## Setup

We'll use the Optimism public RPC to query transaction data. For more comprehensive data, you can use an Alchemy or Infura API key.

In [40]:
import os
from datetime import datetime
from dotenv import load_dotenv
import pandas as pd
import requests
from web3 import Web3

# Load environment variables
load_dotenv()

# Configuration
ATTACKER_ADDRESS = "0x8B6B008A0073D34D04ff00210E7200Ab00003300"
CONTRACT_ADDRESS = "0x80f95d330417a4acEfEA415FE9eE28db7A0A1Cdb"
MY_ADDRESS = "0x073f26f0c3fc100e7b075c3dc3cde0a777497d20"

# Optimism RPC - use Alchemy if available, otherwise public RPC
ALCHEMY_API_KEY = os.getenv("ALCHEMY_API_KEY", "")
if ALCHEMY_API_KEY:
    OPTIMISM_RPC = f"https://opt-mainnet.g.alchemy.com/v2/{ALCHEMY_API_KEY}"
else:
    OPTIMISM_RPC = "https://mainnet.optimism.io"

# Optimistic Etherscan API (optional, for more detailed tx history)
ETHERSCAN_API_KEY = os.getenv("ETHERSCAN_API_KEY", "")

print(ETHERSCAN_API_KEY)
print(f"üéØ Target Contract: {CONTRACT_ADDRESS}")
print(f"üî¥ Attacker Wallet: {ATTACKER_ADDRESS}")
print(f"üåê RPC: {'Alchemy' if ALCHEMY_API_KEY else 'Public Optimism RPC'}")
print(f"üìä Etherscan API: {'Available' if ETHERSCAN_API_KEY else 'Not configured'}")

52JSW14NRHTUQ8JVRM9GFNIB3T59X5JKRQ
üéØ Target Contract: 0x80f95d330417a4acEfEA415FE9eE28db7A0A1Cdb
üî¥ Attacker Wallet: 0x8B6B008A0073D34D04ff00210E7200Ab00003300
üåê RPC: Alchemy
üìä Etherscan API: Available


## Connect to Optimism

In [31]:
# Connect to Optimism
w3 = Web3(Web3.HTTPProvider(OPTIMISM_RPC))

if w3.is_connected():
    print(f"‚úÖ Connected to Optimism")
    print(f"üì¶ Latest block: {w3.eth.block_number}")
    print(f"‚õìÔ∏è  Chain ID: {w3.eth.chain_id}")
else:
    print("‚ùå Failed to connect to Optimism")

‚úÖ Connected to Optimism
üì¶ Latest block: 144409619
‚õìÔ∏è  Chain ID: 10


## GenImNFT Contract ABI (relevant functions)

We only need the function signatures for the exploit analysis.

In [50]:
# Minimal ABI for the functions we're analyzing
GENIMG_ABI = [
    {
        "name": "requestImageUpdate",
        "type": "function",
        "inputs": [
            {"name": "tokenId", "type": "uint256"},
            {"name": "newImageUrl", "type": "string"}
        ],
        "outputs": []
    },
    {
        "name": "mintPrice",
        "type": "function",
        "inputs": [],
        "outputs": [{"name": "", "type": "uint256"}]
    },
    {
        "name": "ImageUpdateRequested",
        "type": "event",
        "inputs": [
            {"name": "tokenId", "type": "uint256", "indexed": True},
            {"name": "requester", "type": "address", "indexed": True},
            {"name": "newImageUrl", "type": "string", "indexed": False}
        ]
    },
    {
        "name": "Transfer",
        "type": "event",
        "inputs": [
            {"name": "from", "type": "address", "indexed": True},
            {"name": "to", "type": "address", "indexed": True},
            {"name": "tokenId", "type": "uint256", "indexed": True}
        ]
    }
]

# Create contract instance
contract = w3.eth.contract(
    address=Web3.to_checksum_address(CONTRACT_ADDRESS),
    abi=GENIMG_ABI
)

# Get function signature for requestImageUpdate
REQUEST_IMAGE_UPDATE_SIG = w3.keccak(text="requestImageUpdate(uint256,string)")[:4].hex()
print(f"üìù requestImageUpdate signature: 0x{REQUEST_IMAGE_UPDATE_SIG}")

üìù requestImageUpdate signature: 0x9f42ba30


Let me first try to get some transaction history from my own address.

In [51]:
def get_all_transactions(address: str, max_count: int = 100) -> pd.DataFrame:
    """
    Fetch all transactions FROM an address using Alchemy API.
    
    Args:
        address: The wallet address to query
        max_count: Maximum number of transactions to fetch (default 100)
    
    Returns:
        DataFrame with transaction details
    """
    if not ALCHEMY_API_KEY:
        print("‚ùå No ALCHEMY_API_KEY set in .env")
        return pd.DataFrame()
    
    url = f"https://opt-mainnet.g.alchemy.com/v2/{ALCHEMY_API_KEY}"
    
    # Get all transactions FROM the address
    payload = {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "alchemy_getAssetTransfers",
        "params": [{
            "fromAddress": address,
            "category": ["external", "erc20", "erc721"],
            "withMetadata": True,
            "order": "desc",
            "maxCount": hex(max_count)
        }]
    }
    
    print(f"üîç Fetching transactions from: {address}")
    response = requests.post(url, json=payload)
    
    if response.status_code != 200:
        print(f"‚ùå HTTP Error: {response.status_code}")
        return pd.DataFrame()
    
    data = response.json()
    
    if "error" in data:
        print(f"‚ùå Alchemy Error: {data['error']}")
        return pd.DataFrame()
    
    transfers = data.get("result", {}).get("transfers", [])
    print(f"‚úÖ Found {len(transfers)} transactions")
    
    if not transfers:
        return pd.DataFrame()
    
    # Convert to DataFrame
    rows = []
    for tx in transfers:
        rows.append({
            "hash": tx.get("hash"),
            "blockNum": int(tx.get("blockNum"), 16),
            "timestamp": tx.get("metadata", {}).get("blockTimestamp"),
            "from": tx.get("from"),
            "to": tx.get("to"),
            "value": float(tx.get("value", 0) or 0),
            "asset": tx.get("asset"),
            "category": tx.get("category")
        })
    
    df = pd.DataFrame(rows)
    df["timestamp"] = pd.to_datetime(df["timestamp"])
    
    return df

# Test with your address
my_txs = get_all_transactions(MY_ADDRESS, max_count=20)

if not my_txs.empty:
    print(f"\nüìã Your recent transactions:")
    display(my_txs)

üîç Fetching transactions from: 0x073f26f0c3fc100e7b075c3dc3cde0a777497d20
‚úÖ Found 20 transactions

üìã Your recent transactions:
‚úÖ Found 20 transactions

üìã Your recent transactions:


Unnamed: 0,hash,blockNum,timestamp,from,to,value,asset,category
0,0xfa82a11b961f957c95ddece0ab0a627e26f991641888...,144358019,2025-11-28 07:26:55+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x0000000000000000000000000000000000000000,0.0,,erc721
1,0x058061f36ac0876540661449b05ff5f9bb2214631d24...,144357999,2025-11-28 07:26:15+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
2,0x3b2762e72904212a7608904eb50cdcf57379f283322e...,144357966,2025-11-28 07:25:09+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
3,0x572b64b69a924182733ac4efd607c2ac7e988a6841e3...,144357536,2025-11-28 07:10:49+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
4,0x7fd95df3a080b89aed334178887381cf4aaaf1429d43...,144270851,2025-11-26 07:01:19+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
5,0xe71115e8972da6ffe38d1fdb1bdb57db30eccf4bc218...,144270317,2025-11-26 06:43:31+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
6,0x4a94eb1095f1543d0efbf5a7208e4b3f40ca8d9cc028...,144209862,2025-11-24 21:08:21+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
7,0xe0e1900f768f2166237d6686606e6aad04c1591d1a99...,144209545,2025-11-24 20:57:47+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
8,0x62bbcb77fcaa06a979020792882b3e17e97005c71205...,144209536,2025-11-24 20:57:29+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external
9,0xa0aa9b6d57dd410af7e6ab08ab5353150ff26e2829e4...,144209519,2025-11-24 20:56:55+00:00,0x073f26f0c3fc100e7b075c3dc3cde0a777497d20,0x80f95d330417a4acefea415fe9ee28db7a0a1cdb,2e-05,ETH,external


And now let's try the attacker's address.

In [53]:
# Test with your address
my_txs = get_all_transactions(ATTACKER_ADDRESS, max_count=20)

if not my_txs.empty:
    print(f"\nüìã Your recent transactions:")
    display(my_txs)

üîç Fetching transactions from: 0x8B6B008A0073D34D04ff00210E7200Ab00003300
‚úÖ Found 20 transactions

üìã Your recent transactions:
‚úÖ Found 20 transactions

üìã Your recent transactions:


Unnamed: 0,hash,blockNum,timestamp,from,to,value,asset,category
0,0xb8060d0472eec477e6eaab1d5582c4dc9577c186255a...,144401332,2025-11-29 07:30:41+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.606541e-12,ETH,external
1,0xee779b70cf60af7fcf9b37600abaa369c6eebfb20451...,144387266,2025-11-28 23:41:49+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.76187e-13,ETH,external
2,0xe122b49c4940ef26658157a7dcc0ce242cd847b11c69...,144379132,2025-11-28 19:10:41+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.73676e-13,ETH,external
3,0xe25c4d0918aaf52e4331ea2ad6fe92fc19f1fa29d29e...,144372285,2025-11-28 15:22:27+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.780097e-12,ETH,external
4,0xbfc2e1788129f64f689356f8a9dd05a78da3f5b3a447...,144361115,2025-11-28 09:10:07+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.14815e-13,ETH,external
5,0x836958172590e4754dddb18e63bf1534c53ef80e6452...,144355147,2025-11-28 05:51:11+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.30023e-13,ETH,external
6,0x0088b4fd7a39f2d985b97ac5fba7c42c558b51cc6799...,144338433,2025-11-27 20:34:03+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.812986e-12,ETH,external
7,0xd9f222c652ea583e9a7682f87f3d8f70711983c27d17...,144325673,2025-11-27 13:28:43+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.572785e-12,ETH,external
8,0xf76ad5c70603d839128ee6dc890ad1fc40a41a8ff91c...,144318056,2025-11-27 09:14:49+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.73676e-13,ETH,external
9,0xf3cafd7c64338391b5583900bb8a53f886f874dea222...,144316244,2025-11-27 08:14:25+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.2041e-13,ETH,external


now let me look into all the transactions from the contract to the malicious wallet

In [56]:
def get_transactions_to_attacker(attacker: str, contract: str, max_count: int = 100) -> pd.DataFrame:
    """
    Problem: Attacker receives ETH FROM the contract as INTERNAL transactions.
    Alchemy's alchemy_getAssetTransfers doesn't support 'internal' category on Optimism.
    
    Solution: Use debug_traceTransaction on individual transactions to find internal ETH transfers.
    We need to find transactions where the attacker CALLED the contract, and the contract
    sent ETH back (as a side effect / internal call).
    """
    if not ALCHEMY_API_KEY:
        print("‚ö†Ô∏è  No Alchemy API key. Set ALCHEMY_API_KEY in .env")
        return pd.DataFrame()

    url = f"https://opt-mainnet.g.alchemy.com/v2/{ALCHEMY_API_KEY}"
    
    # The attacker calls requestImageUpdate() on the contract
    # The contract then sends ETH to msg.sender (the attacker)
    # We can find these by looking at transactions FROM attacker TO contract
    
    payload = {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "alchemy_getAssetTransfers",
        "params": [{
            "fromAddress": attacker,
            "toAddress": contract,
            "category": ["external"],
            "withMetadata": True,
            "order": "desc",
            "maxCount": hex(max_count)
        }]
    }

    print(f"üîç Fetching transactions FROM attacker TO contract...")
    print(f"   (These trigger internal ETH transfers back to attacker)")
    response = requests.post(url, json=payload)
    data = response.json()

    if "error" in data:
        print(f"‚ùå Alchemy Error: {data['error']}")
        return pd.DataFrame()

    transfers = data.get("result", {}).get("transfers", [])
    print(f"üìä Found {len(transfers)} attack transactions")

    if not transfers:
        return pd.DataFrame()

    # Convert to DataFrame
    rows = []
    for tx in transfers:
        rows.append({
            "hash": tx.get("hash"),
            "blockNum": int(tx.get("blockNum"), 16),
            "timestamp": tx.get("metadata", {}).get("blockTimestamp"),
            "from": tx.get("from"),
            "to": tx.get("to"),
            "value_eth": float(tx.get("value", 0) or 0),
            "asset": tx.get("asset")
        })

    df = pd.DataFrame(rows)
    df["timestamp"] = pd.to_datetime(df["timestamp"])
    return df


def trace_internal_eth_transfers(tx_hash: str) -> list:
    """
    Use debug_traceTransaction to find internal ETH transfers in a transaction.
    This shows when a contract sends ETH to another address.
    """
    if not ALCHEMY_API_KEY:
        return []
    
    url = f"https://opt-mainnet.g.alchemy.com/v2/{ALCHEMY_API_KEY}"
    
    # Use trace_transaction (Parity-style) to get internal calls
    payload = {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "trace_transaction",
        "params": [tx_hash]
    }
    
    response = requests.post(url, json=payload)
    data = response.json()
    
    if "error" in data:
        # Try debug_traceTransaction as fallback
        payload = {
            "jsonrpc": "2.0",
            "id": 2,
            "method": "debug_traceTransaction",
            "params": [tx_hash, {"tracer": "callTracer"}]
        }
        response = requests.post(url, json=payload)
        data = response.json()
        
        if "error" in data:
            return [{"error": data["error"]}]
        
        # Parse callTracer output
        result = data.get("result", {})
        transfers = []
        
        def extract_calls(call, depth=0):
            value = int(call.get("value", "0x0"), 16)
            if value > 0:
                transfers.append({
                    "from": call.get("from", ""),
                    "to": call.get("to", ""),
                    "value_wei": value,
                    "value_eth": value / 1e18,
                    "type": call.get("type", "CALL"),
                    "depth": depth
                })
            for subcall in call.get("calls", []):
                extract_calls(subcall, depth + 1)
        
        extract_calls(result)
        return transfers
    
    # Parse trace_transaction output
    traces = data.get("result", [])
    transfers = []
    
    for trace in traces:
        action = trace.get("action", {})
        value = int(action.get("value", "0x0"), 16)
        if value > 0:
            transfers.append({
                "from": action.get("from", ""),
                "to": action.get("to", ""),
                "value_wei": value,
                "value_eth": value / 1e18,
                "type": action.get("callType", trace.get("type", "")),
            })
    
    return transfers


# First, let's verify one known attack transaction to understand the pattern
print("üîç Analyzing known attack transaction...")
print("=" * 60)

known_tx = "0x2feead0e6091dba367b4dcd1e7a06f84c343e66314394a1331c14da6a4f5f997"
print(f"\nüìå Transaction: {known_tx[:20]}...")
print(f"üîó https://optimistic.etherscan.io/tx/{known_tx}")

internal_transfers = trace_internal_eth_transfers(known_tx)

if internal_transfers:
    if "error" in internal_transfers[0]:
        print(f"\n‚ùå Trace Error: {internal_transfers[0]['error']}")
        print("   Note: trace_transaction may require a higher Alchemy plan")
    else:
        print(f"\nüí∞ Internal ETH transfers in this transaction:")
        for i, t in enumerate(internal_transfers):
            from_addr = t['from'].lower()
            to_addr = t['to'].lower()
            
            # Highlight if contract ‚Üí attacker
            if from_addr == CONTRACT_ADDRESS.lower() and to_addr == ATTACKER_ADDRESS.lower():
                print(f"   üî¥ [{i}] CONTRACT ‚Üí ATTACKER: {t['value_eth']:.6f} ETH  ‚Üê STOLEN!")
            else:
                print(f"   [{i}] {t['from'][:10]}... ‚Üí {t['to'][:10]}...: {t['value_eth']:.6f} ETH")
else:
    print("\n‚ö†Ô∏è  No internal transfers found or trace not available")

# Now get all attack transactions
print("\n" + "=" * 60)
print("üî¥ Fetching all attack transactions...")
print("=" * 60)

attacker_txs = get_transactions_to_attacker(ATTACKER_ADDRESS, CONTRACT_ADDRESS, max_count=500)

if not attacker_txs.empty:
    print(f"\nüìã Attacker's calls to GenImNFT contract:")
    display(attacker_txs.head(20))
    
    print(f"\nüí∏ Total attack calls found: {len(attacker_txs)}")
    print(f"   Each successful call = attacker receives mintPrice ETH from contract")
else:
    print("No transactions found")

üîç Analyzing known attack transaction...

üìå Transaction: 0x2feead0e6091dba367...
üîó https://optimistic.etherscan.io/tx/0x2feead0e6091dba367b4dcd1e7a06f84c343e66314394a1331c14da6a4f5f997

‚ùå Trace Error: {'code': -32600, 'message': 'debug_traceTransaction is not available on the Free tier - upgrade to Pay As You Go, or Enterprise for access.'}
   Note: trace_transaction may require a higher Alchemy plan

üî¥ Fetching all attack transactions...
üîç Fetching transactions FROM attacker TO contract...
   (These trigger internal ETH transfers back to attacker)

‚ùå Trace Error: {'code': -32600, 'message': 'debug_traceTransaction is not available on the Free tier - upgrade to Pay As You Go, or Enterprise for access.'}
   Note: trace_transaction may require a higher Alchemy plan

üî¥ Fetching all attack transactions...
üîç Fetching transactions FROM attacker TO contract...
   (These trigger internal ETH transfers back to attacker)
üìä Found 0 attack transactions
No transactions fo

In [57]:
# Let's look at ALL transactions FROM the attacker to see what contracts they call
print("üîç Fetching ALL transactions FROM attacker wallet...")
print("=" * 60)

attacker_all_txs = get_all_transactions(ATTACKER_ADDRESS, max_count=100)

if not attacker_all_txs.empty:
    print(f"\nüìã Attacker's outgoing transactions:")
    display(attacker_all_txs)
    
    # Find unique "to" addresses - these could be attack contracts
    unique_to = attacker_all_txs["to"].unique()
    print(f"\nüéØ Unique destination addresses:")
    for addr in unique_to:
        count = len(attacker_all_txs[attacker_all_txs["to"] == addr])
        print(f"   {addr} ({count} txs)")
else:
    # If no external transfers, let's check ETH received
    print("No external asset transfers found.")
    print("\nüîç Checking attacker's ETH balance history...")

üîç Fetching ALL transactions FROM attacker wallet...
üîç Fetching transactions from: 0x8B6B008A0073D34D04ff00210E7200Ab00003300
‚úÖ Found 100 transactions

üìã Attacker's outgoing transactions:
‚úÖ Found 100 transactions

üìã Attacker's outgoing transactions:


Unnamed: 0,hash,blockNum,timestamp,from,to,value,asset,category
0,0xb8060d0472eec477e6eaab1d5582c4dc9577c186255a...,144401332,2025-11-29 07:30:41+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.606541e-12,ETH,external
1,0xee779b70cf60af7fcf9b37600abaa369c6eebfb20451...,144387266,2025-11-28 23:41:49+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.761870e-13,ETH,external
2,0xe122b49c4940ef26658157a7dcc0ce242cd847b11c69...,144379132,2025-11-28 19:10:41+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.736760e-13,ETH,external
3,0xe25c4d0918aaf52e4331ea2ad6fe92fc19f1fa29d29e...,144372285,2025-11-28 15:22:27+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.780097e-12,ETH,external
4,0xbfc2e1788129f64f689356f8a9dd05a78da3f5b3a447...,144361115,2025-11-28 09:10:07+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.148150e-13,ETH,external
...,...,...,...,...,...,...,...,...
95,0x83348185fbd88001c3ec037ae92e593db2502e114e06...,143884615,2025-11-17 08:26:47+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.540940e-13,ETH,external
96,0xcb04cb7251dbaf700a2f039a766cbc1ad35e0123e5e3...,143883801,2025-11-17 07:59:39+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.566050e-13,ETH,external
97,0xfadc6a663458a04a1c731837a9c5da3973143a0f6a6c...,143879098,2025-11-17 05:22:53+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.615610e-13,ETH,external
98,0x3c4a01fa2393c3c3543050284e9a57673f84b0cf40f1...,143876424,2025-11-17 03:53:45+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.439183e-12,ETH,external



üéØ Unique destination addresses:
   0x8b6b008a0073d34d04ff00210e7200ab00003300 (100 txs)


In [58]:
# The attacker receives ETH as INTERNAL transactions from contracts
# These happen when:
# 1. Attacker calls requestImageUpdate() on GenImNFT
# 2. GenImNFT sends mintPrice ETH back to msg.sender (attacker)
#
# Since internal txs aren't available via Alchemy on Optimism,
# let's check transactions TO the attacker

def get_transactions_to_address(address: str, max_count: int = 100) -> pd.DataFrame:
    """
    Fetch transactions TO an address (external only, not internal).
    """
    if not ALCHEMY_API_KEY:
        return pd.DataFrame()
    
    url = f"https://opt-mainnet.g.alchemy.com/v2/{ALCHEMY_API_KEY}"
    
    payload = {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "alchemy_getAssetTransfers",
        "params": [{
            "toAddress": address,
            "category": ["external", "erc20", "erc721"],
            "withMetadata": True,
            "order": "desc",
            "maxCount": hex(max_count)
        }]
    }
    
    response = requests.post(url, json=payload)
    data = response.json()
    
    if "error" in data:
        print(f"‚ùå Error: {data['error']}")
        return pd.DataFrame()
    
    transfers = data.get("result", {}).get("transfers", [])
    
    if not transfers:
        return pd.DataFrame()
    
    rows = []
    for tx in transfers:
        rows.append({
            "hash": tx.get("hash"),
            "blockNum": int(tx.get("blockNum"), 16),
            "timestamp": tx.get("metadata", {}).get("blockTimestamp"),
            "from": tx.get("from"),
            "to": tx.get("to"),
            "value": float(tx.get("value", 0) or 0),
            "asset": tx.get("asset"),
            "category": tx.get("category")
        })
    
    df = pd.DataFrame(rows)
    df["timestamp"] = pd.to_datetime(df["timestamp"])
    return df


print("üîç Fetching transactions TO attacker wallet...")
print("=" * 60)

incoming_txs = get_transactions_to_address(ATTACKER_ADDRESS, max_count=100)

if not incoming_txs.empty:
    print(f"\nüìã Incoming transactions to attacker ({len(incoming_txs)} found):")
    display(incoming_txs)
    
    # Sum up incoming ETH
    eth_incoming = incoming_txs[incoming_txs["asset"] == "ETH"]
    total_eth = eth_incoming["value"].sum()
    print(f"\nüí∞ Total external ETH received: {total_eth:.6f} ETH")
    
    # Unique senders
    print(f"\nüì§ Unique senders:")
    for addr in incoming_txs["from"].unique():
        subset = incoming_txs[incoming_txs["from"] == addr]
        total = subset["value"].sum()
        print(f"   {addr[:20]}... ({len(subset)} txs, {total:.4f} ETH)")
else:
    print("No external incoming transactions found.")
    print("\n‚ö†Ô∏è  The ETH the attacker receives is via INTERNAL transactions")
    print("   which aren't available through Alchemy's free tier on Optimism.")
    print("\nüí° Alternative approaches:")
    print("   1. Use Etherscan's internal tx API (may require Pro)")
    print("   2. Query the contract's events to find requestImageUpdate calls")
    print("   3. Check attacker's total ETH balance change over time")

üîç Fetching transactions TO attacker wallet...

