
Towards Effective Detection of Ponzi schemes on Ethereum with Contract Runtime Behavior Graph

Ruichao Liang, Jing Chen, Cong Wu, Kun He, Yueming Wu, Weisong Sun, Ruiying Du, Qingchuan Zhao, Yang Liu

TL;DR

This work tackles the challenge of detecting Ponzi schemes in Ethereum smart contracts, highlighting the limitations of static, rule-based, and transaction-based approaches. It introduces PonziGuard, a runtime-behavior-driven detector that builds a contract runtime behavior graph (CRBG) by combining static analysis, transaction sequence generation, and dynamic taint analysis, and then applies graph neural networks for classification. The approach demonstrates strong performance on a ground-truth dataset (e.g., precision 96.9%, recall 98.2%, F1 97.5%) and proves effective on Ethereum Mainnet, identifying 805 Ponzi contracts (including 0-day schemes) that account for an estimated loss of about 281,700 Ether (~$500M). Key contributions include the CRBG representation, a tailored taint-driven runtime collection, data pruning/joining strategies, and interpretability analyses that reveal the critical role of investment and reward flows in Ponzi behavior. The results indicate that runtime-driven, graph-based detection can achieve robust Ponzi identification with scalable real-world applicability, albeit with notable but manageable overhead from the instrumented EVM.

Abstract

Ponzi schemes, a form of scam, have been discovered in Ethereum smart contracts in recent years, causing massive financial losses. Existing detection methods primarily focus on rule-based approaches and machine learning techniques that utilize static information as features. However, these methods have significant limitations. Rule-based approaches rely on pre-defined rules with limited capabilities and a dependency on domain knowledge. Using static information like opcodes for machine learning fails to effectively characterize Ponzi contracts, resulting in poor reliability and interpretability. Moreover, relying on static information like transactions for machine learning requires a certain number of transactions to achieve detection, which limits the scalability of detection and hinders the identification of 0-day Ponzi schemes. In this paper, we propose PonziGuard, an efficient Ponzi scheme detection approach based on contract runtime behavior. Inspired by the observation that a contract's runtime behavior is more effective in distinguishing Ponzi contracts from innocent contracts, PonziGuard establishes a comprehensive graph representation, called the contract runtime behavior graph (CRBG), to accurately depict the behavior of Ponzi contracts. Furthermore, it formulates the detection process as a graph classification task on the CRBG, enhancing its overall effectiveness. The experimental results show that PonziGuard surpasses the current state-of-the-art approaches on the ground-truth dataset. We applied PonziGuard to Ethereum Mainnet and demonstrated its effectiveness in real-world scenarios. Using PonziGuard, we identified 805 Ponzi contracts on Ethereum Mainnet, which have resulted in an estimated economic loss of 281,700 Ether or approximately $500 million USD. We also found 0-day Ponzi schemes in the recently deployed 10,000 smart contracts.

Paper Structure (49 sections, 3 equations, 17 figures, 5 tables, 1 algorithm)

Figures (17)

  • Figure 1: Opcode Frequency Distributions. The KL divergence between Ponzi and non-Ponzi contracts ranges from 0.011 to 0.018, while the KL divergence between different Ponzi contracts ranges from 0.012 to 0.016.
  • Figure 2: Contract Runtime Behaviors. (a) is obtained from the Ponzi contract in Listing 1, and (b) is obtained from a gambling contract (non-Ponzi contract).
  • Figure 3: Overview of PonziGuard.
  • Figure 4: CRBG Construction. (a) shows the raw graphs from dynamic taint analysis; each graph corresponds to an invocation. (b) is the CRBG with better node embeddings and more comprehensive runtime information. For convenience of display, we simplify the graphs by keeping only the nodes representing the taint sources and sinks that capture the main logic of the functions.
  • Figure 5: Processing raw graphs. ① denotes the pruning of raw graphs. ② denotes the joining of independent subgraphs. ③ denotes the node feature embeddings.
  • ...and 12 more figures
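
The Figure 1 caption compares opcode frequency distributions by KL divergence, and the abstract argues that such static opcode features characterize Ponzi contracts poorly. The sketch below is an added example, not code from the paper: it computes that divergence over EVM bytecode and shows that two fragments with different behavior can have identical opcode histograms. The smoothing constant, the natural-log base, and the sample byte strings are assumptions constructed for illustration.

```python
import math
from collections import Counter

def opcodes(bytecode_hex):
    """Linear-sweep EVM disassembly: opcode bytes only, PUSH immediates skipped."""
    if bytecode_hex.startswith("0x"):
        bytecode_hex = bytecode_hex[2:]
    code, ops, i = bytes.fromhex(bytecode_hex), [], 0
    while i < len(code):
        op = code[i]
        ops.append(op)
        # PUSH1 (0x60) .. PUSH32 (0x7f) are followed by 1..32 bytes of data.
        i += 1 + (op - 0x5F if 0x60 <= op <= 0x7F else 0)
    return ops

def distribution(ops, alpha=1.0):
    """Frequency over all 256 byte values. Laplace smoothing (alpha) is an
    assumption so that unseen opcodes do not make the divergence infinite."""
    counts = Counter(ops)
    total = len(ops) + alpha * 256
    return [(counts[b] + alpha) / total for b in range(256)]

def kl_divergence(p, q):
    """D_KL(P || Q) in nats (the log base is an assumption)."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))

def opcode_kl(hex_a, hex_b):
    """KL divergence between the opcode distributions of two bytecode strings."""
    return kl_divergence(distribution(opcodes(hex_a)),
                         distribution(opcodes(hex_b)))

# Constructed fragments, not taken from any real contract.
STORE_VALUE = "0x34600055"    # CALLVALUE PUSH1 00 SSTORE: slot 0 = msg.value
STORE_ZERO = "0x60003455"     # PUSH1 00 CALLVALUE SSTORE: slot msg.value = 0
WITH_CALL = "0x346000555af1"  # STORE_VALUE followed by GAS, CALL

if __name__ == "__main__":
    # Same opcode multiset, different storage effect: divergence is zero.
    print(opcode_kl(STORE_VALUE, STORE_ZERO))
    # Adding an external call changes the histogram only slightly.
    print(opcode_kl(STORE_VALUE, WITH_CALL))
```

A histogram discards operand order and data flow, which is the information a taint-based runtime graph keeps.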