In [6]:
# this script will answer the question around how many transactions/EOAs would have been blocked by Forta's Threat Oracle on the protocols identified by the DefiLamaProtocols.ipynb:
# 1. get all defi protocols
# 2. get all EOAs the attack detector alerted on in the last 60 days
# 3. from zettablock, get stats around the number of tx/EOAs for a given protocol; stats around the number of tx/EOAs for a given protocol that were blocked


In [8]:
import requests
import pandas as pd
from random import random
from dotenv import load_dotenv
from urllib.parse import quote
from time import sleep
from hexbytes import HexBytes
import traceback
import time
from io import StringIO
import logging
from web3 import Web3
import json
import rlp
from json.decoder import JSONDecodeError
from datetime import datetime, timezone
from ratelimiter import RateLimiter
import os
load_dotenv()


True

In [3]:

    
class ZettablockClient:
    
    sql_api_url = "https://api.zettablock.com/qugate/v1/databases/{catalog}/queries"
    query_queue_url = "https://api.zettablock.com/qugate/v1/queries/{query_id}/trigger"
    query_runs_url = "https://api.zettablock.com/qugate/v1/queryruns/{query_run_id}/status"
    query_run_stream_url = "https://api.zettablock.com/qugate/v1/stream/queryruns/{query_run_id}/result"

    graph_ql_api = "https://api.zettablock.com/api/v1/dataset/sq_5e4eb6ce5eef480ab538ca9440ada71c/graphql"

    @staticmethod
    def get_contract_creations(deployer:str) -> pd.DataFrame:
        endpoint = "https://api.zettablock.com/api/v1/dataset/sq_5e4eb6ce5eef480ab538ca9440ada71c/graphql"

        query = f"""
            {{records(
                filter: {{
                        deployer: {{
                            eq: "{deployer}"
                        }}
                    }}
                ) {{
                    address
                    deployer
                    transaction_hash
                }}
            }}
            """
        print(query)

        api_key = os.environ.get('ZETTABLOCK_API_KEY')
        headers = {
            "accept": "application/json",
            "X-API-KEY": api_key
        }
        #headers = {'authorization': 'Basic Y2lyY2xldXNlcjE6Q2Frc1Nuc2RCbnNaYWYxMl8xMDE3'}
        data = {'query': query}

        res = requests.post(endpoint, headers=headers, data=json.dumps(data))
        if res.status_code == 200:
            resjson = json.loads(res.text)
            records = resjson['data']['records']
            df = pd.DataFrame(records, columns=['address', 'deployer', 'transaction_hash'])
            return df
            
        return pd.DataFrame(columns=['address', 'deployer', 'transaction_hash'])
    
    @staticmethod
    def get_catalog():
        api_key = os.environ.get('ZETTABLOCK_API_KEY')
        url = "https://api.zettablock.com/api/v1/databases"

        headers = {
            "accept": "application/json",
            "X-API-KEY": api_key
        }

        response = requests.get(url, headers=headers)
        res = response.json()
        return res["items"][0]["id"]
    
    @classmethod
    def sql_to_csv(cls, query: str) -> str:

        catalog = ZettablockClient.get_catalog()

        user = os.environ.get('ZETTABLOCK_USER')
        password = os.environ.get('ZETTABLOCK_PW')
        api_key = os.environ.get('ZETTABLOCK_API_KEY')

        
        params = {'includeColumnName': 'true'}
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        data = {'query': query, 'resultCacheExpireMillis': 86400000}
        
        queue_response = (requests.post(cls.sql_api_url.format(catalog=catalog), data=json.dumps(data),
                                 params=params, headers=headers, auth=(user, password))).json()
        query_id = queue_response.get('id')
        trigger_response = (requests.post(cls.query_queue_url.format(query_id=query_id), data=json.dumps({}), headers=headers, auth=(user, password))).json()
        
        if trigger_response.get('message'):
            if trigger_response.get('message')[0:22] == "Failed to submit query":
                warning_message = queue_response.get('analyzeResult').get('warnings')
                trigger_error = trigger_response.get('message')
                logging.warning(warning_message)
                logging.error(trigger_error)
                raise SyntaxError("Failed to submit query. Check SQL syntax.")
        
