Proposal for the monitoring service

Application Status

Status: Completed on 30.08.2021, approved on the 20.01.2021, submitted on the 14.01.2021
Last updated: 14.01.2021
Submited by: Dimitar Ivanov (@dimitar.chain)
Team: Dimitar Ivanov (@dimitar.chain), Ulf Wiger (@uwiger), Dincho Todorov (@dincho.chain)
Approved Budget (in h):
Used Budget (in h):
Planned Delivery:

Specify the funding category

Open Source Development

Application Title

ae_canary, as in “canary in a coal mine”

Applicant

Ulf, Dincho and Dimitar are the maintenance team

Value Application

We will build a service that tracks suspicious accounts. If you consider an
account to be suspicious - you can mark it as so. Then the service will track
any account that the suspicious account sends tokens to. The primary goal of
this is to track the movement of the tokens of the 51% attack.

The service will track current exposure of the exchanges: meaning what is the
current amount to be stolen at the moment if there is a 51% attack now. This
is to be used by exchanges for an early alarm. Since it would be based on
heuristics, it could give a false positive.

The service would inform stakeholders when a certain event happens.

Since it will be open source, anyone can deploy it on their server, set their
own accounts to track and own contacts to be informed.

Definition of Terms

We will build as simple a tool as possible, as described above. We aim at
delivering fast so we will cut corners where possible. Let’s call it version
0.1.

Status Quo

No such open source tool is currently available.

Required Work

Ulf and I will build the tool, while Dincho will have our backs.

Estimate

For this v.0.1, we expect a total of 90 man hours.

Known Limitations

The system is expected to work with a limited amount of suspicious accounts and if their count goes in the scope of milions, it will not work; the exposure of accounts alert depends on heuristics which could lead to false positives.

The UI would be as simple as possible. It would be really nice to have proper histograms for example for the exposure but this would certainly require more work.

This system could be extended further in different directions, ex. big fork monitoring across a set of nodes and more.

Outlook

A tool would be given to the community so anyone could set it up for their own needs. Since exchanges are one of the primary users of the network, they are to be its first user but risk management would be important literally for every business on the chain. Basically if you want to be safe, you need all the bells and whistles you can get. This project is one of the bells.

Publishment

It will be open source, sharing the same license as the aeternity node.

Maintenance

This is a one-off, to get it out there as soon as possible. No budgeting had been applied for updating if the APIs it depends on are changed in a backwards incompatible way and etc.

Support support！！！

Good job,when this can be finished?

Maybe in 2 weeks time, once we start working on it. Bear in mind we would still be working on the maintenance as well.

Dear @dimitar.chain,
thank you very much for your extremly useful application for cyber attacks prevention. The application is approved by AF Board. Thanks to the whole team for the commitment to implement security tool and protect exchanges and aeternity users against cyber attacks. AF appreciate your work!

this feature could be build into the blockexplorer (middleware frontend)

Hi @dimitar.chain ,I would like to ask, will this tool be helpful to AE network if others use it? Will AE tokens be used？

Hi @Winfield - Aeternity is a decentralised network. This means there is no central point to keep your interest. Of course, the Anstalt and the Foundation do their best to help the ecosystem but if you want to track tokens - you shall do that in a trestles manner. In the context of the tool - that would mean host it yourself So short answer would be - if you find the tool useful, yes, do host it. It would not cost you tokens to run it but you’d need to have a MDW running.

I am still developing iris functionality and have not started working on this yet.

Hi @dimitar.chain, In fact, we would like to see you do something to make AE tokens to be used, this will help AE networks get better.

Ah, please don’t shoot the piano player - he is doing the best he can! I am not a marketing guy, nor a token economics expert or anything. I for myself am a software developer and I develop software. I would be really happy to see better adoption but this is outside of my sphere of competence.

No shooting of the piano player - it is sad that he’s the only one talking, though. Better adoption and (any at all) active marketing are topics that would be amazing for people like @YaniUnchained (hey, we can dream, right?) to update the community on.

not sure whether this still relevant when hyperchain went live.

@dimitar.chain will AeCanary be applicable to æternity main chain in a setting with hyperchains as well?

Yes, the AeCanary is (being) built on top of the MDW and since there is no issue with MDW and hyperchains, AeCanary will work just fine.

A long due update: AeCanary v1 is released. It uses the MDW and tracks exposure of exchanges. There is a lot of work yet to be done but so far we have a great better view of exchanges.

A new metric is defined - a daily exposure of an exchange - the difference between deposited and withdrawn tokens from an address. It can be both a positive and negative number, depending of the AE flow. A big spike in exposure across exchanges’ addresses could be a sign for a 51% attack, that’s why AeCanary keeps track of this and performs some statistical analysis on it.

An example what I am talking about (I’ve hidden the actual amounts)

Screenshot 2021-05-28 at 18.07.102358×1254 222 KB

In the green line is the exposure of this address and the red dashed lines are the two fences. If there is a daily exposure above the lower one - this is not unexpected and could happen. Crossing the upper one is less expected but still is nothing to be concerned: it is simply a marker that there might be a suspicious activity. It could also easily be a false positive. Crossing the lines is simply telling us “take a look here”.

AeCanary is also tracking suspicious transactions so if we decide that there might be an attack going on, we know which exchange to warn regarding specific transactions.

AeCanary comes batteries included: you can host it yourself quite easy. There is a proper description how to do that from source code or from a docker container. What you have to do is provide some setup (a MDW URL, really).

Here comes the tricky part: AeCanary is wrapped in layers of authentication and authorisation. There are different user types and if you are not logged in - you can not see anything of importance. What is more, changing the setup radically changes the shown data and the data that the analysis is built on. AeCanary does come with some nice default values but you are expected to change them as you see fit. We are not using the defaults. Or maybe using some of the defaults. The point is that a potential attacker can still has access to the same software but will having no idea for our settings, they will know little about what we see.

So it is a bit sad but sharing a link (http://canary.aepps.com) with you will do you little favour. You have to host it yourself, which is the only way to be safe in a trestles environment anyway.

I plan on focusing now on different aspects of the node but stay tuned for further updates.

You can find weekly updates in the core team’s application page: