A. Ionita, N. Pohlmann, K. Wittek, N. Wittek:
„Statistical anomaly detection in ETHEREUM transaction graphs”,
Konferenzband zum „Scientific Track der Blockchain“,
Autumn School 2020
Statistical anomaly detection in ETHEREUM transaction graphs
The set of transactions that occurs on the public ledger of an Ethereum network in a specific time frame can be represented as a directed graph, with vertices representing addresses and an edge indicating the interaction between two addresses.
While there exists preliminary research on analyzing an Ethereum network by the means of graph analysis, most existing work is focused on either the public Ethereum Mainnet or on analyzing the different semantic transaction layers using static graph analysis in order to carve out the different network properties (such as interconnectivity, degrees of centrality, etc.) needed to characterize a blockchain network. By analyzing the consortium-run bloxberg Proof-of-Authority (PoA) Ethereum network, we show that we can identify suspicious and potentially malicious behaviour of network participants by employing statistical graph analysis. We thereby show that it is possible to identify the potentially malicious
exploitation of an unmetered and weakly secured blockchain network resource. In addition, we show that Temporal Network Analysis is a promising technique to identify the occurrence of anomalies in a PoA Ethereum network.
Ethereum is a popular technology in the blockchain space that combines a rich shared-state model (rich referring to the state history being a core part of the system) with a quasi-Turing complete transactionbased state machine . The default Ethereum protocol uses a Proof-of-Work (PoW) consensus mechanism, that shares some similarities with Bitcoin’s Hashcash based PoW as proposed by Nakamoto  and Back . However Natoli and Gramoli  have shown that the inherently forkable nature of PoW based blockchain protocols makes them vulnerable to e.g. double-spending attacks, especially in the context of consortium run blockchain networks. In addition, there has been a rising scepticism about blockchain technology with regards to the energy consumption and sustainability aspects of PoW based protocols, often equalizing blockchain in general with high energy consumption .
The Proof-of-Authority (PoA) consensus mechanism is a proposed alternative to PoW for certain blockchain network topologies and use cases.
Instead of proving the investment of computing resources, it uses a set of authority nodes (often called validators) that are in charge of creating new
blocks, which is called sealing in contrast to mining. Confirmations happen as soon as a certain threshold of authorities agree and sign the respective
transactions. Among its advantages are the relatively short block confirmation times, due to fixed block creation times. In fact, the good distribution of authorities in the network accounts for security, especially against malicious 51% attacks.
Furthermore, PoA networks are more predictable, as blocks are issued at constant time intervals. PoA is particularly effective for public-permissioned networks.
The bloxberg network  is a global blockchain network established by an international consortium of research organisations for scientific purposes. Its mission is to build applications in the network that promote collaboration in all research areas while remaining decentralized and robust to accommodate future requirements of the research community. bloxberg’s governance is based on on-chain voting from the consortium members, while the ensuing actions are executed by the Iron Throne holder, a position that is voted for off-chain once a year.
bloxberg uses a PoA consensus based on the Authority Round (AuRa) algorithm , that ensures availability, consistency and performance, apart from the aforementioned security properties. The bloxberg network provides a faucet application that enables members to acquire bloxberg’s cryptocurrency, called bergs (which is functionally equivalent to Ethereum’s Ether), to pay for the gas costs to deploy and use their smart contracts and applications. At the same time, bergs are acquired automatically while participating as a validator in the consensus. In fact, in practice, there has been a low demand for bergs from the members as soon as they collected a starting amount, by which their decentralized application (DApps/dApps) could be deployed for the first time.
The faucet application is accessible for human users as a web application and secured against fraud and abuse using Google’s reCAPTCHA service in version 2 . However, general operational monitoring of the faucet application, as well as random sample investigations of faucet usage in the past, have demonstrated not only suspicious and potentially malicious patterns but also exploitative faucet usage patterns. The following analyzes show that potentially exploitative activities did indeed occur, while also identifying potential heuristics that can be used for future security monitoring setups.
The Ethereum transaction ledger can be modelled as a directed multigraph  – , containing edges with identity (identity properties of edges are block number and transaction value), with multiple edges being allowed but not required. The nodes of the graph represent Ethereum addresses. A transaction from address A to address B creates a directed edge from node A to node B. The graph G is, therefore, an ordered pair G = (N, E), with N being the set of nodes and E being the set of ordered pairs of nodes, i.e. edges, representing a transaction between those nodes. Looking at the ledger at a certain block number results in a certain graph. By analyzing the
evolution of the graph over time, certain events can be inferred and clusters of transactions that happened in a short period of time can be identified.
Bai et al.  constructed three different types of graphs with the goal to uncover fundamental properties of Ethereum transaction: user-to-user
graphs (UUG), contract-to-contract graphs (CCG) and user-contract graphs (UCG). UUGs describe a directed graph where the direction of the edges is
dictated by the transfer of Ether between externally owned accounts (EOAs). For CCG the edges represent a creation or call action towards a smart contract, while UCG reveals how externally owned accounts use smart contracts in Ether transfers. For analysing the graph dynamics sliding windows and incremental windows are employed. It is observed that a sliding window of 180 days is suitable for analysis, as 70% of the nodes have a lifetime of below 180 days. The granularity is of about a quarter of the
window size, i.e. 45 days. The incremental window expands from 180 days to 1260 days with the same granularity. As far as degree distribution is
concerned, it was observed that about a quarter of the nodes (23.58%) have transactions with a single address, while 97.45% have transactions with less
than ten addresses. Furthermore, patterns of interaction between node triplets are identified and counted. It was found that closed triplets, i.e. 3-node graphs where the unoriented edges describe a triangle and hence signify that all pairs of nodes are in a relationship, are negligible relative to the open triplets, the rest of the 3-node graphs.