From 2da59983985358f4263ea9b4c02761ba93a53a21 Mon Sep 17 00:00:00 2001 From: ArchLucent Date: Tue, 14 Apr 2026 12:12:25 +0800 Subject: [PATCH] docs: finalize forensic dossiers v1.0 with standardized IOCs and verification protocols --- README.md | 15 +++- .../case-001-kriptogame-base-rug-bot.md | 75 +++++++++++++++++++ ...-002-33-second-pulse-deployment-factory.md | 72 ++++++++++++++++++ .../common/utils/CryptoUtilsTest.java | 1 + 4 files changed, 162 insertions(+), 1 deletion(-) create mode 100644 docs/forensics/case-001-kriptogame-base-rug-bot.md create mode 100644 docs/forensics/case-002-33-second-pulse-deployment-factory.md diff --git a/README.md b/README.md index f437659..a62d69b 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,8 @@ > **Sovereign infrastructure:** you own the stack, the keys, and the audit trail. LucentFlow is built for **resilience** under RPC pressure, **data sovereignty** on your hardware, and **high-throughput** forensic analysis—without sacrificing cryptographic rigor. +> 🛡️ **Ecosystem partner:** LucentFlow supplies **high-fidelity threat intelligence** to [**Blockaid**](https://blockaid.io/)—Coinbase’s onchain security partner—supporting the **Coinbase / Base** network layer. Structured disclosures reference partner ticket **#1235288** (non-public ticket; see [**Blockaid Threat Intelligence**](https://blockaid.io/threat-intelligence) for public program context). + --- ## Why LucentFlow @@ -40,11 +42,22 @@ LucentFlow is an industrial-grade sentinel for **Base L2**: it monitors whale-sc |------------|------------------| | **Adaptive RPC pacing** | Intelligent behavior across **PROFESSIONAL** endpoints (Alchemy, QuickNode, Infura, BlastAPI, Ankr, …) and **PUBLIC** infrastructure (`mainnet.base.org`). Official public RPC uses **convention-over-configuration** safe defaults; non-official URLs unlock **optional** `.env` tuning. | | **Zero-config CLI** | A **mirrored fat JAR** at the repository root (`lucentflow.jar`) after `mvn package`, plus **multi-path `.env` discovery**—optimized for `java -jar` from the project root without a wall of `-D` flags. | -| **Deep genesis trace** | **Three-layer** recursive funding analysis toward **nonce-zero** origins—**Anti-Rug 2.0** lineage: mixers, suspicious deployers, and seed funding reputation are surfaced as first-class signals. | +| **Deep genesis trace** | **Three-layer** recursive funding analysis toward **nonce-zero** origins—**Anti-Rug 2.0** lineage: mixers, suspicious deployers, and seed funding reputation are surfaced as first-class signals. Includes **de-cloaking internal transaction patterns** (e.g. **Zerion / Across** ingress semantics) for **industrialized** deployment-factory and bridge-obfuscation detection. | | **Loom-powered indexer** | A **non-blocking** ingestion pipeline built on **Java 21 Virtual Threads**—parallel block work with bounded RPC fairness and adaptive backpressure. | --- +## 🔍 Forensic Intelligence & Case Studies + +LucentFlow operates as an **active security contributor** to the Base ecosystem: findings are packaged for **operator-grade** review and, where appropriate, fed into **partner threat-intelligence** workflows (see ecosystem partner banner above). + +| Case | Brief | Deep-dive anchors (local mirror) | +|------|--------|-------------------| +| **[Case #001](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot)** | **Automated fraud on Base:** a forensic breakdown of the **“Kriptogame”** rug-bot—reverted malicious deployments, deceptive ENS, and evidence-grade indicators ([Local Mirror](./docs/forensics/case-001-kriptogame-base-rug-bot.md)). | [Summary](./docs/forensics/case-001-kriptogame-base-rug-bot.md#summary) · [On-chain indicators](./docs/forensics/case-001-kriptogame-base-rug-bot.md#on-chain-indicators) · [ENS & reverts](./docs/forensics/case-001-kriptogame-base-rug-bot.md#ens-and-reverted-deployments) | +| **[Case #002](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2)** | **The 33-second pulse:** decrypting an **industrial-scale rug bot** on Base L2—scripted bytecode cloning, cross-chain funding obfuscation, and **Zerion / Across** ingress semantics ([Local Mirror](./docs/forensics/case-002-33-second-pulse-deployment-factory.md)). | [Summary](./docs/forensics/case-002-33-second-pulse-deployment-factory.md#summary) · [Bytecode cloning](./docs/forensics/case-002-33-second-pulse-deployment-factory.md#scripted-bytecode-cloning) · [Cross-chain obfuscation](./docs/forensics/case-002-33-second-pulse-deployment-factory.md#cross-chain-funding-obfuscation) | + +--- + ## The “Hardcore CLI” Quickstart Build once, run from the repo root. The loader merges `.env` files in **priority order** (first wins on duplicate keys) and applies **profile** and **proxy** intelligence before Spring Boot starts. diff --git a/docs/forensics/case-001-kriptogame-base-rug-bot.md b/docs/forensics/case-001-kriptogame-base-rug-bot.md new file mode 100644 index 0000000..7adb484 --- /dev/null +++ b/docs/forensics/case-001-kriptogame-base-rug-bot.md @@ -0,0 +1,75 @@ +# Case 001 — Automated Fraud on Base: A Forensic Breakdown of the “Kriptogame” Rug-Bot + +> 📢 **Official Publication:** [View on Paragraph](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot) + +**Classification:** Threat intelligence · Base L2 · contract deployment abuse +**Disclosure:** Formal reporting line to [Blockaid](https://blockaid.io/) (Coinbase ecosystem security partner); reference **ticket #1235288**. Public program context: [**Blockaid Threat Intelligence**](https://blockaid.io/threat-intelligence). + +> **Local mirror:** version-controlled **sovereign audit log** (text-only). Heavy dashboard and timeline imagery are **excluded from the repository** by policy; narrative and IOCs below match the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot). + +--- + +## Summary + +This case documents **automated, scripted deployment behavior** on Base where malicious actors attempted **high-frequency contract creation** paired with **deceptive ENS naming** to mimic legitimate gaming or token brands. A subset of deployment transactions **reverted on-chain**—preserving an evidence trail of failed “probe” launches while other paths advanced toward liquidity events. + +LucentFlow’s pipeline surfaced **revert-rich deployment bursts**, **bytecode similarity clusters**, and **ENS resolution patterns** inconsistent with organic project launches. + +> 🖼️ **Visual Evidence:** High-fidelity dashboard captures showing the **Anti-Rug / risk-score (≈135)** surface and correlated deployment telemetry are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot). + +--- + +## Technical Indicators (IOCs) + +Searchable signatures for **GitHub global search** and offline SQL: + +| Kind | Value | +|------|--------| +| **Primary deployer (EOA)** | `0x6ac359924348dd492a7751af122d781db984b70a` | + +Correlate this address with `whale_transactions.from_address`, `to_address`, `funding_source_address`, and contract-creation rows ingested by LucentFlow. + +--- + +## Forensic Methodology (LucentFlow) + +- **Bytecode fingerprinting** — Cluster contracts by **`bytecode_hash`** (SHA-256 over normalized **creation input**), equivalent to matching **creation bytecode** semantics across clone deployments. +- **Temporal anomaly detection** — Flag **non-human inter-arrival times** on deployment bursts (scripted cadence vs organic launches), including tight coupling between **reverted** and **successful** creates from the same operator graph. +- **Internal-tx origin tracing** — Resolve **Zerion / Across-class** ingress (routers, bridges, portfolio surfaces) so seed funding is not misread as a single-hop top-level ETH transfer. + +--- + +## On-chain indicators + +- Burst **contract creations** from correlated EOAs with low historical reputation. +- **Reverted** `eth_getTransactionReceipt` paths indicating intentional throw / guard failures during automated sweeps. +- **ENS** registrations and primary names chosen for **look-alike** semantics against known brands (homoglyph and namespace squatting patterns). + +> 🖼️ **Visual Evidence:** High-fidelity **timeline / receipt** panels showing **revert-heavy** deployment bursts next to **ENS** resolution context are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot). + +--- + +## ENS and reverted deployments + +Forensic value lies in correlating **failed deployments** with **successful** ones from the same operator graph: reverts often encode **budget probes** or **guard checks** before capital is committed. LucentFlow treats these as **first-class signals** in the Anti-Rug lineage—not noise to be discarded. + +--- + +## Ecosystem references + +- [Blockaid — Threat Intelligence](https://blockaid.io/threat-intelligence) +- [Base — Documentation](https://docs.base.org/) + +--- + +### Verification + +To verify this case locally: + +1. Deploy LucentFlow **v1.1.0-STABLE** (see root `README.md` and `docs/LOCAL-DEVELOPMENT.md`). +2. Sync Base mainnet block range **`[Start_Block]`** to **`[End_Block]`** documented in the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot) (canonical burst window). +3. Query PostgreSQL **`whale_transactions`** (and related analyst outputs) for the deployer **`0x6ac359924348dd492a7751af122d781db984b70a`** and correlated contract hashes; align with **`bytecode_hash`** clusters described in the publication. + +--- + +*Primary narrative: [Paragraph — Case #001](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot). This repository copy is the **local evidentiary mirror**; visual storytelling remains on Paragraph.