The more popular cryptocurrency and blockchain technology become, the more they draw the attention of hackers. According to recent research by Carbon Black, a total of $1.1 billion in cryptocurrencies was stolen in the first half of 2018. In approximately 35 percent of cases, the main targets of hackers were regular users and private businesses. And a significant part of these attacks were related to hacking smart contracts or stealing private keys from user accounts.
Once attackers get hold of a legitimate user's private keys or compromise a smart contract, they can reach every fund that the compromised account or contract controls. In this post, we take a detailed look at how to track suspicious transactions on the blockchain and prevent hackers from walking away with your funds. To make the overview concrete, we focus on detecting suspicious activity on the Ethereum blockchain.
Attacks on different blockchain networks and digital currency exchanges are common these days. The majority of cryptocurrency-related attacks proceed in a similar manner, illustrated in Figure 1 below.
The process usually consists of three steps:
- A hacker finds a vulnerability in a victim’s computer system or in one of their smart contracts and exploits it.
- After exploiting the vulnerability, the hacker gets access to all the victim’s funds.
- The hacker takes the money and disappears.
There are a couple of ways to prevent steps 1 and 2 from happening. First, you should follow commonly used security best practices when developing a smart contract. Second, you should keep the majority of your funds in a secure offline storage device, like a cold wallet.
While these preventive measures lessen the chances of hackers getting hold of your cryptocurrency, they can't guarantee a high level of security, for at least three reasons:
- You can’t permanently store all of your cryptocurrency in offline storage. At least some part of your funds (the part that’s actively used for trading) needs to be available online and accessed quickly.
- Any smart contract can have zero-day vulnerabilities that haven’t been fixed yet and, therefore, may be exploited by hackers.
- Sometimes, tools like digital wallets or blockchain clients may introduce accidental vulnerabilities in software updates. Theoretically, these vulnerabilities can also be exploited by hackers.
It’s nearly impossible to fully protect your cryptocurrency from theft and prevent hackers from getting access to your funds. The good news is that there might be an effective way to not let the attackers leave with your money.
As you probably know, one of the signature features of most blockchain networks is that every single transaction is public. This means that even if hackers manage to get access to your account, the details of every transaction they make are recorded in the blockchain for anyone to read. This gives you a chance to track suspicious transactions and catch the thieves before they get away with your money.
Furthermore, it's straightforward to monitor new transactions as they appear and detect suspicious activity related to your funds. So even if a hack happens, you can follow the culprit's every move while working with the community (for example, exchanges that can refuse deposits from the attacker's addresses) to prevent the laundering of the stolen currency.
Sometimes, if the smart contract provides a freeze function, you can simply block the stolen tokens and stop the attack altogether. Bancor used exactly this capability in July 2018 when BNT tokens were stolen from one of its wallets.
Bancor (@Bancor) on Twitter, July 9, 2018: "Here is the latest update on the recent security breach: pic.twitter.com/JroypFvBri"
Generally, there are two ways you can monitor transactions on a blockchain:
- Manually, by looking at particular transactions
- Automatically, by using the blockchain network’s APIs
Next, we take a more detailed look at each of these approaches.
If you wanted to read several particular transactions from a personal wallet or a small-scale contract, the easiest way would be to do it manually. Just remember that in order to convert block data to a human-readable format, you need to use a special tool called a block explorer.
A block explorer allows you to explore the details of each transaction and follow any transfers of any currency. Note that there are specific block explorers for every major cryptocurrency. Here are some examples for Bitcoin Core, Ethereum, Ripple, Bitcoin Cash, Litecoin, NEO, and EOS. It’s also noteworthy that the Ethereum block explorer supports ERC20 tokens as well.
While this approach works well for monitoring personal wallets and small-scale smart contracts from time to time, it’s not suitable for full-scale 24/7 monitoring. If you need to monitor a large number of wallets and smart contracts on a regular basis, then it’s better to use automatic monitoring.
To access transaction data automatically, you need to use a network’s Application Programming Interface, or API. Every network has its own API for accessing blockchain data. Since our focus in this article is on the Ethereum network, we’ll describe how to work with this network’s API in particular.
Here’s a function that can be used to get a single transaction:
This function accepts two special values in place of the block number in its first parameter: latest and pending. The latest block is the most recently mined block. The pending block contains the transactions the node knows about that haven't been mined yet (i.e. are still waiting in the transaction pool). To list all transactions from a block, you loop over the transaction index from zero up to the block's transaction count.
There’s another function that allows you to get the total number of transactions in any given block:
Note that the Metamask extension doesn’t support synchronous requests, so in both of these functions you’ll have to provide the callback function to retrieve data asynchronously.
Here’s a sample script that lists every transaction in the latest block: (try it in jsfiddle)
What we actually need to do, however, is to monitor transactions live and without the need to constantly execute a specific command. There’s a separate function in web3 for this:
Depending on the parameters used, this function can enable several filtering scenarios:
- Filtering of the most recent blocks (if the filterString is latest)
- Filtering of the most recent pending transactions (if the filterString is pending)
- Filtering of the event logs from processed transactions on the blockchain (if the filterOptions object is specified)
More details about this function and its parameters can be found on GitHub.
This function allows you to receive a notification for every new block (with latest) or every new pending transaction (with pending) that the node sees. Note that with latest the callback receives a block hash, not the transactions themselves, so you still have to fetch the block and iterate over its transactions. To get these notifications at all, you need to attach a callback function to the filter:
At this point, we can come up with a simple script that will list every new transaction to or from an address in the console: (try it in jsfiddle)
While successfully accomplishing the main task — listing every new transaction on the blockchain — this script has several drawbacks:
- It's difficult to run outside of a web browser, since it relies on the provider injected by the MetaMask extension
- It doesn’t capture smart contract function call data
- It may skip internal function calls and transfers if they’re made from a different smart contract
As for internal transactions (calls made by one contract to another during a transaction), they aren't recorded on the blockchain as transactions; only their effects on state are. Capturing them therefore requires replaying the transaction's execution, either with a modified Ethereum Virtual Machine (EVM) or through a client's transaction-tracing interface (Geth's debug_traceTransaction, for example). Modifying the EVM is out of the scope of this post.
The other way you can tell if a function has been executed internally is by using transaction logs. Any events that were fired during a transaction are recorded on the blockchain. The only requirement for this method is that the events actually were fired from the contract. Fortunately, this is considered the best practice for smart contracts.
The contract event filter provides event logs in an already decoded form, so you don't need to parse the raw topics and data yourself. For example, this function allows you to detect Transfer events from an ERC20 token:
This function will filter all Transfer events and their parameters. Then you can add some simple filtering to detect any suspicious transactions. The final script for the transaction monitoring will look something like this:
In this script, we set up a filter based on the contract's address and keep polling the network for new events. A JSON file with the contract's application binary interface (ABI) is used to parse all of the event data in the handle_event function. The parsed data is passed into the check_suspicious_event function, which can perform any necessary checks to validate the transaction. If the transaction is suspicious, the function returns true and the script logs the event details. The example checks whether a Transfer event (from the ERC20 standard) was emitted and whether the transferred amount exceeds 1000 full tokens; since ERC20 amounts are expressed in the token's smallest unit, "1000 full tokens" means 1000 multiplied by 10 to the power of the token's decimals value.
You can easily use any other criteria for detecting potentially suspicious transactions.
- Recording the receiver address and frequency of payments — This way you can detect siphoning of tokens. Small but frequent payments may slip under the radar and allow an attacker to get away.
- Compare the transaction's destination address with the monitored contract's address — If they differ but the contract still emitted an event, the call was routed through another contract rather than made directly by a user. Such automated execution of a contract could be an attempt to exploit a reentrancy vulnerability.
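The following is an added example, not code from the original post or from Apriorit, written in Python to match the final monitoring script above. It shows what the handle_event and check_suspicious_event stages do underneath the contract event filter: it decodes raw ERC20 Transfer logs from the topics/data form a node returns (using the well-known keccak256 hash of "Transfer(address,address,uint256)" as the event topic) and then applies the three criteria discussed here: a single large transfer, frequent small payments to one receiver (siphoning), and a call routed through another contract. The addresses, block numbers and log entries are constructed for the demonstration; the "tx_to" field is an assumption that the transaction's destination has already been looked up by the log's transactionHash, which a live script would do with an extra RPC call.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# keccak256("Transfer(address,address,uint256)"): topic[0] of every ERC20 Transfer log
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
# keccak256("Approval(address,address,uint256)"): used only to show that other events are ignored
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

# Constructed addresses for the walkthrough (not real accounts or contracts)
TOKEN = "0x" + "aa" * 20   # the monitored ERC20 contract
ALICE = "0x" + "11" * 20   # ordinary holder
BOB = "0x" + "22" * 20     # ordinary receiver
RELAY = "0x" + "33" * 20   # an intermediary contract that calls TOKEN internally
SINK = "0x" + "44" * 20    # receiver of many small payments


def pad_address(addr: str) -> str:
    """Encode an address as a 32-byte topic (left-padded with zeros)."""
    return "0x" + addr[2:].rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Indexed address topics are 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_transfer(log: dict) -> Optional[dict]:
    """Decode a raw eth_getLogs-style entry; return None if it is not an ERC20 Transfer."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
        return None
    return {
        "token": log["address"].lower(),
        "from": topic_to_address(topics[1]),
        "to": topic_to_address(topics[2]),
        "value": int(log["data"], 16),   # the non-indexed uint256 amount lives in data
        "block": log["blockNumber"],
        "tx_to": log["tx_to"].lower(),   # assumption: transaction destination joined in already
    }


class TransferMonitor:
    """Applies the three checks from the text and keeps per-receiver payment history."""

    def __init__(self, contract: str, decimals: int = 18, max_tokens: int = 1000,
                 window_blocks: int = 10, max_payments: int = 5):
        self.contract = contract.lower()
        self.threshold = max_tokens * 10 ** decimals   # "full tokens" -> smallest units
        self.window_blocks = window_blocks
        self.max_payments = max_payments
        self.history: Dict[str, List[int]] = defaultdict(list)

    def check(self, ev: dict) -> List[str]:
        reasons = []
        if ev["value"] > self.threshold:                      # 1. single large transfer
            reasons.append("large transfer")
        # 2. siphoning: many payments to the same receiver inside a block window
        recent = [b for b in self.history[ev["to"]] if ev["block"] - b <= self.window_blocks]
        recent.append(ev["block"])
        self.history[ev["to"]] = recent
        if len(recent) >= self.max_payments:
            reasons.append("frequent payments to one receiver")
        if ev["tx_to"] != self.contract:                      # 3. call came via another contract
            reasons.append("indirect call via another contract")
        return reasons


def scan(logs: List[dict], monitor: TransferMonitor) -> List[Tuple[str, List[str]]]:
    """Return (transactionHash, reasons) for each suspicious Transfer of the monitored token."""
    flagged = []
    for log in logs:
        ev = decode_transfer(log)
        if ev is None or ev["token"] != monitor.contract:
            continue
        reasons = monitor.check(ev)
        if reasons:
            flagged.append((log["transactionHash"], reasons))
    return flagged


def make_log(tx: str, block: int, sender: str, receiver: str, tokens: int, tx_to: str = TOKEN) -> dict:
    """Build a constructed log entry in the shape a node returns for an 18-decimal token."""
    return {"address": TOKEN, "blockNumber": block, "transactionHash": tx, "tx_to": tx_to,
            "topics": [TRANSFER_TOPIC, pad_address(sender), pad_address(receiver)],
            "data": "0x" + format(tokens * 10 ** 18, "064x")}


SAMPLE_LOGS = (
    [make_log("0xt1", 100, ALICE, BOB, 10),                               # normal payment
     make_log("0xt2", 101, ALICE, BOB, 5000)]                             # more than 1000 tokens
    + [make_log(f"0xs{i}", 102 + i, ALICE, SINK, 1) for i in range(6)]     # six 1-token payments
    + [make_log("0xt3", 110, ALICE, BOB, 10, tx_to=RELAY)]                # routed through RELAY
    + [{"address": TOKEN, "blockNumber": 111, "transactionHash": "0xt4", "tx_to": TOKEN,
        "topics": [APPROVAL_TOPIC, pad_address(ALICE), pad_address(BOB)],
        "data": "0x" + format(10 ** 18, "064x")}]                          # not a Transfer: ignored
)


def run_demo() -> List[Tuple[str, List[str]]]:
    return scan(SAMPLE_LOGS, TransferMonitor(TOKEN))


if __name__ == "__main__":
    for tx_hash, why in run_demo():
        print(tx_hash, "->", ", ".join(why))
```

With the defaults above (1000-token threshold, five payments within ten blocks), the run flags 0xt2 as a large transfer, the fifth and sixth payments to SINK as siphoning, and 0xt3 as an indirect call; the Approval log and the ordinary payments are ignored. The window and count parameters are the knobs to tune against the token's normal traffic before putting such a check into a live polling loop.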
The script above can monitor any contract as long as it emits events or is called directly via the fallback function.
Note that running this script requires Python 3.5 or higher, and the web3 library has to be installed with the following command:
After all of the dependencies are installed, you can run the script by providing an address of a contract and its ABI (created during contract compilation):
Of course, all these approaches are just some basic ways to monitor Ethereum transactions. There are lots of other ways of interacting with the blockchain, from browsing blocks in a block explorer to studying the blockchain using neural networks and machine learning. And, to monitor suspicious Bitcoin mempool activity, for instance, you’ll need to use a different approach.
You can choose the approach that best suits your needs and security standards. Regardless of the approach you decide to use, you should definitely look into monitoring blockchain data as a way to protect your digital assets.
Transaction monitoring is one of the most effective tools you can use for preventing and detecting criminal activity in cryptocurrencies. Depending on your scope of work, you can monitor and read blockchain transactions either manually, using a block explorer, or automatically, with the help of scripts.
At Apriorit, we have a team of experienced professionals whose field of interest is the fascinating world of blockchain technology. Our developers have a high level of expertise in cybersecurity and data encryption, so we can assist you in developing and securing your blockchain-based solution.