Test Cases
Automated compliance and risk assessment rules that run against on-chain data to surface findings.
Overview
Test cases are the compliance backbone of ChainGraph. Each test case is a rule that queries chain data looking for specific patterns — sanctioned address interactions, structuring behavior, mixer usage, and more. When a pattern matches, a finding is created with a severity level.
How test cases work
- A scheduler runs enabled test cases on a configurable interval (default: every hour)
- Each test case executes one or more queries against ClickHouse or Memgraph
- Results that match the rule criteria become findings
- Findings are stored in the database with severity, details, and affected addresses
- Users are notified of new findings based on their notification preferences
Built-in test cases
ChainGraph ships with 25 pre-built compliance test cases:
Sanctions & Compliance
- OFAC Sanctions Check — direct interaction with OFAC-listed addresses
- Indirect Sanctions Exposure — 2-hop proximity to sanctioned addresses
- Mixer Interaction — interaction with known mixing services
- High-Risk Jurisdiction — transfers to/from addresses associated with high-risk jurisdictions
Transaction Patterns
- Structuring Detection — multiple transfers just below reporting thresholds
- Rapid Fund Movement — funds received and forwarded within minutes
- Round-Trip Transfers — circular fund flows (A→B→C→A)
- Dormant Account Activation — sudden activity from long-inactive addresses
DeFi & Protocol
- Flash Loan Usage — potential flash loan attacks
- MEV Activity — sandwich attacks, frontrunning patterns
- Bridge Hop — rapid bridge-out after receiving funds
- Token Approval Exploit — suspicious unlimited token approvals
Behavioral
- Unusual Volume Spike — transfer volume far above historical average
- New Counterparty Clustering — sudden increase in unique counterparties
- Whale Movement — large transfers above configurable thresholds
Severity levels
| Severity | Description | Action |
|---|---|---|
| Critical | Direct sanctions violation or confirmed fraud | Immediate review |
| High | Probable compliance issue or high-risk pattern | Review within 24h |
| Medium | Suspicious pattern requiring investigation | Review within 1 week |
| Low | Informational or minor anomaly | Periodic review |
Custom test cases
Enterprise users can create custom test cases using SQL or Cypher queries. Custom test cases follow the same scheduling and findings workflow as built-in ones.
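As an added example (not ChainGraph's own code), the block below expresses Structuring Detection as a SQL rule whose result rows become findings, following the query-to-finding workflow described above. The `transfers` table and its columns, the threshold parameters, the finding fields and the severity mapping are assumptions, and an in-memory SQLite database stands in for ClickHouse.

```python
import sqlite3

# Assumed parameters, not ChainGraph defaults.
THRESHOLD = 10_000    # reporting threshold in USD
LOW = 9_000           # "just below" means within 10% under the threshold
WINDOW = 86_400       # look-back window in seconds (24h)
MIN_COUNT = 3         # near-threshold transfers needed to flag a sender

# Hypothetical schema: transfers(tx_hash, from_addr, to_addr, usd_value, ts)
RULE_SQL = """
SELECT from_addr, COUNT(*), SUM(usd_value), GROUP_CONCAT(tx_hash) FROM transfers
WHERE usd_value >= :low AND usd_value < :threshold AND ts > :now - :window
GROUP BY from_addr
HAVING COUNT(*) >= :min_count AND SUM(usd_value) >= :threshold
ORDER BY from_addr
"""

def run_structuring_rule(conn, now):
    """Run the rule query; each matching row becomes one finding."""
    params = {"low": LOW, "threshold": THRESHOLD, "now": now,
              "window": WINDOW, "min_count": MIN_COUNT}
    return [{"test_case": "Structuring Detection",
             "severity": "medium",   # assumed mapping for this rule
             "status": "open",
             "affected_addresses": [addr],
             "details": {"transfers": n, "total_usd": total,
                         "tx_hashes": sorted(txs.split(","))}}
            for addr, n, total, txs in conn.execute(RULE_SQL, params)]

def sample_db():
    """Constructed transfers; 'now' for this sample is ts=200_000."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (tx_hash, from_addr, to_addr, usd_value, ts)")
    conn.executemany("INSERT INTO transfers VALUES (?,?,?,?,?)", [
        ("t1", "0xaaa", "0xe01", 9500, 190_000),   # three near-threshold
        ("t2", "0xaaa", "0xe02", 9800, 195_000),   # transfers inside 24h
        ("t3", "0xaaa", "0xe03", 9900, 199_000),
        ("t5", "0xccc", "0xe01", 9500, 10_000),    # two outside the window
        ("t6", "0xccc", "0xe01", 9500, 20_000),
        ("t7", "0xccc", "0xe01", 9500, 199_000),
        ("t8", "0xddd", "0xe01", 10_500, 199_000), # above threshold
        ("t9", "0xddd", "0xe01", 10_500, 199_500),
        ("t10", "0xddd", "0xe01", 10_500, 199_900),
    ])
    return conn

if __name__ == "__main__":
    for finding in run_structuring_rule(sample_db(), now=200_000):
        print(finding)
```

Only `0xaaa` is flagged: `0xccc` has too few transfers inside the window and `0xddd` transfers above the threshold, so neither matches "just below".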
Findings
View all findings in the Findings section. Each finding includes:
- The test case that generated it
- Severity level
- Affected addresses
- Transaction details
- Timestamp and status (open, reviewing, resolved, false positive)