Negation Logic

Using system.noMatches() to detect when expected events or functions do NOT occur

Learning Objective

Master negation patterns for detecting missing actions, incomplete sequences, and anomalous behavior

Function Without Expected Event

watchRule:

{
  "expressions": [
    "system.invoked(tx1.USDC.F.transfer) && system.noMatches(system.emitted(tx1.USDC.E.Transfer))"
  ]
}
Concept: Function without expected event

Detects when transfer function is called but Transfer event is not emitted - indicates potential malicious contract behavior

Event Without Expected Function

watchRule:

{
  "expressions": [
    "system.emitted(tx1.DAI.E.Approval) && system.noMatches(system.invoked(tx1.DAI.F.transferFrom))"
  ]
}
Concept: Event without expected function

Detects when Approval event is emitted but transferFrom is not called - may indicate unused approvals or front-running setup

Incomplete Multi-Step Process (Comma-Separated)

watchRule:

{
  "expressions": [
    "system.invoked(tx1.AavePool.F.flashLoan)",
    "system.noMatches(system.emitted(tx1.AavePool.E.FlashLoanRepaid))"
  ]
}
Concept: Incomplete multi-step process (comma-separated)

Flash loan initiated but repayment event not emitted - indicates potential flash loan attack or failed repayment

Missing Cleanup Function

watchRule:

{
  "expressions": [
    "system.noMatches(system.invoked(tx1.TempContract.F.cleanup)) && system.emitted(tx1.TempContract.E.OperationCompleted)"
  ]
}
Concept: Missing cleanup function

Operation completed but cleanup function not called - may indicate resource leaks or incomplete state management

Incomplete Flash Loan Sequence

watchRule:

{
  "expressions": [
    "system.invoked(tx1.AavePool.F.flashLoan) && system.noMatches(system.invoked(tx1.itx1.AavePool.F.repayFlashLoan))"
  ]
}
Concept: Incomplete flash loan sequence

Flash loan initiated but repayment function not called in expected internal transaction - indicates potential exploit attempt

High-Risk Sender Without Reputation Building

watchRule:

{
  "expressions": [
    "system.uintCompare(tx1.ReputationSystem.riskscore, >, ${suspiciousThreshold}) && system.noMatches(system.emitted(tx1.ReputationSystem.E.ReputationEarned))"
  ]
}

options:

{
  "literalDefs": {
    "suspiciousThreshold": "70"
  }
}
Concept: High-risk sender without reputation building

High-risk score sender performs transactions and has never built positive reputation - indicates potential bad actor who hasn't engaged in trust-building activities