What counts as malware
In Web3, malware is not just a file on your device. It can be a contract that traps funds, a script that changes your transaction destination, or a fake UI that tricks you into unlimited approvals. ChainGuard treats these behaviors as malware because they lead to the loss of assets or to someone else gaining control of them.
Detection focus
- Contract bytecode patterns associated with traps or ownership abuse
- Token approval flows that exceed normal behavior
- Script injection attempts that modify wallet actions
Analysis flow
- Decode and classify contract calls.
- Evaluate permissions and potential value movement.
- Compare to known malicious behavior signatures.
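An added example, not ChainGuard's own code, of the first two steps of this flow for token approvals: it decodes calldata for three standard token functions and flags unlimited approvals. The risk levels, the `UNLIMITED` threshold and the sample address are assumptions made for illustration.

```python
import re

# Function selectors: first 4 bytes of keccak256 of the signature.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address,uint256)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address,bool)
    "a9059cbb": "transfer",           # transfer(address,uint256)
}
UNLIMITED = 2**255  # assumption: allowances this large are effectively unlimited


def decode_call(calldata):
    """Decode selector plus two static 32-byte ABI words; raise ValueError if malformed."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if not re.fullmatch(r"[0-9a-f]{8,}", data):
        raise ValueError("calldata is not hex or is shorter than a selector")
    name = SELECTORS.get(data[:8])
    if name is None:
        return {"function": "unknown", "selector": data[:8]}
    body = data[8:]
    # The address word must have 12 zero bytes of left padding.
    if len(body) != 128 or int(body[:24], 16) != 0:
        raise ValueError("malformed arguments for " + name)
    return {"function": name, "party": "0x" + body[24:64], "value": int(body[64:], 16)}


def classify(calldata):
    """Return (level, reason); anything uncertain is flagged rather than passed."""
    try:
        call = decode_call(calldata)
    except ValueError as exc:
        return ("warn", str(exc))
    fn, value = call["function"], call.get("value")
    if fn == "unknown":
        return ("warn", "unrecognised selector " + call["selector"])
    if fn == "approve":
        if value == 0:
            return ("low", "allowance revoked")
        if value >= UNLIMITED:
            return ("high", "unlimited allowance to " + call["party"])
        return ("medium", "bounded allowance to " + call["party"])
    if fn == "setApprovalForAll":
        if value > 1:
            return ("warn", "malformed bool argument")
        if value == 1:
            return ("high", "operator control granted to " + call["party"])
        return ("low", "operator revoked")
    return ("medium", "transfer of %d units to %s" % (value, call["party"]))


def sample(selector, value, party="deadbeef"):
    """Build constructed calldata for demonstration; the address is made up."""
    return "0x" + selector + party.rjust(64, "0") + format(value, "064x")
```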
Your outcome
- A clear warning before you interact
- An explanation of the specific risk
- Guidance to proceed or cancel
Static and dynamic checks
Static checks look at bytecode and signatures without executing the contract. Dynamic checks simulate the transaction in a controlled environment to observe side effects like fund drains or hidden fees. You get a combined decision that favors safety when results are uncertain.
What you can do when alerted
- Stop the interaction and verify the contract address.
- Compare the UI to the official project site.
- Use the transaction simulation view to see exact fund movement.
Next steps
- Learn how scores are calculated in Risk scoring.
- Review end-to-end behavior in Threat detection.

