Wallet Intelligence Engine
Developer Specification
Complete technical specification for the WIE attestation engine - 42 fraud signals across 6 categories, real-time scoring, verdict pipeline, and integration API for pre-settlement fraud prevention.
Overview
Purpose
The Wallet Intelligence Engine (WIE) is a pre-settlement fraud signal architecture that evaluates counterparty wallets before a transaction settles. It produces a deterministic YES / NO / REVIEW verdict by analyzing 42 discrete signals across 6 risk categories. The engine operates in the critical path between intent submission and settlement finality, with a target latency of under 200ms for the p50 case.
WIE is not a post-hoc analytics tool. It is a real-time gate. Every transaction processed by the JIL settlement layer passes through WIE before funds move. The verdict is cryptographically signed and recorded on-chain as an immutable attestation.
Design Principles
- Pre-settlement, not post-settlement. Fraud detection happens before funds leave the sender's custody, not after.
- Deterministic scoring. Given the same inputs, WIE always produces the same verdict. No probabilistic black boxes.
- Fail-closed. If any signal source is unavailable, the engine defaults to REVIEW, never YES.
- Auditable. Every verdict includes the full signal breakdown, weights applied, and data sources consulted. The complete decision trail is stored for regulatory review.
- Chain-agnostic. Signal collection adapts to 11 supported chains without changing the scoring model.
- Latency-bounded. Hard timeout at 2 seconds. If scoring cannot complete, the verdict is REVIEW with a timeout flag.
Verdict Definitions
| Verdict | Composite Score | Meaning | Settlement Action |
|---|---|---|---|
| YES | < 0.40 | Counterparty passes all risk thresholds. No adverse signals detected or signals are within acceptable tolerance. | Proceed to settlement immediately. |
| REVIEW | >= 0.40 and < 0.75 | Elevated risk detected. One or more signals exceed advisory thresholds but do not trigger hard blocks. | Hold settlement. Route to compliance queue for manual review within 24 hours. |
| NO | >= 0.75 | High risk or hard-block condition met. Counterparty fails one or more critical thresholds. | Reject settlement. Log reason. File SAR if required by jurisdiction. |
Architecture
High-Level Component Diagram
Technology Stack
| Component | Technology | Purpose |
|---|---|---|
| Gateway | Express.js + TypeScript | REST and gRPC ingress, request validation (Zod) |
| Signal Collectors | TypeScript workers | Parallel on-chain and off-chain data retrieval |
| Scoring Engine | TypeScript (pure functions) | Deterministic weighted scoring, no side effects |
| Cache | Redis 7 | Signal caching with tiered TTLs per data source |
| Queue | Kafka (RedPanda) | Async verdict events, dead-letter retry |
| Database | PostgreSQL 16 | Audit log, verdict history, signal snapshots |
| Cryptography | Dilithium (PQC), Ed25519 | Verdict signing, attestation proofs |
| Observability | Prometheus + Grafana | Latency histograms, signal hit rates, verdict distribution |
Signal Categories
WIE evaluates 42 discrete signals organized into 6 categories. Each signal produces a normalized score between 0.0 (no risk) and 1.0 (maximum risk). Signals within a category are averaged, then categories are combined using the weighted formula defined in the Scoring Engine section.
Wallet Age and Genesis Risk
Evaluates the age, origin, and initial funding pattern of the counterparty wallet. New wallets funded from mixing services or freshly created before a high-value transaction are significantly riskier than established wallets with organic history.
| Signal ID | Signal Name | Description | Weight |
|---|---|---|---|
| WAG-001 | Wallet Age | Time since first on-chain transaction. Wallets under 30 days score 0.9, under 90 days score 0.5, under 1 year score 0.2, over 1 year score 0.0. | 0.25 |
| WAG-002 | Genesis Funding Source | Origin of the wallet's first deposit. CEX withdrawal scores 0.1, known bridge scores 0.2, mixer/tumbler scores 0.95, unknown contract scores 0.7. | 0.20 |
| WAG-003 | Transaction Count | Total historical transaction volume. Under 10 txns scores 0.8, 10-50 scores 0.4, 50-500 scores 0.1, over 500 scores 0.0. | 0.15 |
| WAG-004 | Dormancy Reactivation | Wallet was dormant for over 180 days then suddenly reactivated with high-value activity. Dormancy reactivation scores 0.7. | 0.15 |
| WAG-005 | Multi-Chain First Activity | First transaction appears on multiple chains within 24 hours of wallet creation - indicates automated deployment. Scores 0.6 if detected. | 0.10 |
| WAG-006 | ENS / Domain Association | Wallet has a registered ENS name or on-chain identity binding. Present scores 0.0 (trust signal), absent scores 0.15 (neutral). | 0.15 |
Counterparty Contamination
Measures the degree to which a wallet has interacted with known-bad addresses, sanctioned entities, or flagged clusters. This category includes hard-block signals that override the composite score and force an immediate NO verdict.
| Signal ID | Signal Name | Description | Weight |
|---|---|---|---|
| CPC-001 | OFAC SDN Direct Match | Wallet address appears on the OFAC Specially Designated Nationals list. Direct match is a hard block - immediately returns NO regardless of other signals. | HARD BLOCK |
| CPC-002 | OFAC SDN 1-Hop | Wallet has transacted directly with an OFAC-listed address. One-hop contamination scores 0.85. | 0.20 |
| CPC-003 | OFAC SDN 2-Hop | Wallet is two hops from an OFAC-listed address. Two-hop contamination scores 0.45 (decays with distance). | 0.10 |
| CPC-004 | Chainalysis Risk Score | Normalized Chainalysis KYT risk assessment. Maps their severe/high/medium/low to 0.9/0.6/0.3/0.05. | 0.15 |
| CPC-005 | TRM Labs Cluster | TRM Labs entity cluster analysis. Flagged cluster scores 0.75, associated cluster scores 0.4, clean scores 0.0. | 0.15 |
| CPC-006 | Mixer/Tumbler Interaction | Direct deposit or withdrawal from Tornado Cash, Wasabi, or similar mixing protocols within 90 days. Detected scores 0.9. | 0.10 |
| CPC-007 | Darknet Market Association | Funds traceable to known darknet marketplace addresses within 3 hops. Hard block if 1-hop. 2-3 hop scores 0.7. | HARD BLOCK (1-hop) / 0.10 |
| CPC-008 | Ransomware Cluster Proximity | Wallet appears in known ransomware payment clusters. Any association within 2 hops scores 0.85. Hard block if direct recipient. | HARD BLOCK (direct) / 0.10 |
| CPC-009 | Terrorism Financing Flag | Address flagged by any intelligence-sharing partner for terrorism financing. Hard block - immediate NO with mandatory SAR filing. | HARD BLOCK |
Hard Block Policy: Signals CPC-001, CPC-007 (1-hop), CPC-008 (direct), and CPC-009 bypass the scoring engine entirely. When any hard-block signal fires, the verdict is immediately NO and a SAR trigger event is generated. The remaining signals are still evaluated and recorded for audit purposes but do not affect the verdict.
Velocity and Pattern Anomalies
Detects abnormal transaction patterns that deviate from the wallet's historical baseline. Sudden spikes in volume, frequency, or counterparty diversity are strong indicators of compromised credentials or money laundering layering.
| Signal ID | Signal Name | Description | Weight |
|---|---|---|---|
| VEL-001 | 24h Volume Spike | Transaction volume in the last 24 hours exceeds 3x the 30-day rolling average. 3-5x scores 0.4, 5-10x scores 0.7, over 10x scores 0.95. | 0.20 |
| VEL-002 | Frequency Acceleration | Transaction frequency (txns per hour) exceeds 5x the historical average. Measures burst behavior indicative of automated draining. | 0.15 |
| VEL-003 | Round-Number Transfers | Over 60% of recent transfers are exact round numbers (e.g., 1.000 ETH, 10000 USDC). Common in layering schemes. Percentage above 60% maps linearly to 0.3-0.7. | 0.10 |
| VEL-004 | Rapid Counterparty Diversification | Wallet sends to more than 20 unique addresses in 24 hours with no prior relationship. 20-50 unique scores 0.5, over 50 scores 0.85. | 0.15 |
| VEL-005 | Structuring Pattern | Multiple transactions just below reporting thresholds (e.g., repeated $9,900 transfers). 3+ structured txns in 48 hours scores 0.8. | 0.15 |
| VEL-006 | Time-Zone Anomaly | Transaction activity occurs outside the wallet's established time-zone pattern. Useful for detecting account takeover. Anomaly detected scores 0.35. | 0.05 |
| VEL-007 | Chain-Hop Velocity | Assets bridge across 3+ chains within 1 hour. Rapid chain-hopping is a hallmark of obfuscation. 3-5 chains scores 0.5, over 5 chains scores 0.85. | 0.10 |
| VEL-008 | Dust Attack Pattern | Wallet receives high volume of micro-transactions from unknown addresses - often used for address poisoning or tracking. Over 50 dust txns in 7 days scores 0.6. | 0.10 |
DeFi Position Trust Scoring
Evaluates the wallet's DeFi positions to assess financial stability and sophistication. Unlike the other categories, DeFi signals primarily act as trust reducers - they decrease the composite risk score when healthy positions are detected. A wallet with diversified, well-managed DeFi positions is empirically less likely to be a fraud vehicle.
Negative Weights: Signals in this category use negative weights, meaning they reduce the composite risk score. A wallet with a strong DeFi portfolio gets a trust discount. The total trust reduction from this category is capped at 40% to prevent gaming.
| Signal ID | Signal Name | Description | Weight (Trust Reduction) |
|---|---|---|---|
| DFT-001 | Active Lending Positions | Wallet has active lending positions on Aave, Compound, or MakerDAO with healthy collateral ratios (above 150%). Present scores -0.15 (reduces risk). | -0.15 |
| DFT-002 | LP Position Duration | Liquidity provider positions held for over 90 days. Indicates long-term protocol participation, not hit-and-run behavior. Over 90 days scores -0.10. | -0.10 |
| DFT-003 | Governance Participation | Wallet has voted in DAO governance proposals. Active governance voters are strongly correlated with legitimate long-term holders. Any votes scores -0.10. | -0.10 |
| DFT-004 | Yield Position Stability | Yield farming positions maintained without frequent rebalancing. Stable positions over 60 days score -0.08. Positions with daily churn score +0.2 (positive risk). | -0.08 / +0.20 |
| DFT-005 | Protocol Diversity | Number of distinct DeFi protocols used. 5+ protocols scores -0.12 (diversified user). Single protocol scores 0.0 (neutral). | -0.12 |
| DFT-006 | Liquidation History | Wallet has been liquidated on a lending protocol. Recent liquidation (under 30 days) scores +0.3 (financial distress indicator). No liquidation history scores 0.0. | +0.30 |
Hidden Asset Detection
Identifies assets or value that the wallet may be attempting to conceal through obfuscation techniques, cross-chain hiding, or non-standard token mechanics. Hidden assets often indicate layering or integration phases of money laundering.
| Signal ID | Signal Name | Description | Weight |
|---|---|---|---|
| HAS-001 | Cross-Chain Balance Disparity | Total value across chains exceeds declared/visible balance by more than 2x. 2-5x disparity scores 0.5, over 5x scores 0.8. | 0.20 |
| HAS-002 | NFT Value Obfuscation | Wallet holds high-value NFTs used as value transfer vehicles (wash-traded or transferred at off-market prices). Detected scores 0.65. | 0.15 |
| HAS-003 | Wrapped Token Layering | Excessive wrapping/unwrapping cycles (e.g., ETH to WETH to stETH to wstETH) without economic purpose. Over 4 layers in 7 days scores 0.55. | 0.15 |
| HAS-004 | Privacy Protocol Usage | Assets routed through privacy-enhancing protocols (Aztec, Railgun, etc.) within 30 days. Single use scores 0.4, repeated use scores 0.75. | 0.15 |
| HAS-005 | Unverified Token Holdings | Wallet holds significant value in tokens with no verified contract source, no CoinGecko listing, and under 100 holders. Over 20% of portfolio in unverified tokens scores 0.6. | 0.10 |
| HAS-006 | Create2 Vanity Contract | Wallet deployed contracts using CREATE2 with vanity addresses to mimic legitimate protocol addresses. Detected scores 0.7. | 0.15 |
| HAS-007 | Self-Transfer Loops | Wallet sends assets to itself through intermediary addresses to inflate transaction history. Over 5 self-referencing loops in 30 days scores 0.55. | 0.10 |
Regulatory Signal Alignment
Evaluates wallet activity against jurisdiction-specific regulatory requirements. These signals check for compliance with financial regulations across the jurisdictions where JIL operates. Non-compliance with local regulations increases risk independent of other fraud signals.
| Signal ID | Signal Name | Description | Weight |
|---|---|---|---|
| REG-001 | KYC Verification Status | Counterparty wallet is linked to a verified KYC identity through an attestation registry. Not verified scores 0.3, verified scores 0.0, expired verification scores 0.5. | 0.25 |
| REG-002 | Jurisdiction Restriction | Transaction originates from or targets a FATF-blacklisted or grey-listed jurisdiction. Blacklist scores 0.9, grey-list scores 0.5, clear scores 0.0. | 0.20 |
| REG-003 | Travel Rule Compliance | For transactions over $3,000, checks whether originator and beneficiary information is available per the FATF Travel Rule. Non-compliant scores 0.6. | 0.15 |
| REG-004 | PEP Association | Wallet is associated with a Politically Exposed Person through KYC linkage or on-chain correlation. PEP association scores 0.55 (requires enhanced due diligence). | 0.15 |
| REG-005 | Cross-Border Threshold | Transaction crosses jurisdictional boundaries and exceeds local reporting thresholds. Over threshold scores 0.4 (informational - triggers reporting but not block). | 0.15 |
| REG-006 | GENIUS Act Readiness | For stablecoin transactions, verifies issuer compliance with GENIUS Act reserve and audit requirements. Non-compliant issuer scores 0.45, compliant scores 0.0. | 0.10 |
Data Sources
On-Chain Data Sources
| Chain | RPC Provider | Indexer | Block Finality |
|---|---|---|---|
| Ethereum | Alchemy / Infura (failover) | The Graph (subgraph) | 2 epochs (~12.8 min) |
| Bitcoin | Bitcoin Core RPC | Blockstream Esplora | 6 confirmations (~60 min) |
| Solana | Helius / Triton | Helius DAS API | 32 slots (~12.8 sec) |
| Polygon | Alchemy Polygon | The Graph (subgraph) | 256 blocks (~8.5 min) |
| Arbitrum | Alchemy Arbitrum | The Graph (subgraph) | L1 confirmation (~12 min) |
| Optimism | Alchemy Optimism | The Graph (subgraph) | L1 confirmation (~12 min) |
| Avalanche | Avalanche Public RPC | RouteScan indexer | 1 second (instant) |
| Base | Alchemy Base | The Graph (subgraph) | L1 confirmation (~12 min) |
| BNB Smart Chain | NodeReal | BscScan API | 15 blocks (~45 sec) |
Off-Chain Data Sources
| Source | Data Type | Integration | Update Frequency |
|---|---|---|---|
| OFAC SDN List | Sanctioned addresses and entities | Direct XML/CSV download | Daily (4:00 UTC pull) |
| Chainalysis KYT | Address risk scoring, cluster analysis | REST API (real-time) | Real-time per query |
| TRM Labs | Entity clustering, risk categorization | REST API (real-time) | Real-time per query |
| FATF Country Ratings | Jurisdiction risk (blacklist/grey-list) | Static config, quarterly update | Quarterly |
| Nacha Return Codes | ACH return code mapping for SAR triggers | Internal lookup table | On regulatory update |
Caching Strategy
Signal data is cached in Redis with tiered TTLs based on data volatility. Stale cache entries are served with a stale: true flag while fresh data is fetched asynchronously.
| Data Type | Cache TTL | Stale-While-Revalidate | Rationale |
|---|---|---|---|
| OFAC SDN matches | 24 hours | 4 hours | List updates daily; direct matches are high-confidence |
| Chainalysis risk score | 1 hour | 15 minutes | Risk scores can change rapidly on active investigations |
| Wallet age / tx count | 6 hours | 1 hour | Slowly changing data, expensive to re-query |
| DeFi positions | 30 minutes | 5 minutes | Positions can change with market movements |
| Cross-chain balances | 15 minutes | 3 minutes | Balances change with every transaction |
| FATF jurisdiction status | 7 days | 24 hours | Updates quarterly, very low volatility |
| ENS / domain lookups | 24 hours | 6 hours | Domain ownership changes are infrequent |
Scoring Engine
Category Weights
Each category produces a normalized score between 0.0 and 1.0 (average of its constituent signals). The composite score is the weighted sum of all category scores.
| Category | Weight | Signals | Rationale |
|---|---|---|---|
| Counterparty Contamination | 0.30 | 9 signals | Highest weight - direct exposure to sanctioned or criminal entities is the strongest fraud indicator |
| Velocity and Pattern Anomalies | 0.20 | 8 signals | Behavioral anomalies are second-strongest indicator of compromised accounts or layering |
| Wallet Age and Genesis Risk | 0.15 | 6 signals | Wallet maturity is a meaningful but not decisive factor |
| Hidden Asset Detection | 0.15 | 7 signals | Concealment techniques are significant but require confirmation from other categories |
| Regulatory Signal Alignment | 0.15 | 6 signals | Compliance signals inform risk but do not solely determine fraud |
| DeFi Position Trust Scoring | 0.05 | 6 signals | Trust reduction is capped and weighted low to prevent gaming through manufactured DeFi positions |
Verdict Thresholds
Composite Score Formula: composite = sum(category_weight[i] * category_score[i]) for i in 1..6
The DeFi trust reduction (category 4) applies as a negative modifier, capped at -0.40 on the category score before weighting. This prevents a wallet from manufacturing enough DeFi positions to overcome genuine risk signals.
| Verdict | Threshold | Action |
|---|---|---|
| NO | Composite score >= 0.75 OR any hard-block signal fires | Reject settlement. Log full signal breakdown. Generate SAR trigger if applicable. |
| REVIEW | Composite score >= 0.40 and < 0.75 | Hold settlement. Route to compliance queue. 24-hour SLA for human review. |
| YES | Composite score < 0.40 AND no hard-block signals | Proceed to settlement. Record attestation on-chain. |
Trust Reduction Cap
The DeFi Position Trust Scoring category (Category 4) can reduce the composite risk score by up to 40% of its weighted contribution. This cap exists because DeFi positions can be manufactured - a bad actor could deposit into Aave, provide Uniswap liquidity, and vote in a DAO governance proposal purely to lower their WIE score. The cap ensures that manufactured trust signals cannot override genuine risk signals from the other 5 categories.
Pseudocode for the cap:
```
defi_raw    = average(DFT_001, DFT_002, ..., DFT_006)
defi_capped = max(defi_raw, -0.40)   # cannot reduce more than 40%
composite   = (CPC_weight * CPC_score)
            + (VEL_weight * VEL_score)
            + (WAG_weight * WAG_score)
            + (HAS_weight * HAS_score)
            + (REG_weight * REG_score)
            + (DFT_weight * defi_capped)
```
Verdict Pipeline
End-to-End Flow (10 Steps)
1. Intent Received. Settlement consumer publishes a transaction intent to the settlement.intents Kafka topic. The intent includes sender address, recipient address, asset, amount, and chain.
2. Cache Lookup. WIE Gateway checks Redis for a recent verdict on the recipient address. If a cached verdict exists and is under 5 minutes old with no hard-block updates, return it immediately (cache hit).
3. Hard-Block Pre-Screen. Before full signal collection, check OFAC SDN list, terrorism financing flags, and ransomware cluster lists. If any hard-block signal fires, short-circuit to NO verdict immediately. Skip to step 9.
4. Parallel Signal Collection. Dispatch all 6 signal category collectors concurrently. Each collector has an independent 1.5-second timeout. Timed-out collectors return a default neutral score with a timeout: true flag.
5. Signal Normalization. Raw signal values are normalized to the 0.0-1.0 range using the mapping functions defined in each signal's specification. Out-of-range values are clamped.
6. Category Scoring. Signals within each category are averaged (weighted by their intra-category weights) to produce 6 category scores.
7. DeFi Trust Cap. Apply the -0.40 floor to the DeFi category score to prevent gaming.
8. Composite Scoring. Multiply each category score by its inter-category weight and sum to produce the final composite score.
9. Verdict Determination. Map the composite score to YES / NO / REVIEW using the threshold table. Sign the verdict with the node's Dilithium key. Publish to wie.verdicts Kafka topic.
10. Attestation Recording. Write the signed verdict, full signal breakdown, and metadata to the attestation service for on-chain recording. Store audit copy in PostgreSQL with S3 archive.
Short-Circuit Rules
The pipeline supports early termination in the following cases:
- Hard-block hit (step 3): Immediate NO. Full signal collection still runs asynchronously for audit purposes but does not block the verdict.
- Cache hit (step 2): Return cached verdict if under 5 minutes old and no new OFAC/sanctions updates since cache time.
- Timeout (step 4): If more than 3 collectors time out, the verdict defaults to REVIEW with reason: "insufficient_data".
- Composite score exceeds 0.90 after 3 categories: If the weighted partial score from the first 3 categories already exceeds 0.90, short-circuit to NO (remaining categories cannot reduce below 0.75).
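The scoring and short-circuit rules above (category weights, DeFi floor, verdict thresholds, hard-block override, timeout handling) combined with the fail-closed design principle, as an added TypeScript example that is not WIE's own code. The identifier names, the reason strings other than insufficient_data, the treatment of a non-finite score as an unavailable source, and the rule that any degraded collector downgrades a would-be YES to REVIEW are assumptions made here to reconcile "neutral score on timeout" with "never YES when a source is unavailable".

```typescript
// Added example. Identifiers are illustrative, not taken from the WIE code base.
type Verdict = "YES" | "NO" | "REVIEW";
type CategoryId = "CPC" | "VEL" | "WAG" | "HAS" | "REG" | "DFT";
const CATEGORY_IDS: CategoryId[] = ["CPC", "VEL", "WAG", "HAS", "REG", "DFT"];

// Inter-category weights from the Category Weights table.
const CATEGORY_WEIGHTS: Record<CategoryId, number> = {
  CPC: 0.30, VEL: 0.20, WAG: 0.15, HAS: 0.15, REG: 0.15, DFT: 0.05,
};
const DEFI_FLOOR = -0.40;      // trust reduction cap on the DeFi category score
const REVIEW_THRESHOLD = 0.40;
const NO_THRESHOLD = 0.75;
const MAX_DEGRADED = 3;        // more degraded collectors than this => insufficient_data

interface CollectorResult {
  score: number | null;        // null when the signal source was unavailable
  timedOut: boolean;
}
type CategoryResults = Record<CategoryId, CollectorResult>;
interface Decision { verdict: Verdict; composite: number; reason: string; }

function clamp(x: number, lo: number, hi: number): number {
  return Math.min(hi, Math.max(lo, x));
}

// A result is usable only if it arrived in time and is a finite number.
// NaN has to be rejected here: every threshold comparison against NaN is
// false, so an unchecked NaN would fall through to YES (fail-open).
function isUsable(r: CollectorResult): boolean {
  return !r.timedOut && typeof r.score === "number" && isFinite(r.score);
}

function compositeScore(results: CategoryResults): number {
  let sum = 0;
  for (const id of CATEGORY_IDS) {
    const r = results[id];
    const raw = isUsable(r) ? (r.score as number) : 0; // unusable => neutral 0.0
    // Only the DeFi category may go negative, and never below the floor.
    const score = id === "DFT" ? clamp(raw, DEFI_FLOOR, 1) : clamp(raw, 0, 1);
    sum += CATEGORY_WEIGHTS[id] * score;
  }
  return Math.round(sum * 1e4) / 1e4; // four decimals, matching NUMERIC(6,4)
}

function decideVerdict(results: CategoryResults, hardBlocks: string[]): Decision {
  // The composite is always computed so the audit record is complete.
  const composite = compositeScore(results);
  if (hardBlocks.length > 0) {
    return { verdict: "NO", composite, reason: "hard_block:" + hardBlocks.join(",") };
  }
  const degraded = CATEGORY_IDS.filter((id) => !isUsable(results[id]));
  if (degraded.length > MAX_DEGRADED) {
    return { verdict: "REVIEW", composite, reason: "insufficient_data" };
  }
  if (composite >= NO_THRESHOLD) {
    return { verdict: "NO", composite, reason: "score_threshold" };
  }
  if (composite >= REVIEW_THRESHOLD) {
    return { verdict: "REVIEW", composite, reason: "score_threshold" };
  }
  if (degraded.length > 0) {
    // Fail closed: a low score built on missing data is never a YES.
    return { verdict: "REVIEW", composite, reason: "signal_source_unavailable:" + degraded.join(",") };
  }
  return { verdict: "YES", composite, reason: "score_threshold" };
}

// Helper for the constructed samples below.
function buildResults(
  scores: Record<CategoryId, number | null>,
  timedOut: CategoryId[] = [],
): CategoryResults {
  const out = {} as CategoryResults;
  for (const id of CATEGORY_IDS) {
    out[id] = { score: scores[id], timedOut: timedOut.indexOf(id) !== -1 };
  }
  return out;
}

// Constructed category scores (not real wallet data). DFT is deliberately
// below the floor to show the cap: it contributes -0.02, not -0.045.
const LOW_RISK: Record<CategoryId, number> =
  { CPC: 0.10, VEL: 0.20, WAG: 0.20, HAS: 0.10, REG: 0.00, DFT: -0.90 };
const HIGH_RISK: Record<CategoryId, number> =
  { CPC: 0.90, VEL: 0.90, WAG: 0.90, HAS: 0.80, REG: 0.80, DFT: -0.90 };

console.log(decideVerdict(buildResults(LOW_RISK), []));
console.log(decideVerdict(buildResults(LOW_RISK), ["CPC-001"]));
console.log(decideVerdict(buildResults(LOW_RISK, ["VEL"]), []));
console.log(decideVerdict(buildResults(HIGH_RISK), []));
```

With the DeFi weight at 0.05 and the floor at -0.40, the largest possible trust discount on the composite is 0.02, which is why the high-risk sample stays a NO however strong its DeFi profile.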
API Specification
POST /v1/attest
Primary attestation endpoint. Evaluates a counterparty wallet and returns a signed verdict.
Request
```json
{
  "sender": "0x7Bcff27567cfE3e67020a0d771a445178756aBa2",
  "recipient": "0x9347efffa3e8985e0d35536b408cab48599971e8",
  "asset": "USDC",
  "amount": "250000.00",
  "chain": "ethereum",
  "intent_id": "int_a1b2c3d4e5f6",
  "metadata": {
    "source_app": "settlement-consumer",
    "urgency": "standard"
  }
}
```
Response
```json
{
  "verdict": "YES",
  "composite_score": 0.18,
  "attestation_id": "att_8f7e6d5c4b3a",
  "timestamp": "2026-04-12T14:30:22.441Z",
  "latency_ms": 142,
  "categories": {
    "wallet_age_genesis": { "score": 0.08, "weight": 0.15, "signals_evaluated": 6 },
    "counterparty_contamination": { "score": 0.02, "weight": 0.30, "signals_evaluated": 9 },
    "velocity_pattern": { "score": 0.12, "weight": 0.20, "signals_evaluated": 8 },
    "defi_trust": { "score": -0.22, "weight": 0.05, "signals_evaluated": 6 },
    "hidden_assets": { "score": 0.05, "weight": 0.15, "signals_evaluated": 7 },
    "regulatory_alignment": { "score": 0.10, "weight": 0.15, "signals_evaluated": 6 }
  },
  "hard_blocks": [],
  "cache_hit": false,
  "signature": "dilithium3_0xabc123...def789",
  "chain_recorded": true
}
```
GET /v1/wallet/{address}
Returns the most recent verdict and signal profile for a wallet address. Does not trigger a new evaluation.
Response (200 OK)
```json
{
  "address": "0x9347efffa3e8985e0d35536b408cab48599971e8",
  "last_verdict": "YES",
  "last_score": 0.18,
  "last_evaluated": "2026-04-12T14:30:22.441Z",
  "evaluation_count": 47,
  "signal_profile": {
    "wallet_age_days": 412,
    "total_transactions": 1893,
    "kyc_verified": true,
    "defi_protocols_used": 7,
    "hard_block_history": [],
    "jurisdiction": "US"
  }
}
```
POST /v1/sweep
Batch re-evaluation of all wallets with a previous REVIEW verdict. Typically run daily as a scheduled job. Returns a summary of verdict changes.
Request
```json
{
  "scope": "review_pending",
  "max_wallets": 1000,
  "priority": "high_value_first"
}
```
Response
```json
{
  "sweep_id": "swp_x9y8z7w6",
  "wallets_evaluated": 312,
  "verdict_changes": {
    "review_to_yes": 198,
    "review_to_no": 14,
    "review_unchanged": 100
  },
  "duration_ms": 48200,
  "next_sweep_recommended": "2026-04-13T04:00:00Z"
}
```
POST /v1/attest/batch
Evaluate multiple wallets in a single request. Maximum 100 wallets per batch. Returns individual verdicts for each wallet.
Request
```json
{
  "sender": "0x7Bcff27567cfE3e67020a0d771a445178756aBa2",
  "recipients": [
    { "address": "0xaaa...111", "asset": "USDC", "amount": "50000.00", "chain": "ethereum" },
    { "address": "0xbbb...222", "asset": "ETH", "amount": "25.5", "chain": "ethereum" },
    { "address": "0xccc...333", "asset": "SOL", "amount": "1000.0", "chain": "solana" }
  ],
  "intent_id": "int_batch_001"
}
```
Response
```json
{
  "batch_id": "bat_q1w2e3r4",
  "total": 3,
  "results": [
    { "address": "0xaaa...111", "verdict": "YES", "score": 0.12, "latency_ms": 134 },
    { "address": "0xbbb...222", "verdict": "REVIEW", "score": 0.52, "latency_ms": 189 },
    { "address": "0xccc...333", "verdict": "YES", "score": 0.08, "latency_ms": 156 }
  ],
  "total_latency_ms": 203
}
```
DeFi Position Enumeration
The DeFi Enumerator scans the counterparty wallet's positions across the following protocol categories. Position data is used exclusively by Category 4 (DeFi Position Trust Scoring) signals.
Supported Protocol Categories
| Category | Protocols | Data Extracted |
|---|---|---|
| Lending | Aave v2/v3, Compound v2/v3, MakerDAO, Spark, Morpho, Radiant | Collateral value, borrow value, health factor, liquidation threshold, position duration |
| DEX Liquidity | Uniswap v2/v3, SushiSwap, Curve, Balancer, PancakeSwap, Trader Joe | LP token value, pool share percentage, impermanent loss, position age, fee earnings |
| Yield Aggregators | Yearn v2/v3, Convex, Beefy, Harvest, Sommelier | Vault deposits, strategy type, APY, deposit duration, withdrawal frequency |
| Staking | Lido, Rocket Pool, Coinbase cbETH, Frax, StakeWise, Swell | Staked amount, staking duration, validator association, reward history |
| Multisig / DAO | Safe (Gnosis Safe), Aragon, Governor Bravo, Snapshot (off-chain) | Signer count, signer threshold, proposal votes, treasury participation |
| Vesting / Lockups | Sablier, Superfluid, LlamaPay, Hedgey, custom vesting contracts | Locked amount, unlock schedule, cliff date, vesting duration, beneficiary address |
Enumeration Timeout: DeFi position scanning has a dedicated 800ms budget within the overall 1.5-second collector timeout. If scanning does not complete in 800ms, the DeFi category defaults to a neutral score of 0.0 (no trust reduction, no risk addition). The timeout is logged for observability.
Cross-Chain Coverage
WIE supports signal collection across 11 chains. Not all signal capabilities are available on every chain. The matrix below shows coverage by chain and capability.
| Chain | Wallet History | DeFi Positions | Token Balances | NFT Detection | Contract Analysis |
|---|---|---|---|---|---|
| Ethereum | Full | Full | Full | Full | Full |
| Bitcoin | Full | N/A | Full | Ordinals only | N/A |
| Solana | Full | Full | Full | Full | Partial (no source) |
| Polygon | Full | Full | Full | Full | Full |
| Arbitrum | Full | Full | Full | Full | Full |
| Optimism | Full | Full | Full | Full | Full |
| Avalanche | Full | Partial | Full | Partial | Full |
| Base | Full | Full | Full | Full | Full |
| BNB Smart Chain | Full | Full | Full | Partial | Full |
| Gnosis | Full | Partial | Full | Partial | Full |
| zkSync Era | Full | Partial | Full | Partial | Partial |
Coverage Definitions:
- Full: Complete signal collection via native RPC and indexer APIs. All signals in the category can be evaluated.
- Partial: Limited signal collection. Some signals may return neutral scores due to missing data. Coverage percentage noted in signal metadata.
- N/A: Capability does not apply to this chain (e.g., DeFi positions on Bitcoin's base layer).
Legal and Regulatory
SAR Trigger Conditions
A Suspicious Activity Report (SAR) trigger event is generated automatically when any of the following conditions are met:
- Any hard-block signal fires (CPC-001, CPC-007 direct, CPC-008 direct, CPC-009)
- Composite score exceeds 0.85 (high-confidence NO verdict)
- Structuring pattern detected (VEL-005 score above 0.7) with aggregate value over $10,000 in 48 hours
- Three or more NO verdicts on the same wallet within 30 days
- Manual escalation from compliance review queue
SAR trigger events are published to the compliance.sar_triggers Kafka topic and stored in the audit log with a 7-year retention period.
Nacha Return Code Mapping
For ACH-adjacent transactions, WIE maps its verdicts to the appropriate Nacha return codes:
| WIE Verdict | Nacha Code | Nacha Description | Action |
|---|---|---|---|
| NO | R05 | Unauthorized Debit | Reject before settlement |
| NO (sanctions) | R29 | Corporate Customer Advises Not Authorized | Reject with compliance hold |
| REVIEW | R16 | Account Frozen / Entry Returned per OFAC | Hold for manual review |
GENIUS Act Compliance
Signal REG-006 evaluates stablecoin transactions against the GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins) requirements:
- Issuer must maintain 1:1 reserve backing with qualifying assets
- Monthly attestation reports from a registered public accounting firm
- Issuer must be a US-chartered entity or licensed foreign issuer
- Redemption at par value within 1 business day
Non-compliant stablecoin issuers receive a REG-006 score of 0.45, which contributes to but does not alone trigger a NO verdict.
Audit Log Schema
SQL - wie_audit_log table
```sql
CREATE TABLE wie_audit_log (
    id               BIGSERIAL PRIMARY KEY,
    attestation_id   VARCHAR(64) NOT NULL UNIQUE,
    intent_id        VARCHAR(64) NOT NULL,
    sender           VARCHAR(128) NOT NULL,
    recipient        VARCHAR(128) NOT NULL,
    asset            VARCHAR(32) NOT NULL,
    amount           NUMERIC(38,18) NOT NULL,
    chain            VARCHAR(32) NOT NULL,
    verdict          VARCHAR(8) NOT NULL CHECK (verdict IN ('YES','NO','REVIEW')),
    composite_score  NUMERIC(6,4) NOT NULL,
    category_scores  JSONB NOT NULL,
    signal_details   JSONB NOT NULL,
    hard_blocks      JSONB DEFAULT '[]',
    cache_hit        BOOLEAN DEFAULT FALSE,
    latency_ms       INTEGER NOT NULL,
    signature        TEXT NOT NULL,
    sar_triggered    BOOLEAN DEFAULT FALSE,
    created_at       TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    archived_to_s3   BOOLEAN DEFAULT FALSE,
    s3_key           VARCHAR(256)
);
CREATE INDEX idx_wie_audit_recipient ON wie_audit_log (recipient);
CREATE INDEX idx_wie_audit_verdict ON wie_audit_log (verdict, created_at);
CREATE INDEX idx_wie_audit_sar ON wie_audit_log (sar_triggered) WHERE sar_triggered = TRUE;
CREATE INDEX idx_wie_audit_created ON wie_audit_log (created_at);
```
Performance
Latency Targets
| Metric | Target | Hard Limit | Notes |
|---|---|---|---|
| p50 Verdict Latency | Under 150ms | 200ms | Median case with warm cache on 3+ signal categories |
| p99 Verdict Latency | Under 800ms | 2000ms | Cold cache, all collectors query live sources |
| Cache Hit Latency | Under 5ms | 10ms | Direct Redis lookup, no signal collection |
| Hard-Block Short Circuit | Under 20ms | 50ms | OFAC/sanctions pre-screen only |
Throughput Targets
| Tier | Sustained TPS | Burst TPS (30s) | Configuration |
|---|---|---|---|
| Standard | 500 | 1,000 | Single WIE instance, 4 vCPU, 8 GB RAM |
| High | 2,000 | 5,000 | 4 WIE instances, load-balanced, shared Redis |
| Enterprise | 10,000 | 25,000 | Horizontal cluster, sharded by address prefix, dedicated Redis per shard |
Availability
Target availability: 99.99% uptime (52.6 minutes of downtime per year). Achieved through:
- Active-passive failover with less than 5 second switchover
- Redis Sentinel for cache high availability
- Kafka consumer group rebalancing for queue resilience
- PostgreSQL streaming replication for audit log durability
- Circuit breaker on all external API calls (Chainalysis, TRM) with fallback to cached scores
Security
Verdict Signing
Every verdict is cryptographically signed using CRYSTALS-Dilithium (NIST PQC Level 3) to ensure post-quantum tamper resistance. The signed payload includes the composite score, all category scores, the verdict, the timestamp, and the intent ID. Signatures are verified by the attestation service before on-chain recording.
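The verify-before-recording check described above, as an added TypeScript example that is not WIE's own code. It signs with Ed25519 from the Node.js standard library as a stand-in for Dilithium so that it runs without extra dependencies. The canonical JSON encoding, the field names and the sample payload are assumptions; the specification names the signed fields but not their serialization.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Fields the specification lists as covered by the verdict signature.
// Field names are assumed for this example.
interface VerdictPayload {
  intent_id: string;
  verdict: "YES" | "NO" | "REVIEW";
  composite_score: number;
  category_scores: Record<string, number>;
  timestamp: string;
}

// Canonical JSON (assumed encoding): object keys sorted recursively and no
// whitespace, so signer and verifier hash identical bytes regardless of the
// order in which a service happened to build the object.
function canonicalize(value: unknown): string {
  if (value === null || typeof value !== "object") {
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalize).join(",") + "]";
  }
  const obj = value as Record<string, unknown>;
  const keys = Object.keys(obj).sort();
  return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k])).join(",") + "}";
}

// Ed25519 takes no separate digest algorithm, hence the null first argument.
function signVerdict(payload: VerdictPayload, privateKey: KeyObject): string {
  const message = Buffer.from(canonicalize(payload), "utf8");
  return sign(null, message, privateKey).toString("base64");
}

// Returns true only when the signature matches the canonical payload.
// Any parsing or crypto error counts as a failed verification.
function verifyVerdict(payload: VerdictPayload, signatureB64: string, publicKey: KeyObject): boolean {
  try {
    const message = Buffer.from(canonicalize(payload), "utf8");
    return verify(null, message, publicKey, Buffer.from(signatureB64, "base64"));
  } catch (err) {
    return false;
  }
}

// Gate in front of on-chain recording: the attestation is accepted only if
// one of the currently trusted node keys verifies it. Passing several keys
// lets a verifier keep accepting verdicts across a key rotation window.
function acceptForRecording(
  payload: VerdictPayload,
  signatureB64: string,
  trustedKeys: KeyObject[],
): boolean {
  return trustedKeys.some((key) => verifyVerdict(payload, signatureB64, key));
}

// Constructed sample payload (not a real attestation).
const SAMPLE_PAYLOAD: VerdictPayload = {
  intent_id: "int_example_0001",
  verdict: "REVIEW",
  composite_score: 0.52,
  category_scores: { counterparty_contamination: 0.9, velocity_pattern: 0.7 },
  timestamp: "2026-04-12T14:30:22.441Z",
};

const nodeKeys = generateKeyPairSync("ed25519");
const sampleSignature = signVerdict(SAMPLE_PAYLOAD, nodeKeys.privateKey);

// A REVIEW verdict rewritten to YES after signing no longer verifies.
const tampered: VerdictPayload = { ...SAMPLE_PAYLOAD, verdict: "YES" };
console.log("original accepted:", acceptForRecording(SAMPLE_PAYLOAD, sampleSignature, [nodeKeys.publicKey]));
console.log("tampered accepted:", acceptForRecording(tampered, sampleSignature, [nodeKeys.publicKey]));
```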
Validator Quorum for High-Value Verdicts
Transactions exceeding $1,000,000 in value require multi-validator consensus on the WIE verdict:
- The originating node produces the primary verdict
- The verdict and signal snapshot are broadcast to the validator set
- A minimum of 3 additional validators must independently confirm the verdict within 10 seconds
- If quorum is not reached, the verdict defaults to REVIEW regardless of the composite score
- Quorum responses are recorded on-chain as co-attestations
Key Management
| Key Type | Storage | Rotation | Purpose |
|---|---|---|---|
| Dilithium Signing Key | HSM (FIPS 140-2 Level 3) | 90-day rotation | Verdict signing and attestation proofs |
| Ed25519 Node Identity | HSM | Annual rotation | Inter-node communication authentication |
| AES-256-GCM Data Key | Encrypted at rest (KMS) | 30-day rotation | Signal data encryption in transit and at rest |
| API Authentication Key | Environment variable (encrypted) | 90-day rotation | External API access (Chainalysis, TRM) |
| HMAC Integrity Key | HSM | 90-day rotation | Audit log hash chaining |
Testing
Test Coverage Requirements
| Test Type | Scope | Coverage Target | Frequency |
|---|---|---|---|
| Unit Tests | All 42 signal scoring functions, normalization logic, threshold checks | 100% line coverage | Every commit (CI) |
| Integration Tests | End-to-end pipeline from intent to verdict, cache behavior, Kafka roundtrip | 95% path coverage | Every PR (CI) |
| Signal Accuracy Tests | Known-bad wallets (OFAC list, confirmed fraud cases) must produce correct verdicts | 100% true positive rate on known-bad set | Daily (scheduled) |
| Performance Tests | Latency and throughput under load (500/2000/10000 TPS scenarios) | Meet all p50/p99 targets | Weekly (scheduled) |
| Chaos Tests | Random failure injection on signal collectors, cache, database | Graceful degradation to REVIEW | Monthly |
False Positive Targets
| Use Case | Max False Positive Rate | Measurement |
|---|---|---|
| Institutional transfers (over $100K) | Under 0.1% | Legitimate institutional wallets incorrectly flagged as REVIEW or NO |
| Retail transactions (under $10K) | Under 0.5% | Legitimate retail wallets incorrectly flagged as NO |
| DeFi power users | Under 0.3% | Active DeFi users with complex position histories incorrectly flagged |
| Cross-chain bridge users | Under 1.0% | Legitimate bridge users flagged due to velocity or chain-hop patterns |
| New wallets (under 30 days) | Under 2.0% | Legitimate new wallets incorrectly blocked (higher tolerance for new wallets) |
Backtesting Requirements
Before any scoring weight change or new signal deployment, the following backtesting protocol must be completed:
- Historical Replay: Run the updated scoring model against the last 90 days of verdict history (minimum 100,000 verdicts). Compare old vs. new verdict distribution.
- Known-Bad Validation: Verify that all confirmed fraud cases in the validation set still produce NO verdicts. Zero regression tolerance on known-bad wallets.
- False Positive Delta: Calculate the change in false positive rate per use case. No single use case may increase by more than 0.1 percentage points.
- Sensitivity Analysis: Vary the changed weight by +/- 20% and verify verdict stability. Unstable weights (where small changes cause large verdict swings) require additional review.
- Sign-Off: Backtesting results must be reviewed and approved by at least two engineers before deployment to production.