This repository contains the source code for LookAhead, an effective and efficient ML-based framework for DeFi attack detection (based on adversarial contracts).
This folder contains custom-designed plugins for Gigahorse, a binary lifter and analysis framework for Ethereum smart contracts. We introduce various extra functional modules to be integrated with the Gigahorse toolkit.
The core functionality is to launch a web server (gigahorse_web_server.py), which is responsible for handling contract data uploads and running Gigahorse tools to perform contract data analysis.
This folder contains code for evaluating the classifier and transformer models employed by LookAhead.
We evaluate the datasets, generate prediction results, measure execution time, and assess the performance of the models.
This folder contains the logic implemented for conducting online testing to measure the real-world performance of the LookAhead system.
- Before performing the detection, we first train local models (logic located under
training). - For detection, we use
contract_feature_handler.pyto extract contract features andclassification_evaluator.pyto load the trained models and produce predictions. An example usage is demonstrated inevaluate.ipynb. (logic located underdetection)
We provide a report file, listing all true positive adversarial contracts detected during both experiment periods described in the paper.
Note
Addresses marked with a * were originally identified as true positives by our research team, but may be questionable after rechecking them post-publication. We include them here for transparency, but recommend treating them with caution.
Our dataset includes benign and adversarial contracts and their associated features and is available in the format of SQLite database files under dataset folder. It also includes a manually curated dataset of address labels that classify the sources of funds.
Benign contracts are collected from Google BigQuery based on unique user interactions during the period from June 1, 2022 to June 30, 2024. The SQL queries used for retrieving addresses and calculating unique user interactions are available under dataset/sql.
LookAhead has been fully tested on Ubuntu 20.04.
conda env create --name lookahead -f environment.yml
conda activate lookaheadYou will also need to install Gigahorse. For information regarding the Gigahorse project, see: https://github.com/nevillegrech/gigahorse-toolchain.
Make sure to install the Souffle addons required by Gigahorse:
# builds all, sets libfunctors.so as a link to libsoufflenum.so
cd decompiler/gigahorse-toolchain/souffle-addon && make WORD_SIZE=$(souffle --version | sed -n 3p | cut -c12,13)Create a dotfile named .env and fill in the required API keys to be used as environment variables:
ETHERSCAN_APIKEY=YOUR_ETHERSCAN_API_KEY
ALCHEMY_APIKEY=YOUR_ALCHEMY_API_KEY
BSC_QUICKNODE_APIKEY=YOUR_BSC_QUICK_NODE_API_KEY
Due to the file size limit of Git, we make our contract feature dataset files available via an alternative storage service, download them by running the following:
cd dataset
wget https://static.ouorz.com/features.dbWe propose the following classifiers and a transformer model to be trained and evaluated:
- XGBoost
- Logistic Regression
- Decision Tree
- Random Forest
- Support Vector Machine
- K-Nearest Neighbor
python -W ignore evaluate_all.pyTo run online_test, follow these steps:
Train local classifier models (trained models are saved under online_test/models)
cd online_test/training
python -W ignore train.pyStart running a Gigahorse decompiler web server in the background:
cd decompiler
python gigahorse_web_server.pyPerform detection tests using the Jupyter Notebook online_test/detection/evaluate_single_address.ipynb.
Published version available at: https://doi.org/10.1145/3729353.
@article{ren2025lookahead,
title={LookAhead: Preventing DeFi Attacks via Unveiling Adversarial Contracts},
author={Ren, Shoupeng and He, Lipeng and Tu, Tianyu and Wu, Di and Liu, Jian and Ren, Kui and Chen, Chun},
journal={Proceedings of the ACM on Software Engineering},
volume={2},
number={FSE},
year={2025},
publisher={ACM New York, NY}
}