        
        query_run_id = trigger_response.get("queryrunId")
        logging.info(f"Executed query: {query_run_id}")
        state_url = cls.query_runs_url.format(query_run_id=query_run_id)
        logging.info(f"Track status here: {state_url}")
        
        def get_state():
            return ((requests.get(state_url, auth=(user,password))).json()).get('state')
        
        state = get_state()
        state_timer = 1
        while state != "SUCCEEDED":
            if state == 'FAILED':
                response = requests.get(cls.query_run_stream_url.format(query_run_id=query_run_id), headers=headers, params=params, auth=(user, password))
                print(f"Request failed with response: {response.text}")
                raise ConnectionError("The response from the database was invalid.")
            
            if state_timer > 3000:
                raise TimeoutError("Query took more than 5 minutes.")
            elif state_timer % 100 == 0:
                print(state)
                response = requests.get(cls.query_run_stream_url.format(query_run_id=query_run_id), headers=headers, params=params, auth=(user, password))
                print(f"Request failed with response: {response.text}")
                print(f"Elapsed query execution time: {int(state_timer/10)}s")
            state = get_state()
            time.sleep(0.1)
            state_timer += 1
            
        logging.info(f"Query run: {query_run_id} has succeeded! Link to status: {state_url}")
        response = requests.get(cls.query_run_stream_url.format(query_run_id=query_run_id), headers=headers, params=params, auth=(user, password))
       
        try:
            if response.status_code == 200:
                response.encoding = "utf-8"
                return (response.text)
#                lines = [line.split(',') for line in response.iter_lines(decode_unicode=True)]
 #               return lines
            else:
                logging.error(f"Request failed with status: {response.status_code}")
                logging.error(f"Request failed with response: {response.text}")
                print(f"Request failed with response: {response.text}")
                raise ConnectionError("The response from the database was invalid.")
        except TypeError as e:
            logging.error(e)


zb = ZettablockClient()

In [47]:
def empty_alerts() -> pd.DataFrame:
        df_forta = pd.DataFrame(columns=['createdAt', 'name', 'protocol', 'scanNodeCount', 'findingType', 'source', 'labels', 'severity', 'metadata', 'alertId', 'description', 'addresses', 'contracts', 'hash'])
        return df_forta

def alerts_by_agent3(agent_id: str, start_date: datetime, end_date: datetime) -> pd.DataFrame:
    url = "https://api.forta.network/graphql"
    chunk_size = 500

    df_forta = empty_alerts()
    json_data = ""
    first_run = True
    count = 0
    while (json_data == "" or json_data['data']['alerts']['pageInfo']['hasNextPage']):
        query = """query exampleQuery {
                alerts(
                    input: {
                        CHUNKSIZE
                        AFTER_CLAUSE
                        BLOCK_RANGE_CLAUSE
                        BOT_CLAUSE
                    }
                ) {
                    pageInfo {
                    hasNextPage
                    endCursor {
                        alertId
                        blockNumber
                    }
                    }
                    alerts {
                    createdAt
                    name
                    chainId
                    protocol
                    scanNodeCount
                    findingType
                    source {
                        transactionHash
                        block {
                        number
                        chainId
                        }
                        bot {
                        id
                        }
                    }
                    labels {
                        entity
                        entityType
                        label
                        metadata
                        remove
                        confidence
                    }
                    severity
                    metadata
                    alertId
                    description
                    addresses
                    contracts {
                        address
                        name
                        projectId
                    }
                    hash
                    }
                }
                }"""

        after_clause = ""
        if(first_run is False):
            blockNumber = json_data['data']['alerts']['pageInfo']['endCursor']['blockNumber']
            alertId = json_data['data']['alerts']['pageInfo']['endCursor']['alertId']
            after_clause = """after: {{blockNumber:{0}, alertId:"{1}"}}""".format(blockNumber, alertId)

