Keys Defender bot - development update #3

in steem •  2 months ago  (edited)

Recently I introduced my new STEEM blockchain defender bot in this and in this post.

Here is a Development update for my following:

  • I'm "nearly done" (have you ever heard a dev saying otherwise XD) with the development of the scanner bot's core features.
  • The Live scanner has now been running for about 3 days, scanning all new blocks published into the STEEM blockchain.

  • I tested the detection of leaked private keys end to end. The time elapsed between when the block containing a test account private posting key is published and my bot's detection is currently around 200 ms.

  • So far it detected one new private posting key leaked into the blockchain (I got a few false positives / duplicates before that).
    I sent this key to @guiltyparties (as usual) but despite the fact that they have ~600 STEEM in their wallet I won't send this user a transfer memo as their reputation is -5 and they are on a couple of big blacklists.

  • The bot at the moment of writing also supports the recovery of leaked MASTER keys. Testing is in progress with test accounts so hold your horses, don't start putting in comments your master keys just yet! 😅

Resetting the master key revealed itself as a harder task than I anticipated due to a steem api method not working as I expected. I eventually figured out how to programmatically change all private keys reverse engineering (not the most readable code TBH but maybe it was intentionally so on their side.. 😅).

I was then given a solution for the steem api method. It would lead to the use of much less and neater code so I'll give it a try soon.

  • I'm currently working on auto-transferring funds to the Wallet Savings when a leaked ACTIVE key is detected. (I'm dealing with some testing account creation issues first 🙈)

  • I also have in the works the auto-publishing of a Post on the new bot's (@keys-defender??) blog every time a MASTER or ACTIVE key is detected.

  • After those, the next feature I will work on is auto-replying as soon as possible to the comment/post in which any private key was leaked.

In case the key is compromised in other operation types (eg. account_update), a transfer memo will be sent instead (max 1 a day per user in order to prevent abuse) or I will reply to their last post (or both, still have to decide).
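The detection step described above, with its false positives and duplicates, can be sketched as follows. This is an added example, not the bot's own code: it assumes keys appear in the standard WIF encoding and that a block's operations arrive as `[type, body]` pairs, and every function name and the sample block are constructed for illustration.

```javascript
// Added example, not the bot's code: find valid WIF private keys in block text.
const crypto = require('node:crypto');
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const B58 = '[1-9A-HJ-NP-Za-km-z]';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const checksum = (payload) => sha256(sha256(payload)).subarray(0, 4);
function base58Encode(buf) {
  let n = BigInt('0x' + buf.toString('hex')), out = '';
  for (; n > 0n; n /= 58n) out = ALPHABET[Number(n % 58n)] + out;
  return out;
}
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) n = n * 58n + BigInt(ALPHABET.indexOf(ch));
  const hex = n.toString(16);
  return Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
}
// WIF = base58(0x80 || 32-byte secret || first 4 bytes of SHA256(SHA256(0x80 || secret)))
function toWif(secret32) {
  const payload = Buffer.concat([Buffer.from([0x80]), secret32]);
  return base58Encode(Buffer.concat([payload, checksum(payload)]));
}
function isValidWif(candidate) {
  if (!new RegExp(`^5${B58}{50}$`).test(candidate)) return false;
  const raw = base58Decode(candidate);
  return raw.length === 37 && raw[0] === 0x80 &&
    checksum(raw.subarray(0, 33)).equals(raw.subarray(33));
}
// Every string value in an operation body, however deeply nested.
const strings = (v) => typeof v === 'string' ? [v] : Object.values(Object(v)).flatMap(strings);
const CANDIDATE = new RegExp(`(?<!${B58})5${B58}{50}(?!${B58})`, 'g');
function scanBlock(block, seen = new Set()) {
  const hits = [];
  for (const tx of block.transactions) for (const [opType, body] of tx.operations) {
    for (const m of strings(body).join('\n').match(CANDIDATE) || []) {
      if (!isValidWif(m) || seen.has(m)) continue; // look-alike or duplicate
      seen.add(m);
      hits.push({ opType, fingerprint: sha256(m).toString('hex').slice(0, 12) }); // never the key
    }
  }
  return hits;
}

// Constructed sample data: throwaway secret, one look-alike with a broken checksum.
const SAMPLE_KEY = toWif(Buffer.alloc(32, 7));
const LOOK_ALIKE = SAMPLE_KEY.slice(0, 50) + (SAMPLE_KEY[50] === 'A' ? 'B' : 'A');
const SAMPLE_BLOCK = { transactions: [
  { operations: [['comment', { author: 'alice', body: `oops\n${SAMPLE_KEY} (not ${LOOK_ALIKE})` }]] },
  { operations: [['transfer', { from: 'alice', to: 'bob', memo: SAMPLE_KEY }]] },
] };
```

The checksum test is what removes strings that merely look like keys, and the shared `seen` set is what suppresses the same key being reported again from a later operation or block.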

Here is a (not too accurate) history of the activities performed for this bot development so far and some future plans:

Feasibility study (Sprint 0):
✔️ Initial analysis (lots of reading and sketching)
✔️ Proof of Concept (POC) development
Feasibility test with 1000 blocks to estimate how long it would take to scan the whole blockchain
Total mining time: 39 000 000 blocks / (60 * 60 * 24) days / 30 req per s = ~15 days.
✔️ Further analysis, planning.

Development (Sprint 1):
✔️ Split the load across multiple instances of the blockchain scanner
✔️ Improved parallelism
✔️ Improved unhappy paths handling
✔️ Manual testing, bug fixes
✔️ Refactoring, Unit Testing for basic coverage
✔️ Stats collection (counters, blocks explored / h, avg time, ..)
✔️ Added support for additional runtime parameters

Development (Sprint 2):
✔️ Removed browser support
✔️ Results storage and backup
✔️ Refactoring, Unit Testing
✔️ Bug fixes: e.g. why it can't detect a key if given only 3 blocks. It was able to; it was just a race condition in the block counter telling me the key was in some other block id.
✔️ End 2 end timer for private key detection
✔️ Last block poller and integration with existing scanner
✔️ Added retry mechanism for block failed reads
✔️ Automatically reset master keys

Successful Releases:

✔️ RELEASE 1: STEEM Blockchain history scanner - part 1
✔️ RELEASE 1.1: history scanner - part 2 (remaining 30 million blocks)
✔️ RELEASE 2.0a: Live scanner for detection of all private keys + recovery of MASTER keys

  • ...


[...] Automatically move funds to savings for Active keys
[...] Auto-publish disclosures posts
[] Auto-reply/transfers
[] Improve logging
[] Beta testing
[] Monitor dead accounts and burn their RC if abused - checked through daily scheduler
[] Auto-publish weekly report with live scanning stats
[] Re-execute partial scans for failed block reads during full chain scan
[] Investigate valid keys without author in old generated reports
[] Improve monitoring of the bot activities
[] AWS Lambda as sanity check publishing testing account private posting key daily. Email/SMS if fails.
[] Automated Unit and Integration Tests
[] Basic UI?
[] Charts about steem blockchain usage (re-using RabbitMQ charts)
[] Additional abuse checks: eg. savings withdrawal with same leaked active key, pending power down checks, ..
[] Additional wallet transfer as reminders?
[] ... lots more !!

Next Post Candidates:

  • How many times in the STEEM blockchain history users accidentally leaked their keys and then reset them
    (spoiler: many!!)
  • Testing results (with KPI metrics)
  • Development update + # of new keys detected

That's all for today folks! Take care!   =]


It sounds like a nice project. I just don’t understand how you figured this happened that often. What kind of person leaks their private keys?

Hi @xmauron3,
Thanks for passing by.   =]

As I explained in my first article about this topic, I started thinking about this when after reporting a phishing attack on steemit I started reading more about security issues on Steemit and came across this post with $ 7500 payout that gave me the idea.

I then verified that Steemit now displays an error when you accidentally paste a private key but other apps don't and future dapps may forget to as well.

Here is my latest update:

Right after I posted that, someone indeed accidentally leaked his private active key.. 🙈

So yes, it's quite common. Right now (with not that many active users) it happens about once a week I would say.


Unique work!

@tipu curate
