
Where the Funds Flow: an Introduction to On Chain Forensics

The following is a guest post by BowTiedPickle. I read an article he wrote and I learned a lot from it. I invited him to write an article here. Enjoy!

One of the key properties of a blockchain is transparency.

Anyone that wants to can spin up a node and validate the entire state of the blockchain from the genesis block to the present day. You can view transactions in real-time, see the entire balance of an account, and even see trades before they are made by watching the mempool.

This kind of visibility into the underlying data flow of finance is something that the private citizen has never had access to before. The best part is: it’s free. You don’t need some $30k/mo data broker subscription or a Bloomberg Terminal.

Part of engaging in DeFi as a responsible user is knowing the basics of navigating freely available information. Hopefully, you already know how to use block explorers like Etherscan or Ethtx.info.

Today we’re going to cover:

  • The basics of funds movement
  • How you can track funds flow
  • How users can try to disguise their movements

Why might you want to know this?

Tracking funding has a variety of purposes, including copy trading whales, shorting VC bags, avoiding projects with financial links to known scammers, or hunting down the hacker that stole your Bored Ape.

You don’t have to be Chainalysis or a cybersecurity gigabrain to engage in a little due diligence.

Fund Flows

Whether on Bitcoin, Ethereum, or some other chain, one of the key requirements of a blockchain is the ability to trace state alterations back through time.

This ensures that the state is provably correct, and no double-spending or other shenanigans have occurred. A side effect of this is that it is natively difficult to obscure where money is flowing.

In meatspace, if I hand my friend $100, and he hands it off to his friend, that money has effectively disappeared into a black hole. There’s little way of knowing whether it ended up in his friend’s mattress, in another person’s bank account, or in a cash register at Ikea. Tracing conventional funds is a massive exercise in detective work, and it may be literally impossible to track all of it.

Tracing funds on the blockchain involves no more work than pulling up Etherscan and looking at a series of “to” fields.

If you’re too lazy to do that, there are even a variety of tools that will generate pretty little graphs for you. Without engaging in some extra measures, there is absolutely no way to shake the transaction trail.
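The "follow the to fields" exercise described above, as an added example that is not part of the original post. It walks a constructed list of transfers forward from a seed address, only follows outflows that happen after the address received the traced funds, and stops at addresses an analyst has labelled as a CEX hot wallet or mixer, since outflows from those are not attributable to the depositor. The addresses, amounts and labels are all made up.

```python
from collections import deque

# Constructed sample transfers (not real on-chain data): (block, from, to, value in ETH)
TRANSFERS = [
    (100, "0xseed", "0xhop1", 50.0),
    (90, "0xhop1", "0xearlier", 5.0),               # predates hop1 receiving traced funds
    (101, "0xhop1", "0xhop2", 30.0),
    (101, "0xhop1", "0xbinance_hot", 20.0),
    (102, "0xhop2", "0xhop3", 30.0),
    (103, "0xbinance_hot", "0xunrelated", 999.0),   # CEX outflow: not attributable
    (104, "0xhop3", "0xtornado_pool", 30.0),
]

# Labels an analyst would take from block-explorer tags (constructed for this example)
LABELS = {"0xbinance_hot": "CEX hot wallet", "0xtornado_pool": "privacy mixer"}

def trace_forward(transfers, seed, max_hops=5):
    """Follow 'to' fields forward in time starting from seed.

    Returns the traversed edges as (hop, from, to, value, block) and a dict of
    terminal addresses where the on-chain trail stops (CEX deposit or mixer).
    """
    by_sender = {}
    for block, src, dst, val in sorted(transfers):
        by_sender.setdefault(src, []).append((block, dst, val))
    edges, terminals = [], {}
    # queue entries: (address, hop count, earliest block it could hold traced funds)
    queue = deque([(seed, 0, 0)])
    seen = {seed}
    while queue:
        addr, hop, since = queue.popleft()
        if hop >= max_hops:
            continue
        for block, dst, val in by_sender.get(addr, []):
            if block < since:
                continue  # outflow happened before the inflow: cannot carry traced funds
            edges.append((hop + 1, addr, dst, val, block))
            if dst in LABELS:
                terminals[dst] = LABELS[dst]  # trail ends here for a casual observer
            elif dst not in seen:
                seen.add(dst)
                queue.append((dst, hop + 1, block))
    return edges, terminals

if __name__ == "__main__":
    found_edges, stops = trace_forward(TRANSFERS, "0xseed")
    for hop, src, dst, val, block in found_edges:
        print(f"hop {hop}: {src} -> {dst} ({val} ETH, block {block})")
    print("trail ends at:", stops)
```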

How to Hide and Obscure Fund Flows

To combat this, users can employ several different strategies. The predominant ones are:

  • Transferring funds to a CEX
  • Using a privacy mixer
  • Cashing out cross-chain to a privacy coin

/1 CEX Transfers

Wait a minute, you might say. Using a CEX for privacy? Isn’t that a bit ironic? Yes, if you’re trying to engage in money laundering. For legal users, like say a whale trying to escape wallet watchers, a CEX represents an opportunity to break the on-chain links between wallets.

This is because centralized exchanges handle all transactions within their system internally. When you swap assets on a CEX, no on-chain transaction takes place, just a balance change within the CEX’s database. Then, when you withdraw on-chain, you can simply specify a different wallet and the CEX hot wallet will happily transfer the funds to the new destination.

This approach will obscure fund flow to casual observers like wallet watchers. There’s not much you can do as a private citizen to track it across a CEX. It will NOT, however, obscure funds flow to the exchange itself, or to government authorities who can subpoena the exchange.

/2 Privacy Mixers

Privacy mixers work on a simple principle: obscuring the link between “from” and “to”. The exact technology used for this depends on the blockchain. Bitcoin uses a technique called coinjoins to break the history of a particular coin.

The most popular obscuring protocol on Ethereum, Tornado Cash, uses zero-knowledge proofs to allow a user to withdraw their funds from a different account.

In both cases, the transaction link is not totally broken. Let’s introduce the concept of the anonymity set. In the instance of Tornado Cash, the anonymity set, or the set of users that the money could possibly have gone to, is only as large as the set of users who withdrew from Tornado Cash after the traced funds entered the washing machine. In the case of a coinjoin, the anonymity set is limited to a set of addresses defined in the coinjoining transaction.
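The two anonymity-set bounds described above, as an added example that is not part of the original post. For a fixed-denomination mixer pool it collects every withdrawal made after the traced deposit (optionally only up to the block at which the analysis is done); for a coinjoin it collects the outputs of the one coinjoin transaction, refining the page's statement by dropping unequal change outputs, which are trivially linkable. The pool events and transaction outputs are constructed, not real Tornado Cash or Bitcoin data.

```python
# Constructed events for one fixed-denomination mixer pool: (kind, block, address)
POOL_EVENTS = [
    ("deposit", 100, "0xalice"),
    ("withdraw", 105, "0xw1"),      # before the traced deposit: cannot be it
    ("deposit", 110, "0xtraced"),
    ("deposit", 111, "0xbob"),
    ("withdraw", 120, "0xw2"),
    ("withdraw", 130, "0xw3"),
    ("withdraw", 140, "0xw4"),
]

# Constructed coinjoin outputs: (address, amount in satoshis)
COINJOIN_OUTPUTS = [
    ("out1", 10_000_000),
    ("out2", 10_000_000),
    ("out3", 10_000_000),
    ("out4", 3_720_000),            # odd-sized change output: linkable, excluded
    ("out5", 10_000_000),
]

def mixer_anonymity_set(events, traced_deposit_block, until_block=None):
    """Candidate recipients of a traced deposit into a fixed-denomination pool.

    A withdrawal can only spend a note deposited before it, so every withdrawal
    at or after the traced deposit is a candidate and every earlier one is not.
    Same-block withdrawals are kept, since tx ordering inside a block is unknown here.
    Passing until_block models analysing at a point in time: the set only grows later.
    """
    candidates = set()
    for kind, block, addr in events:
        if kind != "withdraw" or block < traced_deposit_block:
            continue
        if until_block is not None and block > until_block:
            continue
        candidates.add(addr)
    return sorted(candidates)

def coinjoin_anonymity_set(outputs, traced_amount):
    """Candidate outputs for a traced coinjoin input: equal-value outputs of that tx.

    The set is fixed once the transaction is mined; it never grows afterwards.
    """
    return sorted(addr for addr, amount in outputs if amount == traced_amount)

if __name__ == "__main__":
    print("mixer, all time:", mixer_anonymity_set(POOL_EVENTS, 110))
    print("mixer, as of block 125:", mixer_anonymity_set(POOL_EVENTS, 110, until_block=125))
    print("coinjoin:", coinjoin_anonymity_set(COINJOIN_OUTPUTS, 10_000_000))
```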

For casual users, the options for tracking at this point are slim but not zero. You can either scour the transactions of the entire anonymity set hoping to find breadcrumbs, or engage some sophisticated actor to search on your behalf.

Forensics firms like Chainalysis have demonstrated capabilities to cryptographically unravel some coinjoin transactions. Techniques like IP tracking or taking advantage of poor user privacy practices may also allow these sophisticated firms to trace users across Tornado Cash or similar protocols.

/3 Privacy Coins

The final primary method to wash funds is to swap either directly OTC, or through a CEX, for a privacy-enhanced coin like Monero. Monero uses techniques like ring signatures and zero-knowledge proofs to obscure addresses and transactions, while still providing a decentralized ledger.

If the swap to these privacy coins can be conducted in a secure manner, it is basically impossible for casual actors to trace further. Whether sophisticated entities have the ability to unravel them has not yet been disclosed.

DIY Forensics

Great, you say. How do I track these things myself? Basic analysis using block explorers is enough to reveal fund flows like Sifu’s suspicious transactions around the Wonderland Finance treasury.

You can easily watch the disgraced former treasury manager launder his money through Tornado Cash.

For longer or more complex transaction flows, there are several tools like CertiK SkyTrace which can provide graphs and visual explorations. For example, you can see all the transactions surrounding the Opensea phishing attacker.

Other tools can provide additional information. Western Gate provides an interesting glimpse into arbitrage bot activities, in real-time. This is an example of what’s possible to uncover from publicly available, free information. You can of course build your own custom tools, and utilize many sources of information including The Graph or raw blockchain info.

I’ll leave you with a special bit of alpha: you can spy on Gnosis Safes, the most common flavor of multisignature wallet, by going to the Gnosis Safe app and punching in the address. If the wallet is using the central Gnosis Safe off-chain relayer, accessing the app lets you see pending transactions. It will also show transaction history, including the signers of each transaction. For example, here’s the Gnosis Safe for Wonderland Money’s DAO multisig on ETH Mainnet.

This all may be intimidating at first, but it doesn’t have to be complicated. You can find out a lot by simple tracing of public fund flows and transactions. Watch the wallet of that NFT influencer to find out what they’re minting before they tweet about it. Observe the majestic Tetranode moving markets. Watch Daniele Sesta moving millions to CEXs.

Final Thoughts

Getting philosophical for a moment. You are participating in a movement that provides you access to the most open and transparent financial system that has ever existed on this planet.

The same data that is available to whales and VCs is visible to you, the retail investor, for the first time. You are putting yourself at a disadvantage if you don’t make even minimal use of it.

Equal opportunities, unequal results.

This is a Guest Post by BowTiedPickle

Anonymous cartoon pickle inspired by BowTiedBull. Degen chemical engineer, moonlighting as a Solidity developer.

You can find more of his writings on BowTiedIsland and on Twitter