Blog Post: Crypto Analysis Transaction Visualization (CATV) User Guide


The Crypto Analysis Transaction Visualization (CATV) tool in the Sentinel Portal provides insights on how a given wallet is being funded and where these funds are sent. This document provides an explanation of its features and serves as a guide on how to use it.

Search Input

Explanation of input fields

Wallet Address: A valid Ethereum wallet address. Only Ethereum is supported at this time.

Distribution Depth: This controls how far you would like to trace the funds leaving the given address. For example, a distribution depth of 4 means that the graph will show the paths leaving the address up to 4 hops away.

Source Depth: This is just like distribution depth, except that instead of tracing funds leaving the address, the CATV will trace funds entering the address, up to the specified number of hops away.

Transaction Limit: This is a stopping criterion for tracing the funds. If the funds reach an address with more transactions than the specified limit, it will display that address on the graph but no addresses beyond it, regardless of the maximum depths.

Date Range: This filters the transactions in the first hop for both source and destination. Only transactions that fall within this date range are shown in both initial outgoing and incoming hops.
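The input fields above can be read as a bounded breadth-first trace over the transaction graph. The sketch below is an added illustration, not the CATV tool's own code: the names trace, TXS and MARCH are made up here, and it assumes that an address's transaction count is its incoming plus outgoing transactions in the data set and that the limit is not applied to the origin address.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger (sender, receiver, date); placeholder names, not real addresses.
TXS = [
    ("G1", "F1", date(2021, 1, 5)),
    ("F1", "ORIGIN", date(2021, 3, 1)),
    ("F2", "ORIGIN", date(2021, 6, 1)),
    ("ORIGIN", "A", date(2021, 3, 2)),
    ("ORIGIN", "EXCH", date(2021, 3, 3)),
    ("A", "B", date(2020, 1, 1)),
    ("B", "C", date(2021, 3, 9)),
    ("EXCH", "X1", date(2021, 3, 4)),
    ("EXCH", "X2", date(2021, 3, 4)),
    ("EXCH", "X3", date(2021, 3, 4)),
]
MARCH = (date(2021, 3, 1), date(2021, 3, 31))

def trace(txs, origin, dist_depth, src_depth, tx_limit, date_range=None):
    """Return {signed hop: addresses}; negative = source, positive = distribution."""
    outgoing, incoming, tx_count = defaultdict(list), defaultdict(list), defaultdict(int)
    for sender, receiver, when in txs:
        outgoing[sender].append((receiver, when))
        incoming[receiver].append((sender, when))
        tx_count[sender] += 1
        tx_count[receiver] += 1

    def walk(edges, max_depth, sign):
        seen, frontier, levels = {origin}, [origin], {}
        for hop in range(1, max_depth + 1):
            reached = []
            for addr in frontier:
                # Transaction limit: a busy address is shown but never expanded.
                # Assumed: count = in + out transactions; the origin is exempt.
                if addr != origin and tx_count[addr] > tx_limit:
                    continue
                for peer, when in edges[addr]:
                    # Date range filters the first hop only.
                    if hop == 1 and date_range and not (date_range[0] <= when <= date_range[1]):
                        continue
                    if peer not in seen:
                        seen.add(peer)
                        reached.append(peer)
            if reached:
                levels[sign * hop] = set(reached)
            frontier = reached
        return levels

    return {0: {origin}, **walk(incoming, src_depth, -1), **walk(outgoing, dist_depth, 1)}
```

With both depths at 2, a transaction limit of 3 and MARCH as the date range, EXCH appears at hop 1 but its three recipients do not, F2 is dropped by the date filter, and B is still reached at hop 2 even though its transaction is outside the range.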

Tips for best results

  1. Try to keep your depths to 5 and below for better speed and a readable output.

  2. If you are not sure what to do with transaction limit, leave it at 2000.

  3. For addresses that are highly active (with many transactions a day), use the Date Range filter to narrow down the search to only the day(s) of interest.

  4. Depending on the address, one side of the search could be fast, and the other side of the search could be slow. For example, splitter addresses may have only a few source transactions and a large number of distribution transactions.

  5. If the search is still slow despite the above optimisation steps, consider running the source and distribution searches separately by setting one of the two depths to 0.

Search Result: Graph

Explanation of display

To describe the features of the graph, we will use an example. This is the address ‘0x03527c0610F9735438B6D491e4EBCa060314F39c’ with both depths set to 2.

Below the “Tracking Activity Result” is a legend containing colour codes for nodes (addresses) grouped by category. Addresses in our Threat Reputation Database (TRDB) will be labelled as “Blacklist” or “Whitelist”. Additionally, “Annotated” refers to an address with an annotation that does not fall into any other category. The rest of the categories are self-explanatory.

The green or blue nodes are addresses that neither belong to any category nor have any known annotations. The intensity of green or blue is scaled according to their depth level in relation to the “Origin” address.

Explanation of interaction

You can interact with the graph in two ways, either directly or indirectly using the buttons at the upper right corner.

Direct Interaction

Click on the nodes and connecting lines, and relevant information will be displayed in a bar along the bottom of the frame. You can also move nodes around by dragging them, or zoom in and out with the mouse wheel.

When you double-click a node, you can expand or collapse that node to hide/unhide the neighbouring nodes and lines.

This is an important definition: Distribution nodes are referred to as “child nodes and outgoing lines”, whereas source nodes are referred to as “parent nodes and incoming lines”.

Interaction via Buttons

On the top right, the first buttons you see are the source and depth buttons. Negative depths refer to source depths, and positive depths refer to distribution depths. These are dropdowns for you to decide which depths you want to show or hide.

The “Hide HVN” button refers to “High Volume Nodes”, and the input field on the left of the button is where you define the threshold for high volume. The default is 8, which means that when you click “Hide HVN”, nodes with more than 8 neighbouring lines will be hidden. To be clear on the definition of neighbouring lines: for nodes that appear on the source side, neighbouring lines refer to incoming transactions; for nodes that appear on the distribution side, neighbouring lines refer to outgoing transactions. You can change the HVN number in the input field.

“Fit Graph” is a button to fit the graph back to the frame. This is used to reset the default size of the graph after zooming in or out.

Search Result: Transaction List

The transaction list shows the full list of transactions that were displayed in the graph. This section is self-explanatory.
