ETH Watchtower | Real-Time Heuristics Monitoring & AI-Driven Response


The Problem: Threats Move Faster Than Your Team.

Every block carries risk. Malicious actors deploy exploit contracts, launch sandwich attacks, and manipulate liquidity — all within seconds. Security teams are drowning in data and reacting too late:

  • Reaction Lag: By the time your team analyses a suspicious tx, the attacker has already exited.
  • Alert Fatigue: Raw mempool data generates noise. Critical signals are buried under thousands of benign events.
  • No Automation: Detection without action is just another dashboard. Teams need autonomous response, not more charts.

You need more than monitoring. You need autonomous threat interception.

Core Capabilities

1. Mempool Intelligence

Real-time heuristic stream processing across the entire mempool. Filter, classify, and score 100,000+ transactions per second using deterministic rule sets tuned for EVM threat patterns.

2. ML / AI Analysis Engine

Online inference pipeline trained on labeled exploit data. Feature extraction covers bytecode, call patterns, gas profiling, and temporal sequencing. Confidence-scored classifications with explainable predictions.

  • Anomaly Detection: Unsupervised clustering of deviant tx patterns
  • Classifier Models: Supervised models trained on 10,000+ verified exploits
  • Continuous Retraining: Feedback loop from analyst actions and alert outcomes

3. Multi-Channel Alerting

Route every flagged event through configurable notification pipelines. No event is missed.

  • Webhook Gateway: POST JSON payloads to any HTTP endpoint
  • Slack / Discord: Rich embed messages with severity, heuristics breakdown, and action buttons
  • Telegram / Email / PagerDuty: Tiered escalation for critical and high-severity events

4. AI Agent Actions

Autonomous countermeasures triggered by heuristics and ML confidence thresholds. Agents operate within configurable guardrails.

  • Auto-Flag: Tag addresses and contracts across internal and external threat databases
  • Auto-Block: Submit txs to Flashbots relays / private mempools to prevent execution
  • Auto-Report: Generate structured forensic reports and push to case management systems
  • Smart Contract Integration: Agents can invoke pausing, freezing, or circuit-breaker functions on whitelisted protocols

Heuristic Detection Engine.

Mempool Manipulation

  • Sandwich attack signatures
  • Frontrun pattern detection
  • MEV extraction heuristics
  • Gas price spike anomalies
  • Priority order manipulation

Deploy-Time Threats

  • Honeypot token deployment
  • Hidden mint & fee-on-transfer
  • Factory rugpull patterns
  • Self-allocation detection
  • Fake renounced ownership

Liquidity & Trading

  • Liquidity manipulation signals
  • Wash trading patterns
  • Burst minting inflation
  • Approval phishing sequences
  • Flash loan abuse detection

Contract Behavior

  • Reentrancy call sequences
  • Self-destruct trigger paths
  • Delegatecall to untrusted targets
  • Metamorphic redeployment
  • Infinite loop / gas griefing

The Alpha: ML Inference & Autonomous Response Pipeline.

From raw mempool data to automated action in under 2 seconds.

Every transaction is streamed through a multi-stage pipeline that combines deterministic heuristics with ML classifiers. The system doesn't just tell you something is suspicious — it scores, classifies, and acts.

  • Feature Extraction: Real-time computation of 200+ features per tx — bytecode n-grams, call graph topology, gas profiling, temporal deltas.
  • Model Inference: Ensemble of gradient-boosted trees and lightweight neural nets. Sub-millisecond inference per transaction.
  • Agent Dispatch: When confidence exceeds configurable thresholds, AI agents execute predefined playbooks — alert, block, report, or escalate.
  • Feedback Loop: Every human review and agent action is logged as training data for the next model iteration.
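The dispatch stage described above (confidence thresholds selecting a playbook, agents bounded by guardrails, every decision logged) is easy to get wrong if the on-chain actions are not gated separately from the alerting ones. The following is an added illustration, not Watchtower's own runtime or policy: the action names, thresholds, whitelist and rate limit are constructed assumptions, and the audit log is a plain list standing in for whatever store a real deployment uses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Confidence needed for each playbook action (constructed policy, not the product's defaults).
# Later entries are more intrusive; on-chain ones are additionally gated by Guardrails.
ACTION_THRESHOLDS: Dict[str, float] = {
    "alert": 0.50,
    "report": 0.70,
    "flag": 0.80,
    "block": 0.90,   # private-relay submission to keep a tx out of the public mempool
    "pause": 0.95,   # protocol circuit-breaker on a whitelisted contract
}


@dataclass(frozen=True)
class ScoredEvent:
    tx_hash: str
    label: str          # classifier label, e.g. "sandwich" or "rugpull_factory"
    confidence: float   # ensemble output in [0, 1]
    target: str         # contract or protocol the event touches


@dataclass
class Guardrails:
    pause_whitelist: Tuple[str, ...]      # only these contracts may be paused automatically
    human_review_labels: Tuple[str, ...]  # labels that are never actioned on-chain without a human
    max_onchain_per_hour: int = 2         # blast-radius cap on autonomous on-chain actions


@dataclass
class AgentRuntime:
    rails: Guardrails
    audit_log: List[Dict] = field(default_factory=list)
    onchain_actions: List[int] = field(default_factory=list)  # timestamps of block/pause executions

    def decide(self, ev: ScoredEvent, now: int) -> List[str]:
        """Return the actions to execute for one scored event; log every decision either way."""
        chosen: List[str] = []
        for action, threshold in ACTION_THRESHOLDS.items():
            if ev.confidence < threshold:
                self._log(ev, action, "skip", "below_threshold", now)
                continue
            if action in ("block", "pause"):
                reason = self._onchain_guard(ev, action, now)
                if reason:
                    # Guardrail hit: hand the decision to a human instead of acting.
                    self._log(ev, action, "escalate", reason, now)
                    if "escalate" not in chosen:
                        chosen.append("escalate")
                    continue
                self.onchain_actions.append(now)
            chosen.append(action)
            self._log(ev, action, "execute", "policy_match", now)
        return chosen

    def _onchain_guard(self, ev: ScoredEvent, action: str, now: int) -> str:
        """Return '' if the on-chain action is allowed, else the reason it is not."""
        if ev.label in self.rails.human_review_labels:
            return "label_requires_human_review"
        if action == "pause" and ev.target not in self.rails.pause_whitelist:
            return "target_not_whitelisted"
        recent = [t for t in self.onchain_actions if now - t < 3600]
        if len(recent) >= self.rails.max_onchain_per_hour:
            return "onchain_rate_limit"
        return ""

    def _log(self, ev: ScoredEvent, action: str, decision: str, reason: str, now: int) -> None:
        self.audit_log.append({
            "ts": now, "tx": ev.tx_hash, "label": ev.label, "confidence": ev.confidence,
            "action": action, "decision": decision, "reason": reason,
        })


if __name__ == "__main__":
    rt = AgentRuntime(Guardrails(pause_whitelist=("0xProtoVault",),
                                 human_review_labels=("governance_anomaly",)))
    # Constructed events: a high-confidence sandwich, a rugpull factory on an unknown pool,
    # and a label that policy reserves for human review.
    for ev in (ScoredEvent("0xe1", "sandwich", 0.94, "0xUnknownPool"),
               ScoredEvent("0xe2", "rugpull_factory", 0.97, "0xUnknownPool"),
               ScoredEvent("0xe3", "governance_anomaly", 0.99, "0xProtoVault")):
        print(ev.tx_hash, rt.decide(ev, now=1000))
    for entry in rt.audit_log:
        if entry["decision"] == "escalate":
            print("escalated:", entry["tx"], entry["action"], entry["reason"])
```

The point of the structure is that the threshold table alone never authorises an on-chain action: `block` and `pause` always pass through `_onchain_guard`, and a refused action becomes an `escalate` entry rather than silently disappearing, so the audit log shows both what the agent did and what it declined to do.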

Monitoring & Response Interface.

Full observability into the heuristic pipeline, ML classifications, and agent actions.

  • Mempool Stream (live stream): real-time heuristic-scored transaction feed with severity tags.
  • Threat Cluster Map (network graph): ML-classified clusters of related adversarial addresses and contracts.
  • AI Classification Dashboard (entity view): model confidence scores, feature breakdowns, and explainable predictions.
  • Agent Action Log (HUD): timeline of autonomous countermeasures and their outcomes.
  • Threat Heatmap: real-time visualization of risk concentration across protocols and addresses.
  • Heuristic Rule Inspector (contract analysis): per-tx breakdown of triggered heuristic rules and ML feature contributions.

Terminal Platform Interface.

Power-user TUI for advanced forensics and analysis.

  • List View: overview of monitored contracts.
  • Details View: in-depth contract information.
  • Transaction History: multi-layered transaction analysis.
  • ABI Inspector: contract interface exploration.
  • Help System: comprehensive command reference.
  • Real-time Statistics: live monitoring and analytics.

Read more about the TUI here.

Case Studies: AI in Action.

1. Autonomous Sandwich Block

Scenario: A MEV bot deployed a sandwich attack targeting a large Uniswap swap.

Watchtower Detection: Mempool heuristics flagged the frontrun + victim + backrun tx sequence. ML classifier scored it at 0.94 confidence.

Agent Action: Alert dispatched to Telegram and Discord within 800ms. High-confidence threshold triggered auto-submission to the Flashbots relay — sandwich blocked before execution.

Outcome: Victim swap executed without MEV extraction. Estimated $12,000 in user value protected.
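The "frontrun + victim + backrun" sequence that the case study says the mempool heuristics flagged can be expressed as a small ordering check. The code below is an added example written for this page, not Watchtower's heuristic engine: the `Swap` model, the pool/token naming and the score weights are constructed assumptions, and the sample ordering is a made-up three-swap block followed by an unrelated swap.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Swap:
    """One swap in block/bundle order, as a mempool monitor would decode it (constructed model)."""
    tx_hash: str
    sender: str
    pool: str
    token_in: str
    token_out: str
    gas_price_gwei: int


@dataclass(frozen=True)
class SandwichHit:
    frontrun: str
    victim: str
    backrun: str
    attacker: str
    score: float


def detect_sandwiches(ordered: List[Swap], max_gap: int = 3) -> List[SandwichHit]:
    """Find frontrun -> victim -> backrun triplets in an ordered list of swaps.

    Signature used here: the frontrun and backrun share a sender and a pool and trade in
    opposite directions; a third party trades in the frontrun's direction in between.
    """
    hits: List[SandwichHit] = []
    n = len(ordered)
    for i in range(n):
        a = ordered[i]
        for k in range(i + 2, min(n, i + 2 + max_gap)):
            c = ordered[k]
            # Backrun candidate: same sender, same pool, reverses the frontrun.
            if c.sender != a.sender or c.pool != a.pool:
                continue
            if not (c.token_in == a.token_out and c.token_out == a.token_in):
                continue
            for j in range(i + 1, k):
                v = ordered[j]
                # Victim candidate: different sender, same pool, same direction as the frontrun.
                if v.sender == a.sender or v.pool != a.pool:
                    continue
                if v.token_in != a.token_in or v.token_out != a.token_out:
                    continue
                score = 0.7  # base score for the structural match (constructed weights)
                if a.gas_price_gwei > v.gas_price_gwei:
                    score += 0.15  # frontrun outbids the victim to land first
                if c.gas_price_gwei <= v.gas_price_gwei:
                    score += 0.10  # backrun priced to sit just behind the victim
                if k - i == 2:
                    score += 0.05  # tight triplet with nothing in between
                hits.append(SandwichHit(a.tx_hash, v.tx_hash, c.tx_hash, a.sender,
                                        round(min(score, 1.0), 2)))
    return hits


# Constructed sample ordering: bot buys USDC, user buys USDC, bot sells USDC, unrelated swap.
SAMPLE_ORDERING = [
    Swap("0xa1", "0xbot", "WETH/USDC", "WETH", "USDC", 95),
    Swap("0xb2", "0xuser", "WETH/USDC", "WETH", "USDC", 40),
    Swap("0xc3", "0xbot", "WETH/USDC", "USDC", "WETH", 40),
    Swap("0xd4", "0xother", "WETH/DAI", "DAI", "WETH", 30),
]

if __name__ == "__main__":
    for hit in detect_sandwiches(SAMPLE_ORDERING):
        print(hit)
```

Two caveats a practitioner would attach to this heuristic: a structural triplet alone is weak evidence (arbitrage and market-making produce similar shapes), which is why the score is capped and meant to feed a classifier rather than trigger an action on its own; and the `max_gap` bound keeps the scan linear-ish on a busy block instead of comparing every pair.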

2. ML-Identified Rugpull Factory

Scenario: 6 contracts deployed from a fresh EOA within 3 minutes. Each had unique names but identical bytecode.

Watchtower Detection: Bytecode clustering flagged the factory pattern. ML model classified as "coordinated rugpull deployment" at 0.97 confidence based on historical deployer behavior features.

Agent Action: All 6 addresses auto-flagged across integrated threat databases. Webhook pushed forensic report to the team's case management system. Escalation sent to PagerDuty on-call.

Outcome: Team investigated and confirmed before any liquidity was added. Potential $340k loss prevented.
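The bytecode clustering the second case study describes (several contracts from one fresh EOA in a short window, different names but the same code) can be checked with a per-deployer window over a fingerprint of the runtime bytecode. This is an added example, not Watchtower's clustering code: the `Deployment` model, the SHA-256 fingerprint (a real pipeline would likely use the chain's own keccak code hash), the 180-second window, the count threshold and the "fresh EOA" nonce cut-off are constructed assumptions, and the sample deployments are made up.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Deployment:
    contract: str
    deployer: str
    deployer_nonce: int   # nonce of the creating tx; a low value suggests a freshly funded EOA
    runtime_code: bytes   # code at the new address after creation (constructor args excluded)
    timestamp: int        # unix seconds


@dataclass(frozen=True)
class FactoryCluster:
    deployer: str
    code_hash: str
    contracts: Tuple[str, ...]
    span_seconds: int
    fresh_deployer: bool


def code_fingerprint(code: bytes) -> str:
    """Fingerprint of runtime code; identical code gives identical hashes regardless of name."""
    return hashlib.sha256(code).hexdigest()[:16]


def find_factory_clusters(deps: List[Deployment], min_count: int = 3,
                          window: int = 180, fresh_nonce_max: int = 10) -> List[FactoryCluster]:
    """Group deployments by (deployer, code hash) and flag the densest window over the threshold."""
    groups: Dict[Tuple[str, str], List[Deployment]] = defaultdict(list)
    for d in deps:
        groups[(d.deployer, code_fingerprint(d.runtime_code))].append(d)

    clusters: List[FactoryCluster] = []
    for (deployer, h), items in groups.items():
        items.sort(key=lambda d: d.timestamp)
        best, best_size, left = None, 0, 0
        # Sliding window: [left, right] always spans at most `window` seconds.
        for right in range(len(items)):
            while items[right].timestamp - items[left].timestamp > window:
                left += 1
            size = right - left + 1
            if size >= min_count and size > best_size:
                best, best_size = (left, right), size
        if best is not None:
            sub = items[best[0]:best[1] + 1]
            clusters.append(FactoryCluster(
                deployer=deployer,
                code_hash=h,
                contracts=tuple(d.contract for d in sub),
                span_seconds=sub[-1].timestamp - sub[0].timestamp,
                fresh_deployer=min(d.deployer_nonce for d in sub) <= fresh_nonce_max,
            ))
    return clusters


# Constructed sample: six identical deployments from a fresh EOA within three minutes,
# two unrelated deployments from an established deployer, and one lone copy elsewhere.
T0 = 1_700_000_000
FACTORY_CODE = bytes.fromhex("608060405234801561001057600080fd5bfe")
OTHER_CODE = bytes.fromhex("6080604052600436106100295760003560e01c")
SAMPLE_DEPLOYMENTS = [
    Deployment(f"0xtoken{i}", "0xfresh", i, FACTORY_CODE, T0 + dt)
    for i, dt in enumerate([0, 30, 60, 90, 120, 170])
] + [
    Deployment("0xvault1", "0xdevteam", 312, OTHER_CODE, T0),
    Deployment("0xvault2", "0xdevteam", 313, OTHER_CODE, T0 + 3600),
    Deployment("0xsolo", "0xsolo_eoa", 2, FACTORY_CODE, T0 + 500),
]

if __name__ == "__main__":
    for c in find_factory_clusters(SAMPLE_DEPLOYMENTS):
        print(c)
```

Keying on runtime code rather than creation code is what makes "unique names but identical bytecode" collapse into one group, since token names are usually constructor arguments that only differ in the creation payload. The lone copy from `0xsolo_eoa` shows why the grouping key includes the deployer: the same code reused by an unrelated address is a different signal (possible clone or fork) and is not counted toward the factory burst.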

Technology: Built for Speed, Automation & Privacy.

Heuristic Stream Processor
Low-latency rule engine processing mempool events through 200+ configurable heuristics with sub-millisecond evaluation.

ML Inference Pipeline (ONNX / TensorRT)
Quantized model deployment for real-time inference. Ensemble of lightweight classifiers running on CPU with ~500µs per prediction.

AI Agent Framework
Modular agent runtime supporting custom playbooks, conditional logic, and integration with on-chain and off-chain actions. Compatible with LangGraph and custom agent chains.

Webhook Gateway & Alert Router
Configurable routing with retry, deduplication, and rate-limiting. Supports Slack, Discord, Telegram, PagerDuty, email, and any HTTP(S) endpoint.
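The three router properties named here (per-channel severity thresholds, deduplication, rate limiting) plus retry are worth seeing together, because each one changes what a downstream on-call engineer actually receives. The following is an added example, not Watchtower's router: the channel names, windows and limits are constructed, the JSON payload shape is an assumption, and the flaky transport is a stand-in for a real HTTP client.

```python
import json
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    rule: str          # heuristic or model that fired
    subject: str       # address or tx hash it fired on
    severity: str
    confidence: float
    ts: int            # unix seconds

    def dedup_key(self) -> str:
        # The same rule firing on the same subject inside the window is one incident.
        return f"{self.rule}:{self.subject}"


@dataclass
class Channel:
    name: str
    min_severity: str
    dedup_window: int       # seconds during which a repeated key is suppressed
    rate_limit: int         # max deliveries per rate_window
    rate_window: int = 60
    last_sent: Dict[str, int] = field(default_factory=dict)
    sent_at: Deque[int] = field(default_factory=deque)

    def admit(self, alert: Alert, now: int) -> str:
        """Return '' if the alert should be delivered, else the suppression reason."""
        if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[self.min_severity]:
            return "below_threshold"
        last = self.last_sent.get(alert.dedup_key())
        if last is not None and now - last < self.dedup_window:
            return "duplicate"
        while self.sent_at and now - self.sent_at[0] >= self.rate_window:
            self.sent_at.popleft()            # drop timestamps outside the rate window
        if len(self.sent_at) >= self.rate_limit:
            return "rate_limited"
        self.last_sent[alert.dedup_key()] = now
        self.sent_at.append(now)
        return ""


def route(alert: Alert, channels: List[Channel], now: int
          ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Fan one alert out to every channel; return (deliveries, suppressions)."""
    payload = json.dumps({"rule": alert.rule, "subject": alert.subject,
                          "severity": alert.severity, "confidence": alert.confidence,
                          "ts": alert.ts}, sort_keys=True)
    deliveries, suppressed = [], []
    for ch in channels:
        reason = ch.admit(alert, now)
        if reason:
            suppressed.append((ch.name, reason))
        else:
            deliveries.append((ch.name, payload))
    return deliveries, suppressed


def deliver_with_retry(send: Callable[[str], bool], payload: str, attempts: int = 3) -> int:
    """Call the transport until it succeeds; return the attempt count or raise after the last one."""
    for n in range(1, attempts + 1):
        if send(payload):
            return n
    raise RuntimeError(f"delivery failed after {attempts} attempts")


def make_flaky_transport(fail_first: int) -> Callable[[str], bool]:
    """Constructed transport that fails its first `fail_first` calls, then succeeds."""
    state = {"calls": 0}

    def send(_payload: str) -> bool:
        state["calls"] += 1
        return state["calls"] > fail_first
    return send


def run_scenario() -> List[Tuple[str, List[str], List[Tuple[str, str]]]]:
    """Replay a constructed alert stream through two channels and record each routing outcome."""
    channels = [Channel("webhook", "low", dedup_window=300, rate_limit=2),
                Channel("pagerduty", "critical", dedup_window=600, rate_limit=1)]
    stream = [
        Alert("sandwich", "0xaaa", "high", 0.94, 0),
        Alert("sandwich", "0xaaa", "high", 0.95, 10),       # repeat of the first incident
        Alert("rugpull_factory", "0xbbb", "high", 0.97, 20),
        Alert("honeypot", "0xccc", "high", 0.88, 30),        # third webhook delivery in 60s
        Alert("reentrancy", "0xddd", "critical", 0.99, 40),
    ]
    log = []
    for a in stream:
        delivered, suppressed = route(a, channels, a.ts)
        log.append((a.dedup_key(), [name for name, _ in delivered], suppressed))
    return log


if __name__ == "__main__":
    for key, delivered, suppressed in run_scenario():
        print(key, "->", delivered, suppressed)
    print("attempts needed:", deliver_with_retry(make_flaky_transport(1), "{}"))
```

Note the order of the checks inside `admit`: severity and deduplication are evaluated before the rate limiter consumes a slot, so a duplicate never burns quota, and the critical alert still reaches the escalation channel even while the noisier channel is saturated.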

High-Throughput Go API
Custom backend services for historical data aggregation, cross-chain signal normalization, and agent state management.

Local-First Forensics
All case data, alert history, and agent logs stored locally. We don't see your alpha.

Modular Design
Decoupled pipeline stages — swap heuristic sets, swap ML models, swap agent playbooks without rebuilding.

Our Philosophy.

Autonomous security should be transparent, explainable, and in your control.

We believe automated threat response doesn't have to be a black box. Every heuristic rule is inspectable. Every ML prediction includes feature attribution. Every agent action is logged and auditable.

By putting real-time intelligence and autonomous action in the hands of security teams — rather than behind proprietary walls — we're building a safer, more transparent cryptoeconomic ecosystem where threats are intercepted before they cause harm, not investigated after the fact.

Project Tiers.

1. Security Researcher

Open Source / Free

  • Full heuristic monitoring dashboard
  • Basic ML classification
  • Webhook alerting (single endpoint)
  • Local-first privacy

2. Pro Analyst / Team

Hosted SaaS

  • Advanced ML models + custom training
  • Multi-channel alerting (Slack, Discord, Telegram, PagerDuty)
  • AI agent playbooks (auto-flag, auto-report)
  • Team collaboration & case management

3. Enterprise Protocol

Institutional

  • Custom heuristic rules & ML models
  • On-chain agent actions (pause, freeze, circuit-breaker)
  • Flashbots relay integration for tx blocking
  • SLA support, dedicated infrastructure

Support the Project.

Help us build the future of autonomous blockchain threat response.

ETH/ERC20: 0x968cC7D93c388614f620Ef812C5fdfe64029B92d

BTC: bc1qkmzc6d49fl0edyeynezwlrfqv486nmk6p5pmta

Every contribution helps us improve detection models, add new heuristics, and expand agent capabilities.

Frequently Asked Questions.

What heuristics does the system monitor?

The engine evaluates 200+ configurable heuristics across categories including mempool manipulation (sandwich, frontrun, MEV), deploy-time threats (honeypot, rugpull patterns), liquidity & trading signals (wash trading, burst minting, flash loan abuse), and contract behavior (reentrancy, self-destruct, delegatecall risks).

How are the ML models trained?

Models are trained on a continuously growing dataset of 10,000+ verified on-chain exploits. Training uses labeled transaction data with feature vectors extracted from bytecode, call sequences, temporal patterns, and economic impact. The ensemble combines gradient-boosted trees for interpretability with lightweight neural networks for edge-case coverage.

What notification systems are supported?

Our multi-channel alert router supports webhooks (any HTTP endpoint), Slack, Discord, Telegram, email, PagerDuty, and custom integrations via our API. Each channel has configurable severity thresholds, deduplication, and rate-limiting.

Can AI agents take on-chain actions?

Yes. Enterprise-tier deployments can configure agents to submit transactions to Flashbots relays (for tx blocking), invoke protocol-level pause/freeze functions on whitelisted contracts, and interact with private mempools. All agent actions are logged, auditable, and bounded by configurable guardrails.