Detection principles
- Prefer local checks for speed and privacy.
- Require multiple signals for high-impact blocks.
- Explain every warning in human terms.
Signals we analyze
- URL structure and redirect behavior
- Page scripts and wallet connection flows
- Smart contract bytecode and function selectors
- Transaction intent, value movement, and approvals
- Reputation data for addresses and domains
Detection flow
- Fast checks run locally for immediate warnings.
- A deeper analysis runs when higher risk is suspected.
- A final decision is made from combined signals.
Response actions
- Warn when signals are suspicious but unconfirmed
- Block when evidence is high confidence
- Explain why a risk was surfaced so you can decide
Model safety
Models are used for classification, but every decision is constrained by rule-based safeguards so false positives do not automatically block actions.Confidence levels
ChainGuard assigns a confidence score alongside risk. A medium confidence warning suggests you should review details, while a high confidence block indicates multiple independent signals confirm malicious behavior.Handling false positives
If you believe a warning is incorrect, report it directly from the extension. This feeds back into signal validation and helps the system improve without reducing baseline protection.Next steps
- See how results are summarized in Risk scoring.
- Learn about the model pipeline in AI engine.