HObfNET: Hierarchical Obfuscation Score Surrogate

• HObfNET is a hierarchical neural network surrogate that estimates smart contract obfuscation scores with near parity to ObfProbe (PCC 0.9158, MAPE 8.20%).
• It leverages a four-stage Hierarchical Attention Network combining local and global Transformer encoding to achieve orders-of-magnitude speedup over traditional static analysis.
• The system generalizes across Ethereum, BSC, Polygon, and Avalanche using chain-specific thresholds for accurate audit queueing and incident-response workflows.

HObfNET is an efficient hierarchical neural network designed as a surrogate for ObfProbe, the leading static-analysis tool for quantifying smart-contract obfuscation. It enables scalable, bytecode-driven inference of obfuscation scores across Ethereum, BSC, Polygon, and Avalanche ecosystems, serving operational security teams by powering automated cross-chain audit queueing and incident-response workflows. HObfNET achieves near parity with ObfProbe’s Z-score outputs (PCC 0.9158, MAPE 8.20%) while realizing orders-of-magnitude efficiency gains.

1. Architectural Overview and Surrogate Function

HObfNET targets regression of the canonical obfuscation score $s^{tool}$ (Z-score per ObfProbe) from raw smart-contract bytecode. The architecture employs a four-stage Hierarchical Attention Network (HAN):

1. Normalization and Segmentation: Bytecode inputs are canonicalized (removal of “0x” prefix, compiler metadata, constructor code) and partitioned into $N = 32$ fixed-length segments of $L = 512$ bytes.
2. Local Encoding: Each segment passes through a 2-layer Transformer encoder (dimension $D = 256$, 4 heads, dropout $0.1$) with bytewise embedding and local positional encoding.
3. Global Encoding: Encoded segments are further processed by a global 2-layer Transformer with chunk-level positional embeddings and bidirectional attention to capture cross-segment, contract-level structure.
4. Multi-task Output Head: The pooled contract representation $v_{contract}$, segment-wise reconstructed feature vector $\hat F$, and auxiliary Z-score $\hat y^{tool}$ are fused via an MLP to yield the final obfuscation score $\hat y$.

This surrogate eliminates the reliance on computation-intensive static single-assignment analysis; at training time, labels exist only for Ethereum, but the model generalizes inference to other chains without auxiliary labels (Zhao et al., 24 Jan 2026).

2. Input Feature Processing and Data Management

Bytecode preprocessing enforces canonicalization and mapping each byte to integer tokens ($1$–$255$; pad $0$). The vocabulary size is $257$. Segmentation ensures $N=32$ uniform-length chunks, with a validity mask $M \in \{0,1\}^N$ tracking real-data boundaries.

Key data splits are enforced at the “bytecode-family” cluster level to prevent label leakage via near-duplicates, using a $7:2:1$ train/validation/test split across $\sim$1.04M Ethereum contracts. Cross-chain datasets (BSC, Polygon, Avalanche) lack ObfProbe supervision and are scored by HObfNET only at inference stage.

3. Network Architecture, Optimization, and Loss Formulations

Each segment’s local encoding is

$$H_{local}^{(i)} = \mathrm{Transformer}_{enc}(\mathrm{Embed}(x_i) + P_{local})$$

and the pooled contract representation employs masked mean pooling:

$$v_{contract} = \frac{\sum_{i=1}^N H_{global}^{(i)} \cdot M_i}{\sum_{i=1}^N M_i + \epsilon}$$

Multi-task reconstruction applies

$\hat F = \mathrm{MLP}_{rec}(v_{contract}),$

$$\hat y^{tool} = \sum_{k=1}^K (\hat F_{k} - \mu_k)/\sigma_k,$$

$$\hat y = \mathrm{MLP}_{head}([v_{contract} \oplus \hat F \oplus \hat y^{tool}])$$

The total loss is

$$\mathcal{L}_{total} = \lambda_s \mathrm{MSE}(s^{tool}, \hat y) + \lambda_{aux} \mathrm{MSE}(s^{tool}, \hat y^{tool}) + \lambda_{feature} \sum_{k=1}^K \mathrm{MSE}(F_{gt,k}, \hat F_k)$$

with $$(\lambda_s, \lambda_{aux}, \lambda_{feature}) = (1, 0.1, 0.01)$$.

Optimization employs AdamW (learning rate $5\times10^{-4}$, weight decay $1\times10^{-4}$, batch size $24$, $20$ epochs, gradient clipping $0.5$) on A100-class GPUs.