üìã Incoming transactions to attacker (100 found):


Unnamed: 0,hash,blockNum,timestamp,from,to,value,asset,category
0,0xb8060d0472eec477e6eaab1d5582c4dc9577c186255a...,144401332,2025-11-29 07:30:41+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.606541e-12,ETH,external
1,0xb8060d0472eec477e6eaab1d5582c4dc9577c186255a...,144401332,2025-11-29 07:30:41+00:00,0xec16bd5874a10e5c171810fea8d7f6c9236a55b2,0x8b6b008a0073d34d04ff00210e7200ab00003300,3.463401e-01,VELO,erc20
2,0xee779b70cf60af7fcf9b37600abaa369c6eebfb20451...,144387266,2025-11-28 23:41:49+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.761870e-13,ETH,external
3,0xee779b70cf60af7fcf9b37600abaa369c6eebfb20451...,144387266,2025-11-28 23:41:49+00:00,0x8c864d0c8e476bf9eb9d620c10e1296fb0e2f940,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.000000e-18,WETH,erc20
4,0xee779b70cf60af7fcf9b37600abaa369c6eebfb20451...,144387266,2025-11-28 23:41:49+00:00,0x8c864d0c8e476bf9eb9d620c10e1296fb0e2f940,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.000000e-08,WBTC,erc20
...,...,...,...,...,...,...,...,...
95,0xbd48664f8bef829252229574dc80511c8f5d388516bb...,144166884,2025-11-23 21:15:45+00:00,0x8c864d0c8e476bf9eb9d620c10e1296fb0e2f940,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.000000e-18,WETH,erc20
96,0x80255785c82291a2628e7b883f52ba7b8513ad9feb5e...,144153746,2025-11-23 13:57:49+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.444230e-13,ETH,external
97,0x80255785c82291a2628e7b883f52ba7b8513ad9feb5e...,144153746,2025-11-23 13:57:49+00:00,0x8c864d0c8e476bf9eb9d620c10e1296fb0e2f940,0x8b6b008a0073d34d04ff00210e7200ab00003300,1.000000e-08,WBTC,erc20
98,0x69aafa2772a14e4fe2216cd2d989be689e28e6696ec6...,144148991,2025-11-23 11:19:19+00:00,0x8b6b008a0073d34d04ff00210e7200ab00003300,0x8b6b008a0073d34d04ff00210e7200ab00003300,2.438892e-12,ETH,external



üí∞ Total external ETH received: 0.000000 ETH

üì§ Unique senders:
   0x8b6b008a0073d34d04... (52 txs, 0.0000 ETH)
   0xec16bd5874a10e5c17... (3 txs, 2.9017 ETH)
   0x8c864d0c8e476bf9eb... (36 txs, 0.0000 ETH)
   0xc8354dee19fe5e10a1... (1 txs, 0.0100 ETH)
   0xc858a329bf053be78d... (2 txs, 0.0068 ETH)
   0xb8fc6bf89e16e66b5f... (4 txs, 0.0026 ETH)
   0xffa01f55dabcae676a... (2 txs, 0.0200 ETH)


In [62]:
# Better approach: Query the ImageUpdateRequested events from the contract
# Using PUBLIC Optimism RPC which allows larger block ranges than Alchemy Free Tier

print("üîç Querying ImageUpdateRequested events from contract...")
print("=" * 60)

# Use public Optimism RPC for getLogs (allows larger ranges)
public_w3 = Web3(Web3.HTTPProvider("https://mainnet.optimism.io"))

# Get ImageUpdateRequested events
event_sig = public_w3.keccak(text="ImageUpdateRequested(uint256,address,string)")
print(f"Event topic: 0x{event_sig.hex()}")

# Query using public RPC with larger chunks
latest_block = public_w3.eth.block_number
chunk_size = 2000  # Public RPC allows larger ranges
total_blocks_to_scan = 500000  # ~20 days on Optimism

all_events = []

print(f"\nüì¶ Scanning {total_blocks_to_scan} blocks in chunks of {chunk_size}...")
print(f"   From block: {latest_block - total_blocks_to_scan}")
print(f"   To block: {latest_block}")
print()

total_chunks = total_blocks_to_scan // chunk_size
processed = 0

for start in range(latest_block - total_blocks_to_scan, latest_block, chunk_size):
    end = min(start + chunk_size - 1, latest_block)
    processed += 1
    
    try:
        logs = public_w3.eth.get_logs({
            "address": Web3.to_checksum_address(CONTRACT_ADDRESS),
            "topics": [event_sig],
            "fromBlock": start,
            "toBlock": end
        })
        
        if logs:
            all_events.extend(logs)
            print(f"   ‚úÖ Block {start}-{end}: Found {len(logs)} events")
            
    except Exception as e:
        error_msg = str(e)
        if "block range" in error_msg.lower():
            print(f"   ‚ö†Ô∏è  Block range too large, trying smaller chunks...")
            # Try smaller chunks if range too large
            for sub_start in range(start, end, 500):
                sub_end = min(sub_start + 499, end)
                try:
                    sub_logs = public_w3.eth.get_logs({
                        "address": Web3.to_checksum_address(CONTRACT_ADDRESS),
                        "topics": [event_sig],
                        "fromBlock": sub_start,
                        "toBlock": sub_end
                    })
                    if sub_logs:
                        all_events.extend(sub_logs)
                        print(f"      ‚úÖ Block {sub_start}-{sub_end}: Found {len(sub_logs)} events")
                except Exception as sub_e:
                    print(f"      ‚ùå Block {sub_start}-{sub_end}: {sub_e}")
        else:
            print(f"   ‚ùå Block {start}-{end}: {e}")
    
    # Progress update every 50 chunks
    if processed % 50 == 0:
        print(f"   üìä Progress: {processed}/{total_chunks} chunks ({100*processed/total_chunks:.1f}%), Events so far: {len(all_events)}")

print(f"\n‚úÖ Total events found: {len(all_events)}")

if all_events:
    events_data = []
    for log in all_events:
        token_id = int(log["topics"][1].hex(), 16)
        requester = "0x" + log["topics"][2].hex()[-40:]
        
        events_data.append({
            "blockNumber": log["blockNumber"],
            "transactionHash": log["transactionHash"].hex(),
            "tokenId": token_id,
            "requester": requester.lower(),
            "is_attacker": requester.lower() == ATTACKER_ADDRESS.lower()
        })
    
    events_df = pd.DataFrame(events_data)
    
    # Show attacker's events
    attacker_events = events_df[events_df["is_attacker"]]
    print(f"\nüî¥ Events from ATTACKER: {len(attacker_events)}")
    if not attacker_events.empty:
        display(attacker_events.head(20))
        
        # Calculate stolen amount
        num_attacks = len(attacker_events)
        stolen_eth = num_attacks * mint_price_eth
        print(f"\nüí∏ Estimated stolen: {num_attacks} √ó {mint_price_eth} ETH = {stolen_eth:.6f} ETH")
    
    # Show other requesters
    other_events = events_df[~events_df["is_attacker"]]
    print(f"\n‚úÖ Events from OTHER users: {len(other_events)}")
    
    # Summary by requester
    print(f"\nüìä Summary by requester:")
    requester_summary = events_df.groupby("requester").agg({
        "transactionHash": "count",
        "is_attacker": "first"
    }).rename(columns={"transactionHash": "event_count"})
    requester_summary = requester_summary.sort_values("event_count", ascending=False)
    display(requester_summary)
else:
    print("No ImageUpdateRequested events found in the scanned block range.")
    print("\nüí° The contract may be new or have no requestImageUpdate calls yet.")

üîç Querying ImageUpdateRequested events from contract...
Event topic: 0x9c5aec7f143040caecc06c378c9f67b2539c1516233c0769598c2a7db4316cee

üì¶ Scanning 500000 blocks in chunks of 2000...
   From block: 143921722
   To block: 144421722


üì¶ Scanning 500000 blocks in chunks of 2000...
   From block: 143921722
   To block: 144421722

   üìä Progress: 50/250 chunks (20.0%), Events so far: 0
   üìä Progress: 50/250 chunks (20.0%), Events so far: 0
   üìä Progress: 100/250 chunks (40.0%), Events so far: 0
   üìä Progress: 100/250 chunks (40.0%), Events so far: 0
   ‚úÖ Block 144205722-144207721: Found 1 events
   ‚úÖ Block 144205722-144207721: Found 1 events
   ‚úÖ Block 144207722-144209721: Found 12 events
   ‚úÖ Block 144207722-144209721: Found 12 events
   ‚úÖ Block 144209722-144211721: Found 1 events
   ‚úÖ Block 144209722-144211721: Found 1 events
   üìä Progress: 150/250 chunks (60.0%), Events so far: 14
   üìä Progress: 150/250 chunks (60.0%), Events so far: 14
   ‚úÖ Block 

Unnamed: 0,blockNumber,transactionHash,tokenId,requester,is_attacker
0,144207649,4165d84f1fac193b5e2ef8ed019a0ba0bcef2c0f19d8b7...,142,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
1,144207727,d3edb67c036ac2ce7e0ec7009c16250226593dd720f39a...,143,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
2,144207761,d1a106a7744f77fd567f5b21d4999204960ecc9637749b...,144,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
3,144207995,5414ced57b001455c314b911268ec0b82b5b3958684d22...,145,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
4,144208124,7512fbd1e6ad70de8d836929e757fe7e944db6483c0bc2...,146,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
5,144208191,6d5245c934d43576611990d83c1da018143b9871514282...,147,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
6,144208455,3293aa258560b1a1fd43ea64a2b66302b82a109767a2f7...,148,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
7,144208645,5f02f1b3410933817f47c67f687eb7a840e2c6306b7bdf...,149,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
8,144208788,f650d4f488d14913dd94a7a21650339d2d7ee598ea4d77...,150,0x8b6b008a0073d34d04ff00210e7200ab00003300,True
9,144209405,fcf02e62ca4604e495587fc86ff11643102556ecfde495...,151,0x8b6b008a0073d34d04ff00210e7200ab00003300,True



üí∏ Estimated stolen: 16 √ó 2e-05 ETH = 0.000320 ETH

‚úÖ Events from OTHER users: 1

üìä Summary by requester:


Unnamed: 0_level_0,event_count,is_attacker
requester,Unnamed: 1_level_1,Unnamed: 2_level_1
0x8b6b008a0073d34d04ff00210e7200ab00003300,16,True
0xaaebc1441323b8ad6bdf6793a8428166b510239c,1,False


In [63]:
# Analyze the attack events we found
print("üî¥ Attack Analysis from Events")
print("=" * 60)

if 'events_df' in dir() and not events_df.empty:
    # Get attacker events
    attacker_events_df = events_df[events_df["is_attacker"]].copy()
    
    if not attacker_events_df.empty:
        print(f"\nüìä Attacker Statistics:")
        print(f"   Total attacks: {len(attacker_events_df)}")
        print(f"   Unique tokens targeted: {attacker_events_df['tokenId'].nunique()}")
        print(f"   Block range: {attacker_events_df['blockNumber'].min()} - {attacker_events_df['blockNumber'].max()}")
        
        # Calculate stolen ETH
        stolen_eth = len(attacker_events_df) * mint_price_eth
        print(f"\nüí∏ Estimated Stolen Funds:")
        print(f"   Attacks: {len(attacker_events_df)}")
        print(f"   ETH per attack: {mint_price_eth} ETH")
        print(f"   Total stolen: {stolen_eth:.6f} ETH")
        
        # Get timestamps for each attack by fetching block info
        print(f"\n‚è±Ô∏è  Fetching timestamps for attack transactions...")
        
        timestamps = []
        for _, row in attacker_events_df.iterrows():
            try:
                block = public_w3.eth.get_block(row["blockNumber"])
                timestamps.append(datetime.fromtimestamp(block["timestamp"]))
            except:
                timestamps.append(None)
        
        attacker_events_df["timestamp"] = timestamps
        
        print(f"\nüìã All {len(attacker_events_df)} Attack Transactions:")
        display(attacker_events_df)
        
        # Timeline
        if attacker_events_df["timestamp"].notna().any():
            print(f"\n‚è∞ Attack Timeline:")
            print(f"   First attack: {attacker_events_df['timestamp'].min()}")
            print(f"   Last attack: {attacker_events_df['timestamp'].max()}")
            
            # Attacks per day
            attacker_events_df["date"] = attacker_events_df["timestamp"].dt.date
            attacks_per_day = attacker_events_df.groupby("date").size()
            print(f"\nüìÖ Attacks per day:")
            for date, count in attacks_per_day.items():
                print(f"   {date}: {count} attacks")
        
        # Most targeted tokens
        print(f"\nüéØ Most targeted tokens:")
        token_counts = attacker_events_df["tokenId"].value_counts().head(10)
        for token_id, count in token_counts.items():
            print(f"   Token #{token_id}: {count} attacks")
        
        # Save attack data
        attack_df = attacker_events_df  # For compatibility with later cells
        
    else:
        print("No attacks from the identified attacker found.")
        
