract or has manipulated the market in a way that allows them to withdraw a large amount of assets quickly.
Such rapid and large-scale withdrawals can destabilize the contract, disrupt market prices, and potentially lead to losses for other users.
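The 99%-within-a-block rule above can be checked from token transfer records. The following is an added example, not code from this page or its product; the record layout, function name and sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Page's rule: more than 99% withdrawn within a block (kept as an integer ratio).
DRAIN_NUM, DRAIN_DEN = 99, 100

def find_drained(balances_before, transfers):
    """Return sorted (block, contract, token, net_out, start_balance) alerts.

    balances_before: {(block, contract, token): balance at the start of that block}
    transfers: dicts with block, token, sender, recipient, amount (integer units)
    """
    net_out = defaultdict(int)
    for t in transfers:
        net_out[(t["block"], t["sender"], t["token"])] += t["amount"]
        net_out[(t["block"], t["recipient"], t["token"])] -= t["amount"]
    alerts = []
    for key, out in net_out.items():
        start = balances_before.get(key, 0)
        if start <= 0 or out <= 0:
            continue  # unknown or empty balance, or a net inflow
        if out * DRAIN_DEN > start * DRAIN_NUM:
            alerts.append((*key, out, start))
    return sorted(alerts)

# Constructed sample data; addresses and token names are placeholders.
BALANCES = {
    (100, "0xVAULT", "USDC"): 1_000_000,
    (100, "0xPOOL", "WETH"): 500,
    (101, "0xVAULT2", "USDC"): 1_000,
}
TRANSFERS = [
    {"block": 100, "token": "USDC", "sender": "0xVAULT", "recipient": "0xA", "amount": 600_000},
    {"block": 100, "token": "USDC", "sender": "0xVAULT", "recipient": "0xA", "amount": 395_000},
    # Out and back in the same block nets to zero, so it is not a drain.
    {"block": 100, "token": "WETH", "sender": "0xPOOL", "recipient": "0xB", "amount": 500},
    {"block": 100, "token": "WETH", "sender": "0xB", "recipient": "0xPOOL", "amount": 500},
    {"block": 101, "token": "USDC", "sender": "0xVAULT2", "recipient": "0xC", "amount": 400},
]

if __name__ == "__main__":
    for alert in find_drained(BALANCES, TRANSFERS):
        print("asset drained:", alert)
```

Netting inflows against outflows per block keeps a pool that lends and is repaid in the same block from raising a drain alert.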
Re-entrancy can be a warning sign for an attack because it's a common vulnerability in smart contracts that can be exploited by malicious actors. Re-entrancy occurs when a function in a smart contract allows for external calls to other contracts before the initial function has completed execution. This can enable an attacker to repeatedly call the function in a recursive manner before the state of the contract is updated, allowing them to drain funds or manipulate data.
For example, consider a smart contract that processes withdrawal requests. An attacker could exploit a re-entrancy vulnerability by initiating a withdrawal request while the first one is still in progress. Since the contract state has not been updated yet, the attacker could effectively withdraw funds twice, potentially draining the contract's balance.
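One way to spot the pattern described above in a transaction's call trace, as an added example that is not code from this page or its product. It assumes a nested trace whose frames carry `from`, `to` and `calls` fields; the addresses and both traces are constructed placeholders.

```python
def find_reentrancy(frame, stack=None, hits=None):
    """Walk a nested call trace and report contracts re-entered via another contract.

    A hit is recorded when the callee is already executing further up the call
    stack and at least one different contract sits in between, so a contract
    calling its own functions is not reported.
    """
    stack = [] if stack is None else stack
    hits = [] if hits is None else hits
    target = frame["to"].lower()
    if target in stack:
        last = len(stack) - 1 - stack[::-1].index(target)
        via = [addr for addr in stack[last + 1:] if addr != target]
        if via:
            hits.append({"contract": target, "via": via[-1], "depth": len(stack)})
    stack.append(target)
    for child in frame.get("calls", []):
        find_reentrancy(child, stack, hits)
    stack.pop()
    return hits

def call(frm, to, *calls):
    """Build one trace frame (helper for the constructed samples below)."""
    return {"from": frm, "to": to, "calls": list(calls)}

# Constructed trace: the vault pays out, the recipient calls withdraw again
# before the first withdraw has finished.
REENTRANT = call("0xeoa", "0xattacker",
    call("0xattacker", "0xvault",
        call("0xvault", "0xattacker",
            call("0xattacker", "0xvault",
                call("0xvault", "0xattacker")))))

# Constructed trace: an internal self-call and a plain token call, no callback.
BENIGN = call("0xeoa", "0xvault",
    call("0xvault", "0xvault"),
    call("0xvault", "0xtoken"))

if __name__ == "__main__":
    for hit in find_reentrancy(REENTRANT):
        print("re-entered:", hit)
    print("benign hits:", find_reentrancy(BENIGN))
```

Callbacks into the calling contract are reported as well, so the hit to triage first is the one whose `contract` holds the funds.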
Text messaging in transactions can be a warning sign for an attack, especially in the context of DeFi exploits. Ordinarily, transactions do not include text messages, so the presence of such a message is unusual and raises suspicion.
Hackers who have successfully stolen funds from a protocol may intentionally leave a message within the transaction, demanding that the protocol admin pay a ransom to have the funds returned. These text messages can serve as a means for hackers to communicate their ransom demands or to signal their successful exploitation of the protocol.
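A monitoring check for such messages, as an added example that is not code from this page or its product: it treats a transaction's input data as a note when it decodes as mostly printable UTF-8 text. The function name, thresholds and sample inputs are assumptions made for illustration.

```python
import string

PRINTABLE = set(string.printable)

def extract_message(input_hex, min_len=8, min_printable=0.9):
    """Return the decoded text if the tx input reads as a human note, else None."""
    raw = input_hex[2:] if input_hex.lower().startswith("0x") else input_hex
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return None  # not valid hex
    if len(data) < min_len:
        return None  # empty input or too short to be a message
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary calldata rarely decodes as UTF-8
    # Count ASCII printables plus non-ASCII letters (messages in other scripts).
    readable = sum(ch in PRINTABLE or ch.isalpha() for ch in text)
    return text if readable / len(text) >= min_printable else None

# Constructed samples.
NOTE = "Return 90% of the funds and keep 10% as a bounty"
NOTE_INPUT = "0x" + NOTE.encode("utf-8").hex()
# A token transfer call: 4-byte selector followed by two 32-byte words.
CALLDATA_INPUT = "0xa9059cbb" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
EMPTY_INPUT = "0x"

if __name__ == "__main__":
    for sample in (NOTE_INPUT, CALLDATA_INPUT, EMPTY_INPUT):
        print(sample[:18], "->", extract_message(sample))
```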
High value transactions can be a warning sign for an attack because they may indicate unusual or suspicious activity within a DeFi protocol. Sudden, large transactions that deviate from the typical transaction patterns could suggest that a hacker is attempting to exploit a vulnerability or has already succeeded in doing so.
For example, a high-value transaction could represent a significant deposit into a liquidity pool, which might be indicative of a potential price manipulation or an attempt to create false market depth. In other cases, a large transaction could be part of a more complex attack, where the hacker is trying to initiate a series of transactions to exploit vulnerabilities in smart contracts, such as triggering a flash loan or exploiting an oracle to manipulate the price feed.
Flash loans in transactions can be a warning sign for an attack because they are often used as a key component in various DeFi exploits. While flash loans are a legitimate feature of some DeFi platforms and can serve useful purposes, they have also been leveraged by hackers to carry out attacks due to their unique characteristics.
A flash loan allows a user to borrow a large amount of assets with no collateral, as long as the borrowed amount is returned within the same transaction. This feature enables hackers to manipulate the DeFi ecosystem in a short period, exploiting vulnerabilities and discrepancies across different platforms to generate profit.
For example, hackers can use flash loans to carry out price oracle manipulations, where they artificially alter the price of an asset on one platform, causing another platform to react to the false price information. This can lead to a cascade of events, enabling the hacker to profit from the price discrepancies.