        # this is a bit hacky
        query = query.replace("CHUNKSIZE", f"first: {chunk_size}") 
        query = query.replace("AFTER_CLAUSE", after_clause)
        query = query.replace("BLOCK_RANGE_CLAUSE", """blockDateRange: {{ startDate: "{0}", endDate: "{1}" }}""".format(datetime.strftime(start_date, "%Y-%m-%d"), datetime.strftime(end_date, "%Y-%m-%d")))
        query = query.replace("BOT_CLAUSE", f"""bots: ["{agent_id}"]""")

        #print(query)

        retries = 1
        wait = 1
        success = False
        r = None
        while not success:
            try:
                count += 1
                forta_api_key = os.environ.get('FORTA_API_KEY')
                headers = {"Authorization": "Bearer " + forta_api_key}
                r = requests.post(url, json={'query': query}, headers=headers)
                if r.status_code == 200:
                    success = True
                    if chunk_size < 5000:
                        chunk_size *= 2
                        logging.warning(f"Increasing chunk size to {chunk_size}")
                else:
                    raise Exception(f"status code: {r.status_code} {r.text}")
            except Exception as e:
                logging.warning(f"Unable to retrieve alerts {r.status_code} , {e}")
                logging.warning(f"Sleeping {wait}sec. Count {count}.")
                old_chunk_size = chunk_size
                chunk_size = int(chunk_size/2)
                if(chunk_size<1):
                    chunk_size = 1
                query = query.replace(f"first: {old_chunk_size}", f"first: {chunk_size}") 
                logging.warning(f"Reducing chunk size to {chunk_size}")
                time.sleep(wait)
                retries += 1
                if retries > 30:
                    raise Exception("Unable to retrieve alerts even after repeated retries. Pls check logs")

        json_data = json.loads(r.text)
        df_data = json_data['data']['alerts']['alerts']
        df_forta = pd.concat([pd.DataFrame(df_data), df_forta])

        first_run = False
        count += 1

    return df_forta


In [32]:
df_protocols = pd.read_csv('202311_precision_cleansed.csv')

In [48]:
bot_id = '0x80ed808b586aeebe9cdd4088ea4dea0a8e322909c0e4493c993e060e89c09ed1'
start_date = datetime(2023, 10, 1)
end_date = datetime(2023, 11, 27)
df_alert_records = alerts_by_agent3(bot_id, start_date, end_date)





In [54]:
attack_detector_eos = dict()
attack_detector_eos['1'] = set()
attack_detector_eos['137'] = set()
attack_detector_eos['56'] = set()

for index, row in df_alert_records.iterrows():
    chainId = int(row['chainId'])
    if str(chainId) not in attack_detector_eos:
        continue
    addresses = (row['description'].split(" ")[0])
    addresses = addresses.split(",")
    for address in addresses:        
        attack_detector_eos[str(chainId)].add(address)

print(len(attack_detector_eos['1']))
print(len(attack_detector_eos['56']))
print(len(attack_detector_eos['137']))

740
481
327


In [55]:
df_threat_oracle_stats = pd.DataFrame(columns=['protocol', 'total_tx', 'total_eoa', 'blocked_tx', 'blocked_eoa', 'chain'])

for index, protocol in df_protocols.iterrows():
  #protocol = df_protocols.iloc[0]
  print(protocol['protocol'])

  table_name = 'ethereum_mainnet'
  chainId = '1'
  if protocol['chain'] == "Binance":
      table_name = 'bsc_mainnet'
      chainId = '56'
  if protocol['chain'] == "Polygon":
      table_name = 'polygon_mainnet'
      chainId = '137'

  protocol_addresses = "'" + protocol['addresses'].replace(",","','").lower() + "'"
  attack_detector_eoas = "'" + "','".join(attack_detector_eos[chainId]).lower() + "'"