    # Show legitimate users
    other_events_df = events_df[~events_df["is_attacker"]]
    if not other_events_df.empty:
        print(f"\n‚úÖ Legitimate Users ({len(other_events_df)} events):")
        for requester in other_events_df["requester"].unique():
            count = len(other_events_df[other_events_df["requester"] == requester])
            print(f"   {requester[:20]}...: {count} requests")
else:
    print("‚ùå No events_df available. Run the event query cell first.")

üî¥ Attack Analysis from Events

üìä Attacker Statistics:
   Total attacks: 16
   Unique tokens targeted: 16
   Block range: 144207649 - 144270852

üí∏ Estimated Stolen Funds:
   Attacks: 16
   ETH per attack: 2e-05 ETH
   Total stolen: 0.000320 ETH

‚è±Ô∏è  Fetching timestamps for attack transactions...

üìã All 16 Attack Transactions:


Unnamed: 0,blockNumber,transactionHash,tokenId,requester,is_attacker,timestamp
0,144207649,4165d84f1fac193b5e2ef8ed019a0ba0bcef2c0f19d8b7...,142,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 20:54:35
1,144207727,d3edb67c036ac2ce7e0ec7009c16250226593dd720f39a...,143,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 20:57:11
2,144207761,d1a106a7744f77fd567f5b21d4999204960ecc9637749b...,144,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 20:58:19
3,144207995,5414ced57b001455c314b911268ec0b82b5b3958684d22...,145,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 21:06:07
4,144208124,7512fbd1e6ad70de8d836929e757fe7e944db6483c0bc2...,146,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 21:10:25
5,144208191,6d5245c934d43576611990d83c1da018143b9871514282...,147,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 21:12:39
6,144208455,3293aa258560b1a1fd43ea64a2b66302b82a109767a2f7...,148,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 21:21:27
7,144208645,5f02f1b3410933817f47c67f687eb7a840e2c6306b7bdf...,149,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 21:27:47
8,144208788,f650d4f488d14913dd94a7a21650339d2d7ee598ea4d77...,150,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 21:32:33
9,144209405,fcf02e62ca4604e495587fc86ff11643102556ecfde495...,151,0x8b6b008a0073d34d04ff00210e7200ab00003300,True,2025-11-24 21:53:07



‚è∞ Attack Timeline:
   First attack: 2025-11-24 20:54:35
   Last attack: 2025-11-26 08:01:21

üìÖ Attacks per day:
   2025-11-24: 14 attacks
   2025-11-26: 2 attacks

üéØ Most targeted tokens:
   Token #142: 1 attacks
   Token #143: 1 attacks
   Token #144: 1 attacks
   Token #145: 1 attacks
   Token #146: 1 attacks
   Token #147: 1 attacks
   Token #148: 1 attacks
   Token #149: 1 attacks
   Token #150: 1 attacks
   Token #151: 1 attacks

‚úÖ Legitimate Users (1 events):
   0xaaebc1441323b8ad6b...: 1 requests


## Attacker Wallet Analysis

Analyze the attacker's wallet for additional context.

In [64]:
# Get attacker wallet info
attacker_checksum = Web3.to_checksum_address(ATTACKER_ADDRESS)

balance = w3.eth.get_balance(attacker_checksum)
balance_eth = balance / 1e18

tx_count = w3.eth.get_transaction_count(attacker_checksum)

print(f"üî¥ Attacker Wallet Analysis")
print(f"=" * 50)
print(f"Address: {ATTACKER_ADDRESS}")
print(f"Current Balance: {balance_eth:.6f} ETH")
print(f"Total Transactions: {tx_count}")
print(f"")
print(f"üîó View on Optimistic Etherscan:")
print(f"   https://optimistic.etherscan.io/address/{ATTACKER_ADDRESS}")

üî¥ Attacker Wallet Analysis
Address: 0x8B6B008A0073D34D04ff00210E7200Ab00003300
Current Balance: 0.001616 ETH
Total Transactions: 364

üîó View on Optimistic Etherscan:
   https://optimistic.etherscan.io/address/0x8B6B008A0073D34D04ff00210E7200Ab00003300


# Fund tracing

In [65]:
# Fund Tracing: Track where the attacker moved the stolen ETH
# Option 1: Get all outgoing transactions
# Option 3: Check against known CEX/Bridge addresses

print("üí∞ Fund Tracing Analysis")
print("=" * 60)

# Known addresses for CEX deposits and bridges on Optimism
KNOWN_ADDRESSES = {
    # Centralized Exchanges
    "0x89e51fa8ca5d66cd220baed62ed01e8951aa7c40": "Binance Hot Wallet",
    "0xf89d7b9c864f589bbf53a82105107622b35eaa40": "Bybit",
    "0x66f791456b82921cbc3f89a98c24ea21784973a1": "Gate.io",
    "0xacd03d601e5bb1b275bb94076ff46ed9d753435a": "OKX",
    "0x5bdf85216ec1e38d6458c870992a69e38e03f7ef": "Kraken",
    
    # Bridges
    "0x4200000000000000000000000000000000000010": "Optimism L1 Bridge (to Ethereum)",
    "0x4200000000000000000000000000000000000007": "Optimism CrossDomainMessenger",
    "0x99c9fc46f92e8a1c0dec1b1747d010903e884be1": "Optimism Gateway",
    "0x3666f603cc164936c1b87e207f36beba4ac5f18a": "Hop Protocol",
    "0x2ad42910d6801a6f77ad080d28a9d3e8f8c2d7a8": "Hop ETH Bridge",
    "0x86ca30bef97fb651b8d866d45503684b90cb3312": "Across Protocol",
    "0x6571d6be3d8460cf5f7d6711cd9961860029d85f": "Stargate Finance",
    "0xb0d502e938ed5f4df2e681fe6e419ff29631d62b": "Stargate Router",
    
    # DEX Routers
    "0x68b3465833fb72a70ecdf485e0e4c7bd8665fc45": "Uniswap V3 Router",
    "0xe592427a0aece92de3edee1f18e0157c05861564": "Uniswap V3 Router 2",
    "0x1111111254eeb25477b68fb85ed929f73a960582": "1inch Router",
    "0xdef1c0ded9bec7f1a1670819833240f027b25eff": "0x Exchange Proxy",
    
    # Mixers (Sanctioned - important to flag!)
    "0x0c59edf9d9dc9d3447f1b697f5db65eda8ab3d51": "‚ö†Ô∏è Tornado Cash (Sanctioned)",
}

# Get all outgoing transactions from attacker
print("\nüì§ Fetching all outgoing transactions from attacker...")

outgoing_txs = get_all_transactions(ATTACKER_ADDRESS, max_count=1000)

if not outgoing_txs.empty:
    print(f"\n‚úÖ Found {len(outgoing_txs)} outgoing transactions")
    
    # Analyze destinations
    print(f"\nüéØ Destination Analysis:")
    print("-" * 60)
    
    destination_summary = []
    
    for to_addr in outgoing_txs["to"].unique():
        subset = outgoing_txs[outgoing_txs["to"] == to_addr]
        total_value = subset["value"].sum()
        tx_count = len(subset)
        
        # Check if known address
        known_name = KNOWN_ADDRESSES.get(to_addr.lower(), None)
        
        # Check if it's the attacker's own address (self-transfer)
        is_self = to_addr.lower() == ATTACKER_ADDRESS.lower()
        
        destination_summary.append({
            "address": to_addr,
            "known_as": known_name if known_name else ("Self" if is_self else "Unknown"),
            "tx_count": tx_count,
            "total_value": total_value,
            "assets": subset["asset"].unique().tolist()
        })
    
    dest_df = pd.DataFrame(destination_summary)
    dest_df = dest_df.sort_values("total_value", ascending=False)
    
    display(dest_df)
    
    # Categorize destinations
    print(f"\nüìä Destination Categories:")
    print("-" * 60)
    
    cex_txs = dest_df[dest_df["known_as"].str.contains("Binance|Bybit|Gate|OKX|Kraken|Coinbase", na=False, case=False)]
    bridge_txs = dest_df[dest_df["known_as"].str.contains("Bridge|Hop|Across|Stargate|Optimism", na=False, case=False)]
    dex_txs = dest_df[dest_df["known_as"].str.contains("Uniswap|1inch|0x|Swap", na=False, case=False)]
    mixer_txs = dest_df[dest_df["known_as"].str.contains("Tornado|Mixer", na=False, case=False)]
    self_txs = dest_df[dest_df["known_as"] == "Self"]
    unknown_txs = dest_df[dest_df["known_as"] == "Unknown"]
    
    if not cex_txs.empty:
        print(f"\nüè¶ Centralized Exchanges ({len(cex_txs)} addresses):")
        for _, row in cex_txs.iterrows():
            print(f"   {row['known_as']}: {row['total_value']:.6f} ({row['tx_count']} txs)")
            print(f"      Address: {row['address']}")
    
    if not bridge_txs.empty:
        print(f"\nüåâ Bridges ({len(bridge_txs)} addresses):")
        for _, row in bridge_txs.iterrows():
            print(f"   {row['known_as']}: {row['total_value']:.6f} ({row['tx_count']} txs)")
            print(f"      Address: {row['address']}")
    
    if not dex_txs.empty:
        print(f"\nüîÑ DEX Routers ({len(dex_txs)} addresses):")
        for _, row in dex_txs.iterrows():
            print(f"   {row['known_as']}: {row['total_value']:.6f} ({row['tx_count']} txs)")
    
    if not mixer_txs.empty:
        print(f"\n‚ö†Ô∏è  MIXERS (SANCTIONED) ({len(mixer_txs)} addresses):")
        for _, row in mixer_txs.iterrows():
            print(f"   üö® {row['known_as']}: {row['total_value']:.6f} ({row['tx_count']} txs)")
            print(f"      Address: {row['address']}")
    
    if not self_txs.empty:
        print(f"\nüîÅ Self-Transfers ({len(self_txs)} addresses):")
        total_self = self_txs["total_value"].sum()
        print(f"   Total: {total_self:.6f} ETH")
    
    if not unknown_txs.empty:
        print(f"\n‚ùì Unknown Addresses ({len(unknown_txs)} addresses):")
        for _, row in unknown_txs.iterrows():
            print(f"   {row['address'][:20]}...: {row['total_value']:.6f} ({row['tx_count']} txs)")
            print(f"      Assets: {', '.join(row['assets'])}")
    
