In [1]:
# Copyright 2022 The Forta Foundation
 
import requests
import pandas as pd
import json
import dotenv
import os

# Load environment variables
dotenv.load_dotenv()

True

In [2]:
def execute_query(sql: str) -> pd.DataFrame:
        url = "https://q.luabase.com/run"
        payload = {"block":
                   {"details": {
                    "sql": sql,
                    }
                    },
                   "api_key": os.environ.get('LUABASE_API_KEY')
                   }

        headers = {"content-type": "application/json"}
        response = requests.request("POST", url, json=payload, headers=headers, timeout=600)  # 10min timeout
        
        data = response.json()
        
        print(data)
        return pd.DataFrame(data["data"])

This notebook allows to backtest the attack detector V2 against a set of alerts. Independent of the threshold set within the bot, the log will be analyzed, so the relevant alerts, their anomaly score, overall anomaly score, and any FP filtering mitigations are shown.

Since there is a command line character limit, the local persistence mechanism needs to be enabled to persist state across executions (by setting local node property in constants.py to 1)

In [3]:
start_date = "2022-12-31" #when the attack detector first started to operate



attacker_addresses = "0x14d8Ada7A0BA91f59Dc0Cb97C8F44F1d177c2195".lower()
chain = "ethereum" #ethereum or binance 
name = "TomInu"
end_date = "2023-01-26" #should be the date of the attack


# attacker_addresses = "0x14d8Ada7A0BA91f59Dc0Cb97C8F44F1d177c2195".lower()
# chain = "ethereum" #ethereum or binance 
# name = "TomInu"
# end_date = "2023-01-26" #should be the date of the attack


# attacker_addresses = "0x69f0EdC352eCffC4EF49516c9b20eA88B3E947cb".lower()
# chain = "ethereum" #ethereum or binance 
# name = "BlueCluesInu"
# end_date = "2023-01-26" #should be the date of the attack

# attacker_addresses = "0x88a2386e7ec97ad1e7a72176a66b6d0711ae3527".lower()
# chain = "ethereum" #ethereum or binance 
# name = "Quaternion"
# end_date = "2023-01-20" #should be the date of the attack


# attacker_addresses = "0xf3a465c9fa6663ff50794c698f600faa4b05c777,0x2ffc59d32a524611bb891cab759112a51f9e33c0" #comma separated list of attacker addresses (note, while all alerts from those addresses are pushed to the attack detector, one should check the clustering bot to see whether they are clustered together)
# chain = "ethereum" #ethereum or binance 
# name = "ANKR"
# end_date = "2022-12-04" #should be the date of the attack

# start_date = "2023-01-10" #when the attack detector first started to operate
# attacker_addresses = "0x9d0163e76bbcf776001e639d65f573949a53ab03"
# chain = "ethereum" #ethereum or binance 
# name = "LendHub"
# end_date = "2023-01-14" #should be the date of the attack

# attacker_addresses = "0x0348d20b74ddc0ac9bfc3626e06d30bb6fac213b"
# chain = "ethereum" #ethereum or binance 
# name = "JayExploiter"
# end_date = "2022-12-31" #should be the date of the attack

# attacker_addresses = "0x001B91c794dFEecf00124D3F9525DD32870B6ee9" #comma separated list of attacker addresses (note, while all alerts from those addresses are pushed to the attack detector, one should check the clustering bot to see whether they are clustered together)
# chain = "ethereum" #ethereum or binance 
# name = "CryptoRubric"
# end_date = "2022-12-28" #should be the date of the attack

# attacker_addresses = "0x3bdF01ed32F07e8e843163b5d478d4502F5743CD,0x25fDe76A52D01c83E31d2d3D5e1d2011ff103c56,0xBeAdeDBABED6A353c9cAa4894Aa7E5F883e32967" #comma separated list of attacker addresses (note, while all alerts from those addresses are pushed to the attack detector, one should check the clustering bot to see whether they are clustered together)
# chain = "ethereum" #ethereum or binance 
# name = "ElasticSwap"
# start_date = "2022-11-30" #when the attack detector first started to operate
# end_date = "2022-12-15" #should be the date of the attack

# attacker_addresses = "0x86Aa1c46f2Ae35ba1B228dC69fB726813D95b597,0x3c4e5b099f3c02122079d124138377e1b9048629" #comma separated list of attacker addresses (note, while all alerts from those addresses are pushed to the attack detector, one should check the clustering bot to see whether they are clustered together)
# chain = "binance" #ethereum or binance 
# name = "Nimbus"
# end_date = "2022-12-15" #should be the date of the attack

# attacker_addresses = "0xF4FD2EbE7196c8E99E88bcc4Aef69dda0e493B8F" #comma separated list of attacker addresses (note, while all alerts from those addresses are pushed to the attack detector, one should check the clustering bot to see whether they are clustered together)
# chain = "binance" #ethereum or binance 
# name = "BlackGold"
# end_date = "2022-12-15" #should be the date of the attack

# attacker_addresses = "0x286E09932B8D096cbA3423d12965042736b8F850" #comma separated list of attacker addresses (note, while all alerts from those addresses are pushed to the attack detector, one should check the clustering bot to see whether they are clustered together)
# chain = "binance" #ethereum or binance 
# name = "aespool"
# end_date = "2022-12-17" #should be the date of the attack

# attacker_addresses = "0xf71708C59be7e32B9FF2aa174F07311869C6bf0c" #comma separated list of attacker addresses (note, while all alerts from those addresses are pushed to the attack detector, one should check the clustering bot to see whether they are clustered together)
# chain = "binance" #ethereum or binance 
# name = "optionroom"
# end_date = "2022-12-17" #should be the date of the attack




