Following Devils' Footprint: Towards Real-time Detection of Price Manipulation Attacks

📅 2025-02-06
🤖 AI Summary
To address the challenge of real-time defense against price manipulation attacks in DeFi, this paper proposes, for the first time, a proactive pre-attack identification paradigm: threat assessment is performed immediately after a malicious contract is deployed but before the attack is executed. Methodologically, it abandons the conventional reliance on source code or runtime transaction traces. Instead, it constructs a lightweight Token Flow Graph (TFG) solely from bytecode, integrating control and data flows, and applies path pruning and sensitive-path focusing, with cross-contract static analysis performed where necessary. Its core innovation lies in shifting the detection perspective from victims to attackers, enabling on-chain real-time alerting. Evaluation shows 91.6% recall and ≈100% precision; 616 attack contracts deployed in the wild were identified, associated with potential losses of $9.25M; average alert latency is only 99 seconds on Ethereum and BSC, and seven of the flagged contracts had not yet executed their attacks.

📝 Abstract
Price manipulation attacks are one of the notorious threats in decentralized finance (DeFi) applications, which allow attackers to exchange tokens at a price that deviates extensively from the market. Existing efforts usually rely on reactive methods to identify such attacks after they have happened, e.g., detecting attack transactions in the post-attack stage, which cannot mitigate or prevent price manipulation attacks in a timely manner. From the perspective of attackers, they usually need to deploy attack contracts in the pre-attack stage. Thus, if we can identify these attack contracts in a proactive manner, we can raise alarms and mitigate the threats. With this core idea in mind, in this work, we shift our attention from the victims to the attackers. Specifically, we propose SMARTCAT, a novel approach for proactively identifying price manipulation attacks in the pre-attack stage. For generality, it conducts analysis on bytecode and does not require any source code or transaction data. For accuracy, it depicts the control- and data-flow dependency relationships among function calls in a token flow graph. For scalability, it filters out those suspicious paths, in which it conducts inter-contract analysis as necessary. To this end, SMARTCAT can pinpoint attacks in real time once they have been deployed on a chain. The evaluation results illustrate that SMARTCAT significantly outperforms existing baselines with 91.6% recall and ~100% precision. Moreover, SMARTCAT also uncovers 616 attack contracts in the wild, accounting for $9.25M in financial losses, with only 19 cases publicly reported. By applying SMARTCAT as a real-time detector on Ethereum and Binance Smart Chain, it has raised 14 alarms, on average 99 seconds after the corresponding deployment. These attacks have already led to $641K in financial losses, and seven of them are still waiting for their ripe time.

Problem

Research questions and friction points this paper is trying to address.

Detects price manipulation attacks proactively.
Analyzes bytecode for generality and accuracy.
Raises real-time alarms on attack deployments.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Proactive detection of attack contracts
Bytecode analysis without source code
Real-time token flow graph analysis

Bosi Zhang
Huazhong University of Science and Technology
Program Analysis, Blockchain Security
Ningyu He
The Hong Kong Polytechnic University
Xiaohui Hu
Huazhong University of Science and Technology
Kai Ma
Huazhong University of Science and Technology
Haoyu Wang
Huazhong University of Science and Technology