Blockchain analysis is not a simple business. Thankfully, Luabase and Forta provide the community with the data that one needs to make sense of blockchain activity and threat relevant information. Answering simple questions like “what is the ERC-20 balance of an account” theoretically involves analyzing every single transaction from the genesis block to the present if one is only working with RPC endpoints.
Blockchain querying services have recognized this gap by indexing blockchain data and making it available through common interfaces, like SQL, Spark, GraphQL, etc. This accessibility makes the answer to questions like the one above instantaneously available.
Today, the Forta Foundation is announcing a partnership with Luabase. Luabase is a critical piece of analytics infrastructure for crypto. The Luabase platform makes it easy for developers to embed blockchain analytics in their own apps or data scientists to run ML and other statistical models in their tool of choice (e.g. Jupyter Notebooks, Google Sheets, etc.). Queries run blazing fast and it is now possible to execute SQL queries across the multiple supported blockchains.
Luabase doesn’t only ingest and index blockchain data, which can be used for heuristics and machine learning in Forta Detection Bots, but can now ingest Forta’s alert data opening the door for powerful analytics and insights. Through Luabase’s Metabase integration, analysts can now access beautiful and insightful dashboarding options. The walkthrough below illustrates this through an example.
One question Forta’s data scientists have been keen to figure out: ‘Is Forta’s scam detector feed bot emitting false positive alerts?’
Some background, the scam detector feed bot identifies EOAs and contract addresses engaged in ice phishing activity. In an ice phishing attack, (See Breaking the Ice: a Phishing Deep Dive for a description of a recent/ongoing ice phishing campaign) an attacker tricks an end user to sign token approval transactions that give the attacker access to the user’s ERC-20/751/1155 assets. The underlying logic of the bot monitors approvals and alerts when approvals are issued from numerous EOAs and assets to a single attacker address.
Approvals are, of course, essential for a functioning crypto ecosystem. Trading through DEXes, for instance, requires issuing approvals to the DEX first, so it can transfer assets to the DEX in case of a swap.
If a new DEX appears, it may exhibit characteristics of an ice phishing attack (its a new contract that receives many token approvals for many digital assets) As the popularity of the DEX increases, it will become apparent that the Scam Detector has raised a false positive as the volume will eventually exceed the volume usually associated with ice phishing attacks.
With Luabase’s integration with Forta, one can now create a dashboard to get insights into the scam detection bot’s performance by joining on-chain transaction data with Forta alert data. Insights like this can be obtained through a query on Luabase.com directly, but can be more powerful through a dashboard. Luabase can be integrated with Metabase, a dashboarding platform (see Metabase’s setup instructions.)
A query is performed via the following steps:
1. Obtain all addresses identified by the scam detector bot that engaged in ice phishing attacks over the last 2 months:
with phishers as (
SELECT MIN(CAST(substring(first_bot_response_at,1,19) as datetime)) as first_alert_time, substring(description,25,40) as address
FROM forta.ethereum_alerts
WHERE bot_id='0x1d646c4045189991fdfd24a66b192a294158b839a6ec121d740474bdacb3ab23'
GROUP BY address),
recent_phishers as (
SELECT first_alert_time, address FROM phishers WHERE DATEDIFF(day, first_alert_time, NOW()) <= 60
),2. In a dashboard there are only so many series that can be visualized, and for the question at hand, one is interested to analyze addresses with many approvals, so the addresses are filtered to the top 10 addresses with most approvals and all other addresses are bucketed into the ‘other’ category:
approvals as (
SELECT substring(input,35,40) AS to, hash, block_timestamp FROM ethereum.transactions WHERE CAST(input AS CHAR) like '0xa22cb465%'
AND DATEDIFF(day, block_timestamp, NOW()) <= 60
UNION DISTINCT
SELECT substring(input,35,40) AS to, hash, block_timestamp FROM ethereum.transactions WHERE CAST(input AS CHAR) like '0x095ea7b3%'
AND DATEDIFF(day, block_timestamp, NOW()) <= 60
),
phisher_approvals as (
SELECT address, COUNT(hash) as approval_count, CAST(block_timestamp as date) as block_day
FROM recent_phishers JOIN approvals ON recent_phishers.address==approvals.to
GROUP BY address, block_day
),
top_ten_addresses as (
SELECT address, COUNT(hash) as approval_count
FROM recent_phishers JOIN approvals ON recent_phishers.address==approvals.to
GROUP BY address
ORDER BY approval_count desc
LIMIT 10
)
3. Finally, once the top 10 addresses with most token approvals have been obtained, one can calculate the number of approvals each address (as well as the ‘other’ category) over time:
SELECT IF(top_ten_addresses.address is null, 'other', address) as address, SUM(approval_count) as approval_count, block_day FROM phisher_approvals LEFT OUTER JOIN top_ten_addresses ON phisher_approvals.address == top_ten_addresses.address GROUP BY address, block_day ORDER BY address ASC
4. Finally, visualizing this in an area graph using a Metabase instance results in an easily consumable dashboard that answers the question at hand. If an address shows a high volume or steeply increasing token approval count over time, the address is likely a false positive. A constant trickle or decrease would indicate a true positive.
Luabase and Forta provide the community with the data that one needs to make sense of blockchain activity and threat relevant information. Through tools, like Metabase, insightful visualizations and dashboards can be created to make this information clear and consumable. Forta’s data scientists look forward to seeing what insights the community can now uncover!
For more details on Luabase access, features, and example queries, please check out the Forta’s docs To protect yourself or your protocol from scams and exploits, consider subscribing to the Scam and Attack Detector Feeds on the Forta App.
Share post