  query = f"""
  SELECT COUNT(DISTINCT transaction_hash) AS tx_count, COUNT(DISTINCT from_address) AS eoa_count, 'all' as type 
  from
    (SELECT transaction_hash
  FROM {table_name}.traces
  WHERE to_address in ({protocol_addresses})
  AND "data_creation_date" > DATE('2023-10-01')
    AND "data_creation_date" <= DATE('2023-11-27')) as traces
  JOIN 
    (SELECT hash, from_address FROM {table_name}.transactions
    where "data_creation_date" > DATE('2023-10-01')
    AND "data_creation_date" <= DATE('2023-11-27')
    ) as transactions
  ON traces.transaction_hash = transactions.hash
  union
  SELECT COUNT(DISTINCT transaction_hash) AS tx_count, COUNT(DISTINCT from_address) AS eoa_count, 'exploit' as type 
  from
    (SELECT transaction_hash
  FROM {table_name}.traces
  WHERE to_address in ({protocol_addresses})
  AND "data_creation_date" > DATE('2023-10-01')
    AND "data_creation_date" <= DATE('2023-11-27')) as traces
  JOIN 
    (SELECT hash, from_address FROM {table_name}.transactions
    where "data_creation_date" > DATE('2023-10-01')
    AND "data_creation_date" <= DATE('2023-11-27')
    AND from_address in ({attack_detector_eoas})
    ) as transactions
  ON traces.transaction_hash = transactions.hash

  """

  #print(protocol_addresses)
  #print(attack_detector_eoas)
  #print(query)
  csv_str = zb.sql_to_csv(query)
  data = StringIO(csv_str)

  # Read the data into a DataFrame
  df = pd.read_csv(data)

  protocol_name = protocol['protocol']
  chain = protocol['chain']
  all_tx_count = 0
  all_eoa_count = 0
  if len(df[df['type']=='all']) > 0:
    all_tx_count = df[df['type']=='all'].iloc[0]['tx_count']
    all_eoa_count = df[df['type']=='all'].iloc[0]['eoa_count']
  exploit_tx_count = 0
  exploit_eoa_count = 0
  if(len(df[df['type']=='exploit']) > 0):
      exploit_tx_count = df[df['type']=='exploit'].iloc[0]['tx_count']
      exploit_eoa_count = df[df['type']=='exploit'].iloc[0]['eoa_count']

  df_threat_oracle_stats = pd.concat([df_threat_oracle_stats, pd.DataFrame([[protocol_name, all_tx_count, all_eoa_count, exploit_tx_count, exploit_eoa_count, chain]], columns=['protocol', 'total_tx', 'total_eoa', 'blocked_tx', 'blocked_eoa', 'chain'])])


xToken
Genius
NowSwap
IQ
Merkl
Ribbon
Swapr
Meta Pool ETH
Solidly V2
Swipe
Nord Finance
Ribbon Lend
H2Odata
Ferrum
Redacted Protocol
Amun
Yapeswap
Florence Finance
Tornado Cash
JustMoney
Midas Capital
Oni Exchange
PancakeSwap Perps
Belt Finance
Opium
Bearn
Pacoca
RBX
Tenet
XEUS
Magpie
PolkaEx
KACO Finance
OrbitalSwap
SMBSwap V2
Wault
Yogi Finance
FinNexus
MetalSwap
Tetu Swap
Tetu Pawnshop
Paprprintr
Portal
Entropyfi
GET Protocol
Kromatika
Olive
UniPower
DPEX
Gravis Finance
Spherium
Mirai
dHEDGE
SmarDex
RUNNING
Request failed with response: [,ERROR,] {"message":"This result has not been updated for last 3 months and therefore deleted, please re-run the query to get the latest data. "}

Elapsed query execution time: 10s
GotchiVault
MahaDAO Arth
WOWswap
Umbria Network


