Detecting Bot Activity in the Ethereum Blockchain Network


The Ethereum blockchain network is a decentralized platform enabling smart contract execution and transactions of Ether, its designated cryptocurrency. As is well known by academicians and practitioners alike, Ether is the second most popular cryptocurrency, with a market cap of more than 23 billion USD as of October 10th 2018, according to coinmarketcap data, and with hundreds of thousands of transactions executed daily by hundreds of thousands of unique wallets. Tens of thousands of those wallets are newly generated each day. The Ethereum platform enables anyone to open multiple new wallets free of charge, resulting in a large number of wallets that are controlled by the same entities. This attribute makes the Ethereum network a breeding ground for activity by software robots (the notorious bots). Bots are widespread across digital technologies, and there are various approaches to detecting their activity, such as rule-based methods, clustering, machine learning and many more. Four academicians (Altshuler, Pentland, Somin, Zwang, 2018) from MIT in Cambridge and Endor Ltd. try to demonstrate how bot detection can be implemented using a network theory approach, which can be defined as the study of graphs as a representation of either symmetric or asymmetric relations between discrete objects. In computer science and network science, network theory is a part of graph theory: a network can be defined as a graph in which nodes and/or edges have attributes (e.g. names).

Indeed, being a platform used for human interactions, the Ethereum network can be described and modeled by means of the Network Theory approach. The degree distribution of such networks, for example, often displays a power law distribution, . This phenomenon can also be observed when constructing a network that represents Ethereum transactions between wallets—where each wallet is a vertex and a transaction between two wallets is an edge.

Previous research has demonstrated that time differences between consecutive events in many human activities display a power law distribution. This phenomenon can be seen in waiting time for call centers and e-mail communication as well as in pausing time between transactions in a foreign currency exchange. In their analysis, the authors shed light on whether the time difference between consecutive Ethereum transactions shows a power law distribution as well. More precisely, the time difference between consecutive transactions refers to the number of minutes between every transaction and its prior transaction. The time difference is calculated for the transactions of each wallet separately, and a histogram is then built from the time differences of all the transactions of all wallets in the Ethereum network.

Every bin in the histogram distribution contains a group of wallets which have made two consecutive transactions with the same time difference. It can be observed that the distribution of time differences between the consecutive transactions of all Ethereum wallets does not perfectly fit the power law model and is characterized by multiple spikes. Anomalies from the power law model in human behavior networks might represent the occurrence of potentially interesting events. The authors distinguish between two types of anomalies:

Periodic anomalies: Anomalies consisting of a specific time difference which repeats itself in any random sample of a fixed time range. For example, when sampling a period of two days beginning at any random date and time, there will be a spike at the time difference of 24 hours. The same spike will appear when sampling any random period of one week. In a one-week period, there are additional repeated spikes at a time difference of 48, 72, 96, 120 and 144 hours. Analyzing the transactions which created these spikes reveals that many of the transactions were executed by mining pools distributing mining reward to pool members (mining pools are groups of users sharing their processing power in order to compete for the right to generate a block and win the mining reward).

Irregular anomalies: Anomalies consisting of a specific time difference, taking place only at a particular time period. For instance, a spike at a time difference of 1032 minutes (i.e. 17 hours), observed on a particular day only (the authors find this circumstance on May 18th 2018). Analyzing the wallets whose transactions create these irregular spikes, they find that those wallets took part in token “airdrops”, a distribution of free tokens. By creating many unique wallets and participating in an airdrop, one entity can collect a large number of tokens. Such wallet activity is usually executed by bots.

The presence of non-human activity provides an explanation for observed behavioral patterns which deviate from the power law model.
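The per-wallet time differences and spike detection described above can be sketched as follows. This is an added example, not the authors' code: the robust (Theil-Sen) log-log fit, the `factor` and `min_count` thresholds, and all function names are assumptions, and the transactions are constructed, reusing the 1032-minute and 24-hour (1440-minute) gaps mentioned in the text.

```python
import math
from collections import Counter, defaultdict
from statistics import median

def time_diffs_minutes(txs):
    """(wallet, unix_ts) pairs -> (wallet, minutes since that wallet's prior tx)."""
    by_wallet = defaultdict(list)
    for wallet, ts in txs:
        by_wallet[wallet].append(ts)
    diffs = []
    for wallet, stamps in by_wallet.items():
        stamps.sort()
        diffs += [(wallet, (cur - prev) // 60) for prev, cur in zip(stamps, stamps[1:])]
    return diffs

def fit_power_law(hist):
    """Theil-Sen line through (log gap, log count); robust, so spikes do not drag it."""
    pts = [(math.log(d), math.log(c)) for d, c in hist.items() if d > 0]
    slope = median((y2 - y1) / (x2 - x1)
                   for i, (x1, y1) in enumerate(pts) for x2, y2 in pts[i + 1:])
    return slope, median(y - slope * x for x, y in pts)

def find_spikes(txs, factor=5.0, min_count=10):
    """Return {gap_minutes: wallets} for histogram bins far above the fitted power law."""
    diffs = time_diffs_minutes(txs)
    hist = Counter(gap for _, gap in diffs)
    slope, intercept = fit_power_law(hist)
    spikes = {}
    for gap, count in hist.items():
        if gap > 0 and count >= min_count:  # sub-minute gaps have no log-log position
            expected = math.exp(intercept + slope * math.log(gap))
            if count > factor * expected:
                spikes[gap] = sorted({w for w, g in diffs if g == gap})
    return spikes

def constructed_sample():
    """Constructed data: 200 'human' wallets with gap counts ~ d^-1.5, plus 40
    wallets with a 1032-minute gap and 40 with a 1440-minute gap."""
    last, txs = {}, []
    def tx_after(wallet, gap_min):
        if wallet not in last:
            last[wallet] = 0
            txs.append((wallet, 0))
        last[wallet] += gap_min * 60
        txs.append((wallet, last[wallet]))
    i = 0
    for d in range(1, 151):
        for _ in range(round(20000 * d ** -1.5)):
            tx_after(f"human{i % 200}", d)
            i += 1
    for k in range(40):
        tx_after(f"airdrop{k}", 1032)
        tx_after(f"pool{k}", 1440)
    return txs
```

Each flagged bin returns the wallets behind it, which is the starting point for checking the other shared properties the authors mention, such as identical transaction values or a common destination wallet.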

To sum up, each spike in both types of anomalies represents a collection of highly correlated wallets which deviate from the expected power law distribution rather than resembling spontaneous human activity. In some cases, anomalies from the power law model in human interaction networks may be evidence for emergency events. In this case, the authors assume that transactions which are anomalous to the power law model represent non-human behavior executed by bots. This assumption is based on the nature of the anomalies (spikes occurring at a very specific time difference) and on the observation of other properties common to the anomalous transactions, such as having the same transaction value or the same destination wallet. The use of a network theory approach, and the analysis of the distribution of time differences between consecutive transactions enable them to detect this non-human activity.