Bridge Tracing

Introduction

Bridging is a vital function of blockchain interoperability, allowing users to transfer tokens from one chain to another. As such, there are a large number of bridges operating across a number of chains and with that, a number of different methods in which the assets are bridged. Some of these bridge transactions are easier to trace than others, whilst some are . This blog looks at how to trace assets moving across some of the most commonly used bridges.

Chain IDs

In bridge tracing, a chain identifier (Chain ID) is an important piece of information. A Chain ID is a unique identifier assigned to a specific blockchain. For example, the Ethereum mainnet typically has chain ID 1, devnet Ropsten has Chain ID 3, Rinkeby is 4 and so on.

Most of the time, Chain IDs are consistent with those listed on chainlist.org. However, this is not always the case. Sometimes it’s necessary to read the documentation of the bridge protocol used to find this information. Here are a few examples:

Some bridges may not show the destination Chain ID. The same is true of the destination address, which may or may not be displayed, and of the origin when we have the destination and want to work backwards. Whilst some bridges are easy to figure out, others require more in-depth analysis.

Same Wallet Different Chain

The simplest bridge transactions to trace are ones that transfer from one EVM-compatible chain to another using the same wallet address. An EVM-compatible blockchain is one that can run the Ethereum Virtual Machine (EVM) and execute smart contracts on Ethereum. Smart contracts used on one chain can be deployed across multiple EVM blockchains without significant changes to the code.

Synapse Bridge

Below is a bridge transaction that used Synapse, which Etherscan tells us was a bridge transaction to Polygon.

BridgeTracing 1

The bridge uses the sending wallet address as the destination address, so checking the wallet on Polygonscan will show the incoming bridge transaction. Other protocols using the same wallet address include:

  • Orbiter Bridge
  • Socket
  • Mayan Swap
    • Except when sending to Solana, which uses a different wallet format. Such transfers can be traced via timing analysis (see below) on the Mayan Swap contract.

Decoding Input Data

Taking it a step up, the next set of protocols can bridge to different wallet addresses but record the relevant information within the Input Data field under More Details in a transaction. By clicking Decode Input Data we can see the relevant details.

Across Protocol

The destination chain and recipient can be found by decoding the transaction inputs or in the transaction logs. In the example below the originChainId is chain 137. If we search for ID 137 on ChainList, it indicates the destination chain was Polygon.

BridgeTracing 2

ThorChain

Perhaps not quite as obvious, ThorChain’s recipient address is found in the memo field.

BridgeTracing 3

Gala

Some protocols like Gala go one step further and use hex to encode the recipient address in the transaction.

BridgeTracing 4

Using a hex to text converter, drop the leading 0x and convert the rest of the hash. The decoded result is the recipient on Gala.

Screenshot 2024-08-09 at 11.08.45

Transaction Logs

Bridges that don’t show any relevant information when decoding input data may instead include the information within the transaction logs.

Axelar Gateway

In this bridge transaction using Axelar, the destination chain and recipient address can be found within the data section. The recipient address is shown without the leading 0x.

BridgeTracing 6
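
The same lookup can be done offline from the raw log data. The sketch below is an added example, not CertiK's or Axelar's code: it assumes the log is the gateway's TokenSent event with non-indexed data laid out as (string destinationChain, string destinationAddress, string symbol, uint256 amount), and the sample data, recipient and `encode_sample` helper are constructed for illustration.

```python
# Added example: decode the non-indexed data of a bridge event log offline.
# Assumed layout (Axelar gateway TokenSent event):
#   (string destinationChain, string destinationAddress, string symbol, uint256 amount)
WORD = 32
HEX = set("0123456789abcdefABCDEF")

def _word(data: bytes, offset: int) -> int:
    if offset + WORD > len(data):
        raise ValueError("log data truncated")
    return int.from_bytes(data[offset:offset + WORD], "big")

def _string(data: bytes, slot: int) -> str:
    # Head slot holds a byte offset; the length word and the bytes sit there.
    start = _word(data, slot * WORD)
    length = _word(data, start)
    body = data[start + WORD:start + WORD + length]
    if len(body) != length:
        raise ValueError("string runs past end of log data")
    return body.decode("utf-8")

def decode_token_sent(data_hex: str) -> dict:
    raw = data_hex[2:] if data_hex.startswith("0x") else data_hex
    data = bytes.fromhex(raw)
    recipient = _string(data, 1)
    # The recipient may appear without its leading 0x; restore it for EVM addresses.
    if len(recipient) == 40 and set(recipient) <= HEX:
        recipient = "0x" + recipient
    return {"destination_chain": _string(data, 0), "recipient": recipient,
            "symbol": _string(data, 2), "amount": _word(data, 3 * WORD)}

def encode_sample(chain: str, addr: str, symbol: str, amount: int) -> str:
    # Fixture builder: lays out constructed values the way the ABI encoder would.
    heads, tails, offset = [], [], 4 * WORD
    for text in (chain, addr, symbol):
        raw = text.encode()
        padded = raw.ljust(-(-len(raw) // WORD) * WORD, b"\0")
        heads.append(offset.to_bytes(WORD, "big"))
        tails.append(len(raw).to_bytes(WORD, "big") + padded)
        offset += WORD + len(padded)
    head = b"".join(heads) + amount.to_bytes(WORD, "big")
    return "0x" + (head + b"".join(tails)).hex()

# Constructed sample: placeholder recipient, not a real address.
SAMPLE_DATA = encode_sample("Polygon", "ab" * 20, "axlUSDC", 1_500_000)

if __name__ == "__main__":
    print(decode_token_sent(SAMPLE_DATA))
```
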

Timing Analysis

Not all bridge transactions display information on where assets are sent to or received from. Some of these bridge transactions can be traced using a technique called timing analysis, where the time and amount of assets being sent or received are used to find the other end of the transaction. Tools like Arkham Intelligence’s visualiser can make this task simpler by showing transactions across multiple chains at the same time.

Fixed Float

In this example, we have 2 Fixed Float transactions on 17 April for 276 BNB and 75.84 BNB respectively. Using this data we can find the transactions within Arkham.

BridgeTracing 7

With the ‘More Info’ table open this is where we’ll narrow down and find the above deposits.

  1. Filter by token amount (value), token type and USD amount. The important thing here is to search by USD amount, since Fixed Float is a swap and we don’t know what the BNB is being swapped to or the amount of tokens that would be received. 75.84 BNB was approx $25.8k at the time, so we set the filter to $25k-$26k. Note: if you don’t see the deposit you are looking for, try widening the filter. Scan site values may vary slightly.

  2. Date slider or date filter. The example above was deposited on 17 April 2023, so use the date slider or date filter to cover this range.

With the filters in place, we are left with a few transactions for roughly the same value on the same date. We can see the 75.84 BNB deposit from the transaction above. Taking into account that Fixed Float charges either a 0.5% or 1% fee (approx $200 in this example), we look for withdrawals of around $25.6k.

BridgeTracing 8

Arkham doesn’t support all the chains/tokens that are on Fixed Float so it is possible there will be no outgoing transactions here that are a good match for the deposit.

In this instance we have a transaction that could match our deposit activity: 12.337 ETH to 0x2f7 less than 60 seconds after the deposit. Fixed Float transactions are processed instantly, so funds should be received within a couple of minutes after they are sent, depending on network congestion.

Taking a look at the Ethereum address we can see that there are two transactions from Fixed Float.

BridgeTracing 9

In the original deposit, we saw there was also a 276 BNB swap via Fixed Float. This aligns with the 44.88 ETH received by 0x2f79, both in terms of value and timing. Whilst this is not direct confirmation that 0x2f79 was the receiver of the BNB deposits, the timing and amounts of both transactions make it highly probable.
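
The filtering steps above can also be scripted once transfers have been exported. This is an added example, not CertiK's or Arkham's tooling: the token amounts and the $25.8k and $25.6k figures come from the walkthrough, while the clock times, the USD values for the 276 BNB and 44.88 ETH legs, the two noise rows, the 5-minute window and the 1% tolerance are assumptions constructed for illustration.

```python
# Added example: shortlist withdrawals that could be the far side of a deposit.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    tx: str         # constructed label, not a real transaction hash
    time: datetime
    asset: str
    amount: float
    usd: float      # USD value at transfer time, as an explorer would report it

def candidates(deposit, withdrawals, fees=(0.005, 0.01),
               window=timedelta(minutes=5), tolerance=0.01):
    """Return (withdrawal, delay_seconds, fee) tuples, quickest first.

    A withdrawal qualifies when it follows the deposit within `window` and its
    USD value is within `tolerance` of the deposit minus one of `fees`.
    """
    hits = []
    for w in withdrawals:
        delay = (w.time - deposit.time).total_seconds()
        if not 0 <= delay <= window.total_seconds():
            continue  # before the deposit, or too late to be an instant swap
        for fee in fees:
            expected = deposit.usd * (1 - fee)
            if abs(w.usd - expected) <= expected * tolerance:
                hits.append((w, delay, fee))
                break
    return sorted(hits, key=lambda h: h[1])

T0 = datetime(2023, 4, 17, 10, 0, 0)  # constructed clock times on the page's date
DEPOSITS = [
    Transfer("dep-bnb-75.84", T0, "BNB", 75.84, 25_800),
    Transfer("dep-bnb-276", T0 + timedelta(minutes=20), "BNB", 276, 93_900),
]
WITHDRAWALS = [
    Transfer("wd-usdt-early", T0 - timedelta(hours=1), "USDT", 25_650, 25_650),
    Transfer("wd-eth-12.337", T0 + timedelta(seconds=55), "ETH", 12.337, 25_600),
    Transfer("wd-btc-large", T0 + timedelta(seconds=70), "BTC", 1.05, 31_000),
    Transfer("wd-eth-44.88", T0 + timedelta(minutes=21, seconds=30), "ETH", 44.88, 93_100),
]

if __name__ == "__main__":
    for d in DEPOSITS:
        for w, delay, fee in candidates(d, WITHDRAWALS):
            print(f"{d.tx} -> {w.tx}: {delay:.0f}s later, fee tier {fee:.1%}")
```

A match from this filter is a candidate for review, not proof of ownership; widen `window` or `tolerance` when nothing is returned, as the walkthrough suggests for the explorer filters.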

There are a number of additional bridges for which the above timing analysis method can be used. Though not exhaustive, they include:

Conclusion

Bridge tracing is an important part of understanding the movement of assets across blockchains. Malicious actors handling stolen assets may use bridges to attempt to obfuscate the origin of funds, if only to hide their trail from exchanges and avoid asset freezing. This blog has explored some of the methods to trace assets, including Chain IDs, the use of transaction logs and timing analysis. By leveraging these methods, one can effectively analyze and trace cross-chain transactions.

To keep up to date on the latest incident alerts and fund flow analysis follow @certikalert on X.