Scam Detection Lab
A scientific field guide to how this app detects sketchy Ethereum behavior, explained like you are five where it helps.
Method
- Heuristics = quick pattern alarms
- Verifiable on-chain checks = provable evidence from chain data
Score model:
finalScore = heuristicScore * 0.45 + verifiableScore * 0.55
ELI5: your friend says "hmm weird" and the camera confirms it. We trust the camera a bit more.
Verdict Bands
Signal Matrix (Scientific layout, ELI5 text)
| Signal | Check (ELI5) | Type |
|---|---|---|
| Counterparty concentration | Most activity keeps flowing to a tiny group, like all candy going to one kid. | Heuristic |
| Wallet age anomaly | A brand-new wallet starts moving big money right away. | Heuristic |
| Failed transaction spike | Many recent transactions fail, like someone trying the wrong keys over and over. | Heuristic |
| Proxy upgradeability risk | We check whether this contract can secretly swap its brain later. | Verifiable |
| Approval -> drain correlation | You gave spending permission, then funds left quickly right after. | Verifiable |
| Event log anomaly | The transaction says success, but expected transfer-style breadcrumbs are missing. | Verifiable |
| Bytecode similarity risk | The contract code looks very similar to known drainer patterns. | Verifiable |
Example RPC proof primitives: eth_getCode, eth_getStorageAt, eth_getTransactionReceipt
Confidence and Evidence
Each indicator stores confidence and chain evidence.
- Low: weak clue
- Medium: useful clue
- High: strong clue
- Verified: chain-proven fact
Evidence examples: tx hash, selector, storage slot, log topic, contract address.
Engine Pipeline
- Fetch transactions and contract metadata.
- Run fast heuristics.
- Run on-chain verification calls.
- Attach confidence + evidence.
- Compute weighted score and verdict.
- Stream progress and deep counterparty analysis.
ELI5: quick look -> detective look -> microscope look
Methods Appendix (Exact Thresholds)
| Rule | Current Value | Where Used |
|---|---|---|
| Counterparty concentration | > 0.60 with at least 6 counterparties | Portfolio heuristic |
| Wallet age anomaly | wallet age <= 7 days and any tx >= 10 ETH | Portfolio heuristic |
| Failed transaction spike | failed ratio > 0.40 with at least 6 tx | Portfolio heuristic |
| Approval-drain window | outflow within 15 min and value >= 0.5 ETH | Verifiable correlation |
| Bytecode template risk | bytecode string length < 260 | Verifiable contract profile |
| Tx scan cap (receipt checks) | first 80 tx only | Performance guardrail |
| Contract scan cap | first 20 distinct contract addresses | Performance guardrail |
| Proxy slot | 0x360894a13ba1...d382bbc (EIP-1967 implementation slot) | Verifiable proxy check |
| High-risk selector flag | input starts with 0xb6f9de95 | Selector anomaly check |
Score multipliers by confidence: Low=0.6, Medium=1.0, High=1.25, Verified=1.5.
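The portfolio and approval-drain thresholds from the table above, applied to a constructed transaction list. This is an added Python example, not the project's ScamAnalyzer.cs code. The record shape, concentration defined as the top recipient's share, wallet age measured from the first transaction, and spotting approvals by the ERC-20 approve selector 0x095ea7b3 are assumptions.

```python
from collections import Counter

APPROVE_SELECTOR = "0x095ea7b3"  # ERC-20 approve(address,uint256)
DAY = 86400

def tx(ts, to, value_eth=0.0, failed=False, data="0x", sender="0xwallet"):
    """Constructed tx record; this shape is an assumption, not the project's model."""
    return {"ts": ts, "sender": sender, "to": to, "value_eth": value_eth,
            "failed": failed, "input": data}

def detect_signals(wallet, txs, now):
    """Apply the appendix thresholds to txs (oldest first); return signal names."""
    signals = []
    sent = [t for t in txs if t["sender"] == wallet]
    # Counterparty concentration: > 0.60 with at least 6 counterparties.
    # Assumption: concentration = share of sent txs going to the top recipient.
    per_recipient = Counter(t["to"] for t in sent)
    if len(per_recipient) >= 6:
        top_share = per_recipient.most_common(1)[0][1] / len(sent)
        if top_share > 0.60:
            signals.append("counterparty_concentration")
    # Wallet age anomaly: wallet age <= 7 days and any tx >= 10 ETH.
    # Assumption: age is measured from the first tx in the list.
    if txs and now - txs[0]["ts"] <= 7 * DAY and any(t["value_eth"] >= 10 for t in txs):
        signals.append("wallet_age_anomaly")
    # Failed transaction spike: failed ratio > 0.40 with at least 6 tx.
    if len(txs) >= 6 and sum(t["failed"] for t in txs) / len(txs) > 0.40:
        signals.append("failed_tx_spike")
    # Approval-drain window: outflow >= 0.5 ETH within 15 min of an approval.
    # Assumption: an approval is a successful call whose input starts with approve().
    approvals = [t["ts"] for t in sent
                 if t["input"].startswith(APPROVE_SELECTOR) and not t["failed"]]
    drained = any(t["value_eth"] >= 0.5 and not t["failed"]
                  and any(0 < t["ts"] - a <= 15 * 60 for a in approvals) for t in sent)
    if drained:
        signals.append("approval_drain")
    return signals

NOW = 1_700_000_000
SAMPLE = [  # constructed data, not real chain activity
    tx(NOW - 3 * DAY, "0xa", 12.0),                              # large tx, young wallet
    tx(NOW - 7200, "0xtoken", data=APPROVE_SELECTOR + "00" * 64),  # approval
    tx(NOW - 6900, "0xb", 1.0),                                  # outflow 5 min later
    tx(NOW - 600, "0xc", failed=True),
    tx(NOW - 500, "0xc", failed=True),
    tx(NOW - 400, "0xc", failed=True),
]

if __name__ == "__main__":
    print(detect_signals("0xwallet", SAMPLE, NOW))
```

The sample has only four distinct recipients, so the concentration rule stays silent even though the other three fire; the "at least 6" floors exist to keep small samples from tripping ratio-based alarms.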
Last synced from analyzer logic in src/HazMeBeenScammed.Core/Services/ScamAnalyzer.cs and model metadata in src/HazMeBeenScammed.Core/Domain/Models.cs.