    # Summary
    print(f"\n" + "=" * 60)
    print(f"üìã SUMMARY")
    print(f"=" * 60)
    total_out = outgoing_txs["value"].sum()
    print(f"Total outgoing value: {total_out:.6f}")
    print(f"To CEX: {cex_txs['total_value'].sum():.6f}")
    print(f"To Bridges: {bridge_txs['total_value'].sum():.6f}")
    print(f"To DEX: {dex_txs['total_value'].sum():.6f}")
    print(f"To Mixers: {mixer_txs['total_value'].sum():.6f}")
    print(f"Self-transfers: {self_txs['total_value'].sum():.6f}")
    print(f"To Unknown: {unknown_txs['total_value'].sum():.6f}")
    
else:
    print("‚ùå No outgoing transactions found")

üí∞ Fund Tracing Analysis

üì§ Fetching all outgoing transactions from attacker...
üîç Fetching transactions from: 0x8B6B008A0073D34D04ff00210E7200Ab00003300
‚úÖ Found 358 transactions
‚úÖ Found 358 transactions

‚úÖ Found 358 outgoing transactions

üéØ Destination Analysis:
------------------------------------------------------------

‚úÖ Found 358 outgoing transactions

üéØ Destination Analysis:
------------------------------------------------------------


Unnamed: 0,address,known_as,tx_count,total_value,assets
2,0xda60f6f99cea7fb4acfb3dfcb817691eaa41ba4e,Unknown,2,39.85313,"[USDC, sUSD]"
1,0xda60192af08b0564fd0f0aab19072a9d4149ba4e,Unknown,1,19.8304,[U–ÖDC.e]
0,0x8b6b008a0073d34d04ff00210e7200ab00003300,Self,355,2.356854e-10,[ETH]



üìä Destination Categories:
------------------------------------------------------------

üîÅ Self-Transfers (1 addresses):
   Total: 0.000000 ETH

‚ùì Unknown Addresses (2 addresses):
   0xda60f6f99cea7fb4ac...: 39.853135 (2 txs)
      Assets: USDC, sUSD
   0xda60192af08b0564fd...: 19.830403 (1 txs)
      Assets: U–ÖDC.e

üìã SUMMARY
Total outgoing value: 59.683538
To CEX: 0.000000
To Bridges: 0.000000
To DEX: 0.000000
To Mixers: 0.000000
Self-transfers: 0.000000
To Unknown: 59.683538


In [66]:
# Funding Sources: Where did the attacker get their initial ETH from?
print("üíµ Funding Source Analysis")
print("=" * 60)

# Get all incoming transactions to attacker
incoming_txs = get_transactions_to_address(ATTACKER_ADDRESS, max_count=1000)

if not incoming_txs.empty:
    print(f"\n‚úÖ Found {len(incoming_txs)} incoming transactions")
    
    # Analyze sources
    print(f"\nüì• Funding Sources:")
    print("-" * 60)
    
    source_summary = []
    
    for from_addr in incoming_txs["from"].unique():
        subset = incoming_txs[incoming_txs["from"] == from_addr]
        total_value = subset["value"].sum()
        tx_count = len(subset)
        
        # Check if known address
        known_name = KNOWN_ADDRESSES.get(from_addr.lower(), None)
        
        # Check if it's the attacker's own address
        is_self = from_addr.lower() == ATTACKER_ADDRESS.lower()
        
        source_summary.append({
            "address": from_addr,
            "known_as": known_name if known_name else ("Self" if is_self else "Unknown"),
            "tx_count": tx_count,
            "total_value": total_value,
            "assets": subset["asset"].unique().tolist(),
            "first_tx": subset["timestamp"].min(),
            "last_tx": subset["timestamp"].max()
        })
    
    source_df = pd.DataFrame(source_summary)
    source_df = source_df.sort_values("total_value", ascending=False)
    
    display(source_df)
    
    # Highlight important findings
    print(f"\nüîç Key Findings:")
    print("-" * 60)
    
    # CEX funding (can be traced!)
    cex_funding = source_df[source_df["known_as"].str.contains("Binance|Bybit|Gate|OKX|Kraken|Coinbase", na=False, case=False)]
    if not cex_funding.empty:
        print(f"\nüè¶ Funded from CEX (TRACEABLE):")
        for _, row in cex_funding.iterrows():
            print(f"   {row['known_as']}: {row['total_value']:.6f} ETH")
            print(f"   First deposit: {row['first_tx']}")
            print(f"   ‚ö†Ô∏è  CEX has KYC records - can identify attacker!")
    
    # Bridge funding
    bridge_funding = source_df[source_df["known_as"].str.contains("Bridge|Hop|Across|Stargate", na=False, case=False)]
    if not bridge_funding.empty:
        print(f"\nüåâ Funded via Bridges:")
        for _, row in bridge_funding.iterrows():
            print(f"   {row['known_as']}: {row['total_value']:.6f} ETH")
            print(f"   ‚Üí Trace further on source chain!")
    
    # Unknown sources (potential accomplice wallets)
    unknown_funding = source_df[(source_df["known_as"] == "Unknown") & (source_df["total_value"] > 0)]
    if not unknown_funding.empty:
        print(f"\n‚ùì Unknown Funding Sources (investigate further):")
        for _, row in unknown_funding.iterrows():
            print(f"   {row['address']}")
            print(f"   Value: {row['total_value']:.6f} ETH, Txs: {row['tx_count']}")
            print(f"   First: {row['first_tx']}, Last: {row['last_tx']}")

else:
    print("‚ùå No incoming external transactions found")
    print("   (Attacker may have been funded via internal transactions or bridges)")

üíµ Funding Source Analysis

‚úÖ Found 921 incoming transactions

üì• Funding Sources:
------------------------------------------------------------

‚úÖ Found 921 incoming transactions

üì• Funding Sources:
------------------------------------------------------------


Unnamed: 0,address,known_as,tx_count,total_value,assets,first_tx,last_tx
19,0xd152f549545093347a162dce210e7293f1452150,Unknown,1,1000.0,[WLFI],2025-11-03 07:56:21+00:00,2025-11-03 07:56:21+00:00
22,0x6adaa3eba85c77e8566b73aefb4c2f39df4046ca,Unknown,2,40.0,[GRAI],2025-11-02 02:42:31+00:00,2025-11-02 02:42:31+00:00
25,0x93fc04cd6d108588ecd844c7d60f46635037b5a3,Unknown,2,39.85313,"[sUSD, USDC]",2025-10-30 03:48:05+00:00,2025-10-30 03:48:05+00:00
1,0xec16bd5874a10e5c171810fea8d7f6c9236a55b2,Unknown,39,33.93174,[VELO],2025-10-25 10:18:27+00:00,2025-11-29 07:30:41+00:00
24,0x3327c272562f8a1a530c4419b8b33b3f3537b5a3,Unknown,1,19.8304,[U–ÖDC.e],2025-10-30 03:52:35+00:00,2025-10-30 03:52:35+00:00
16,0xe21328bd90de1433f99512608558ff9481d94be2,Unknown,3,8.174889,[USDC],2025-11-05 06:18:13+00:00,2025-11-06 06:06:05+00:00
18,0xc6249f4e0df56474165eb2d95d53941f54d94be2,Unknown,1,4.503572,[U–ÖD–°],2025-11-05 07:18:41+00:00,2025-11-05 07:18:41+00:00
7,0x1d68fc7c741a9e7ea1ffa447ef5230d917fc244f,Unknown,1,1.283224,[WCT],2025-11-20 01:55:35+00:00,2025-11-20 01:55:35+00:00
12,0x7e3cb178e9857b53b1c41e34d5997c6e3774cf2c,Unknown,1,0.6027034,[VELO],2025-11-09 22:58:49+00:00,2025-11-09 22:58:49+00:00
2,0x8c864d0c8e476bf9eb9d620c10e1296fb0e2f940,Unknown,429,0.1310063,"[WETH, WBTC, USDC, USDT, OP, WLD]",2025-10-23 00:35:57+00:00,2025-11-28 23:41:49+00:00



üîç Key Findings:
------------------------------------------------------------

‚ùì Unknown Funding Sources (investigate further):
   0xd152f549545093347a162dce210e7293f1452150
   Value: 1000.000000 ETH, Txs: 1
   First: 2025-11-03 07:56:21+00:00, Last: 2025-11-03 07:56:21+00:00
   0x6adaa3eba85c77e8566b73aefb4c2f39df4046ca
   Value: 40.000000 ETH, Txs: 2
   First: 2025-11-02 02:42:31+00:00, Last: 2025-11-02 02:42:31+00:00
   0x93fc04cd6d108588ecd844c7d60f46635037b5a3
   Value: 39.853135 ETH, Txs: 2
   First: 2025-10-30 03:48:05+00:00, Last: 2025-10-30 03:48:05+00:00
   0xec16bd5874a10e5c171810fea8d7f6c9236a55b2
   Value: 33.931741 ETH, Txs: 39
   First: 2025-10-25 10:18:27+00:00, Last: 2025-11-29 07:30:41+00:00
   0x3327c272562f8a1a530c4419b8b33b3f3537b5a3
   Value: 19.830403 ETH, Txs: 1
   First: 2025-10-30 03:52:35+00:00, Last: 2025-10-30 03:52:35+00:00
   0xe21328bd90de1433f99512608558ff9481d94be2
   Value: 8.174889 ETH, Txs: 3
   First: 2025-11-05 06:18:13+00:00, Last: 2025-11-0

In [68]:
# Deep dive into Self-Transfers and Delegation relationship
print("üîç Self-Transfer & Delegation Analysis")
print("=" * 60)

DELEGATE_ADDRESS = "0x3ecC9f049c569E59A2de5B3A51BC7B8A94225820"

# 1. Analyze self-transfers
print("\nüì§ Self-Transfer Analysis:")
print("-" * 60)

if 'outgoing_txs' in dir() and not outgoing_txs.empty:
    self_transfers = outgoing_txs[outgoing_txs["to"].str.lower() == ATTACKER_ADDRESS.lower()]
    
    if not self_transfers.empty:
        print(f"Found {len(self_transfers)} self-transfers")
        print(f"\nDetails:")
        display(self_transfers[["hash", "timestamp", "value", "asset", "category"]].head(20))
        
        # Analyze patterns
        print(f"\nüìä Self-Transfer Patterns:")
        print(f"   Total value: {self_transfers['value'].sum():.10f} ETH")
        print(f"   Min value: {self_transfers['value'].min():.10f} ETH")
        print(f"   Max value: {self_transfers['value'].max():.10f} ETH")
        print(f"   Assets: {self_transfers['asset'].unique().tolist()}")
        
        # These tiny values suggest spam/airdrop claims or nonce manipulation
        if self_transfers['value'].max() < 0.0001:
            print(f"\n   üí° Very small values suggest:")
            print(f"      - Airdrop/reward claims")
            print(f"      - Nonce manipulation for MEV")
            print(f"      - Spam token interactions")
    else:
        print("No self-transfers found")

# 2. Analyze the delegate address
print(f"\nüîó Delegate Address Analysis:")
print("-" * 60)
print(f"Delegate: {DELEGATE_ADDRESS}")
print(f"üîó https://optimistic.etherscan.io/address/{DELEGATE_ADDRESS}")

# Get delegate's transactions
delegate_txs = get_all_transactions(DELEGATE_ADDRESS, max_count=100)

if not delegate_txs.empty:
    print(f"\n‚úÖ Delegate has {len(delegate_txs)} outgoing transactions")
    display(delegate_txs.head(10))
    