In [4]:
chain = "ethereum"
attacks = [#("0x14d8Ada7A0BA91f59Dc0Cb97C8F44F1d177c2195","ethereum","tominu","2023-01-18","2023-01-27"),
           ("0x69f0EdC352eCffC4EF49516c9b20eA88B3E947cb,0xceed34f03a3e607cc04c2d0441c7386b190d7cf4","ethereum","blueclues","2023-01-19","2023-01-26"),
           #("0x88a2386e7ec97ad1e7a72176a66b6d0711ae3527","ethereum","quaternion","2023-01-17","2023-01-19"),
           #("0x8a2d94ea342cbdd6d57db614b24f20cae286cac6,0x22898dc59145eae79471dd1f06b7e542e0982d30","ethereum","Upswing","2022-12-21","2023-01-20"),
           #("0x15d87DC2Eb27fdA26451f8FB04C576639104344d","ethereum","roefinance","2023-01-10","2023-01-18"),
           #("0x9D0163e76BbCf776001E639d65F573949a53AB03","ethereum","lendhub","2023-01-10","2023-01-16"),
           ("0xc578d755cd56255d3ff6e92e1b6371ba945e3984","binance","ufdaoattack","2023-01-01","2023-02-06")
           ]

# chain = "binance"
# attacks = [#("0x66be80c796cba0844dace3e291632bfd397bd7a0","binance","phyproxy","2023-01-01","2023-01-24"),
#            #("0x1ae2dc57399b2f4597366c5bf4fe39859c006f99","binance","thoreum","2023-01-14","2023-01-20"),
#            #("0x9BbD94506398a1459F0Cd3B2638512627390255e,0xda5919bf3a49ad47b7c7103a9ed3902cee78d528","binance","omniprotocol","2023-01-07","2023-01-18"),
#            ("0xc578d755cd56255d3ff6e92e1b6371ba945e3984","binance","ufdaoattack","2023-01-01","2023-02-06"),
#            ("0x67a909f2953fb1138beA4B60894B51291D2d0795,0xE2Ba15be8C6Fb0d7C1F7bEA9106eb8232248FB8B","binance","bratoken","2022-12-08","2023-01-16"),
#            #("0xcf2362b46669e04b16d0780cf9b6e61c82de36a7","binance","GDS","2023-01-01","2023-01-05")
#             ]

In [5]:
# #clustering
# for attacker_address in attacker_addresses.split(","):
#     sql = f"SELECT metadata FROM forta.{chain}_alerts WHERE bot_id = '0xd3061db4662d5b3406b52b20f34234e462d2c275b99414d76dc644e2486be3e9' and CAST(substring(block_timestamp,1,19) as datetime)  >= '2022-10-01T00:00:00' AND CAST(substring(block_timestamp,1,19)  as datetime)  <= '{end_date}T00:00:00' and  lower(arrayStringConcat(metadata)) like '%{attacker_address.lower()}%'"
#     print(sql)
#     df = execute_query(sql)
#     print(df)

In [6]:
def get_alert_hashes(attacker_addresses: str, start_date: str, end_date: str) -> pd.DataFrame:

    alert_hashes_df = pd.DataFrame(columns=["hash","createdAt"])
    for attacker_address in attacker_addresses.split(","):
        url = 'https://api.forta.network/graphql'
        query = '''query exampleQuery {
            # first 5 alerts
            alerts(
                input: { first: 2000 , addresses: ["'''+attacker_address+'''"],
                blockDateRange: { startDate: "'''+start_date+'''", endDate: "'''+end_date+'''" }
                }
            ) {
                pageInfo {
                hasNextPage
                endCursor {
                    alertId
                    blockNumber
                }
                }
                alerts {
                hash
                createdAt
                
                }
            }
            }
        '''
        r = requests.post(url, json={'query': query})
        #print(r.text)
        json_data = json.loads(r.text)
        df = pd.DataFrame(json_data['data']['alerts']['alerts'])
        #print(df)
        alert_hashes_df = pd.concat([alert_hashes_df, df])

    print(len(alert_hashes_df))
    return alert_hashes_df


In [7]:

for attacker_addresses, chain, name, start_date, end_date in attacks:

    alert_hashes_df = get_alert_hashes(attacker_addresses.lower(), start_date, end_date)

    !echo 'output.txt' > {name}.txt

    #run npm run to get and route to output.txt
    count = 0
    alert_hashes = ""
    for alert_hash in alert_hashes_df["hash"]:
        !npm run alert {alert_hash} >> {name}.txt 2>> {name}_{chain}.txt


    !grep 'ERROR'  {name}_{chain}.txt >  {name}_{chain}_results.txt
    !grep 'WARN'  {name}_{chain}.txt >>  {name}_{chain}_results.txt
    !grep 'adding cluster mapping'  {name}_{chain}.txt >>  {name}_{chain}_results.txt
    !grep 'adding FP mitigation cluster'  {name}_{chain}.txt >>  {name}_{chain}_results.txt
    !grep 'anomaly'  {name}_{chain}.txt >>  {name}_{chain}_results.txt
    



1556


In [None]:
!grep 'ERROR' {name}.txt


ERROR: Error: no alert found with hash 0xa8941ce002f802d34ff9353e7a32f4225507b8adb4b7f69740267762ed2e1b43
ERROR: Error: no alert found with hash 0x3fb1ebf6f55424105a6ea785c4babafb3c9ec59f3ee045382678c3345bbce20f


In [None]:
!grep 'WARN' {name}.txt

In [None]:
!grep 'adding cluster mapping' {name}.txt

In [None]:
!grep 'adding FP mitigation cluster' {name}.txt

In [None]:
#read output.txt and answer questions around
!grep 'anomaly' {name}.txt


#anomaly scores
#FP filtering
