How Drainer Live Map works — and doesn't

The classifier, the data source, the honest limits, and the v0 → v1 roadmap. Methodology is git-reviewable. Every claim on this page is either shipping code or a disclosed gap.

🟡 v0 shipped · confirmed-tx flags only · pre-confirm warning is v1

⚠ The single most important disclosure

v0 flags transactions after they're included in a block. It does not warn you before you sign — that capability needs a self-run Reth mempool node (tracked as v1 on our internal roadmap). If you need a pre-sign guardrail today, use a wallet-approval-simulation extension. Drainer Live Map's purpose in v0 is public auditable forensics + an honest on-ramp for the v1 warning system.

The classifier, end to end

The classifier is a pure Go function that takes two arguments per transaction — the recipient address and the hex calldata — and returns a flag decision. The logic is source-available under NDA for customers and auditors; methodology is summarised in full on this page. Three rules in v0:

Rule 1 — known-drainer address. If the transaction's to address is in our hardcoded known-drainer registry (~10 families, ~30 addresses at launch), we flag with high confidence and attach the family name + the public provenance note.
Rule 2 — unlimited approve pattern. If the calldata is an ERC-20 approve(spender, maxUint256) to a non-registry contract, we flag with medium confidence and note the pattern. v0 keeps rule 2 narrow deliberately — a wider rule set means higher false-positive rate on launch week, which means lower trust.

Everything else is out of scope for v0. Permit2 typed-data signatures (off-chain) are detected by the Shield extension pre-sign, not by this confirmed-tx feed.

Data source (v0)

Every 15 seconds, a Go poller calls eth_blockNumber + eth_getBlockByNumber against a free public RPC endpoint (https://eth.llamarpc.com by default; operators can set DRAINERS_ETH_RPC_URL to point at any other JSON-RPC). For every transaction in every new block, it runs the classifier and persists hits.

The poller is supervised as a background goroutine inside the Zoza products gateway. Stats are exposed at /v1/stats so a watchdog or a curious user can verify the poller is alive, how far behind the chain tip it is, and whether it has hit any errors.

Data source (v1, planned)

For pre-confirm warnings, the classifier has to see transactions while they're pending in the public mempool — before miners include them in a block. That requires a node that exposes eth_subscribe to newPendingTransactions, which public RPCs generally don't. The scoping doc covers the four real options:

Self-run Reth (recommended; ~$600/mo VPS). Full public-mempool coverage, full redistribution rights, verifiable latency claims.
Blocknative Standard ($399/mo). Managed vendor feed; faster to ship, TOS around redistribution to a public dashboard is grey.
Flashbots MEV-Share (free). Opt-in hints only; partial coverage by design.
Alchemy / Infura / Chainstack. Cheapest commercial option but redistribution TOS is even greyer than Blocknative.

We'll start with self-run Reth because we want the viral tweet to survive fact-check — "every public-mempool tx we saw" is defensible only when we own the pipeline.

The 10 attack classes against Drainer Live Map itself

A public flag feed is itself an attack surface. Below is the honest list, each with what v0 does today and what's deferred.

Class	Example	v0 defense
Drainer-tx impersonation — attacker crafts txs that slip past our classifier	Pocket Universe false-negative history; published MEV-evasion papers	⚠ Partial. v0 has only 2 rules; expect <100% recall. We publish weekly FN rate against a curated ground-truth set.
Mempool DoS — spam drainer-looking pending txs to drown real alerts	2023 MEV-bot spam waves	⚠ Deferred to v1 (no mempool surface today). v0 scans confirmed blocks only, so spam must actually pay gas to land.
Label poisoning — attacker registers look-alike names to confuse our entity labels	Etherscan fake-labels	✓ Registry is hardcoded in git, not crowd-contributed. Every addition has to land in a signed commit.
Classifier overclaim — we flag benign txs, users panic	Permit2 looks drainer-adjacent in UX	✓ Rule 2 deliberately narrow. FPR published per week.
Exchange takedown — a flagged CEX deposit address demands removal	Binance/Coinbase public-blocklist disputes	✓ We flag contracts, not deposit addresses. CEX deposit addresses are out of v0 scope entirely.
Zero-day drainer — new pattern we have no rule for	Ledger Connect Kit supply-chain attack Dec 2023	❌ Honest gap. v1 adds a "suspicious unclassified" anomaly queue for human review.
Confirmation-timing spoof — private bundles evade our visibility	Flashbots private-tx volume	✓ v0 only claims to flag confirmed txs — private-bundle visibility is a v1 promise we won't make until we measure it.
Sybil on flagged addresses — attacker brigades innocent projects	ScamSniffer community-report brigading	✓ Only our classifier flags. No user-submitted flags in v0.
DNS / CDN compromise	Historical Cloudflare incidents	⚠ Dashboard lives on zoza.world (Cloudflare Pages). Classifier is on Fly (no CDN). Daily Merkle-hash of dashboard is planned v1.
Regulatory (OFAC) — do we "transmit" SDN-listed addresses by flagging them?	Tornado Cash sanctions 2022	⚠ v0 registry contains no SDN-listed addresses. Legal review required before adding any.