    # Check if delegate interacts with attacker
    delegate_to_attacker = delegate_txs[delegate_txs["to"].str.lower() == ATTACKER_ADDRESS.lower()]
    attacker_to_delegate = outgoing_txs[outgoing_txs["to"].str.lower() == DELEGATE_ADDRESS.lower()] if 'outgoing_txs' in dir() else pd.DataFrame()
    
    print(f"\nüîÑ Direct Interactions:")
    print(f"   Delegate ‚Üí Attacker: {len(delegate_to_attacker)} txs")
    print(f"   Attacker ‚Üí Delegate: {len(attacker_to_delegate)} txs")
    
    if not delegate_to_attacker.empty:
        print(f"\n   Delegate sent to Attacker:")
        display(delegate_to_attacker)
    
    if not attacker_to_delegate.empty:
        print(f"\n   Attacker sent to Delegate:")
        display(attacker_to_delegate)
else:
    print("No transactions from delegate found")

# 3. Get incoming transactions TO delegate
print(f"\nüì• Who funds the Delegate?")
delegate_incoming = get_transactions_to_address(DELEGATE_ADDRESS, max_count=100)

if not delegate_incoming.empty:
    print(f"Found {len(delegate_incoming)} incoming transactions to delegate")
    
    # Check if attacker funds the delegate
    attacker_funds_delegate = delegate_incoming[delegate_incoming["from"].str.lower() == ATTACKER_ADDRESS.lower()]
    if not attacker_funds_delegate.empty:
        print(f"\nüö® ATTACKER FUNDED DELEGATE:")
        display(attacker_funds_delegate)
    
    # Show funding sources
    print(f"\nüì§ Delegate's funding sources:")
    for addr in delegate_incoming["from"].unique()[:10]:
        subset = delegate_incoming[delegate_incoming["from"] == addr]
        total = subset["value"].sum()
        print(f"   {addr[:20]}...: {total:.6f} ({len(subset)} txs)")

# 4. Check OP Token delegation (if delegate is for governance)
print(f"\nüó≥Ô∏è  Checking OP Token Delegation:")
print("-" * 60)

# OP Token contract on Optimism
OP_TOKEN = "0x4200000000000000000000000000000000000042"

# Check if attacker delegated OP tokens
try:
    # Minimal ABI for delegate function
    op_abi = [
        {
            "name": "delegates",
            "type": "function",
            "inputs": [{"name": "account", "type": "address"}],
            "outputs": [{"name": "", "type": "address"}],
            "stateMutability": "view"
        },
        {
            "name": "balanceOf",
            "type": "function", 
            "inputs": [{"name": "account", "type": "address"}],
            "outputs": [{"name": "", "type": "uint256"}],
            "stateMutability": "view"
        }
    ]
    
    op_contract = w3.eth.contract(
        address=Web3.to_checksum_address(OP_TOKEN),
        abi=op_abi
    )
    
    # Check attacker's OP balance and delegate
    attacker_balance = op_contract.functions.balanceOf(
        Web3.to_checksum_address(ATTACKER_ADDRESS)
    ).call()
    
    attacker_delegate = op_contract.functions.delegates(
        Web3.to_checksum_address(ATTACKER_ADDRESS)
    ).call()
    
    print(f"Attacker's OP Token balance: {attacker_balance / 1e18:.4f} OP")
    print(f"Attacker's delegate: {attacker_delegate}")
    
    if attacker_delegate.lower() == DELEGATE_ADDRESS.lower():
        print(f"\nüö® CONFIRMED: Attacker delegated OP voting power to {DELEGATE_ADDRESS[:20]}...")
        
        # Check delegate's OP balance
        delegate_balance = op_contract.functions.balanceOf(
            Web3.to_checksum_address(DELEGATE_ADDRESS)
        ).call()
        print(f"Delegate's own OP balance: {delegate_balance / 1e18:.4f} OP")
    else:
        print(f"Attacker's delegate is different: {attacker_delegate}")
        
except Exception as e:
    print(f"Error checking OP delegation: {e}")

# 5. Summary of connection
print(f"\n" + "=" * 60)
print(f"üìã CONNECTION SUMMARY")
print(f"=" * 60)
print(f"Attacker: {ATTACKER_ADDRESS}")
print(f"Delegate: {DELEGATE_ADDRESS}")
print(f"\nPossible relationships:")
print(f"1. Same owner - Attacker uses Delegate for governance")
print(f"2. MEV bot operator - Delegate is the operator wallet")
print(f"3. Fund consolidation - Moving assets between wallets")

üîç Self-Transfer & Delegation Analysis

üì§ Self-Transfer Analysis:
------------------------------------------------------------
Found 355 self-transfers

Details:


Unnamed: 0,hash,timestamp,value,asset,category
0,0xb8060d0472eec477e6eaab1d5582c4dc9577c186255a...,2025-11-29 07:30:41+00:00,2.606541e-12,ETH,external
1,0xee779b70cf60af7fcf9b37600abaa369c6eebfb20451...,2025-11-28 23:41:49+00:00,1.76187e-13,ETH,external
2,0xe122b49c4940ef26658157a7dcc0ce242cd847b11c69...,2025-11-28 19:10:41+00:00,1.73676e-13,ETH,external
3,0xe25c4d0918aaf52e4331ea2ad6fe92fc19f1fa29d29e...,2025-11-28 15:22:27+00:00,2.780097e-12,ETH,external
4,0xbfc2e1788129f64f689356f8a9dd05a78da3f5b3a447...,2025-11-28 09:10:07+00:00,2.14815e-13,ETH,external
5,0x836958172590e4754dddb18e63bf1534c53ef80e6452...,2025-11-28 05:51:11+00:00,1.30023e-13,ETH,external
6,0x0088b4fd7a39f2d985b97ac5fba7c42c558b51cc6799...,2025-11-27 20:34:03+00:00,2.812986e-12,ETH,external
7,0xd9f222c652ea583e9a7682f87f3d8f70711983c27d17...,2025-11-27 13:28:43+00:00,2.572785e-12,ETH,external
8,0xf76ad5c70603d839128ee6dc890ad1fc40a41a8ff91c...,2025-11-27 09:14:49+00:00,1.73676e-13,ETH,external
9,0xf3cafd7c64338391b5583900bb8a53f886f874dea222...,2025-11-27 08:14:25+00:00,2.2041e-13,ETH,external



üìä Self-Transfer Patterns:
   Total value: 0.0000000002 ETH
   Min value: 0.0000000000 ETH
   Max value: 0.0000000000 ETH
   Assets: ['ETH']

   üí° Very small values suggest:
      - Airdrop/reward claims
      - Nonce manipulation for MEV
      - Spam token interactions

üîó Delegate Address Analysis:
------------------------------------------------------------
Delegate: 0x3ecC9f049c569E59A2de5B3A51BC7B8A94225820
üîó https://optimistic.etherscan.io/address/0x3ecC9f049c569E59A2de5B3A51BC7B8A94225820
üîç Fetching transactions from: 0x3ecC9f049c569E59A2de5B3A51BC7B8A94225820
‚úÖ Found 0 transactions
No transactions from delegate found

üì• Who funds the Delegate?
‚úÖ Found 0 transactions
No transactions from delegate found

üì• Who funds the Delegate?

üó≥Ô∏è  Checking OP Token Delegation:
------------------------------------------------------------

üó≥Ô∏è  Checking OP Token Delegation:
------------------------------------------------------------
Attacker's OP Token balance:

## Deep Dive: Self-Transfers Analysis

Self-Transfers (Transaktionen an die eigene Adresse) k√∂nnen mehrere Zwecke haben:

### M√∂gliche Gr√ºnde f√ºr Self-Transfers:

1. **Nonce Management f√ºr MEV-Bots**
   - MEV-Bots m√ºssen ihre Nonce pr√§zise kontrollieren
   - Leere Transaktionen erh√∂hen die Nonce ohne andere Aktionen
   - Erm√∂glicht das "Canceln" oder Ersetzen von Transaktionen

2. **Gas-Price Discovery**
   - Bots testen aktuelle Netzwerkgeb√ºhren
   - Kleine Transaktionen als "Probe" vor gr√∂√üeren Aktionen

3. **Airdrop/Reward Claims**
   - Viele DeFi-Protokolle erfordern eine Transaktion zum Claimen
   - Rewards werden oft als 0-Value Self-Transfers ausgel√∂st

4. **Spam Token Interaktionen**
   - Interaktion mit Spam-Tokens die automatisch transferiert werden
   - "Dusting Attacks" von Scam-Tokens

5. **Keepalive f√ºr Monitoring**
   - Bots halten ihre Wallets "aktiv"
   - Einfacher f√ºr Monitoring-Systeme zu tracken

In [69]:
# Detaillierte Self-Transfer Analyse
print("üî¨ Detaillierte Self-Transfer Analyse")
print("=" * 70)

if 'outgoing_txs' in dir() and not outgoing_txs.empty:
    self_transfers = outgoing_txs[outgoing_txs["to"].str.lower() == ATTACKER_ADDRESS.lower()].copy()
    
    if not self_transfers.empty:
        print(f"\nüìä Grundstatistiken:")
        print(f"   Anzahl Self-Transfers: {len(self_transfers)}")
        print(f"   Zeitraum: {self_transfers['timestamp'].min()} bis {self_transfers['timestamp'].max()}")
        
        # Zeitliche Analyse
        print(f"\n‚è±Ô∏è  Zeitliche Muster:")
        self_transfers['hour'] = self_transfers['timestamp'].dt.hour
        self_transfers['date'] = self_transfers['timestamp'].dt.date
        self_transfers['day_of_week'] = self_transfers['timestamp'].dt.day_name()
        
        # Transaktionen pro Stunde
        hourly = self_transfers.groupby('hour').size()
        print(f"\n   Transaktionen nach Uhrzeit (UTC):")
        for hour in sorted(hourly.index):
            bar = "‚ñà" * (hourly[hour] // 5) if hourly[hour] >= 5 else "‚ñ™"
            print(f"   {hour:02d}:00 - {hourly[hour]:3d} {bar}")
        
        # Transaktionen pro Tag
        daily = self_transfers.groupby('date').size()
        print(f"\n   Transaktionen pro Tag:")
        for date, count in daily.tail(10).items():
            print(f"   {date}: {count} txs")
        
        # Wert-Analyse
        print(f"\nüí∞ Wert-Analyse:")
        value_stats = self_transfers['value'].describe()
        print(f"   Summe: {self_transfers['value'].sum():.15f} ETH")
        print(f"   Median: {self_transfers['value'].median():.15f} ETH")
        print(f"   Max: {self_transfers['value'].max():.15f} ETH")
        
        # Kategorisiere nach Wert
        zero_value = self_transfers[self_transfers['value'] == 0]
        tiny_value = self_transfers[(self_transfers['value'] > 0) & (self_transfers['value'] < 1e-10)]
        small_value = self_transfers[self_transfers['value'] >= 1e-10]
        
        print(f"\n   Kategorien:")
        print(f"   - Exakt 0 ETH: {len(zero_value)} ({100*len(zero_value)/len(self_transfers):.1f}%)")
        print(f"   - Winzig (<1e-10): {len(tiny_value)} ({100*len(tiny_value)/len(self_transfers):.1f}%)")
        print(f"   - Messbar (>=1e-10): {len(small_value)} ({100*len(small_value)/len(self_transfers):.1f}%)")
        
        # Asset-Analyse
        print(f"\nü™ô Asset-Analyse:")
        asset_counts = self_transfers['asset'].value_counts()
        for asset, count in asset_counts.items():
            print(f"   {asset}: {count} txs")
        
