Runtime Detection & Forensics
Execution Property Graphs for Smart Contract Security
Smart contract monitoring usually breaks down because runtime behavior is hard to express in a form detectors can reuse. This paper proposes a better intermediate representation for the job.
The core contribution is the Execution Property Graph, introduced through the Clue framework. Rather than treat each transaction as a flat trace, the paper captures runtime facts in a graph structure that lets detection logic reason across the execution in a more systematic way.
- A reusable execution model. Execution Property Graphs capture critical runtime information from EVM executions in a unified representation.
- Built for hard-to-model attack patterns. Clue uses graph traversal to detect attacks such as read-only reentrancy and price manipulation.
- Operational, not just academic. The evaluation reports strong detection performance and positions the approach for both forensic analysis and real-time intrusion detection.
Why this matters
Security tooling gets bottlenecked by its internal representation. If the runtime model is weak, every detector built on top of it inherits that weakness.
- Security tooling needs better primitives. A more expressive execution model lets detection systems reason about behavior instead of chasing ad hoc heuristics.
- Forensics and monitoring can share the same foundation. The same representation is useful after an incident and while one is still unfolding.
- This is productizable research. The paper points toward security systems that can explain behavior, not just score anomalies.
This line of work points toward monitoring that explains what happened instead of only flagging that something looks wrong. For incident response support and live exploit intelligence, reach us at [email protected].