Following Devils' Footprint: Towards Real-time Detection of Price Manipulation Attacks
Bosi Zhang, Ningyu He, Xiaohui Hu, Kai Ma, Haoyu Wang
TL;DR
This paper tackles the problem of price manipulation in DeFi by shifting focus to attacker contracts and proposing SMARTCAT, a bytecode-level static analyzer that detects price manipulation attacks in real time. SMARTCAT constructs a cross-function callsite graph (xFCG) and a token flow graph (TFG) from decompiled bytecode, using an argument-recovery strategy and semantic templates to identify token operations like transfers, swaps, and flashloans. It introduces sensitive-path filtering and formal detection rules to efficiently and accurately flag both direct and indirect price manipulation behaviors, achieving recall $91.7\%$ and precision $99.975\%$ on a ground-truth dataset, and revealing $616$ attack contracts with $9.25$ million in losses across large real-world deployments. Real-time deployment on Ethereum and BSC demonstrates practical impact, raising alarms within an average of $99$ seconds after contract deployment and highlighting the approach’s potential to mitigate on-chain financial risks. The work also discusses limitations (path feasibility, obfuscation, multi-transaction attacks) and outlines avenues for extending analysis speed and coverage.
Abstract
Price manipulation attack is one of the notorious threats in decentralized finance (DeFi) applications, which allows attackers to exchange tokens at an extensively deviated price from the market. Existing efforts usually rely on reactive methods to identify such kind of attacks after they have happened, e.g., detecting attack transactions in the post-attack stage, which cannot mitigate or prevent price manipulation attacks timely. From the perspective of attackers, they usually need to deploy attack contracts in the pre-attack stage. Thus, if we can identify these attack contracts in a proactive manner, we can raise alarms and mitigate the threats. With the core idea in mind, in this work, we shift our attention from the victims to the attackers. Specifically, we propose SMARTCAT, a novel approach for identifying price manipulation attacks in the pre-attack stage proactively. For generality, it conducts analysis on bytecode and does not require any source code and transaction data. For accuracy, it depicts the control- and data-flow dependency relationships among function calls into a token flow graph. For scalability, it filters out those suspicious paths, in which it conducts inter-contract analysis as necessary. To this end, SMARTCAT can pinpoint attacks in real time once they have been deployed on a chain. The evaluation results illustrate that SMARTCAT significantly outperforms existing baselines with 91.6% recall and ~100% precision. Moreover, SMARTCAT also uncovers 616 attack contracts in-the-wild, accounting for \$9.25M financial losses, with only 19 cases publicly reported. By applying SMARTCAT as a real-time detector in Ethereum and Binance Smart Chain, it has raised 14 alarms 99 seconds after the corresponding deployment on average. These attacks have already led to $641K financial losses, and seven of them are still waiting for their ripe time.