Address Lists

Address list filtering for whitelist/blacklist functionality in FailSafe expressions

Learning Objective

Understand how to implement address-based filtering using ruleScope configuration

Whitelist Mode - EOA Filtering

watchRule:

{
  "expressions": [
    "system.invoked(tx1.CompoundCToken.F.*)"
  ]
}

options:

{
  "ruleScope": {
    "contractName": "CompoundCToken",
    "groupId": "trusted_addresses",
    "member": false
  }
}
Concept: Whitelist mode - EOA filtering

Detects Compound cToken function calls from addresses NOT in the trusted list (alerts on untrusted addresses) - uses transaction 'from' field for EOA filtering to monitor Compound interactions from untrusted wallets

Blacklist Mode - Event Monitoring

watchRule:

{
  "expressions": [
    "system.emitted(tx1.UniswapV2Pair.E.*)"
  ]
}

options:

{
  "ruleScope": {
    "contractName": "UniswapV2Pair",
    "groupId": "suspicious_addresses",
    "member": true
  }
}
Concept: Blacklist mode - event monitoring

Detects Uniswap V2 pair events from addresses that ARE in the suspicious list (alerts on blacklisted addresses) - uses transaction 'from' field for EOA filtering to monitor Uniswap activity from known malicious addresses

Internal Transaction Address Filtering

watchRule:

{
  "expressions": [
    "system.invoked(tx1.itx1.AavePool.F.*)"
  ]
}

options:

{
  "ruleScope": {
    "contractName": "AavePool",
    "groupId": "authorized_contracts",
    "member": false
  }
}
Concept: Internal transaction address filtering

Detects Aave pool internal function calls from contracts NOT in the authorized list - uses internal transaction 'internal_from' field for contract filtering to monitor Aave interactions from unauthorized contracts

Revert Detection with Address Filtering

watchRule:

{
  "expressions": [
    "system.reverted(tx1.LendingPool.F.*)"
  ]
}

options:

{
  "ruleScope": {
    "contractName": "LendingPool",
    "groupId": "high_risk_addresses",
    "member": true
  }
}
Concept: Revert detection with address filtering

Detects reverted lending pool functions from addresses that ARE in the high-risk list - uses transaction 'from' field for EOA filtering to monitor failed transactions from high-risk addresses

Combined Function and Comparison with Address Filtering

watchRule:

{
  "expressions": [
    "system.uintCompare(tx1.AavePool.F.deposit.amount, >, ${largeDeposit})"
  ]
}

options:

{
  "ruleScope": {
    "contractName": "AavePool",
    "groupId": "vip_depositors",
    "member": false
  },
  "literalDefs": {
    "largeDeposit": 1e+24
  }
}
Concept: Combined function and comparison with address filtering

Large Aave deposits from addresses NOT in the VIP list - combines address filtering with parameter validation where system.invoked() is filtered by address list, but system.uintCompare() works normally

Multi-Contract Address Filtering

watchRule:

{
  "expressions": [
    "system.emitted(tx1.USDC.E.Transfer) || system.emitted(tx1.DAI.E.Transfer)"
  ]
}

options:

{
  "ruleScope": {
    "contractName": "USDC",
    "groupId": "monitored_addresses",
    "member": true
  }
}
Concept: Multi-contract address filtering

Transfer events from USDC or DAI where sender IS in monitored list - demonstrates OR logic with address filtering where address filtering applies to both contracts when they share the same ruleScope

Reentrancy Detection with Address Filtering

watchRule:

{
  "expressions": [
    "system.reentrant(tx1.itx1.WETH.F.withdraw)"
  ]
}

options:

{
  "ruleScope": {
    "contractName": "WETH",
    "groupId": "attack_contracts",
    "member": true
  }
}
Concept: Reentrancy detection with address filtering

Reentrancy in WETH withdraw from addresses that ARE in the attack contracts list - focuses reentrancy detection on known malicious contracts using internal transaction 'internal_from' field for contract filtering