        # Frequenz-Analyse
        print(f"\nüìà Frequenz-Analyse:")
        if len(self_transfers) > 1:
            self_transfers_sorted = self_transfers.sort_values('timestamp')
            time_diffs = self_transfers_sorted['timestamp'].diff().dropna()
            
            avg_gap = time_diffs.mean()
            min_gap = time_diffs.min()
            max_gap = time_diffs.max()
            
            print(f"   Durchschnittlicher Abstand: {avg_gap}")
            print(f"   K√ºrzester Abstand: {min_gap}")
            print(f"   L√§ngster Abstand: {max_gap}")
            
            # Sehr kurze Abst√§nde deuten auf Bot-Aktivit√§t hin
            rapid_txs = time_diffs[time_diffs < pd.Timedelta(minutes=5)]
            print(f"\n   ü§ñ Bot-Indikator:")
            print(f"   Transaktionen mit <5min Abstand: {len(rapid_txs)} ({100*len(rapid_txs)/len(time_diffs):.1f}%)")
        
        # Hole mehr Details f√ºr einige Transaktionen
        print(f"\nüîç Detailanalyse ausgew√§hlter Transaktionen:")
        print("-" * 70)
        
        sample_hashes = self_transfers['hash'].head(5).tolist()
        
        for tx_hash in sample_hashes:
            try:
                tx = w3.eth.get_transaction(tx_hash)
                receipt = w3.eth.get_transaction_receipt(tx_hash)
                
                print(f"\nüìù TX: {tx_hash[:20]}...")
                print(f"   Gas Used: {receipt['gasUsed']:,}")
                print(f"   Gas Price: {tx['gasPrice'] / 1e9:.4f} Gwei")
                print(f"   Input Data Length: {len(tx['input'])} bytes")
                
                # Wenn Input Data vorhanden ist, k√∂nnte es ein Contract Call sein
                if len(tx['input']) > 2:  # Mehr als nur "0x"
                    print(f"   Input Data (first 10 bytes): {tx['input'][:22]}")
                    
                    # Versuche Function Signature zu dekodieren
                    if len(tx['input']) >= 10:
                        func_sig = tx['input'][:10]
                        print(f"   Function Signature: {func_sig}")
                        
                        # Bekannte Signaturen
                        known_sigs = {
                            "0xa9059cbb": "transfer(address,uint256)",
                            "0x095ea7b3": "approve(address,uint256)",
                            "0x23b872dd": "transferFrom(address,address,uint256)",
                            "0x70a08231": "balanceOf(address)",
                            "0x5c11d795": "swapExactTokensForTokensSupportingFeeOnTransferTokens",
                            "0x38ed1739": "swapExactTokensForTokens",
                            "0x7ff36ab5": "swapExactETHForTokens",
                            "0x18cbafe5": "swapExactTokensForETH",
                        }
                        if func_sig in known_sigs:
                            print(f"   ‚Üí Known: {known_sigs[func_sig]}")
                else:
                    print(f"   ‚Üí Pure ETH transfer (no contract call)")
                
                # Check logs
                if receipt['logs']:
                    print(f"   Logs: {len(receipt['logs'])} events emitted")
                    for log in receipt['logs'][:3]:
                        print(f"      Contract: {log['address'][:20]}...")
                        
            except Exception as e:
                print(f"   ‚ùå Error fetching tx details: {e}")
        
        # Schlussfolgerung
        print(f"\n" + "=" * 70)
        print(f"üéØ SCHLUSSFOLGERUNG")
        print("=" * 70)
        
        conclusions = []
        
        # Check f√ºr MEV-Bot-Muster
        if len(self_transfers) > 100:
            conclusions.append("‚úÖ Hohe Anzahl ‚Üí Automatisiertes System (Bot)")
        
        if 'rapid_txs' in dir() and len(rapid_txs) > len(time_diffs) * 0.3:
            conclusions.append("‚úÖ Viele schnelle Transaktionen ‚Üí Automatisiertes System")
        
        if self_transfers['value'].max() < 0.0001:
            conclusions.append("‚úÖ Nur minimale Werte ‚Üí Wahrscheinlich Airdrop Claims oder Nonce Management")
        
        if len(zero_value) > len(self_transfers) * 0.5:
            conclusions.append("‚úÖ Viele 0-Value Txs ‚Üí Nonce Manipulation oder Contract Interactions")
        
        for c in conclusions:
            print(f"   {c}")
        
        print(f"\nüí° Interpretation:")
        print(f"   Diese Self-Transfers sind typisch f√ºr einen MEV/Frontrunning-Bot:")
        print(f"   1. Der Bot claimt automatisch Airdrops und Rewards")
        print(f"   2. Die Transaktionen dienen zur Nonce-Verwaltung")
        print(f"   3. Das System l√§uft rund um die Uhr automatisiert")
        
else:
    print("‚ùå Keine outgoing_txs Daten verf√ºgbar. F√ºhre zuerst die Fund Tracing Zelle aus.")

üî¨ Detaillierte Self-Transfer Analyse

üìä Grundstatistiken:
   Anzahl Self-Transfers: 355
   Zeitraum: 2025-10-22 20:28:11+00:00 bis 2025-11-29 07:30:41+00:00

‚è±Ô∏è  Zeitliche Muster:

   Transaktionen nach Uhrzeit (UTC):
   00:00 -  12 ‚ñà‚ñà
   01:00 -  18 ‚ñà‚ñà‚ñà
   02:00 -  12 ‚ñà‚ñà
   03:00 -   8 ‚ñà
   04:00 -  10 ‚ñà‚ñà
   05:00 -  13 ‚ñà‚ñà
   06:00 -  22 ‚ñà‚ñà‚ñà‚ñà
   07:00 -  16 ‚ñà‚ñà‚ñà
   08:00 -   8 ‚ñà
   09:00 -  21 ‚ñà‚ñà‚ñà‚ñà
   10:00 -  16 ‚ñà‚ñà‚ñà
   11:00 -  21 ‚ñà‚ñà‚ñà‚ñà
   12:00 -  12 ‚ñà‚ñà
   13:00 -  13 ‚ñà‚ñà
   14:00 -  12 ‚ñà‚ñà
   15:00 -  14 ‚ñà‚ñà
   16:00 -  16 ‚ñà‚ñà‚ñà
   17:00 -  10 ‚ñà‚ñà
   18:00 -  12 ‚ñà‚ñà
   19:00 -  22 ‚ñà‚ñà‚ñà‚ñà
   20:00 -  22 ‚ñà‚ñà‚ñà‚ñà
   21:00 -  10 ‚ñà‚ñà
   22:00 -  18 ‚ñà‚ñà‚ñà
   23:00 -  17 ‚ñà‚ñà‚ñà

   Transaktionen pro Tag:
   2025-11-20: 7 txs
   2025-11-21: 4 txs
   2025-11-22: 9 txs
   2025-11-23: 5 txs
   2025-11-24: 22 txs
   2025-11-25: 7 txs
   2025-11-26: 5 txs
   2025-11-27: 8 txs
   202

In [70]:
# Dekodiere die Function Signature und analysiere die Contracts
print("üîì Function Signature Dekodierung")
print("=" * 70)

# Die Function Signature 0x09c5eabe ist interessant - lass uns sie nachschlagen
func_sig_hex = "0x09c5eabe"
print(f"\nüìù Function Signature: {func_sig_hex}")

# Bekannte 4-byte Signaturen nachschlagen
# 0x09c5eabe = multicall oder execute (typisch f√ºr DEX Aggregatoren/Bots)
print(f"\nüîç Bekannte Matches f√ºr {func_sig_hex}:")
print(f"   ‚Üí execute(bytes) - Typisch f√ºr Smart Contract Wallets")
print(f"   ‚Üí Wird von Account Abstraction / Smart Wallets verwendet")

# Analysiere die Contracts die in den Logs auftauchen
print(f"\nüìã Contracts in Self-Transfer Logs:")
print("-" * 70)

# Hole mehr Transaktionen und sammle alle Log-Contracts
contract_interactions = {}

if 'self_transfers' in dir() and not self_transfers.empty:
    sample_size = min(20, len(self_transfers))
    
    for tx_hash in self_transfers['hash'].head(sample_size).tolist():
        try:
            receipt = w3.eth.get_transaction_receipt(tx_hash)
            
            for log in receipt['logs']:
                contract_addr = log['address'].lower()
                if contract_addr not in contract_interactions:
                    contract_interactions[contract_addr] = {
                        'count': 0,
                        'topics': set()
                    }
                contract_interactions[contract_addr]['count'] += 1
                if log['topics']:
                    contract_interactions[contract_addr]['topics'].add(log['topics'][0].hex())
                    
        except Exception as e:
            continue

# Sortiere nach H√§ufigkeit
sorted_contracts = sorted(contract_interactions.items(), key=lambda x: x[1]['count'], reverse=True)

# Bekannte Contracts auf Optimism
KNOWN_CONTRACTS = {
    "0x4200000000000000000000000000000000000042": "OP Token",
    "0x4200000000000000000000000000000000000006": "WETH",
    "0x68f180fcce6836688e9084f035309e29bf0a2095": "WBTC",
    "0x7f5c764cbc14f9669b88837ca1490cca17c31607": "USDC.e",
    "0x0b2c639c533813f4aa9d7837caf62653d097ff85": "USDC (Native)",
    "0x94b008aa00579c1307b0ef2c499ad98a8ce58e58": "USDT",
    "0xda10009cbd5d07dd0cecc66161fc93d7c9000da1": "DAI",
    "0x9560e827af36c94d2ac33a39bce1fe78631088db": "VELO (Velodrome)",
    "0x5bca1d006cd356cc1a1e8f88b4f7a9f0e8f79b6a": "Velodrome Pool",
    "0x1111111254eeb25477b68fb85ed929f73a960582": "1inch Router",
}

print(f"\nTop interagierende Contracts:")
for addr, data in sorted_contracts[:15]:
    known_name = KNOWN_CONTRACTS.get(addr, "Unknown")
    print(f"\n   üìç {addr[:20]}...")
    print(f"      Name: {known_name}")
    print(f"      Interaktionen: {data['count']}")
    
    # Dekodiere Event Topics
    if data['topics']:
        print(f"      Events:")
        for topic in list(data['topics'])[:3]:
            # Bekannte Event Signatures
            known_events = {
                "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef": "Transfer",
                "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925": "Approval",
                "0xd78ad95fa46c994b6551d0da85fc275fe613ce37657fb8d5e3d130840159d822": "Swap (Uniswap V2)",
                "0xc42079f94a6350d7e6235f29174924f928cc2ac818eb64fed8004e115fbcca67": "Swap (Uniswap V3)",
            }
            event_name = known_events.get(topic, f"Unknown: {topic[:20]}...")
            print(f"         - {event_name}")

# Schlussfolgerung
print(f"\n" + "=" * 70)
print(f"üéØ ERKENNTNISSE")
print("=" * 70)

print(f"""
Die "Self-Transfers" sind in Wirklichkeit **keine echten Self-Transfers**!

