This paper presents BlockLens, a supervised, trace-level framework for detecting malicious Ethereum transactions using large language models (LLMs). Unlike prior approaches limited to static features or storage-level abstractions, BlockLens processes complete execution traces, capturing opcode sequences, memory information, gas usage, and call structures to accurately represent the runtime behavior of each transaction. This framework harnesses the exceptional reasoning capabilities of LLMs for long input sequences and is fine-tuned on transaction data. We design a tokenization strategy aligned with Ethereum Virtual Machine (EVM) semantics, mapping execution traces into interpretable tokens. Each transaction captures its complete execution trace through simulated execution and is then sliced into overlapping chunks using a sliding window, allowing for long-range context modeling within memory constraints. During inference, the model outputs both a binary decision and a probability score indicating the likelihood of malicious behavior. We implement the framework based on LLaMA 3.2-1B backbone and fine-tune the model using Low-Rank Adaptation (LoRA). We evaluate it on a curated dataset containing both real-world attacks and normal DeFi transactions. BlockLens outperforms representative baselines, achieving higher F1 scores and recall at top-k thresholds than representative baselines. Additionally, BlockLens offers interpretable chunk-level outputs by localizing suspicious trace segments that enhance explainability, facilitating rapid forensic analysis and actionable decision-making in security-critical environments.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

BlockLens: Detecting Malicious Transactions in Ethereum Using LLM Techniques

  • Chi Feng,
  • Lei Fan

摘要

This paper presents BlockLens, a supervised, trace-level framework for detecting malicious Ethereum transactions using large language models (LLMs). Unlike prior approaches limited to static features or storage-level abstractions, BlockLens processes complete execution traces, capturing opcode sequences, memory information, gas usage, and call structures to accurately represent the runtime behavior of each transaction. This framework harnesses the exceptional reasoning capabilities of LLMs for long input sequences and is fine-tuned on transaction data. We design a tokenization strategy aligned with Ethereum Virtual Machine (EVM) semantics, mapping execution traces into interpretable tokens. Each transaction captures its complete execution trace through simulated execution and is then sliced into overlapping chunks using a sliding window, allowing for long-range context modeling within memory constraints. During inference, the model outputs both a binary decision and a probability score indicating the likelihood of malicious behavior. We implement the framework based on LLaMA 3.2-1B backbone and fine-tune the model using Low-Rank Adaptation (LoRA). We evaluate it on a curated dataset containing both real-world attacks and normal DeFi transactions. BlockLens outperforms representative baselines, achieving higher F1 scores and recall at top-k thresholds than representative baselines. Additionally, BlockLens offers interpretable chunk-level outputs by localizing suspicious trace segments that enhance explainability, facilitating rapid forensic analysis and actionable decision-making in security-critical environments.