4. Performance Evaluation and Ablation Analysis

On a held-out test set of $\sim$104,000 Ethereum contracts, HObfNET achieves:

• MAPE: $8.20\%$
• MAE: $0.6341$
• MSE: $1.4477$
• PCC: $0.9158$

Ablation results underscore the value of the hierarchical and multi-task design. The following table compares architecture variants:

Model	MAPE %	MAE	MSE	PCC
Standard Transformer	16.29	0.9521	2.7147	0.8466
HAN w/ GRU	14.28	0.8794	2.4511	0.8484
HAN w/o multi-task	13.02	0.8359	2.3371	0.8619
HAN (full HObfNET)	8.20	0.6341	1.4477	0.9158

HObfNET’s scoring throughput is $8$–$9$ ms/contract (batch size $200$; $8.67$ ms for BSC). Compared to ObfProbe (median $41$ s, mean $19.66$ s per contract, single-threaded), the model enables $2.3\mathrm{k}$–$5.2\mathrm{k} \times$ speedup, allowing million-scale audit pre-filtering.

5. Threshold Methodology and Chain-Specific Tail Analysis

Audit candidate selection is thresholded at chain-specific percentiles. For chain $b$ and score distribution $F^b$, percentile cutoffs are defined as:

$\tau_b^q = \inf\{s : F^b(s) \geq q/100\}$

Observed p99 and p99.9 thresholds (rounded):

Chain	p99	p99.9
Ethereum	18.07	22.69
BSC	16.82	19.74
Polygon	18.72	20.51
Avalanche	19.18	20.67

Direct transfer of Ethereum thresholds to other chains produces queue inflation or deflation due to score drift (e.g., BSC: only $0.48\%$ above ETH p99; Avalanche: $2.32\%$). This motivates chain-specific stratified queues.

6. Audit Queueing, Structural Triage, and Cross-Chain Linkage

HObfNET enables a two-tier audit queue for each chain:

1. Main Queue: $s \geq \tau_b^{99}$
2. Emergency Queue: $s \geq \tau_b^{99.9}$

Further triage within queues leverages structural cues:

• Low signature density (signatures per KB)
• Enriched external-call opcodes: e.g., DUP8–DUP11, STATICCALL, RETURNDATASIZE/COPY, GAS
• Rare selectors: selector lift $10$–$50\times$ over baseline
• Proxy indicator enrichment: BSC main queue proxy fraction $1.03\%$ (background $0.25\%$)

Cross-chain linkage is enacted once high-score clusters (identical bytecode hashes) are flagged, triggering immediate lookup across chains. Tail Jaccard $1.5$–$2\times$ that of overall contract reuse; directional diffusion favors small-to-large chain propagation.

For incident samples, all publicly alignable cases fall within the p99 queue. For example:

• Transit Swap DEX Hack (2022-10-02): p99.74
• New Free DAO Flash Loan (2022-09-08): p99.21 Both are in the main queue, not the extreme (p99.9) queue.

7. Mathematical Formalisms and Metrics

Canonical formulas underpin HObfNET’s operation:

• ObfProbe Z-score:

$$s_c^{tool} = \sum_{k=1}^K (F_{c,k} - \mu_k)/\sigma_k$$

• Masked mean pooling:

$$v_{contract} = \frac{\sum_{i=1}^N H_{global}^{(i)} \cdot M_i}{\sum_{i=1}^N M_i + \epsilon}$$

• Multi-output fusion:

$$\hat y = \mathrm{MLP}_{head}([v_{contract} \oplus \hat F \oplus \hat y^{tool}])$$

• Composite loss function:

$$\mathcal{L}_{total} = \lambda_s \mathrm{MSE}(s^{tool}, \hat y) + \lambda_{aux} \mathrm{MSE}(s^{tool}, \hat y^{tool}) + \lambda_{feature} \sum_{k=1}^K \mathrm{MSE}(F_{gt,k}, \hat F_k)$$

• MAPE (mean absolute percentage error):

$$\mathrm{MAPE} = \frac{1}{n}\sum_{i=1}^n\, \left|\frac{y_i - \hat{y}_i}{y_i}\right| \times 100\%$$

• PCC (Pearson correlation coefficient):

$$\mathrm{PCC} = \frac{\sum_i (y_i - \bar y)(\hat{y}_i - \overline{\hat{y}})}{\sqrt{\sum_i (y_i - \bar y)^2} \sqrt{\sum_i (\hat{y}_i - \overline{\hat{y}})^2}}$$

8. Practical and Research Implications

HObfNET establishes a tractable pipeline for operationalizing obfuscation signals at scale, supporting multi-chain security audits, queueing, and forensic linkage. The efficiency and cross-chain generalization suggest actionable prioritization for security incident response. The approach reveals protocol-level score drift and tail characteristics (opcode enrichments, rare selectors) relevant for both automated and manual asset triage. All results and methodologies derive from (Zhao et al., 24 Jan 2026).