On-chain Security - Zettablock x Forta

Train an ML model with historical data and detect on-chain scams as they happen.

Forta

Forta is a real-time detection network for the security monitoring of blockchain activity. The decentralized Forta Network scans all transactions and block-by-block state changes, leveraging machine learning to detect threats and anomalies on wallets, DeFi, NFTs, bridges, governance, and other Web3 systems.

On-chain monitoring

Let’s say that for the sake of simplicity, we want to build a simple heuristic-based model, using Forta and Zettablock, to capture any large ETH value transfers from wallets into contracts.

First, we get some test data (historical on data lake) to investigate the time horizon we might be interested in.


Run the following query on Data Lake:

with top_level_query AS (
  SELECT
    from_address AS wallet_address,
    to_address AS contract_address,
    CAST(value AS double)/POW(10,18) AS eth_amount
  FROM
    ethereum_mainnet.native_token_transfers
  WHERE block_date >= CURRENT_DATE - interval '40' day
    AND block_date <= CURRENT_DATE - interval '10' day
    AND from_address = from_address_tx -- msg.signer sent funds, not in-between trace calls
)
SELECT
  tlq.wallet_address,
  tlq.contract_address,
  AVG(tlq.eth_amount) avg_eth_amount,
  COUNT(*) as count_transfer_calls
FROM top_level_query tlq
GROUP BY 1,2
HAVING COUNT(*) > 1
ORDER BY 4 DESC
LIMIT 10000

The above query will show us how much Ether has moved on average between one address and another in a 30-day window (testing space).

From that exploration, we can then set the threshold we want to monitor: any transfer above 0.0025 Ether. This is how we would now write a real-time query to feed our Forta bot with data; the bot will post an event on the decentralized Forta network once this condition is met.


Run the following query on Database (realtime):

SELECT
  block_date AS date,
  from_address AS wallet_address,
  to_address AS contract_address,
  avg(CAST(value AS numeric)/POW(10,18)) AS avg_eth_amount,
  COUNT(*) as count_transfer_calls
FROM
  ethereum_mainnet.native_token_transfers
WHERE block_date >= CURRENT_DATE
  AND from_address = from_address_tx -- msg.signer sent funds, not in-between traces
  AND CAST(value AS numeric)/POW(10,18) > 0.0025
GROUP BY 1,2,3
ORDER BY 5 DESC
LIMIT 10000;

The above query returns the current day's transfer aggregates per (wallet, contract) pair, keeping only rows where a single transfer exceeded our threshold (0.0025 ETH).
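The bot-side counterpart of the real-time query above, as an added example that is not Zettablock's or Forta's own code: it applies the same filters (top-level sender only, per-transfer threshold of 0.0025 ETH) and the same GROUP BY to rows shaped like ethereum_mainnet.native_token_transfers, then shapes the result as the fields a Forta finding would carry. The sample rows, addresses and alert id are constructed for the example; the Forta SDK's Finding class is not used.

```python
from __future__ import annotations
from collections import defaultdict
from decimal import Decimal
from typing import Iterable

WEI_PER_ETH = Decimal(10) ** 18
THRESHOLD_ETH = Decimal("0.0025")  # threshold chosen during the data-lake exploration

# Constructed sample rows shaped like ethereum_mainnet.native_token_transfers
# (value is in wei, as a string); addresses are made up for the example.
SAMPLE_ROWS = [
    {"block_date": "2024-01-01", "from_address": "0xaaa1", "from_address_tx": "0xaaa1",
     "to_address": "0xc0de", "value": "5000000000000000"},  # 0.005 ETH, top-level call
    {"block_date": "2024-01-01", "from_address": "0xaaa1", "from_address_tx": "0xaaa1",
     "to_address": "0xc0de", "value": "3000000000000000"},  # 0.003 ETH, top-level call
    {"block_date": "2024-01-01", "from_address": "0xbbb2", "from_address_tx": "0xbbb2",
     "to_address": "0xc0de", "value": "1000000000000000"},  # 0.001 ETH, below threshold
    {"block_date": "2024-01-01", "from_address": "0xrout", "from_address_tx": "0xccc3",
     "to_address": "0xc0de", "value": "9000000000000000"},  # internal trace call, skipped
]


def wei_to_eth(value) -> Decimal:
    """Exact wei -> ETH conversion, mirroring CAST(value AS numeric)/POW(10,18)."""
    return Decimal(str(value)) / WEI_PER_ETH


def aggregate_large_transfers(rows: Iterable[dict], threshold: Decimal = THRESHOLD_ETH) -> list[dict]:
    """Apply the real-time query's WHERE clause, then GROUP BY date, wallet, contract."""
    buckets: dict[tuple, list[Decimal]] = defaultdict(list)
    for row in rows:
        if row["from_address"] != row["from_address_tx"]:
            continue  # msg.signer sent funds, not an in-between trace call
        eth = wei_to_eth(row["value"])
        if eth <= threshold:
            continue  # per-transfer filter, applied before aggregation
        buckets[(row["block_date"], row["from_address"], row["to_address"])].append(eth)
    results = [
        {"date": d, "wallet_address": w, "contract_address": c,
         "avg_eth_amount": sum(amts) / len(amts), "count_transfer_calls": len(amts)}
        for (d, w, c), amts in buckets.items()
    ]
    results.sort(key=lambda r: r["count_transfer_calls"], reverse=True)  # ORDER BY 5 DESC
    return results


def to_findings(aggregates: list[dict]) -> list[dict]:
    """Shape each aggregate as the fields a Forta finding carries (plain dicts, constructed alert id)."""
    return [
        {"name": "Large ETH transfer to contract",
         "description": f"{a['wallet_address']} sent avg {a['avg_eth_amount']} ETH to "
                        f"{a['contract_address']} in {a['count_transfer_calls']} transfer(s)",
         "alert_id": "EXAMPLE-LARGE-ETH-TRANSFER", "severity": "Medium", "type": "Suspicious",
         "metadata": {k: str(v) for k, v in a.items()}}
        for a in aggregates
    ]
```

Using Decimal rather than float keeps the wei-to-ETH division exact, which matters when a threshold comparison sits right at the boundary.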

This is a very simple example to highlight the general usage of both Zettablock and Forta. With the Forta network, you can do a lot more!

Extended monitoring with Forta Network

Malicious contracts

With Forta’s decentralized network, you can subscribe to hooks and listen for newly flagged contract addresses that are possibly malicious. You can then set up a trigger to query Zettablock’s real-time data for the wallets this contract has interacted with, along with the ETH, ERC-20 or other token transfer amounts, and get alerted via Slack, Telegram or any other channel of your choosing.

Machine learning heuristics

With Zettablock’s data lake offering you can train your machine-learning model on historical Ethereum data, then fetch data from Zettablock’s real-time offering to feed your Forta Network bot’s model, which predicts whether this address or interaction should be flagged and the incident reported to the network.

Learning Materials


If you are interested in testing out any of the above, please refer to the following learning resources to help with your journey: