7Block Labs
Contact Us
Blockchain Analytics

ByAUJay

RFP Questions for Blockchain Analytics Tools: 30 Must-Ask Items

Description: Selecting a blockchain analytics platform now means vetting cross-chain coverage, sanctions-readiness, L2/L3 decoding, and MEV-aware forensics—not just Bitcoin graphs. Use these 30 concrete questions (with examples and evaluation tips) to run a rigorous, modern RFP.

Why this list now

  • Regulators are tightening expectations on sanctions screening and Travel Rule implementation while expanding guidance; FATF’s 2024 update called out slow Travel Rule adoption, and in June 2025 FATF streamlined Recommendation 16 data requirements to improve cross-border transparency. (fatf-gafi.org)
  • OFAC continues to list virtual currency addresses and sanction mixers (e.g., Sinbad, Nov 29, 2023), which requires near-real-time screening and robust lookback methods. (ofac.treasury.gov)
  • Illicit activity is shifting chains (not disappearing): TRM’s 2025 data shows TRON carried the largest share of illicit volume in 2024 (58%), with much of it in stablecoins—demanding analytics beyond Ethereum/Bitcoin. (trmlabs.com)
  • Ethereum’s account abstraction (ERC‑4337) and L2 blobs (EIP‑4844) change how wallets transact and how rollup data is stored—your tool must decode smart accounts and preserve ephemeral L2 data. (eips.ethereum.org)
  • OP Stack “Superchain” L2s (Base, OP Mainnet, and others) are converging under shared standards and interop; analytics must understand this topology and governance-driven upgrades. (docs.optimism.io)

Use this RFP as a checklist. For each item, we include why it matters and what “good” looks like.

Section A — Chain, Token, and Protocol Coverage (Ask 1–6)

  1. Which chains and assets do you support today—and how fast do you add new ones?
  • Why it matters: Criminal flows follow low-fee chains and stablecoins (e.g., TRON USDT). Your vendor should already support TRON, Solana, and new OP Stack L2s. (trmlabs.com)
  • What good looks like: Publicly documented chain count with recent additions (e.g., vendors advertising 90–100+ chains and hourly refresh for new chains like Linea, Mantle). Ask for a dated changelog. (trmlabs.com)
  1. Depth of token support across networks
  • Why it matters: Many stablecoins (USDT, USDC, DAI) run on multiple chains; screening must be token‑aware across EVM and non‑EVM ecosystems. (developers.elliptic.co)
  • What good looks like: A published matrix of token coverage per network (including TRC‑20, SPL on Solana) and an ETA/SLA for new token listings.
  1. L2 and L3 rollup literacy (OP Stack, Base, Arbitrum, zkSync, Scroll, Linea, Blast, etc.)
  • Why it matters: OP Superchain aims for shared bridging, governance, and 1‑block interop; analytics must attribute funds across OP Chains reliably. (docs.optimism.io)
  • What good looks like: Native rollup decoding; awareness of Superchain Registry; support for synchronized upgrades and chain metadata mappings. Request proof they ingest the Superchain Registry. (docs.optimism.io)
  1. Solana and SVM specifics
  • Why it matters: Solana’s Sealevel parallel runtime, program accounts, and Jito MEV infrastructure require specialized parsers and MEV-aware heuristics. (spl.solana.com)
  • What good looks like: Decoding SPL program events, support for block-engine bundles where relevant, and documented handling of sandwich attack telemetry sources. (jito.wtf)
  1. DeFi, DEX routers, bridges, and cross‑chain swaps
  • Why it matters: Bridges are persistent targets and cross‑chain laundering routes; your tool must reconstruct pathing through DEXes and bridges across chains. (chainalysis.com)
  • What good looks like: Automatic recognition of bridge contracts, LP routers, and aggregators; normalized “hop” semantics across chains; exploit labeling for past bridge incidents.
  1. NFT and real‑world asset protocols
  • Why it matters: Fraud, wash trading, and sanctioned party evasion can hide in NFTs and RWAs.
  • What good looks like: Collection-level labeling, wash-trade heuristics, marketplace attribution, and compliance-oriented risk flags for NFT flows.

Section B — Data Freshness, Accuracy, and Methodology (Ask 7–12)

  1. End‑to‑end data latency SLOs
  • Why it matters: Sanctions screening should react to new designations within minutes; investigations need near‑real‑time graphs.
  • What good looks like: Vendor commits to ingestion and attribution update windows (e.g., block‑to‑graph latency targets and sanctions “time‑to‑list” SLOs).
  1. Ground‑truth attribution standards
  • Why it matters: “Who owns this cluster?” is the core; ask how they confirm ownership (e.g., merchant test deposits, operator disclosures) versus heuristic inference. See examples of “ground‑truth” methodologies. (chainalysis.com)
  1. Heuristic transparency and false‑positive controls
  • Why it matters: Common-input (multi‑input) and change‑address heuristics break under CoinJoin/PayJoin. You need explicit detection and suppression of misleading clusters. (mdpi.com)
  • What good looks like: CoinJoin classifiers, PayJoin detectors, confidence scoring per link, and “evidence audit trails” you can show regulators.
  1. EIP‑4337/Account Abstraction decoding
  • Why it matters: Smart accounts (UserOperations, EntryPoint) change wallet behavior and fraud patterns; analytics must decode bundlers, paymasters, and smart wallet flows. (eips.ethereum.org)
  • What good looks like: First‑class support for UserOperation traces, EntryPoint events, and smart‑wallet entity resolution.
  1. EIP‑4844 blob awareness and L2 data retention
  • Why it matters: Blob data is ephemeral and not accessible to the EVM; analytics should archive and reconcile rollup “blob” payloads (or equivalent proofs) for long‑term investigations. (eips.ethereum.org)
  • What good looks like: Clear strategy for capturing, indexing, and retaining L2 batch metadata and call data tied to blobs; documented fallback sources.
  1. Historical backfill and reorg policy
  • Why it matters: Reorgs and retroactive bug fixes happen; defense teams need immutable snapshots and reprocessing plans.
  • What good looks like: Versioned data snapshots, deterministic reprocessing with change logs, and “diff” APIs for auditors.

Section C — Sanctions, AML/CFT, and Policy Alignment (Ask 13–18)

  1. Sanctions list ingestion (OFAC, EU, UN) and wallet address handling
  • Why it matters: OFAC includes digital currency addresses and expects robust screening and lookbacks. (ofac.treasury.gov)
  • What good looks like: Automated ingestion of SDN updates; watchlist versioning; automatic backfill queries when new addresses are added.
  1. Typologies tuned to today’s risks
  • Why it matters: TRON‑based stablecoin flows and sanctioned actors dominate illicit share in 2024; rules must reflect this reality. (trmlabs.com)
  • What good looks like: TRC‑20 heuristics, stablecoin issuer freeze event detection, and cross‑jurisdiction sanctions evasion patterns.
  1. Mixer and obfuscation service detection
  • Why it matters: OFAC sanctioned Sinbad for DPRK laundering; tools must identify successor services and copycats. (home.treasury.gov)
  • What good looks like: Service‑level clustering of mixers, peel chains, peel‑recombines, and alerts for mixer influx/outflux patterns.
  1. Travel Rule alignment and data handoff
  • Why it matters: FATF’s latest updates push for consistent sender/receiver info in payments; analytics should map VASP flows to Travel Rule payloads. (fatf-gafi.org)
  • What good looks like: APIs to enrich originator/beneficiary risk signals; connectors to Travel Rule providers; auditing of payload ↔ on‑chain reconciliation.
  1. Privacy coin stance and limitations
  • Why it matters: Monero’s RingCT, stealth addresses, and ring signatures severely limit tracing; vendors must document capabilities and boundaries. (web.getmonero.org)
  • What good looks like: Heuristic coverage for off‑ramps, decoy detection caveats, and exchange‑centric workflows rather than false precision.
  1. Casework standards and sharing protocols
  • Why it matters: Incident intel must be shared responsibly (e.g., TLP 2.0) and machine‑readably (STIX/TAXII). (first.org)
  • What good looks like: Native TLP labels in cases; STIX/TAXII exports of entities, indicators, and sightings; role‑based sharing.

Section D — Investigations, MEV, and Cross‑Chain Forensics (Ask 19–24)

  1. Cross‑chain tracing with bridge/DEX hops
  • Why it matters: Bridging is a top attack surface and laundering vector; tools must show “end‑to‑end” provenance even after swaps. (chainalysis.com)
  • What good looks like: A unified path view that merges L1, L2, and non‑EVM chains with labeled bridges/routers and rate‑limited hop expansion.
  1. MEV‑aware analytics (Ethereum, Solana)
  • Why it matters: MEV bundles and sandwich attacks distort pricing and may signal predatory bots or victim flows; decoding builders/relays adds context. (docs.flashbots.net)
  • What good looks like: Recognition of private orderflow (e.g., MEV‑Boost, builder IDs) and Solana Jito bundle context; optional integration with MEV telemetry vendors.
  1. Smart‑contract exploit playbooks
  • Why it matters: When a protocol is drained, investigators need templated graphs: attacker funding, exploit tx, laundering, mixer/exchange off‑ramps.
  • What good looks like: One‑click “exploit graph template” with entity overlays and conversion to subpoenable endpoints.
  1. Stablecoin issuer events and freezes
  • Why it matters: Many illicit flows end in frozen stablecoins; tools should detect freeze/mint/burn events and reissues to victims/governments. (trmlabs.com)
  • What good looks like: Flags for blacklisted funds, reissuances, and reconciliation against issuer announcements.
  1. On‑chain identity growth and smart wallets
  • Why it matters: Post‑4337 smart accounts can add guardians, session keys, and batched ops; trace deviations from EOA patterns to catch drains or fraud. (eips.ethereum.org)
  • What good looks like: Alerts on anomalous paymaster usage, unusual UserOperation patterns, and guardian changes.
  1. Evidence management and chain‑of‑custody
  • Why it matters: Successful prosecutions depend on defensible exports.
  • What good looks like: Signed reports (e.g., PDF + JSON), cryptographic hashes of evidence exports, immutable case timelines, and role‑based access.

Section E — Security, Compliance Posture, and Deployment (Ask 25–28)

  1. FedRAMP, SOC 2, and government readiness
  • Why it matters: If you work with public sector or highly regulated clients, authorizations matter. TRM Labs publicly announced FedRAMP Moderate in Sept 2024 and High in Dec 2024; ask all vendors where they are on the FedRAMP path. (globenewswire.com)
  • What good looks like: FedRAMP Authorized (Moderate/High) or In‑Process status evidence, marketplace listing link, and security packages available under NDA.
  1. Data residency and private deployments
  • Why it matters: Some teams require sovereign hosting or air‑gapped analysis.
  • What good looks like: Options for dedicated VPCs, on‑prem extracts, or offline evidence viewers with update workflows.
  1. Audit logging, legal hold, and privacy controls
  • Why it matters: You’ll need immutable audit logs for regulator exams and court.
  • What good looks like: Tamper‑evident logs, SSO/SAML/OIDC, fine‑grained RBAC, field‑level masking for PII, and retention policies with holds.
  1. Vendor vulnerability management
  • Why it matters: Your analytics tool becomes critical infrastructure.
  • What good looks like: Documented SBOM, third‑party pen tests, coordinated disclosure, and SLAs for critical fixes.

Section F — Integration, Extensibility, and Commercials (Ask 29–30)

  1. Extensible APIs, data lake access, and SIEM connectors
  • Why it matters: You’ll want your own enrichment, scoring, and dashboards.
  • What good looks like: Bulk APIs, webhooks, GraphQL/SQL access, parquet exports to S3/BigQuery, and turnkey connectors (Splunk, Datadog, Elastic).
  1. Pricing model, SLAs, and enablement
  • Why it matters: Hidden overage fees or tight rate limits can cripple operations.
  • What good looks like: Transparent per‑seat and per‑API pricing, fair usage tiers, 99.9%+ uptime SLA with credits, 24/7 incident response, and expert training included.

Practical evaluation scenarios you should include in the RFP

  • DPRK‑linked laundering via a Bitcoin mixer → TRC‑20 stablecoins on TRON → high‑risk exchange

    • Expectation: The tool detects the mixer (with sanctions context) and the migration into TRON via a bridge or CEX, flags USDT flows consistent with sanctions evasion typologies, and surfaces feasible choke points (VASP endpoints) for action. (home.treasury.gov)

  • Post‑exploit DeFi tracing: bridge drains → DEX hops → privacy tools

    • Expectation: Automated labeling of bridge contracts, DEX routers, and liquidity pools; reconstruction of path through aggregators; alerts on peel chains, plus mixer entry/exit paths. (chainalysis.com)

  • Smart‑account fraud: anomalous ERC‑4337 UserOperations and paymaster misuse

    • Expectation: Decoding of EntryPoint events, linkages to bundlers, and risk policies for guardian changes or session‑key abuse. (eips.ethereum.org)

  • Solana MEV context: spike in sandwich attacks around a token listing

    • Expectation: Program‑level decoding, DEX pool attribution, and (if available) bundle/Block Engine context to identify bots and protect users. (jito.wtf)

Emerging best practices we recommend (bake these into your scoring)

  • Require explicit confidence levels and “evidence trails” for every entity link, with toggles to hide low‑confidence edges for compliance reviews. This reduces regulator friction where heuristics can mislead (e.g., CoinJoin breaks multi‑input clustering). (mdpi.com)
  • Treat L2 blob data as “perishable”; mandate the vendor’s archival strategy and proof of re‑assembly for investigative use. (eips.ethereum.org)
  • Standardize case sharing with TLP 2.0 labels and exportable STIX 2.1 indicators to your TIP/SIEM. (first.org)
  • Adopt chain‑specific playbooks: TRON stablecoin evasion patterns; Solana program‑account heuristics; OP Superchain bridge semantics. (trmlabs.com)
  • Demand dated public proof of chain coverage growth (e.g., “added Base, Linea, Mantle in 2025”), with update SLAs and hourly refresh claims backed by telemetry. (trmlabs.com)

Brief vendor-response template you can attach to your RFP

  • Coverage matrix (chains/tokens/protocols): URL or PDF; last updated date.
  • Data pipeline SLOs: block→graph latency; sanctions update SLA; reorg handling.
  • Methodology: ground‑truth sources; heuristic list; confidence scoring rubric; CoinJoin/PayJoin handling.
  • L2/EIP‑4844 policy: blob capture, retention duration, and gap mitigation.
  • ERC‑4337 support: decoded fields, bundler mapping, paymaster attribution.
  • MEV awareness: Ethereum (MEV‑Boost) and Solana (Jito) context availability and limitations. (docs.flashbots.net)
  • AML/policy: Travel Rule interoperability; sanctions lookback automation; privacy‑coin limits. (fatf-gafi.org)
  • Security/compliance: FedRAMP/SOC/ISO status; pen test cadence; SBOM availability; audit‑log design. If FedRAMP, provide Marketplace listing or authorization letter (e.g., vendors publicly announcing Moderate/High). (globenewswire.com)
  • Integrations: STIX/TAXII, SIEM, data lake exports (parquet); webhook examples. (oasis-open.org)
  • Pricing & SLAs: API quotas, overage pricing, uptime guarantees, support tiers, and training plans.

Red flags to watch

  • “Black box” labels with no evidence chain or confidence scores.
  • Coverage gaps on TRON or Solana while marketing “complete chain coverage.”
  • No documented strategy for EIP‑4844 data preservation or ERC‑4337 decoding. (eips.ethereum.org)
  • Slow sanctions list updates or lack of OFAC wallet‑address awareness. (ofac.treasury.gov)

Bottom line

Your next analytics partner must be sanctions‑ready, cross‑chain by default, L2/L3‑aware, and MEV‑literate. With the 30 questions above—and scenario tests that mirror how illicit actors actually move value—you’ll separate marketing claims from operational reality and select a platform that stands up to regulators, auditors, and incident response when it matters most.

Like what you're reading? Let's build together.

Get a free 30‑minute consultation with our engineering team.

Talk to usView services

Related Posts

7BlockLabs

Full-stack blockchain product studio: DeFi, dApps, audits, integrations.

7Block Labs is a trading name of JAYANTH TECHNOLOGIES LIMITED.

Registered in England and Wales (Company No. 16589283).

Registered Office address: Office 13536, 182-184 High Street North, East Ham, London, E6 2JA.

© 2025 7BlockLabs. All rights reserved.