PonziLens+: Visualizing Bytecode Actions for Smart Ponzi Scheme Identification

TL;DR

The paper tackles the detection of smart Ponzi schemes embedded in Ethereum smart contracts by translating bytecode execution into semantically meaningful actions. It introduces PonziLens+, a visual analytics system with three modules (Path Feature, Path Grouping, Execution Detail) and a path-merging strategy to reveal Ponzi-related behaviors at contract, group, and path levels. The approach leverages semantic-action extraction via CFG-based path enumeration and symbolic execution, enabling adaptable, explainable detection beyond fixed-rule classifiers. Two case studies and 12 expert/investor interviews demonstrate improved interpretability, practical usefulness for auditors and investors, and potential application to broader software analysis. Limitations include scalability and off-chain fraud, with plans for extensibility and mobile support.

Abstract

With the prevalence of smart contracts, smart Ponzi schemes have become a common fraud on blockchain and have caused significant financial loss to cryptocurrency investors in the past few years. Despite the critical importance of detecting smart Ponzi schemes, a reliable and transparent identification approach adaptive to various smart Ponzi schemes is still missing. To fill the research gap, we first extract semantic-meaningful actions to represent the execution behaviors specified in smart contract bytecodes, which are derived from a literature review and in-depth interviews with domain experts. We then propose PonziLens+, a novel visual analytic approach that provides an intuitive and reliable analysis of Ponzi-scheme-related features within these execution behaviors. PonziLens+ has three visualization modules that intuitively reveal all potential behaviors of a smart contract, highlighting fraudulent features across three levels of detail. It can help smart contract investors and auditors achieve confident identification of any smart Ponzi schemes. We conducted two case studies and in-depth user interviews with 12 domain experts and common investors to evaluate PonziLens+. The results demonstrate the effectiveness and usability of PonziLens+ in achieving an effective identification of smart Ponzi schemes.

Figures (7)

• Figure 1: The showcase of critical concepts in this study: (A) shows an example source code of a chain-type smart Ponzi scheme with investing behavior (A1) and rewarding (A2) behavior in a loop (A3). (B) and (C) show the bytecode and opcode of a smart contract. (D) demonstrates the control flow graph with execution paths (D1) and basic blocks (D2).
• Figure 2: The framework of PonziLens+. (A) shows the data preparation for the collection of potential execution paths. (B) shows the semantic action extraction that generates semantic action sequences from each execution path. (C) demonstrates three visualization modules in PonziLens+.
• Figure 3: The PonziLens+ interface initially presents the Path Feature Module (A) and Path Grouping Module (B). Upon selecting specific actions of interest, users can access the Execution Detail Module (C), including a scroll bar (C1) to allow users to delve into one single path for more details.
• Figure 4: The visual design of three visualization modules in PonziLens+. Path Feature Module (A) shows the Ponzi feature distribution across all execution paths. Path Grouping Module (B) provides a visual summary of action patterns in each path group, incorporating a path merging strategy (B1-B3) and highlighted Ponzi features (B4). Execution Detail Module (C) shows the detailed action sequences and storage interactions in each execution path.
• Figure 5: A summary of visual encoding used in PonziLens+.