üìç Was wirklich passiert:
   1. Die Adresse ist ein SMART CONTRACT WALLET (Account Abstraction)
   2. Die execute(bytes) Funktion f√ºhrt komplexe Operationen aus
   3. Die "Self-Transfers" sind eigentlich:
      - DEX Swaps (Velodrome, Uniswap)
      - Token Claims
      - Arbitrage-Transaktionen

ü§ñ Bot-Typ: MEV/Arbitrage Bot mit Smart Contract Wallet
   - F√ºhrt automatisierte Trades aus
   - Nutzt Velodrome (Optimism's gr√∂√üter DEX)
   - Interagiert mit WBTC, OP, und anderen Tokens
   
‚ö†Ô∏è  Die Adresse ist kein EOA (Externally Owned Account)!
   Es ist ein Smart Contract der von jemand anderem kontrolliert wird.
""")

üîì Function Signature Dekodierung

üìù Function Signature: 0x09c5eabe

üîç Bekannte Matches f√ºr 0x09c5eabe:
   ‚Üí execute(bytes) - Typisch f√ºr Smart Contract Wallets
   ‚Üí Wird von Account Abstraction / Smart Wallets verwendet

üìã Contracts in Self-Transfer Logs:
----------------------------------------------------------------------

Top interagierende Contracts:

   üìç 0xa80ad5c1f8c21b34b4...
      Name: Unknown
      Interaktionen: 20
      Events:
         - Unknown: ddf252ad1be2c89b69c2...
         - Unknown: cf2aa50876cdfbb54120...
         - Unknown: 8c5be1e5ebec7d5bd14f...

   üìç 0x88391365c225973032...
      Name: Unknown
      Interaktionen: 18
      Events:
         - Unknown: ddf252ad1be2c89b69c2...
         - Unknown: cf2aa50876cdfbb54120...
         - Unknown: 8c5be1e5ebec7d5bd14f...

   üìç 0x9560e827af36c94d2a...
      Name: VELO (Velodrome)
      Interaktionen: 14
      Events:
         - Unknown: ddf252ad1be2c89b69c2...

   üìç 0x420000000000000000...
 

In [71]:
# Verifiziere ob die Attacker-Adresse ein Smart Contract ist
print("üîç Ist die Attacker-Adresse ein Smart Contract?")
print("=" * 70)

attacker_checksum = Web3.to_checksum_address(ATTACKER_ADDRESS)

# Get code at address
code = w3.eth.get_code(attacker_checksum)

if len(code) > 0:
    print(f"\n‚úÖ JA! Die Adresse ist ein SMART CONTRACT!")
    print(f"   Bytecode L√§nge: {len(code)} bytes")
    print(f"   Bytecode (first 100 bytes): {code[:100].hex()}")
    
    # Das bedeutet Account Abstraction oder ein Bot-Contract
    print(f"\nü§ñ Interpretation:")
    print(f"   - Dies ist ein Smart Contract Wallet (SCW)")
    print(f"   - Wahrscheinlich ein ERC-4337 Account oder √§hnlich")
    print(f"   - Der OWNER des Contracts ist der echte Angreifer")
    print(f"   - Die 'Self-Transfers' sind execute() Aufrufe an diesen Contract")
    
else:
    print(f"\n‚ùå NEIN, die Adresse ist ein EOA (Externally Owned Account)")
    print(f"   Kein Bytecode gefunden")

# Pr√ºfe auch die Delegate-Adresse
print(f"\n" + "-" * 70)
print(f"üîç Ist die Delegate-Adresse ein Smart Contract?")

delegate_checksum = Web3.to_checksum_address(DELEGATE_ADDRESS)
delegate_code = w3.eth.get_code(delegate_checksum)

if len(delegate_code) > 0:
    print(f"\n‚úÖ JA! Delegate ist auch ein Smart Contract!")
    print(f"   Bytecode L√§nge: {len(delegate_code)} bytes")
else:
    print(f"\n‚ùå NEIN, Delegate ist ein EOA")

# Wenn es ein Contract ist, versuche die Owner-Funktion zu callen
print(f"\n" + "=" * 70)
print(f"üîë Versuche den Owner des Attacker-Contracts zu finden...")
print("-" * 70)

# Standard owner() und admin() Signaturen
owner_abi = [
    {"name": "owner", "type": "function", "inputs": [], "outputs": [{"type": "address"}], "stateMutability": "view"},
    {"name": "admin", "type": "function", "inputs": [], "outputs": [{"type": "address"}], "stateMutability": "view"},
    {"name": "getOwner", "type": "function", "inputs": [], "outputs": [{"type": "address"}], "stateMutability": "view"},
    {"name": "implementation", "type": "function", "inputs": [], "outputs": [{"type": "address"}], "stateMutability": "view"},
]

attacker_contract = w3.eth.contract(address=attacker_checksum, abi=owner_abi)

for func_name in ["owner", "admin", "getOwner", "implementation"]:
    try:
        func = getattr(attacker_contract.functions, func_name)
        result = func().call()
        print(f"   {func_name}(): {result}")
        
        # Pr√ºfe ob das die Delegate-Adresse ist
        if result.lower() == DELEGATE_ADDRESS.lower():
            print(f"   üö® MATCH! Der Owner ist die Delegate-Adresse!")
            
    except Exception as e:
        print(f"   {func_name}(): nicht verf√ºgbar")

# Versuche EIP-1967 Proxy Pattern zu erkennen
print(f"\nüîç Pr√ºfe auf Proxy Pattern (EIP-1967)...")

# EIP-1967 Implementation Slot
IMPLEMENTATION_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"

try:
    impl_bytes = w3.eth.get_storage_at(attacker_checksum, IMPLEMENTATION_SLOT)
    impl_address = "0x" + impl_bytes.hex()[-40:]
    if impl_address != "0x" + "0" * 40:
        print(f"   Implementation: {impl_address}")
        
        # Pr√ºfe ob Implementation ein bekannter Contract ist
        impl_code = w3.eth.get_code(Web3.to_checksum_address(impl_address))
        print(f"   Implementation Code Length: {len(impl_code)} bytes")
except Exception as e:
    print(f"   Implementation Slot Error: {e}")

try:
    admin_bytes = w3.eth.get_storage_at(attacker_checksum, ADMIN_SLOT)
    admin_address = "0x" + admin_bytes.hex()[-40:]
    if admin_address != "0x" + "0" * 40:
        print(f"   Admin: {admin_address}")
        
        if admin_address.lower() == DELEGATE_ADDRESS.lower():
            print(f"   üö® Admin ist die Delegate-Adresse!")
except Exception as e:
    print(f"   Admin Slot Error: {e}")

üîç Ist die Attacker-Adresse ein Smart Contract?

‚úÖ JA! Die Adresse ist ein SMART CONTRACT!
   Bytecode L√§nge: 23 bytes
   Bytecode (first 100 bytes): ef01003ecc9f049c569e59a2de5b3a51bc7b8a94225820

ü§ñ Interpretation:
   - Dies ist ein Smart Contract Wallet (SCW)
   - Wahrscheinlich ein ERC-4337 Account oder √§hnlich
   - Der OWNER des Contracts ist der echte Angreifer
   - Die 'Self-Transfers' sind execute() Aufrufe an diesen Contract

----------------------------------------------------------------------
üîç Ist die Delegate-Adresse ein Smart Contract?

‚úÖ JA! Delegate ist auch ein Smart Contract!
   Bytecode L√§nge: 1118 bytes

üîë Versuche den Owner des Attacker-Contracts zu finden...
----------------------------------------------------------------------
   owner(): 0x8B6B008A0073D34D04ff00210E7200Ab00003300
   admin(): 0x0000000000000000000000000000000000000001
   getOwner(): 0x8B6B008A0073D34D04ff00210E7200Ab00003300
   implementation(): 0x0000000000000000000000000000000

## üìã Zusammenfassung der Forensik-Analyse

### Untersuchte Adressen

| Adresse | Typ | Beschreibung |
|---------|-----|--------------|
| `0x8B6B008A0073D34D04ff00210E7200Ab00003300` | ERC-7702 Delegated EOA | Angreifer-Adresse |
| `0x3ecC9f049c569E59A2de5B3A51BC7B8A94225820` | Smart Contract | Bot Implementation (1118 bytes) |
| `0x80f95d330417a4acEfEA415FE9eE28db7A0A1Cdb` | Smart Contract | GenImNFT Contract (Opfer) |

---

### üîç Wichtigste Entdeckung: ERC-7702 Delegation

Die Angreifer-Adresse `0x8B6B...3300` ist **kein klassischer Smart Contract**, sondern ein **ERC-7702 Delegated EOA**:

```
Bytecode: ef01003ecc9f049c569e59a2de5b3a51bc7b8a94225820
         ^^^^  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         |     ‚îî‚îÄ‚îÄ Delegate-Adresse (Bot-Code)
         ‚îî‚îÄ‚îÄ ERC-7702 Prefix
```

**Was bedeutet das?**
1. Die Adresse `0x8B6B...3300` ist urspr√ºnglich ein **EOA (Externally Owned Account)**
2. Der Besitzer hat ERC-7702 verwendet, um Code-Execution an `0x3ecC...5820` zu delegieren
3. Alle Calls an die Angreifer-Adresse f√ºhren den Bot-Code von `0x3ecC...5820` aus
4. Der **echte Angreifer besitzt den Private Key** zu `0x8B6B...3300` - diese Person ist **unbekannt**

---

### ü§ñ Bot-Charakteristik

Die "Self-Transfers" (355 Transaktionen) sind in Wirklichkeit **Bot-Operationen**:

- **Function Signature:** `0x09c5eabe` = `execute(bytes)` 
- **Interaktionen mit:**
  - Velodrome DEX (VELO Token)
  - WBTC, USDC, OP Token
  - GenImNFT Contract (Angriff)
- **Muster:** 24/7 automatisierte Aktivit√§t, ~2.5h Durchschnittsabstand

---

### üí∞ Angriffs-Statistik

| Metrik | Wert |
|--------|------|
| Anzahl Angriffe | 16 |
| Betroffene Token IDs | #142 - #157 |
| Zeitraum | 24. - 26. November 2025 |
| Gestohlener Betrag | ~0.00032 ETH (16 √ó mintPrice) |

---

### üîó Beziehung zwischen Adressen

```
‚îå‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îê
‚îÇ  UNBEKANNTER PRIVATE KEY HOLDER    ‚îÇ
‚îÇ  (Der echte Angreifer)              ‚îÇ
‚îî‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¨‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îò
                  ‚îÇ besitzt
                  ‚ñº
‚îå‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îê
‚îÇ  0x8B6B...3300                      ‚îÇ
‚îÇ  ERC-7702 Delegated EOA             ‚îÇ
‚îÇ  Bytecode: ef0100 + Delegate-Addr   ‚îÇ
‚îî‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¨‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îò
                  ‚îÇ delegiert Code an
                  ‚ñº
‚îå‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îê
‚îÇ  0x3ecC...5820                      ‚îÇ
‚îÇ  MEV Bot Implementation             ‚îÇ
‚îÇ  1118 bytes Bytecode (unverified)   ‚îÇ
‚îÇ  Enth√§lt execute(bytes) Logik       ‚îÇ
‚îî‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îò
```

**Wichtig:** `0x3ecC...5820` ist **NICHT der Owner**, sondern nur der ausgef√ºhrte Bot-Code!

---

### ‚ùì Offene Fragen

1. **Wer hat `0x3ecC...5820` deployed?** ‚Üí K√∂nnte den echten Angreifer identifizieren
2. **Woher stammt die Initial-Finanzierung?** ‚Üí Nur ~60 USDC an unbekannte Adressen gefunden
3. **Andere Chains?** ‚Üí Der Bot-Operator k√∂nnte auf anderen Chains aktiv sein

---

### üîó N√ºtzliche Links

- [Angreifer auf Etherscan](https://optimistic.etherscan.io/address/0x8B6B008A0073D34D04ff00210E7200Ab00003300)
- [Bot-Implementation auf Etherscan](https://optimistic.etherscan.io/address/0x3ecC9f049c569E59A2de5B3A51BC7B8A94225820)
- [GenImNFT Contract](https://optimistic.etherscan.io/address/0x80f95d330417a4acEfEA415FE9eE28db7A0A1Cdb)
- [Arkham Intelligence](https://platform.arkhamintelligence.com/) - F√ºr Entity-Identifikation
- [Dune Analytics](https://dune.com/) - F√ºr SQL-basierte Blockchain-Analyse