In [56]:
df_threat_oracle_stats

Unnamed: 0,protocol,total_tx,total_eoa,blocked_tx,blocked_eoa,chain
0,xToken,401,199,2,2,Ethereum
0,Genius,828,304,11,9,Ethereum
0,NowSwap,110,50,0,0,Ethereum
0,IQ,102454,23013,5494,85,Ethereum
0,Merkl,83149,32388,1093,52,Ethereum
0,Ribbon,4350,1190,271,25,Ethereum
0,Swapr,74946,18853,3828,65,Ethereum
0,Meta Pool ETH,0,0,0,0,Ethereum
0,Solidly V2,2560,511,43,8,Ethereum
0,Swipe,1388,423,19,7,Ethereum


In [57]:
df_threat_oracle_stats.to_csv('threat_oracle_stats.csv', index=False)

In [60]:
blocked_tx = pd.DataFrame(columns=['transaction_hash', 'from_address'])

for chain in ['Ethereum','Binance','Polygon']:
   
    protocol_addresses = set()
    for index, protocol in df_protocols.iterrows():
        if protocol['chain'] != chain:
            continue

        print(protocol['protocol'])

        table_name = 'ethereum_mainnet'
        chainId = '1'
        if protocol['chain'] == "Binance":
            table_name = 'bsc_mainnet'
            chainId = '56'
        if protocol['chain'] == "Polygon":
            table_name = 'polygon_mainnet'
            chainId = '137'
        protocol_addresses = protocol_addresses.union(set(protocol['addresses'].split(",")))

    print(len(protocol_addresses))
    protocol_addresses_chunks = [protocol_addresses[x:x+1500] for x in range(0, len(protocol_addresses), 1500)]

    for protocol_address_chunk in protocol_addresses_chunks:

        attack_detector_eoas = "'" + "','".join(attack_detector_eos[chainId]).lower() + "'"
        protocol_addresses_str = "'" + "','".join(protocol_address_chunk).lower() + "'"
        query = f"""
        SELECT DISTINCT transaction_hash, from_address
        from
            (SELECT transaction_hash
        FROM {table_name}.traces
        WHERE to_address in ({protocol_addresses_str})
        AND "data_creation_date" > DATE('2023-10-01')
            AND "data_creation_date" <= DATE('2023-11-27')) as traces
        JOIN 
            (SELECT hash, from_address FROM {table_name}.transactions
            where "data_creation_date" > DATE('2023-10-01')
            AND "data_creation_date" <= DATE('2023-11-27')
            AND from_address in ({attack_detector_eoas})
            ) as transactions
        ON traces.transaction_hash = transactions.hash

        """
        #print(query)

        #print(protocol_addresses)
        #print(attack_detector_eoas)
        #print(query)
        #csv_str = zb.sql_to_csv(query)
        #data = StringIO(csv_str)

        # Read the data into a DataFrame
        #df = pd.read_csv(data)
        #blocked_tx = pd.concat([blocked_tx, df])

#blocked_tx.to_csv('blocked_tx.csv', index=False)

xToken
Genius
NowSwap
IQ
Merkl
Ribbon
Swapr
Meta Pool ETH
Solidly V2
Swipe
Nord Finance
Ribbon Lend
H2Odata
Ferrum
Redacted Protocol
Amun
Yapeswap
Florence Finance
3194
Tornado Cash
JustMoney
Midas Capital
Oni Exchange
PancakeSwap Perps
Belt Finance
Opium
Bearn
Pacoca
RBX
Tenet
XEUS
Magpie
PolkaEx
KACO Finance
OrbitalSwap
SMBSwap V2
Wault
Yogi Finance
FinNexus
3534
MetalSwap
Tetu Swap
Tetu Pawnshop
Paprprintr
Portal
Entropyfi
GET Protocol
Kromatika
Olive
UniPower
DPEX
Gravis Finance
Spherium
Mirai
dHEDGE
SmarDex
GotchiVault
MahaDAO Arth
WOWswap
Umbria Network
47


In [45]:
blocked_tx

Unnamed: 0,transaction_hash,from_address