Real-world conditions checklist

Network lossy. Dashboard polls + SSE reconnect are exponential-backoff. Works on 2G after first load.
Mobile. Responsive dashboard. No mobile warning integration in v0 — the Shield extension is desktop-only by definition.
Partial compromise. Classifier logic is in git; a silent edit shows in the commit history. Registry changes require human approval.
User coerced. Out of scope. Drainer Live Map protects against tricked approvals, not coerced ones.
Key leak. No private keys in this service; deploy-key compromise can't re-sign git history.
Regulation. No PII, no user accounts, all data is public-chain. DPDP/GDPR: nothing to process. OFAC: see above.

What's NOT built in v0

Mempool watcher — v1, needs self-run Reth.
Chrome-extension pop-up warning — v1, will piggyback on the existing Shield extension, not a new install.
L2 support (Base / Arbitrum / Optimism) — v1.
Solana support — v2.
USD-value oracle per flagged tx — v0 reports raw wei / token amount; dashboard formats ETH only.
User-submitted flags or review queue — v2.
Postgres persistence — v0 is in-memory on the gateway. Flags older than ~2,000 entries are dropped. Historical replay is v1 (moves to Postgres + audit log).
Hash-chained audit log of classifier rule changes — v1.
Weekly published false-positive rate — v1 (needs a ground-truth set first).
Warrant canary — v1 (shared root Ed25519 key with other Zoza products).

API reference (v0)

Base URL and SDK endpoints are published to pilot customers under NDA. A branded public subdomain (drainers-api.zoza.world) and an open package — coming soon. CORS is wide open — once you have the base URL you can consume from any browser.

Endpoint	Returns
`GET /health`	`{status,service,version}`
`GET /v1/flags?limit=200`	Recent flags, newest first. Max 2000.
`GET /v1/known`	Hardcoded known-drainer registry with provenance notes.
`GET /v1/stats`	Poller health — last block scanned, poll duration, error count.
`GET /v1/live` (SSE)	Server-Sent Events stream of new flags. `event: flag` per message.

Example — subscribe in 6 lines of JS

const es = new EventSource(ZOZA_DRAINERS_API + '/v1/live');
es.addEventListener('flag', (e) => {
  const f = JSON.parse(e.data);
  console.log('drainer tx:', f.tx_hash, f.drainer_name, f.reasons);
});

ZOZA_DRAINERS_API is provided at onboarding. A branded public subdomain is coming soon.

Known-drainer registry

v0 ships with ~10 drainer families / ~30 contract addresses. Each entry has a public-source provenance note attached. Additions are git commits — you can git blame any entry back to the commit that added it.

Full list: open the live feed dashboard and tap "Known-drainer registry" for an inline view.

Upgrade path — the v1 plan

Week 1: self-run Reth node on a Hetzner / Fly Enterprise VPS. ~$600/mo.
Week 2: swap the confirmed-block poller for a txpool_content/eth_subscribe mempool stream feeding the same classifier.
Week 3: Shield extension WebSocket subscription + overlay warning before the user taps Approve.
Week 4: measure real pre-confirm lead-time distribution for a full week. Tweet with real numbers. If the distribution is boring (e.g. median 12s), tweet it anyway — the honest-numbers story is the brand.

Full plan available to customers and auditors under NDA — email hello@zoza.world.

Contact & corrections

Think our classifier has a false positive in the feed? Email security@zoza.world with the tx hash and the reason. Valid corrections land in a git commit — no silent de-flagging.

Think our classifier missed a real drainer? Same email. If it's in scope for v0's two rules, we'll add the address to the registry with your name credited in the commit message (if you want credit; anonymous also fine).