ETH Watchtower
Real-Time Heuristics Monitoring & AI-Driven Response
The Problem: Threats Move Faster Than Your Team.
Every block carries risk. Malicious actors deploy exploit contracts, launch sandwich attacks, and manipulate liquidity — all within seconds. Security teams are drowning in data and reacting too late:
- Reaction Lag: By the time your team analyses a suspicious tx, the attacker has already exited.
- Alert Fatigue: Raw mempool data generates noise. Critical signals are buried under thousands of benign events.
- No Automation: Detection without action is just another dashboard. Teams need autonomous response, not more charts.
You need more than monitoring. You need autonomous threat interception.
Core Capabilities
1. Mempool Intelligence
Real-time heuristic stream processing across the entire mempool. Filter, classify, and score 100,000+ transactions per second using deterministic rule sets tuned for EVM threat patterns.
2. ML / AI Analysis Engine
Online inference pipeline trained on labeled exploit data. Feature extraction covers bytecode, call patterns, gas profiling, and temporal sequencing. Confidence-scored classifications with explainable predictions.
- Anomaly Detection: Unsupervised clustering of deviant tx patterns
- Classifier Models: Supervised models trained on 10,000+ verified exploits
- Continuous Retraining: Feedback loop from analyst actions and alert outcomes
3. Multi-Channel Alerting
Route every flagged event through configurable notification pipelines. No event is missed.
- Webhook Gateway: POST JSON payloads to any HTTP endpoint
- Slack / Discord: Rich embed messages with severity, heuristics breakdown, and action buttons
- Telegram / Email / PagerDuty: Tiered escalation for critical and high-severity events
4. AI Agent Actions
Autonomous countermeasures triggered by heuristics and ML confidence thresholds. Agents operate within configurable guardrails.
- Auto-Flag: Tag addresses and contracts across internal and external threat databases
- Auto-Block: Submit txs to flashbot relays / private mempools to prevent execution
- Auto-Report: Generate structured forensic reports and push to case management systems
- Smart Contract Integration: Agents can invoke pausing, freezing, or circuit-breaker functions on whitelisted protocols
Heuristic Detection Engine.
Mempool Manipulation
- Sandwich attack signatures
- Frontrun pattern detection
- MEV extraction heuristics
- Gas price spike anomalies
- Priority order manipulation
Deploy-Time Threats
- Honeypot token deployment
- Hidden mint & fee-on-transfer
- Factory rugpull patterns
- Self-allocation detection
- Fake renounced ownership
Liquidity & Trading
- Liquidity manipulation signals
- Wash trading patterns
- Burst minting inflation
- Approval phishing sequences
- Flash loan abuse detection
Contract Behavior
- Reentrancy call sequences
- Self-destruct trigger paths
- Delegatecall to untrusted targets
- Metamorphic redeployment
- Infinite loop / gas griefing
The Alpha: ML Inference & Autonomous Response Pipeline.
From raw mempool data to automated action in under 2 seconds.
Every transaction is streamed through a multi-stage pipeline that combines deterministic heuristics with ML classifiers. The system doesn't just tell you something is suspicious — it scores, classifies, and acts.
- Feature Extraction: Real-time computation of 200+ features per tx — bytecode n-grams, call graph topology, gas profiling, temporal deltas.
- Model Inference: Ensemble of gradient-boosted trees and lightweight neural nets. Sub-millisecond inference per transaction.
- Agent Dispatch: When confidence exceeds configurable thresholds, AI agents execute predefined playbooks — alert, block, report, or escalate.
- Feedback Loop: Every human review and agent action is logged as training data for the next model iteration.
Monitoring & Response Interface.
Full observability into the heuristic pipeline, ML classifications, and agent actions.

Mempool Stream
Real-time heuristic-scored transaction feed with severity tags.

Threat Cluster Map
ML-classified clusters of related adversarial addresses and contracts.

AI Classification Dashboard
Model confidence scores, feature breakdowns, and explainable predictions.

Agent Action Log
Timeline of autonomous countermeasures and their outcomes.

Threat Heatmap
Real-time visualization of risk concentration across protocols and addresses.

Heuristic Rule Inspector
Per-tx breakdown of triggered heuristic rules and ML feature contributions.
Terminal Platform Interface.
Power-user TUI for advanced forensics and analysis.

List View
Overview of monitored contracts.

Details View
In-depth contract information.

Transaction History
Multi-layered transaction analysis.

ABI Inspector
Contract interface exploration.

Help System
Comprehensive command reference.

