This study addresses the challenge of imitative cascading attacks in decentralized finance (DeFi), which frequently evade existing passive detection systems due to their inability to rapidly derive generalized rules from initial attack instances, thereby allowing subsequent exploits to succeed. To overcome this limitation, the authors propose an automated rule-extraction method based on semantic abstraction and transaction logic matching. By integrating open-source protocol semantics with contract labeling for the first time, the approach enables high-fidelity abstraction of attack logic and robust matching even under noisy transaction traces. Evaluated on real-world data, the method achieves 98% accuracy, a 1% false positive rate, and a 3% false negative rate, demonstrating significantly enhanced generalization capability. Furthermore, it successfully uncovers 56 previously undisclosed attack incidents over the past three years.

As blockchain ecosystems grow, financially motivated attackers increasingly exploit decentralized finance (DeFi) protocols, causing frequent and severe losses. Unlike conventional cyberattacks, DeFi exploits propagate rapidly due to the transparent and composable nature of smart contracts. We identify a critical pattern, Imitative Attack Cascade: an initial successful exploit is quickly followed by mimicking transactions that reuse attack logic with minor modifications or parameter changes. Our empirical analysis shows that over 69% of DeFi attacks exhibit strong behavioral similarity to earlier incidents, often within hours or days of the initial attack. This exposes a fundamental limitation in current reactive detection. Initial attacks are typically flagged via heuristic alerts (Tornado Cash traces, anomalous nonce usage, exploiter labels), but turning these signals into detection rules requires manual validation and handcrafted trace analysis -- a labor-intensive, slow process that leaves follow-up attacks to spread. Our goal is to ensure that once an attack has been observed, even a single instance, it can be rapidly abstracted into an actionable, generalizable detection rule. We decompose the problem into two challenges: (I) abstracting the semantics of diverse, obscure function signatures, and (II) matching transaction logic in noisy, evasive traces. We leverage two insights: (i) the open-source nature of most DeFi protocols enables high-fidelity semantic classification of function signatures; (ii) contract labels isolate essential logic by filtering irrelevant calls and classifying attack intent. Building on these, we develop GenDetect, which achieves ACC 98%, FPR 1%, FNR 3% and discovers 56 previously unrevealed attacks from the past three years. Source code and dataset: https://github.com/NobodyIsAnonymous/GenDetect_ICSE2026