DeFi On-Chain Analytics
Core Principle: First fix data confidence and context, then do the minimum sufficient reads, and only then do attribution and narrative.
Every analysis session serves this hierarchy: confidence > efficiency > interpretation.
Two-Layer Architecture
Every step is tagged with its required tier:
| Tier | Tag | Requires | Free public RPC? |
|---|---|---|---|
| A | [CORE] | Standard JSON-RPC | Yes |
| B | [ARCHIVE] | Historical state >128 blocks | Rarely |
| C | [TRACE] | debug/trace namespace (Geth archive or Erigon) | No |
| D | [ENRICH] | External source (Etherscan API, Sourcify, 4byte) | Yes but not RPC |
Default = Tier A only. Higher tiers are opt-in. If unavailable, disclose the gap — never silently skip.
Looped Workflow
Real investigations evolve — discovery changes the question. The workflow supports iteration, not just linear execution.
```dot
digraph phases {
  rankdir=LR;
  P0 [label="Phase 0\nScoping" shape=box style=filled fillcolor="#ffcccc"];
  P1 [label="Phase 1\nDiscovery" shape=box];
  P2 [label="Phase 2\nCollection" shape=box];
  P3 [label="Phase 3\nInterpretation" shape=box];
  P4 [label="Phase 4\nSanity Check" shape=box];
  P5 [label="Phase 5\nSynthesis" shape=box];
  Rescope [label="Rescope?" shape=diamond style=filled fillcolor="#ffffcc"];
  P0 -> P1 -> P2 -> P3 -> Rescope;
  Rescope -> P0 [label="new question\nemerged" style=dashed];
  Rescope -> P4 -> P5 [label="no"];
}
```
Why no skipping phases: Phase 0 prevents wasted RPC calls on wrong targets or wrong chains. A single eth_getLogs to the wrong address can eat your entire rate limit. Lock scope first, then query.
Scope Amendment (Re-entry)
When Phase 3 interpretation reveals a new analytical question that changes the objective, the investigation loops back to Phase 0 in amendment mode. Without strict rules, this loop degenerates into "ask again" — so the state machine below governs every re-entry.
Valid rescope triggers:
| Trigger | Example |
|---|---|
| New unit of analysis discovered | Investigating a vault → found the strategy contract is the real subject |
| Objective fundamentally changed | Started with "is this vault profitable?" → discovered potential exploit |
| Chain expansion needed | Fund flow leads to a bridge contract → need to trace on source chain |
NOT a rescope (handle in-phase):
| Situation | Instead |
|---|---|
| Need more data on same target | Continue Phase 2 — add queries |
| Found unknown contract during analysis | Load contract-inspection.md via cascade trigger |
| Confidence too low on a finding | Apply Layer 5 (Confidence Deepening) — don't restart |
Carry-forward rules: On rescope, the following are preserved unchanged unless explicitly overridden:
- Chain, anchor policy, anchor block, capability tier, RPC endpoint
- All existing evidence register entries
- All pattern files already loaded
Only these fields may change: target, objective, unit of analysis, hypothesis, timeframe, additional pattern files.
Completion criteria per mode:
| Mode | Done when |
|---|---|
| 🔍 Forensic | Root cause attributed with claim type + all fund hops traced to terminus or gap disclosed |
| 📊 Due Diligence | All decision-critical metrics computed + gaps flagged |
| 📈 Monitoring | Current state snapshot complete + health indicators evaluated |
| 🏗️ Protocol Assessment | Key metrics + risk dimensions scored |
| 🛡️ Security | Admin/upgrade/custody risk assessed + findings severity-ranked |
| 🔭 Exploratory | Survey breadth covers user's question + open questions listed |
Hard cap: Max 3 scope amendments per session. Beyond that, synthesize what you have and list remaining questions as Open Questions in Phase 5.
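The re-entry rules above (valid triggers, carry-forward fields, the mutable-field list and the hard cap) can be enforced as a small guard function. This is an added example, not the skill's own code: the `Scope` shape, `amendScope()` and its parameters are hypothetical names, with fields taken from the Required Fields table.

```typescript
// Added example. Field names follow the Required Fields table; the types and
// the amendScope() helper are hypothetical, not the skill's own code.
type Trigger = "new-unit" | "objective-changed" | "chain-expansion";

interface Scope {
  target: string; chain: string; objective: string; unitOfAnalysis: string;
  hypothesis: string; timeframe: string;
  anchorPolicy: string; anchorBlock: string; capabilityTier: string; rpcEndpoint: string;
  patternFiles: string[]; evidence: string[]; amendments: number;
}
interface Amendment { ok: boolean; reason: string; scope: Scope }

// "Only these fields may change" (pattern files are append-only, handled below).
const MUTABLE = ["target", "objective", "unitOfAnalysis", "hypothesis", "timeframe"];
const MANAGED = ["patternFiles", "evidence", "amendments"];
const MAX_AMENDMENTS = 3; // hard cap per session

function amendScope(
  current: Scope,
  trigger: Trigger | null,          // null = none of the valid rescope triggers applies
  changes: Partial<Scope>,
  addPatternFiles: string[] = [],
  explicitOverrides: string[] = [], // carry-forward fields the user explicitly overrode
): Amendment {
  // A rejected amendment always hands back the current scope untouched.
  const reject = (reason: string): Amendment => ({ ok: false, reason, scope: current });
  if (trigger === null) return reject("not a rescope: handle in-phase");
  if (current.amendments >= MAX_AMENDMENTS)
    return reject("hard cap reached: synthesize and list Open Questions");
  for (const key of Object.keys(changes)) {
    if (MANAGED.indexOf(key) !== -1) return reject(key + " is preserved, not editable");
    if (MUTABLE.indexOf(key) === -1 && explicitOverrides.indexOf(key) === -1)
      return reject(key + " carries forward unless explicitly overridden");
  }
  const added = addPatternFiles.filter((f) => current.patternFiles.indexOf(f) === -1);
  return {
    ok: true,
    reason: trigger,
    scope: {
      ...current,
      ...changes,
      patternFiles: current.patternFiles.concat(added), // loaded files stay loaded
      evidence: current.evidence.slice(),               // evidence register is never dropped
      amendments: current.amendments + 1,
    },
  };
}
```

A chain change passes only when `"chain"` is listed in `explicitOverrides`, which matches "preserved unchanged unless explicitly overridden".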
Phase 0: Scoping Gate — Active Consultation
This phase is a guided conversation, NOT a passive form. Read references/scoping-guide.md for detailed consultation techniques, depth/angle options, field-by-field asking guidance, and anti-patterns. Silently assuming scope details is the #1 cause of wasted RPC calls. Surface your assumptions as explicit questions.
Analysis Modes
| Trigger | Mode | Emphasis |
|---|---|---|
| Suspicious activity / incident | 🔍 Forensic | Fund flows, timeline, counterparties |
| Investment / trading decision | 📊 Due Diligence | Risk, PnL, position health |
| Portfolio / position monitoring | 📈 Monitoring | Current state, health indicators |
| Protocol evaluation / comparison | 🏗️ Protocol Assessment | TVL, risk params, governance |
| Security review / audit prep | 🛡️ Security | Admin keys, upgrades, custody |
| General curiosity / learning | 🔭 Exploratory | Broad survey, teach as you go |
If the user's request clearly maps to one mode, propose it rather than asking from scratch.
Required Fields
| # | Field | Required? | Default |
|---|---|---|---|
| 1 | Target | Yes | — |
| 2 | Chain | Yes | — |
| 3 | Objective | Yes | — |
| 4 | Unit of analysis | Yes | — |
| 5 | Hypothesis | No | "Exploratory" |
| 6 | Timeframe | No | Per depth choice |
| 7 | Expected output | No | "Structured findings + narrative" |
| 8 | Data source policy | No | raw RPC only |
| 9 | Anchor policy | No | safe if supported |
| 10 | Capability tier | Auto | Probe-based |
| 11 | RPC endpoint | Auto | From references/rpc-endpoints.ts |
Unit of analysis — Declare what object is being analyzed: wallet / contract / vault / pool / protocol / token. This prevents scope drift by making the analytical focus explicit. When the unit changes mid-investigation, that's a scope amendment trigger.
Anchor Policy Options
| Policy | fromBlock | toBlock | Use Case |
|---|---|---|---|
| safe | — | safe tag | Default. Finalized, no reorg risk. |
| pinned | specific hex | specific hex | Reproducible snapshot at known block. |
| latest | — | latest tag | Real-time data, accepts reorg risk. |
| historical-scan | 0 or contract creation block | safe | Full-chain event scanning. Each event gets its own timestamp via eth_getBlockByNumber. Use adaptive chunking (see references/rpc-field-guide.md Section 5). |
Decision Dependencies
Some conditions — not just missing data sources — can flip the analytical conclusion entirely:
| Condition | Impact | Without Checking |
|---|---|---|
| External rewards (Merkl, Angle, etc.) | LP/vault alpha reversal | Raw alpha appears negative when net return is positive |
| Vesting schedule + unlock events | Supply shock | Circulating supply appears stable when unlocks are imminent |
| Oracle staleness + backup fallback | Protocol health misjudged | Protocol appears healthy when oracle is stale |
| Provider endpoint inconsistency | Data conflict | Two endpoints return different logs for the same range — analysis built on partial data |
| Proxy upgraded during scan window | ABI/layout mismatch | Events decoded with wrong ABI; storage reads return garbage for blocks after upgrade |
| Unresolved bridge leg | Incomplete fund flow | Funds appear to vanish at bridge contract; actual destination chain not traced |
| Token/share conversion uncertainty | Value miscalculation | Vault share counted as underlying token; 1 share ≠ 1 token |
| Partial eth_getLogs coverage | Silent truncation | Provider hit result cap but returned no error; event history appears complete but is missing entries |
If any decision-critical condition is unverified, flag it as: ⚠️ DECISION-CRITICAL GAP: [condition] unverified. Conclusion may reverse.
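Two of the conditions above, partial eth_getLogs coverage and provider endpoint inconsistency, can be checked mechanically once the chunked results are in hand. The following is an added example, not code from the skill: `auditLogCoverage()`, the `Chunk` shape and the `suspectedCap` parameter are hypothetical, and the result cap is assumed to be known from the provider's documentation.

```typescript
// Added example; types, names and the cap value are assumptions for illustration.
interface Log { blockNumber: number; logIndex: number }            // already decoded from hex
interface Chunk { fromBlock: number; toBlock: number; logs: Log[] } // result of one eth_getLogs call

// Emit flags in the format the skill prescribes for unverified conditions.
const gap = (condition: string): string =>
  "⚠️ DECISION-CRITICAL GAP: " + condition + " unverified. Conclusion may reverse.";

// A log is identified by (blockNumber, logIndex) within one chain.
const keys = (chunks: Chunk[]): string[] => {
  const out: string[] = [];
  for (const c of chunks) for (const l of c.logs) out.push(l.blockNumber + ":" + l.logIndex);
  return out;
};

function auditLogCoverage(
  primary: Chunk[], secondary: Chunk[],
  from: number, to: number,
  suspectedCap: number, // provider-specific result cap (assumed known)
): string[] {
  const flags: string[] = [];
  const sorted = primary.slice().sort((a, b) => a.fromBlock - b.fromBlock);
  let next = from; // first block not yet covered by any chunk
  for (const c of sorted) {
    if (c.fromBlock > next)
      flags.push(gap("eth_getLogs coverage of blocks " + next + "-" + (c.fromBlock - 1)));
    // A chunk sitting exactly at the cap may have been cut off without an error.
    if (c.logs.length >= suspectedCap)
      flags.push(gap("completeness of chunk " + c.fromBlock + "-" + c.toBlock +
        " (result count at provider cap)"));
    next = Math.max(next, c.toBlock + 1);
  }
  if (next <= to) flags.push(gap("eth_getLogs coverage of blocks " + next + "-" + to));

  // Same range from a second endpoint: any difference means partial data somewhere.
  const a = keys(primary);
  const b = keys(secondary);
  const missing = b.filter((k) => a.indexOf(k) === -1).length;
  const extra = a.filter((k) => b.indexOf(k) === -1).length;
  if (missing + extra > 0)
    flags.push(gap("provider consistency (" + missing + " logs only on secondary, " +
      extra + " only on primary)"));
  return flags;
}
```

An empty result means none of these checks fired; it does not prove the history is complete, since a capped chunk can also fall below the assumed cap value.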
Blind Spot Disclosure
Before confirming, proactively flag what the analysis CANNOT see. See references/scoping-guide.md for templates.
Confirmation Gate
Present a structured summary before proceeding. Skipping confirmation