Real-time statistics
Live monitoring and analytics.
Read more about the TUI here.
Case Studies: AI in Action.
1. Autonomous Sandwich Block
Scenario: A MEV bot deployed a sandwich attack targeting a large Uniswap swap.
Watchtower Detection: Mempool heuristics flagged the frontrun + victim + backrun tx sequence. ML classifier scored it at 0.94 confidence.
Agent Action: Alert dispatched to Telegram and Discord within 800ms. High-confidence threshold triggered auto-submission to flashbots relay — sandwich blocked before execution.
Outcome: Victim swap executed without MEV extraction. Estimated $12,000 in user value protected.
2. ML-Identified Rugpull Factory
Scenario: 6 contracts deployed from a fresh EOA within 3 minutes. Each had unique names but identical bytecode.
Watchtower Detection: Bytecode clustering flagged the factory pattern. ML model classified as "coordinated rugpull deployment" at 0.97 confidence based on historical deployer behavior features.
Agent Action: All 6 addresses auto-flagged across integrated threat databases. Webhook pushed forensic report to the team's case management system. Escalation sent to PagerDuty on-call.
Outcome: Team investigated and confirmed before any liquidity was added. Potential $340k loss prevented.
Technology: Built for Speed, Automation & Privacy.
Heuristic Stream Processor
Low-latency rule engine processing mempool events through 200+ configurable heuristics with sub-millisecond evaluation.
ML Inference Pipeline (ONNX / TensorRT)
Quantized model deployment for real-time inference. Ensemble of lightweight classifiers running on CPU with ~500µs per prediction.
AI Agent Framework
Modular agent runtime supporting custom playbooks, conditional logic, and integration with on-chain and off-chain actions. Compatible with LangGraph and custom agent chains.
Webhook Gateway & Alert Router
Configurable routing with retry, deduplication, and rate-limiting. Supports Slack, Discord, Telegram, PagerDuty, email, and any HTTP(S) endpoint.
High-Throughput Go API
Custom backend services for historical data aggregation, cross-chain signal normalization, and agent state management.
Local-First Forensics
All case data, alert history, and agent logs stored locally. We don't see your alpha.
Modular Design
Decoupled pipeline stages — swap heuristic sets, swap ML models, swap agent playbooks without rebuilding.
Our Philosophy.
Autonomous security should be transparent, explainable, and in your control.
We believe automated threat response doesn't have to be a black box. Every heuristic rule is inspectable. Every ML prediction includes feature attribution. Every agent action is logged and auditable.
By putting real-time intelligence and autonomous action in the hands of security teams — rather than behind proprietary walls — we're building a safer, more transparent cryptoeconomic ecosystem where threats are intercepted before they cause harm, not investigated after the fact.
Project Tiers.
1. Security Researcher
Open Source / Free
- Full heuristic monitoring dashboard
- Basic ML classification
- Webhook alerting (single endpoint)
- Local-first privacy
2. Pro Analyst / Team
Hosted SaaS
- Advanced ML models + custom training
- Multi-channel alerting (Slack, Discord, Telegram, PagerDuty)
- AI agent playbooks (auto-flag, auto-report)
- Team collaboration & case management
3. Enterprise Protocol
Institutional
- Custom heuristic rules & ML models
- On-chain agent actions (pause, freeze, circuit-breaker)
- Flashbots relay integration for tx blocking
- SLA support, dedicated infrastructure
Support the Project.
Help us build the future of autonomous blockchain threat response.
ETH/ERC20
0x968cC7D93c388614f620Ef812C5fdfe64029B92d
BTC
bc1qkmzc6d49fl0edyeynezwlrfqv486nmk6p5pmta
Every contribution helps us improve detection models, add new heuristics, and expand agent capabilities.
Frequently Asked Questions.
What heuristics does the system monitor?
The engine evaluates 200+ configurable heuristics across categories including mempool manipulation (sandwich, frontrun, MEV), deploy-time threats (honeypot, rugpull patterns), liquidity & trading signals (wash trading, burst minting, flash loan abuse), and contract behavior (reentrancy, self-destruct, delegatecall risks).
How are the ML models trained?
Models are trained on a continuously growing dataset of 10,000+ verified on-chain exploits. Training uses labeled transaction data with feature vectors extracted from bytecode, call sequences, temporal patterns, and economic impact. The ensemble combines gradient-boosted trees for interpretability with lightweight neural networks for edge-case coverage.
What notification systems are supported?
Our multi-channel alert router supports webhooks (any HTTP endpoint), Slack, Discord, Telegram, email, PagerDuty, and custom integrations via our API. Each channel has configurable severity thresholds, deduplication, and rate-limiting.
Can AI agents take on-chain actions?
Yes. Enterprise-tier deployments can configure agents to submit transactions to flashbots relays (for tx blocking), invoke protocol-level pause/freeze functions on whitelisted contracts, and interact with private mempools. All agent actions are logged, auditable, and bounded by configurable guardrails.
Initialising forensic document...