Getting Started

🎉 Welcome to the MetaSleuth User Manual! 🎉

MetaSleuth is a comprehensive platform designed to track and investigate on-chain assets, catering to diverse analysis needs. To facilitate a quick start with this tool, we have included four key topics in the "Getting Started" section:

  1. Start by a Simple Search: Quickly find specific addresses or transactions using the search function to access relevant data and insights.

  2. Start by a Shared Chart: Collaborate and build upon existing visualizations by exploring shared charts created by other users.

  3. Understand the concept of nodes, which represent entities such as addresses or contracts within the blockchain network.

  4. Learn about edges, which illustrate the relationships and transactions between nodes, providing context to the data you analyze.

What are Nodes?

The fund flow in MetaSleuth consists of nodes and edges, where the "nodes" represent addresses on the blockchain, also referred to as wallets or accounts.

There are two types of nodes on the MetaSleuth canvas:

  1. Standard Address Nodes: These are displayed as rounded rectangles.

  2. Resolvable Bridge Nodes: These are represented as octagons.

Address Nodes

Address nodes on the canvas typically have two states.

  • Reading State: The default state of the node, shown on the left, which provides only readable information.

  • Analyzing State: The state that appears on the right when you hover your mouse over the node, offering various analysis functions.

In addition to the two basic states mentioned above, you may also see various useful icons on the nodes (as shown in the image below). We will introduce these icons one by one.

Icons and Labels (meaning, and whether each is actionable)

  • Common tool links: These links allow you to quickly jump to the details page for the current address on the respective platform. Clicking on them will provide you with more information about the address's activities and status. Actionable: No.

  • Incomplete Data Indicator: This indicates that the data for the current address is incomplete. Analysts requiring full data integrity should take note and may need to use additional methods to obtain complete information. Actionable: No.

  • Risk Indicator: This indicates that the address is associated with risky behavior, and users should be cautious when interacting with it. Specific risk details can be found in the address panel. Actionable: No.

  • Analyze Button. Actionable: Yes. Clicking the Analyze button initiates a detailed analysis of the current address.

  • Analysis Completed. Actionable: No. Completion of the analysis indicates that the basic analysis is finished. Users can still perform additional analyses, such as Advanced Analyze or Load More to access further data.

  • Advanced Analyze Button. Actionable: Yes. Clicking the Advanced Analyze button enables you to perform a detailed analysis of the current address, allowing you to specify parameters such as token type, time frame, and amount.

  • Private Label (Edit Address Label). Actionable: Yes. Users can add or modify a label for an address, which will be stored as a private label in their user data.

  • Delete Address Node. Actionable: Yes.

  • Unidirectional Analysis. Actionable: Yes. Click the button on the left side of the node to analyze the source of funds, and click the button on the right side to analyze the destination of funds.

  • Blockchain. Actionable: No.

  • Entity logo: When an address is associated with an entity that has a logo, the entity's logo will be displayed on the node. This helps to visually identify the organization or project linked to that address. Actionable: No.

  • Address Info. Actionable: No.

  • Address label: Address labels are displayed in the following order: user private labels > BlockSec labels. If neither is available, no label will be shown. Actionable: No, but the user can use it to edit.

Bridge Node

When MetaSleuth identifies that an asset transfer likely involves cross-chain activity, it links that transfer to a bridge node. The specifics of the interaction address, including the chain, address, and label, are omitted, and instead, a bridge logo and name are used to represent it.

Clicking on a bridge node allows you to view the specific interactions, including detailed asset transfers, transactions, and the bridge address involved. You'll also see a Track button; clicking this will enable MetaSleuth to automatically analyze the cross-chain destination of the funds.

Start by a Simple Search

On-chain investigations serve various purposes. You might be a law enforcement officer tracing illicit funds, a compliance officer assessing a user's financial risk, or an investor checking for potential issues with a project. You may also need to investigate a fraudulent transaction to track where your money went. In any case, the analysis always starts with an address or a transaction.

Open MetaSleuth

Using MetaSleuth requires no preparation. Simply visit our website at metasleuth.io. You don’t even need to register or log in; you’ll find the analysis entry point right away—just a simple input box.

You can enter an address, transaction hash, or ENS domain name. If you're unsure what to search for, click the search box to see popular addresses and choose one to start.

Search for an Address

If you enter an address, wait about 1 second for a dropdown box to appear, showing all the chains where the address has been active. Click on the chain you want to analyze to view the fund flows associated with that address.

For example, if you search for 0x0629b1048298ae9deff0f4100a31967fb3f98962 and select Arbitrum, you can view the fund flow of the Radiant Capital Exploiter on that chain. Note that not all fund transfers will appear on the canvas for readability. To explore what information you can access via the Analyze feature, visit the Trace Funds - Analyze section.

Search for a Transaction

If you enter a transaction hash, the dropdown will typically show only one result (assuming the hash is correct). Clicking on it will reveal all the fund flows associated with that transaction. For example, try entering 0x7856552db409fe51e17339ab1e0e1ce9c85d68bf0f4de4c110fc4e372ea02fb1, which is an attack transaction from the Radiant Capital hack event.

When you enter a transaction, MetaSleuth will display all asset transfers that occurred within that transaction. In this case, the attacker drained several pools from the project, so you will see funds coming from multiple addresses into the attacker's address.

Start by a Shared Chart

Sometimes, you may receive a MetaSleuth analysis result shared by someone else, such as this link. In MetaSleuth, these links are referred to as Shared links. They allow users to view and edit the canvas associated with the shared analysis.

View a Shared Canvas

A shared canvas is essentially a snapshot of the analysis results provided by the sharer. When you open a shared link, you see the state of the entire canvas as it was when the link was created. You can click on the edges and nodes to view details, as well as check the sharer's notes. However, keep in mind that this is just one analysis result and does not represent the complete picture.

Clicking on an address node will display details such as the address label, associated tags, risk score, asset balance, and on-chain interactions. It's important to note that the asset transfers shown are only those selected by the sharer to be displayed on the canvas. To view a more comprehensive set of asset transfers, you will need to unlock the canvas for re-analysis.

Clicking on the edge will show you the asset transfer between the two nodes. Similarly, only the content selected by the sharer will be displayed here.

Edit the Canvas

If you find the shared content valuable and want to continue your analysis, you can unlock the canvas for editing and then save it. Your edits will not sync back to the original sharer.

Unlocking is straightforward—just click on the "Start Editing" button in the top left corner.

Generally, the unlocking process is smooth, but sometimes you may encounter a prompt asking if you want to keep some of the sharer's private tags. If you're an experienced MetaSleuth user, you might want to consider which tags are valuable to retain. If you're a beginner, just select "Import"!

For more information about Private Labels, you can visit the Save and Share - section.

Make Your Work More Readable

What are Edges?

In MetaSleuth, edges represent the relationships between the connected nodes (addresses). Currently, there are three types of relationships displayed:

  • Standard Asset Transfer: The most common relationship type, indicating the flow of assets between two addresses.

  • Contract Creation Relationship: Represents the relationship between a contract creator and the created contract, labeled as 'Contract Creation'.

  • Cross-Chain Asset Transfer: This relationship indicates fund interactions between a standard address node and a cross-chain bridge node, typically suggesting that the funds have been transferred across chains. Users can further explore the source and destination of the funds using the InterChain Tracer feature.

In the example provided below, we can simultaneously observe these three types of relationships.

Next, let's examine the information contained in a standard asset transfer edge.

In the example below, the edge from the node Euler Finance Exploiter 2 (0xb66cd) to KyberSwap Exploiter (0x50275e) indicates that Euler Finance Exploiter 2 sent 0.110 Ether to KyberSwap Exploiter.

Please note that MetaSleuth consolidates asset transfers of the same direction and type between two addresses into a single edge. Therefore, an edge does not represent a single transaction.

To see more details about an edge, click on it to open the , then select Detail to view all transaction information.

In the transaction list, you can see that the Euler Finance Exploiter 2 has made two transactions, transferring a total of 0.111 Ether to the KyberSwap Exploiter.

Edge Colors

Edges are typically gray by default, but to help distinguish different asset transfers, MetaSleuth uses the primary color of the major tokens' icons from each chain as the edge color. This aids users in better understanding the asset flows.

Users can modify edge colors in two ways:

  • Change the Color of a Single Edge: Click the canvas icon on the edge.

  • Change Color for All Edges of a Token: To modify the color of all edges representing a specific token, go to the Token Filters panel in the top left corner. Click the color circle next to the token you wish to change. After selecting your desired color, all edges associated with that asset will update to the new color.

Edge Labels

Edge labels consist of three parts:

  1. Index: All edges are sorted by the displayed time, with a smaller index indicating an earlier occurrence.

  2. Time: The earliest timestamp of all transactions included in the edge (the time of the earliest transaction).

  3. Transfer Amount: The total amount of asset transfers represented by the edge (for the selected transactions displayed on the canvas), along with the token symbol.
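
The consolidation rule and the three label parts described above, sketched in Python as an added example (this is not MetaSleuth's code). It assumes that "type" means the token and that time and amount are computed over the transfers selected for the canvas; the Transfer fields, the on_canvas flag, the label layout, and the sample data are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timezone
from decimal import Decimal
from typing import NamedTuple

class Transfer(NamedTuple):
    tx_hash: str
    sender: str
    receiver: str
    token: str
    amount: Decimal
    timestamp: int          # Unix seconds, UTC
    on_canvas: bool = True  # assumption: transfer is selected for display

def build_edges(transfers):
    """Merge transfers with the same direction and token into one edge each."""
    groups = defaultdict(list)
    for t in transfers:
        groups[(t.sender, t.receiver, t.token)].append(t)  # direction matters
    edges = []
    for (sender, receiver, token), txs in groups.items():
        shown = [t for t in txs if t.on_canvas]
        if not shown:
            continue  # nothing selected, so no edge is drawn
        edges.append({
            "from": sender, "to": receiver, "token": token,
            "time": min(t.timestamp for t in shown),               # earliest transfer
            "amount": sum((t.amount for t in shown), Decimal(0)),  # displayed total
            "tx_hashes": [t.tx_hash for t in txs],                 # full transaction list
        })
    edges.sort(key=lambda e: e["time"])  # smaller index = earlier occurrence
    for index, edge in enumerate(edges, start=1):
        edge["index"] = index
    return edges

def label(edge):  # index, time, amount + symbol; the layout is illustrative
    when = datetime.fromtimestamp(edge["time"], tz=timezone.utc)
    return f"[{edge['index']}] {when:%Y-%m-%d %H:%M} {edge['amount']} {edge['token']}"

# Constructed sample data (placeholder addresses and hashes, not real on-chain activity).
SAMPLE = [
    Transfer("0xtx1", "addr_A", "addr_B", "ETH", Decimal("1.5"), 1700000600),
    Transfer("0xtx2", "addr_A", "addr_B", "ETH", Decimal("0.25"), 1700000000),
    Transfer("0xtx3", "addr_B", "addr_A", "ETH", Decimal("0.1"), 1700000300),
    Transfer("0xtx4", "addr_A", "addr_B", "USDT", Decimal("500"), 1700000900),
    Transfer("0xtx5", "addr_A", "addr_B", "USDT", Decimal("20"), 1700000100, on_canvas=False),
]

if __name__ == "__main__":
    print(*(label(e) for e in build_edges(SAMPLE)), sep="\n")
```

In this sketch the USDT edge is labeled 500 while its transaction list holds two transfers, so an edge label can differ from the sum of the full list when not every transfer is selected for display.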

Edge panel