15 changes: 14 additions & 1 deletion README.md
Expand Up @@ -26,6 +26,8 @@

> **Sovereign infrastructure:** you own the stack, the keys, and the audit trail. LucentFlow is built for **resilience** under RPC pressure, **data sovereignty** on your hardware, and **high-throughput** forensic analysis—without sacrificing cryptographic rigor.

> 🛡️ **Ecosystem partner:** LucentFlow supplies **high-fidelity threat intelligence** to [**Blockaid**](https://blockaid.io/)—Coinbase’s onchain security partner—supporting the **Coinbase / Base** network layer. Structured disclosures reference partner ticket **#1235288** (non-public ticket; see [**Blockaid Threat Intelligence**](https://blockaid.io/threat-intelligence) for public program context).

---

## Why LucentFlow
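Review bot: the new partner banner (the "Ecosystem partner" line) publishes a ticket number that the same sentence describes as non-public, so a README reader can neither verify the disclosure nor do anything with the number; either drop it from the public README or link a public advisory or acknowledgement and keep the internal reference out of the repository. The trailing "see Blockaid Threat Intelligence for public program context" does not substitute for a verifiable reference.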
Expand All @@ -40,11 +42,22 @@ LucentFlow is an industrial-grade sentinel for **Base L2**: it monitors whale-sc
|------------|------------------|
| **Adaptive RPC pacing** | Intelligent behavior across **PROFESSIONAL** endpoints (Alchemy, QuickNode, Infura, BlastAPI, Ankr, …) and **PUBLIC** infrastructure (`mainnet.base.org`). Official public RPC uses **convention-over-configuration** safe defaults; non-official URLs unlock **optional** `.env` tuning. |
| **Zero-config CLI** | A **mirrored fat JAR** at the repository root (`lucentflow.jar`) after `mvn package`, plus **multi-path `.env` discovery**—optimized for `java -jar` from the project root without a wall of `-D` flags. |
| **Deep genesis trace** | **Three-layer** recursive funding analysis toward **nonce-zero** origins—**Anti-Rug 2.0** lineage: mixers, suspicious deployers, and seed funding reputation are surfaced as first-class signals. |
| **Deep genesis trace** | **Three-layer** recursive funding analysis toward **nonce-zero** origins—**Anti-Rug 2.0** lineage: mixers, suspicious deployers, and seed funding reputation are surfaced as first-class signals. Includes **de-cloaking internal transaction patterns** (e.g. **Zerion / Across** ingress semantics) for **industrialized** deployment-factory and bridge-obfuscation detection. |
| **Loom-powered indexer** | A **non-blocking** ingestion pipeline built on **Java 21 Virtual Threads**—parallel block work with bounded RPC fairness and adaptive backpressure. |

---

## 🔍 Forensic Intelligence & Case Studies

LucentFlow operates as an **active security contributor** to the Base ecosystem: findings are packaged for **operator-grade** review and, where appropriate, fed into **partner threat-intelligence** workflows (see ecosystem partner banner above).

| Case | Brief | Deep-dive anchors (local mirror) |
|------|--------|-------------------|
| **[Case #001](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot)** | **Automated fraud on Base:** a forensic breakdown of the **“Kriptogame”** rug-bot—reverted malicious deployments, deceptive ENS, and evidence-grade indicators ([Local Mirror](./docs/forensics/case-001-kriptogame-base-rug-bot.md)). | [Summary](./docs/forensics/case-001-kriptogame-base-rug-bot.md#summary) · [On-chain indicators](./docs/forensics/case-001-kriptogame-base-rug-bot.md#on-chain-indicators) · [ENS & reverts](./docs/forensics/case-001-kriptogame-base-rug-bot.md#ens-and-reverted-deployments) |
| **[Case #002](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2)** | **The 33-second pulse:** decrypting an **industrial-scale rug bot** on Base L2—scripted bytecode cloning, cross-chain funding obfuscation, and **Zerion / Across** ingress semantics ([Local Mirror](./docs/forensics/case-002-33-second-pulse-deployment-factory.md)). | [Summary](./docs/forensics/case-002-33-second-pulse-deployment-factory.md#summary) · [Bytecode cloning](./docs/forensics/case-002-33-second-pulse-deployment-factory.md#scripted-bytecode-cloning) · [Cross-chain obfuscation](./docs/forensics/case-002-33-second-pulse-deployment-factory.md#cross-chain-funding-obfuscation) |

---

## The “Hardcore CLI” Quickstart

Build once, run from the repo root. The loader merges `.env` files in **priority order** (first wins on duplicate keys) and applies **profile** and **proxy** intelligence before Spring Boot starts.
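Review bot: the rewritten "Deep genesis trace" row adds a feature claim ("de-cloaking internal transaction patterns ... Zerion / Across ingress semantics") that nothing in this patch ties to code, configuration or a doc section; the two new case studies describe the same thing as methodology prose only. Point the row at the module, config key or doc section that implements the detector, otherwise readers cannot tell a shipped capability from a planned one. Minor: in both new case-study rows the `[Local Mirror]` link sits inside the Brief cell while the third column links the same file three more times; one link per row in the anchors column is enough.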
75 changes: 75 additions & 0 deletions docs/forensics/case-001-kriptogame-base-rug-bot.md
@@ -0,0 +1,75 @@
# Case 001 — Automated Fraud on Base: A Forensic Breakdown of the “Kriptogame” Rug-Bot

> 📢 **Official Publication:** [View on Paragraph](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot)

**Classification:** Threat intelligence · Base L2 · contract deployment abuse
**Disclosure:** Formal reporting line to [Blockaid](https://blockaid.io/) (Coinbase ecosystem security partner); reference **ticket #1235288**. Public program context: [**Blockaid Threat Intelligence**](https://blockaid.io/threat-intelligence).

> **Local mirror:** version-controlled **sovereign audit log** (text-only). Heavy dashboard and timeline imagery are **excluded from the repository** by policy; narrative and IOCs below match the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot).

---

## Summary

This case documents **automated, scripted deployment behavior** on Base where malicious actors attempted **high-frequency contract creation** paired with **deceptive ENS naming** to mimic legitimate gaming or token brands. A subset of deployment transactions **reverted on-chain**—preserving an evidence trail of failed “probe” launches while other paths advanced toward liquidity events.

LucentFlow’s pipeline surfaced **revert-rich deployment bursts**, **bytecode similarity clusters**, and **ENS resolution patterns** inconsistent with organic project launches.

> 🖼️ **Visual Evidence:** High-fidelity dashboard captures showing the **Anti-Rug / risk-score (≈135)** surface and correlated deployment telemetry are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot).

---

## Technical Indicators (IOCs)

Searchable signatures for **GitHub global search** and offline SQL:

| Kind | Value |
|------|--------|
| **Primary deployer (EOA)** | `0x6ac359924348dd492a7751af122d781db984b70a` |

Correlate this address with `whale_transactions.from_address`, `to_address`, `funding_source_address`, and contract-creation rows ingested by LucentFlow.

---

## Forensic Methodology (LucentFlow)

- **Bytecode fingerprinting** — Cluster contracts by **`bytecode_hash`** (SHA-256 over normalized **creation input**), equivalent to matching **creation bytecode** semantics across clone deployments.
- **Temporal anomaly detection** — Flag **non-human inter-arrival times** on deployment bursts (scripted cadence vs organic launches), including tight coupling between **reverted** and **successful** creates from the same operator graph.
- **Internal-tx origin tracing** — Resolve **Zerion / Across-class** ingress (routers, bridges, portfolio surfaces) so seed funding is not misread as a single-hop top-level ETH transfer.

---

## On-chain indicators

- Burst **contract creations** from correlated EOAs with low historical reputation.
- **Reverted** `eth_getTransactionReceipt` paths indicating intentional throw / guard failures during automated sweeps.
- **ENS** registrations and primary names chosen for **look-alike** semantics against known brands (homoglyph and namespace squatting patterns).

> 🖼️ **Visual Evidence:** High-fidelity **timeline / receipt** panels showing **revert-heavy** deployment bursts next to **ENS** resolution context are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot).

---

## ENS and reverted deployments

Forensic value lies in correlating **failed deployments** with **successful** ones from the same operator graph: reverts often encode **budget probes** or **guard checks** before capital is committed. LucentFlow treats these as **first-class signals** in the Anti-Rug lineage—not noise to be discarded.

---

## Ecosystem references

- [Blockaid — Threat Intelligence](https://blockaid.io/threat-intelligence)
- [Base — Documentation](https://docs.base.org/)

---

### Verification

To verify this case locally:

1. Deploy LucentFlow **v1.1.0-STABLE** (see root `README.md` and `docs/LOCAL-DEVELOPMENT.md`).
2. Sync Base mainnet block range **`[Start_Block]`** to **`[End_Block]`** documented in the [Official Publication](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot) (canonical burst window).
3. Query PostgreSQL **`whale_transactions`** (and related analyst outputs) for the deployer **`0x6ac359924348dd492a7751af122d781db984b70a`** and correlated contract hashes; align with **`bytecode_hash`** clusters described in the publication.

---

*Primary narrative: [Paragraph — Case #001](https://paragraph.com/@archlucent@proton.me/automated-fraud-on-base-a-forensic-breakdown-of-the-kriptogame-rug-bot). This repository copy is the **local evidentiary mirror**; visual storytelling remains on Paragraph.*
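Review bot: the "Verification" section cannot be followed from this mirror: step 2 leaves `[Start_Block]` and `[End_Block]` as bracketed placeholders and defers to the external publication, which contradicts the header claim that "narrative and IOCs below match the Official Publication" and the stated purpose of a version-controlled evidentiary mirror. Put the concrete block range here, or state that it is intentionally withheld. Also, "Reverted `eth_getTransactionReceipt` paths" under "On-chain indicators" reads as if the RPC call failed; what reverts is the transaction, and the receipt only reports that, so name the receipt field the pipeline actually keys on.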
72 changes: 72 additions & 0 deletions docs/forensics/case-002-33-second-pulse-deployment-factory.md
@@ -0,0 +1,72 @@
# Case 002 — The 33-Second Pulse: Decrypting an Industrial-Scale Rug Bot on Base L2

> 📢 **Official Publication:** [View on Paragraph](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2)

**Classification:** Threat intelligence · Base L2 · bytecode cloning · cross-chain funding obfuscation
**Disclosure:** Formal reporting line to [Blockaid](https://blockaid.io/) (Coinbase ecosystem security partner); reference **ticket #1235288**. Public program context: [**Blockaid Threat Intelligence**](https://blockaid.io/threat-intelligence).

> **Local mirror:** version-controlled **sovereign audit log** (text-only). Heavy pulse charts and timeline imagery are **excluded from the repository** by policy; narrative and IOCs below match the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2).

---

## Summary

This case examines an **industrial-scale deployment factory** on Base L2: a tempo-bound cadence (a **~33-second pulse**) of **cloned bytecode** deployments where operators optimized for **throughput and obfuscation** over bespoke engineering. Funding rails showed **deliberate cross-chain obfuscation**—including ingress patterns consistent with **portfolio and bridge surfaces** (e.g. **Zerion**-class portfolio UX and **Across**-style bridge settlement semantics)—making naive “single-hop” tracing insufficient without **internal-tx–aware** forensics.

> 🖼️ **Visual Evidence:** High-fidelity dashboard captures showing the **~33-second deployment pulse** and **sub-block timestamp / ordering gaps** (including the **≈2-second** inter-create anomaly highlighted in the long-form analysis) are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2).

---

## Technical Indicators (IOCs)

Searchable signatures for **GitHub global search** and offline SQL:

| Kind | Value |
|------|--------|
| **Bytecode hash** (`whale_transactions.bytecode_hash`) | `87192e36234d9184a43f740488a3a0c663e86a192e001cbabde48f000c0a1511` |

This is the **normalized creation-input fingerprint** used to collapse clone deployments into a single operator template.

---

## Forensic Methodology (LucentFlow)

- **Bytecode fingerprinting** — Match **`bytecode_hash`** to **`creation_bytecode`** semantics (SHA-256 over normalized deploy `input`) so factory clones cannot hide behind fresh addresses.
- **Temporal anomaly detection** — Detect the **33-second “pulse”** cadence (non-Poisson inter-arrival of `contract_creation` events) and **micro-gap** ordering anomalies between sibling transactions.
- **Internal-tx origin tracing** — Reconstruct **Zerion / Across** ingress: internal transfers, router calldata, and settlement timing—not only top-level native transfers.

---

## Scripted bytecode cloning

Deployments shared **identical or near-identical creation bytecode hashes**, indicating **template-driven** factory behavior rather than independent projects. LucentFlow’s **bytecode fingerprinting** and **cluster linkage** were used to collapse thousands of surface addresses into a **small operator set** for reporting.

> 🖼️ **Visual Evidence:** High-fidelity **cluster / hash-equality** diagrams tying multiple create2 surfaces to one **bytecode hash** are available in the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2).

---

## Cross-chain funding obfuscation

**Key insight:** factory operators often **prefund** through bridges and portfolio aggregators to **distance** hot wallets from the eventual deployer. De-cloaking requires mapping **internal transfers**, **router calldata**, and **settlement timing**—not only top-level ETH moves.

---

## Ecosystem references

- [Across Protocol](https://across.to/) — bridge documentation and settlement model.
- [Zerion](https://zerion.io/) — wallet / portfolio aggregation (ingress pattern context).
- [Blockaid — Threat Intelligence](https://blockaid.io/threat-intelligence)

---

### Verification

To verify this case locally:

1. Deploy LucentFlow **v1.1.0-STABLE** (see root `README.md` and `docs/LOCAL-DEVELOPMENT.md`).
2. Sync Base mainnet block range **`[Start_Block]`** to **`[End_Block]`** documented in the [Official Publication](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2) (canonical factory window).
3. Query PostgreSQL **`whale_transactions`** for **`bytecode_hash = '87192e36234d9184a43f740488a3a0c663e86a192e001cbabde48f000c0a1511'`** (and time-correlated rows) to reproduce the clone cluster described above.

---

*Primary narrative: [Paragraph — Case #002](https://paragraph.com/@archlucent@proton.me/the-33-second-pulse-decrypting-an-industrial-scale-rug-bot-on-base-l2). This repository copy is the **local evidentiary mirror**; visual storytelling remains on Paragraph.*
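Review bot: the IOC hash is not reproducible from this document because "normalized creation input" is never defined (which bytes are stripped before hashing: constructor arguments, a compiler metadata trailer, anything else?), and the two case docs describe the same fingerprint differently (SHA-256 over "normalized creation input" in case 001 versus "normalized deploy `input`" matched to `creation_bytecode` semantics here). Document the normalization once, in a section both docs link to, so a reader running step 3 of "Verification" can recompute the hash in the IOC table from raw chain data rather than only grep for it. Step 2 has the same unfilled `[Start_Block]` / `[End_Block]` placeholders as case 001.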
Expand Up @@ -257,6 +257,7 @@ void testMessageSigning() {
@DisplayName("Address Utilities: Public key recovery")
void testAddressUtilities() {
String mnemonic = CryptoUtils.generateMnemonic(12);
mnemonic = "truth stock network school discover ostrich stock work album pig network cannon review achieve hurt radio salad spider tilt fatal need divide uncover toss";
var keys = CryptoUtils.deriveBatch(mnemonic, 0, 1);
ECKeyPair keyPair = keys.get(0);

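Review bot: the added assignment overwrites the mnemonic that `CryptoUtils.generateMnemonic(12)` produced on the line above, so that call is now dead code and the test no longer exercises the 12-word path it appears to (the literal is a 24-word phrase). If the intent is a deterministic test vector, delete the `generateMnemonic` call and mark the literal as a throwaway fixture, preferably loaded from test resources so its purpose is obvious; a seed phrase committed to source must never have held or later receive funds, since anyone with read access to the repository can derive every key from it.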