On-chain Security - Zettablock x Forta
Train an ML model with historical data and detect on-chain scams as they happen.
Forta
Forta is a real-time detection network for the security monitoring of blockchain activity. The decentralized Forta Network scans all transactions and block-by-block state changes, leveraging machine learning to detect threats and anomalies on wallets, DeFi, NFTs, bridges, governance, and other Web3 systems.
On-chain monitoring
Let’s say that for the sake of simplicity, we want to build a simple heuristic-based model, using Forta and Zettablock, to capture any large ETH value transfers from wallets into contracts.
First, we get some test data (historical on data lake) to investigate the time horizon we might be interested in.
Run the following query on Data Lake:
with top_level_query AS (
SELECT
from_address AS wallet_address,
to_address AS contract_address,
CAST(value AS double)/POW(10,18) AS eth_amount
FROM
ethereum_mainnet.native_token_transfers
WHERE block_date >= CURRENT_DATE - interval '40' day
AND block_date <= CURRENT_DATE - interval '10' day
AND from_address = from_address_tx -- msg.signer sent funds, not in-between trace calls
)
SELECT
tlq.wallet_address,
tlq.contract_address,
AVG(tlq.eth_amount) avg_eth_amount,
COUNT(*) as count_transfer_calls
FROM top_level_query tlq
GROUP BY 1,2
HAVING COUNT(*) > 1
ORDER BY 4 DESC
LIMIT 10000
The above query will show us how much Ether has moved on average between one address and another in a 30-day window (testing space).
From that exploration, we can then define that the average threshold we are interested in monitoring is any transfers above 0.0025 Ether. This is how we would now write a real-time query to feed our Forta bot with data that will post an event on the decentralized Forta network once this condition is met.
Run the following query on Database (realtime):
SELECT
block_date AS date,
from_address AS wallet_address,
to_address AS contract_address,
avg(CAST(value AS numeric)/POW(10,18)) AS avg_eth_amount,
COUNT(*) as count_transfer_calls
FROM
ethereum_mainnet.native_token_transfers
WHERE block_date >= CURRENT_DATE
AND from_address = from_address_tx -- msg.signer sent funds, not in-between traces
AND CAST(value AS numeric)/POW(10,18) > 0.0025
GROUP By 1,2,3
ORDER BY 5 DESC
LIMIT 10000;
The above query will provide us with the last date worth of transfer aggregates, assuming a single transfer exceeded our threshold (0.0025 ETH).
This is a very simple example to highlight the general usage of both Zettablock and Forta. With the Forta network, you can do a lot more!
Extended monitoring with Forta Network
Malicious contracts
With Forta’s decentralized network, you can subscribe to hooks and listen to new flagged contract addresses that are possibly malicious, then set up a trigger to query Zettablock’s real-time data to get the wallets this contract has interacted with as well as the eth or erc20 or other token transfer amount information and get altered via slack, telegram or any other option of your choosing.
Machine learning heuristics
With the power of Zettablock’s data lake offering you can train your machine-learning model using historical Ethereum data, then fetch data from Zettablock’s real-time offering to feed your Forta Network bot’s model, which will predict whether or not this address or interaction should be flagged and the incident reported to the network or not.
Learning Materials
If you are interested in testing out any of the above, please refer to the following learning resources to help with your journey:
Updated 9 months ago