Duplicate the "evasion" bot and keep only the "metamorphic" detection logic
apehex committed Nov 24, 2023
1 parent 36e6ba9 commit 3ecf590
Showing 72 changed files with 3,372 additions and 0 deletions.
25 changes: 25 additions & 0 deletions metamorphic-contracts-py/Dockerfile
@@ -0,0 +1,25 @@
# Build stage: compile Python dependencies
FROM python:3.9-alpine as builder
ENV PIP_ROOT_USER_ACTION=ignore
RUN apk update
RUN apk add alpine-sdk
RUN python3 -m pip install --upgrade pip
COPY requirements.txt ./
RUN python3 -m pip install --user -r requirements.txt

# Final stage: copy over Python dependencies and install production Node dependencies
FROM node:12-alpine
# this python version should match the build stage python version
RUN apk add python3 py3-pip
COPY --from=builder /root/.local /root/.local
ENV PATH=/root/.local:$PATH
ENV NODE_ENV=production
ENV PIP_ROOT_USER_ACTION=ignore
# Uncomment the following line to enable agent logging
LABEL "network.forta.settings.agent-logs.enable"="true"
WORKDIR /app
COPY ./src ./src
COPY package*.json ./
COPY LICENSE.md ./
RUN npm ci --production
CMD [ "npm", "run", "start:prod" ]
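Review bot: the `ENV PATH=/root/.local:$PATH` line in the final stage points at the wrong directory; `pip install --user` places console scripts under `/root/.local/bin`, so the entry should be `ENV PATH=/root/.local/bin:$PATH`. In the same stage, `COPY --from=builder /root/.local /root/.local` only yields importable packages if the Alpine `python3` package pulled into `node:12-alpine` resolves to the same minor version as `python:3.9-alpine`, because the copied packages sit under a version-specific `site-packages` directory; the comment `this python version should match the build stage python version` acknowledges this but nothing enforces it, so either pin the `python3` package to a 3.9 build or derive both stages from a single base image. Two smaller points: the comment `# Uncomment the following line to enable agent logging` is stale, since the `LABEL` below it is already active, and `node:12` is past end of life, so moving to a supported Node LTS base keeps the runtime on a patched branch.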
40 changes: 40 additions & 0 deletions metamorphic-contracts-py/LICENSE.md
@@ -0,0 +1,40 @@
**Forta Detection Bot License 1.0**

This Detection Bot License (“Agreement”) governs your use of the detection bot script and associated documentation files made available by each applicable Developer (as defined below) through the Forta Network (“Detection Bot”). The “Forta Network” means
the collection of smart contracts found at [https://github.com/forta-network/forta-contracts](https://github.com/forta-network/forta-contracts) that are in production on the Polygon blockchain from time to time.

1. Detection Bot License.

a) The legal person or entity controlling the blockchain address listed as the “Owner” of the Detection Bot (“Developer”) hereby grants you a perpetual (subject to Sections 2 and 6), worldwide, non-exclusive, non-transferable, non-sublicensable, right to access and use the Detection Bot solely in connection with participating in the Forta Network, including, without limitation, to run the Detection Bot on a node in the Forta Network, in accordance with the terms of this Agreement.

b) The Developer hereby grants you a perpetual (subject to Sections 2 and 6), worldwide, non-exclusive, non-transferable, sublicensable, right to access and use any alerts or other data generated by the Detection Bot (the “Detection Bot Results”), in accordance with the terms of this Agreement.

c) This license shall apply to the Detection Bot so long as it is registered in the Forta Network bot registry smart contract, currently found at the blockchain address 0x61447385B019187daa48e91c55c02AF1F1f3F863, as may be updated from time to time, and has sufficient FORT staked in the Forta Network staking contract, currently found at 0xd2863157539b1D11F39ce23fC4834B62082F6874, as may be updated from time to time.

d) The foregoing licenses are contingent on the payment of applicable fees, if any, published or stated at docs.forta.network. You agree to comply with the terms and conditions of any subscription level or fee tier you select and for clarity, any breach thereof shall constitute a material breach of this Agreement and the licenses contained in this Agreement shall immediately terminate in accordance with Section 6 below. For the avoidance of doubt, you are not authorized to make the Detection Bot available to third parties or to sell or otherwise distribute the Detection Bot Results, other than in accordance with your subscription level or fee tier.

e) You acknowledge that the Detection Bot and Detection Bot Results, and all intellectual property rights therein, including those rights now known or hereafter developed or discovered, are the exclusive property of Developer or its licensors and that the license contemplated herein grants you no title or rights of ownership in the Detection Bot or Detection Bot Results or any components thereof or any other right or license to the foregoing, other than as explicitly set forth herein. Notwithstanding anything to the contrary in this Agreement, the Detection Bot may include software components provided by a third party that are subject to separate license terms, in which case those license terms will govern such software components.

2. Availability of the Detection Bot.

Developer reserves the right to change, revise, update, suspend, discontinue, or otherwise modify the Detection Bot at any time, which may impact the Detection Bot Results. You agree that Developer has no liability whatsoever for any loss or damage caused by your inability to access or use the Detection Bot or Detection Bot Results. Nothing in this Agreement will be construed to obligate Developer to maintain or support the Detection Bot or to supply any corrections, updates, or releases in connection therewith.

3. Assumption of Risk.

a) You acknowledge that there are risks associated with the Detection Bot, including that the Detection Bot Results may not be accurate, and you expressly acknowledge and assume all risks. You further acknowledge that Developer cannot confirm the accuracy of the Detection Bot Results and Developer therefore is not responsible for any consequences related to or negative impacts arising from inaccurate, false, or incomplete Detection Bot Results. You understand and agree that the Detection Bot and Detection Bot Results are offered on a purely non-reliance basis and at your own risk. You further acknowledge that the Detection Bot and Detection Bot Results are offered through the Forta Network, which is a decentralized network of independent node operators and other bot developers that interact on a public blockchain over which Developer has no control.

b) You acknowledge that the regulatory regime governing blockchain technologies is uncertain and continually evolving, and new laws, regulations or policies may negatively impact the potential utility of the Detection Bot or Detection Bot Results, and you assume such risk.

4. Release.

You hereby release Developer from any liability, loss or damage of any nature arising from any risk you assume pursuant to this section, as well as from any liability, loss or damage arising from use of the Detection Bot or reliance on the Detection Bot Results.

5. Limitation of Liability.

a) DISCLAIMER. THE DETECTION BOT AND DETECTION BOT RESULTS ARE EACH PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. YOU AGREE THAT YOUR USE OF THE DETECTION BOT AND DETECTION BOT RESULTS WILL BE AT YOUR SOLE RISK. TO THE FULLEST EXTENT PERMITTED BY LAW, DEVELOPER DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, IN CONNECTION WITH THE DETECTION BOT AND THE DETECTION BOT RESULTS AND YOUR USE THEREOF, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR TECHNICAL OPERATION OR PERFORMANCE. DEVELOPER ALSO MAKES NO WARRANTIES OR REPRESENTATIONS ABOUT THE ACCURACY OR COMPLETENESS OF THE DETECTION BOT RESULTS.

b) NO CONSEQUENTIAL DAMAGES. IN NO EVENT SHALL DEVELOPER BE LIABLE TO YOU UNDER THIS AGREEMENT (WHETHER IN TORT, IN STRICT LIABILITY, IN CONTRACT, OR OTHERWISE) FOR ANY (I) INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES, INCLUDING DAMAGES FOR LOST PROFITS, EVEN IF DEVELOPER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR (II) DAMAGES THAT EXCEED $100. THE EXISTENCE OF MORE THAN ONE CLAIM WILL NOT ENLARGE OR EXTEND THESE LIMITS.

6. Termination.

If you materially breach this Agreement or if you violate any applicable law or regulation, you acknowledge you are prohibited from using the Detection Bot or Detection Bot results thereafter, even if you may be acting on behalf of a third party.
104 changes: 104 additions & 0 deletions metamorphic-contracts-py/README.md
@@ -0,0 +1,104 @@
# Detecting Metamorphic Contracts

## Description

Implementation for the detection techniques described in the [report about smart contract evasion techniques][report-web3-evasion] by the [Forta TRi][forta-threat-research-initiative].

Here, "evasion" refers to any tactic that deceives end-users or circumvents defense mechanisms.

More specifically, the bot is focused on contrats that are able to change their bytecode while staying at the same address.
These contracts are said to be "metamorphic".

## Support

The bots use the transaction traces, so they only runs on Ethereum for now.

## Table of Contents

- [Alerts](#alerts)
- [Metamorphic Contracts](#metamorphic-contracts)
- [Red Pill Contracts](#red-pill-contracts)
- [Options](#options)
- [Implementations](#implementations)
- [Development](#development)
- [Changelog](#changelog)
- [Todo](#todo)
- [Performances](#performances)
- [Credits](#credits)
- [License](#license)

## Alerts

The metamorphic contracts are spotted when created to perform static analysis on the bytecode:

- `EVASION-METAMORPHISM-FACTORY-DEPLOYMENT`:
- the factory address is attached as a label
- `EVASION-METAMORPHISM-MUTANT-DEPLOYMENT`:
- the mutant address is attached as a label

For all the alerts:

- Type is always set to `Suspicious`
- Severity is always `Info`
- Metadata:
- `confidence`: the estimated probability of a given detection
- `chain_id`: the chain id
- `from`: the transaction sender
- `to`: the transaction recipient
- `anomaly_score`: the alert rate for this combination of bot / alert type

## Options

The bot settings are located in `src/options.py`:

```python
MIN_CONFIDENCE = 0.7 # probability threshold
ALERT_HISTORY_SIZE = 16384 # in number of transactions recorded
```

The bot only fires alerts when the probability score for a given threat is above `MIN_CONFIDENCE`.

It keeps a local history of all the alerts raised to compute stats.
The history size is set by `ALERT_HISTORY_SIZE`.

## Implementations

All the detection processes are [detailed in the report][report-web3-evasion].

## Tests

The bots use the libraries [`forta-toolkit`][github-apehex-toolkit] and [`ioseeth`][github-apehex-ioseeth], which come with extensive unit tests.

They can be run in the root directory of each of these packages with `python -m pytest`.

## Development

Contributions welcome!

### Changelog

See [CHANGELOG](.github/CHANGELOG.md).

### TODO

See [TODO](.github/TODO.md).

### Performances

## Credits

Original work by [apehex](https://github.com/apehex).

Relies on the packages:

- [`ioseeth`][github-apehex-ioseeth] for the detection logic
- [`forta-toolkit`][github-apehex-toolkit] for the data wrangling

## License

See [LICENSE.md](LICENSE.md).

[forta-threat-research-initiative]: https://forta.org/blog/investing-in-applied-academic-threat-research/
[github-apehex-ioseeth]: https://github.com/apehex/web3-threat-indicators
[github-apehex-toolkit]: https://github.com/apehex/forta-toolkit
[report-web3-evasion]: https://github.com/apehex/web3-evasion-techniques/blob/main/report/web3-evasion-techniques.pdf
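Review bot: the table of contents links to headings that do not exist in this file: `#metamorphic-contracts` and `#red-pill-contracts` have no matching sections under `## Alerts`, the existing `## Tests` section is absent from the list, and `### Performances` has no body; either add the sections or drop the entries. Typos in the visible text: `contrats` should read `contracts` and `they only runs` should read `they only run`, and the sentence `The metamorphic contracts are spotted when created to perform static analysis on the bytecode` reads more clearly as `Metamorphic contracts are spotted at creation time by static analysis of their bytecode`. Also, `## Options` documents `MIN_CONFIDENCE` but not how the `confidence` metadata value is derived; operators tuning the threshold will want at least a pointer to the part of the report that defines it.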