How we're building cross-chain ML detection for blockchain validator infrastructure

By Simon

Our first detector hit ROC = 1.000 across every fold. We knew it was broken before we'd finished reading the report. The model had learned that we'd left a random number in as a sanity check, and that our attack captures had a recording flag set that our benign captures didn't. Two leaks, both invisible until you go looking.

That was V1. We're seven cycles in now. Each cycle starts by writing down, in advance, what would count as success and what would count as failure. Then we train. Then we audit. If the audit fires, we don't tune the model. We stop, write up what leaked, and start the next cycle with that surface closed.

This is how you ship a detector that works on traffic it has never seen, instead of one that benchmarks beautifully and falls over the first time it leaves the lab.
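One way to run the kind of audit that catches leaks like the two in V1, as an added example that is not NullRabbit's code: score every feature on its own and flag any that separates attack from benign captures by itself. The rows, the feature names (`amplification`, `recording_flag`, `canary`) and the 0.99 threshold are constructed assumptions.

```python
# Added example: single-feature leakage audit, standard library only.
# Rows, feature names and the threshold are constructed for illustration.

def auc(scores, labels):
    """ROC AUC via the Mann-Whitney U statistic; ties count as half a win."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        raise ValueError("audit needs both attack and benign rows")
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def audit(rows, label_key="label", threshold=0.99):
    """Return {feature: auc} for features that alone separate the classes.

    An AUC near 0 is as suspicious as one near 1 (the feature is just
    inverted), so the check is symmetric around 0.5.
    """
    labels = [r[label_key] for r in rows]
    flagged = {}
    for name in rows[0]:
        if name == label_key:
            continue
        a = auc([float(r[name]) for r in rows], labels)
        if max(a, 1.0 - a) >= threshold:
            flagged[name] = a
    return flagged

# Constructed capture rows: label 1 = attack, 0 = benign.
# amplification overlaps between classes (real but imperfect signal);
# recording_flag and canary track the label exactly (capture artefacts).
ROWS = [
    {"amplification": 40.0, "recording_flag": 1, "canary": 0.91, "label": 1},
    {"amplification": 12.0, "recording_flag": 1, "canary": 0.77, "label": 1},
    {"amplification": 3.0,  "recording_flag": 1, "canary": 0.85, "label": 1},
    {"amplification": 55.0, "recording_flag": 1, "canary": 0.99, "label": 1},
    {"amplification": 1.2,  "recording_flag": 0, "canary": 0.10, "label": 0},
    {"amplification": 4.0,  "recording_flag": 0, "canary": 0.42, "label": 0},
    {"amplification": 0.8,  "recording_flag": 0, "canary": 0.33, "label": 0},
    {"amplification": 2.0,  "recording_flag": 0, "canary": 0.05, "label": 0},
]

if __name__ == "__main__":
    for name, a in audit(ROWS).items():
        print(f"suspected leak: {name} (single-feature AUC {a:.3f})")
```

A feature flagged here is a reason to stop and inspect the capture pipeline, not a feature to keep because it scores well.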

What we do

NullRabbit defends blockchain validator infrastructure. The threat surface is asymmetric resource-consumption attacks at the wire layer. An attacker sends a tiny request; the validator does megabytes of work or sends megabytes back; the operator's bandwidth, CPU or memory budget collapses. These attacks have been disclosed against Sui, Solana, Ethereum, Aptos and CometBFT over the last two years. We've contributed our own - NR-2026-001 against Agave is public; Sui Indexer-Alt unembargoes 2026-06-20.

Everyone else in this space watches the inside of the perimeter. Runtime behaviour, contract logic, host telemetry. That work matters and it's not what we do. We watch the outside - what the traffic looks like on the wire before it hits the validator. That's where the asymmetry shows up first.

The architecture

The shape we're building is the one Hugging Face used. Open format, closed corpus, models on top. The format adoption is where the network effect lives; the corpus is where the moat lives.

Format. Bundle v1 - one packet capture plus five Parquet slots covering RPC pairs, host metrics, app metrics, protocol state, and a reserved slot for embeddings. Every bundle carries a controlled-vocabulary manifest declaring how it was captured, at what fidelity, under what authorisation. MIT-licensed, ships as nr-bundle-spec. Goes public when our disclosure windows close.

Corpus. 2,103 attack and benign bundles across Sui and Solana. Ten attack families, nineteen primitives. Months of localnet capture and reproducer engineering. Twenty sample bundles go to Hugging Face so adopters can see what real ones look like; the full corpus stays internal.

Models. One detector per attack family. Inventory is at eight covering the full Sui primitive set, with the Solana counterparts trained and joint Sui+Solana models hitting 99.95% out-of-fold across both chains. Cosmos/CometBFT is next, then Ethereum. Detectors run in shadow mode against our own validator infrastructure as part of a system called IBSR. The trust ladder from "report" to "act" is governed by a separate framework we published as the Earned Autonomy paper.

The result that matters

We took our V8 detector, trained only on Sui attack traffic, using only seven features visible through TLS without decryption, and pointed it at Solana attacks it had never seen.

51 out of 51. Zero retraining, zero feature engineering, zero manifest changes.

The same test with detectors that depend on host-level telemetry hit 0% on Solana. Different chains run different software with different runtime fingerprints, and a model trained on sui-node has no basis to recognise agave.

The distinction matters. Wire-shape features (bytes in, bytes out, amplification ratios) carry the attack mechanism itself, and the mechanism is chain-agnostic. Byte amplification is byte amplification whether the endpoint is sui_multiGetObjects or getMultipleAccounts. Host-telemetry features carry runtime fingerprints, and those don't transfer.

That distinction is now something we can measure, predict and design around. It's why our detector inventory will port to Cosmos when we get there, and to whatever comes after.

Where this goes

The category is autonomous defence for decentralised networks, with the apparatus designed to generalise horizontally. Bundle format doesn't care whether the protected thing is a validator, a CBDC node or a SCADA controller - anything with an exposed RPC surface fits the shape. The family taxonomy is mechanism-class, not chain-class. The earned autonomy framework governs trust the same way regardless of what's being trusted.

Validator infrastructure is the wedge. Real adversaries, real economic stakes, public CVEs to anchor against, and operators who carry liability when their nodes go down.

Methodology paper at github.com/NullRabbitLabs/nr-substrate-paper. Earned Autonomy at Zenodo DOI 10.5281/zenodo.18406828. NR-2026-001 is live.