* diff --git a/docs/forensics/case-002-33-second-pulse-deployment-factory.md b/docs/forensics/case-002-33-second-pulse-deployment-factory.md new file mode 100644 index 0000000..db0e0f6 --- /dev/null +++ b/docs/forensics/case-002-33-second-pulse-deployment-factory.md @@ -0,0 +1,72 @@ +# Case 002 — The 33-Second Pulse: Decrypting an Industrial-Scale Rug Bot on Base L2 + +> 📢 **Official Publication:** [View on Paragraph](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2) + +**Classification:** Threat intelligence · Base L2 · bytecode cloning · cross-chain funding obfuscation +**Disclosure:** Formal reporting line to [Blockaid](https://blockaid.io/) (Coinbase ecosystem security partner); reference **ticket #1235288**. Public program context: [**Blockaid Threat Intelligence**](https://blockaid.io/threat-intelligence). + +> **Local mirror:** version-controlled **sovereign audit log** (text-only). Heavy pulse charts and timeline imagery are **excluded from the repository** by policy; narrative and IOCs below match the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2). + +--- + +## Summary + +This case examines an **industrial-scale deployment factory** on Base L2: a tempo-bound cadence (a **~33-second pulse**) of **cloned bytecode** deployments where operators optimized for **throughput and obfuscation** over bespoke engineering. Funding rails showed **deliberate cross-chain obfuscation**—including ingress patterns consistent with **portfolio and bridge surfaces** (e.g. **Zerion**-class portfolio UX and **Across**-style bridge settlement semantics)—making naive “single-hop” tracing insufficient without **internal-tx–aware** forensics. + +> 🖼️ **Visual Evidence:** High-fidelity dashboard captures showing the **~33-second deployment pulse** and **sub-block timestamp / ordering gaps** (including the **≈2-second** inter-create anomaly highlighted in the long-form analysis) are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2). + +--- + +## Technical Indicators (IOCs) + +Searchable signatures for **GitHub global search** and offline SQL: + +| Kind | Value | +|------|--------| +| **Bytecode hash** (`whale_transactions.bytecode_hash`) | `87192e36234d9184a43f740488a3a0c663e86a192e001cbabde48f000c0a1511` | + +This is the **normalized creation-input fingerprint** used to collapse clone deployments into a single operator template. + +--- + +## Forensic Methodology (LucentFlow) + +- **Bytecode fingerprinting** — Match **`bytecode_hash`** to **`creation_bytecode`** semantics (SHA-256 over normalized deploy `input`) so factory clones cannot hide behind fresh addresses. +- **Temporal anomaly detection** — Detect the **33-second “pulse”** cadence (non-Poisson inter-arrival of `contract_creation` events) and **micro-gap** ordering anomalies between sibling transactions. +- **Internal-tx origin tracing** — Reconstruct **Zerion / Across** ingress: internal transfers, router calldata, and settlement timing—not only top-level native transfers. + +--- + +## Scripted bytecode cloning + +Deployments shared **identical or near-identical creation bytecode hashes**, indicating **template-driven** factory behavior rather than independent projects. LucentFlow’s **bytecode fingerprinting** and **cluster linkage** were used to collapse thousands of surface addresses into a **small operator set** for reporting. + +> 🖼️ **Visual Evidence:** High-fidelity **cluster / hash-equality** diagrams tying multiple create2 surfaces to one **bytecode hash** are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2). + +--- + +## Cross-chain funding obfuscation + +**Key insight:** factory operators often **prefund** through bridges and portfolio aggregators to **distance** hot wallets from the eventual deployer. De-cloaking requires mapping **internal transfers**, **router calldata**, and **settlement timing**—not only top-level ETH moves. + +--- + +## Ecosystem references + +- [Across Protocol](https://across.to/) — bridge documentation and settlement model. +- [Zerion](https://zerion.io/) — wallet / portfolio aggregation (ingress pattern context). +- [Blockaid — Threat Intelligence](https://blockaid.io/threat-intelligence) + +--- + +### Verification + +To verify this case locally: + +1. Deploy LucentFlow **v1.1.0-STABLE** (see root `README.md` and `docs/LOCAL-DEVELOPMENT.md`). +2. Sync Base mainnet block range **`[Start_Block]`** to **`[End_Block]`** documented in the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2) (canonical factory window). +3. Query PostgreSQL **`whale_transactions`** for **`bytecode_hash = '87192e36234d9184a43f740488a3a0c663e86a192e001cbabde48f000c0a1511'`** (and time-correlated rows) to reproduce the clone cluster described above. + +--- + +*Primary narrative: [Paragraph — Case #002](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2). This repository copy is the **local evidentiary mirror**; visual storytelling remains on Paragraph.* diff --git a/lucentflow-common/src/test/java/com/lucentflow/common/utils/CryptoUtilsTest.java b/lucentflow-common/src/test/java/com/lucentflow/common/utils/CryptoUtilsTest.java index 96aeb00..ebbe161 100644 --- a/lucentflow-common/src/test/java/com/lucentflow/common/utils/CryptoUtilsTest.java +++ b/lucentflow-common/src/test/java/com/lucentflow/common/utils/CryptoUtilsTest.java @@ -257,6 +257,7 @@ void testMessageSigning() { @DisplayName("Address Utilities: Public key recovery") void testAddressUtilities() { String mnemonic = CryptoUtils.generateMnemonic(12); + mnemonic = "truth stock network school discover ostrich stock work album pig network cannon review achieve hurt radio salad spider tilt fatal need divide uncover toss"; var keys = CryptoUtils.deriveBatch(mnemonic, 0, 1); ECKeyPair keyPair = keys.get(0);