npm - solana-privacy-scanner-core - Versions diffs - 0.3.0 → 0.3.1 - Mend

solana-privacy-scanner-core 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -38,12 +38,14 @@ __export(index_exports, {
   collectTransactionData: () => collectTransactionData,
   collectWalletData: () => collectWalletData,
   createDefaultLabelProvider: () => createDefaultLabelProvider,
+  detectAddressReuse: () => detectAddressReuse,
   detectAmountReuse: () => detectAmountReuse,
   detectBalanceTraceability: () => detectBalanceTraceability,
   detectCounterpartyReuse: () => detectCounterpartyReuse,
   detectFeePayerReuse: () => detectFeePayerReuse,
   detectInstructionFingerprinting: () => detectInstructionFingerprinting,
   detectKnownEntityInteraction: () => detectKnownEntityInteraction,
+  detectMemoExposure: () => detectMemoExposure,
   detectSignerOverlap: () => detectSignerOverlap,
   detectTimingPatterns: () => detectTimingPatterns,
   detectTokenAccountLifecycle: () => detectTokenAccountLifecycle,
@@ -1152,8 +1154,8 @@ function detectAmountReuse(context) {
       severity: "LOW",
       category: "behavioral",
       reason: `${roundNumbers.length} round-number transfers detected (e.g., 1 SOL, 10 SOL).`,
-      impact: "Round numbers are common on Solana and relatively benign alone. Combined with other patterns, they can contribute to fingerprinting.",
-      mitigation: "Vary amounts slightly if possible, but this is low priority on Solana.",
+      impact: "Round numbers are common on Solana. Combined with other patterns, they can contribute to fingerprinting.",
+      mitigation: "Vary amounts slightly if possible, but this is low priority.",
       evidence: [{
         description: `${roundNumbers.length} round-number transfers: ${roundNumbers.slice(0, 5).join(", ")}...`,
         severity: "LOW",
@@ -1206,7 +1208,7 @@ function detectAmountReuse(context) {
       severity: "LOW",
       category: "behavioral",
       reason: `${signerReuse.length} amount(s) are reused multiple times with consistent signers.`,
-      impact: "Amount reuse alone is relatively weak on Solana, but combined with other signals it contributes to behavioral fingerprinting.",
+      impact: "Amount reuse alone is relatively weak, but combined with other signals it contributes to behavioral fingerprinting.",
       mitigation: "Vary transaction amounts to reduce pattern visibility.",
       evidence
     });
@@ -1240,62 +1242,128 @@ function detectAmountReuse(context) {
 // src/heuristics/timing-patterns.ts
 function detectTimingPatterns(context) {
+  const signals = [];
   if (!context.timeRange.earliest || !context.timeRange.latest) {
-    return null;
+    return signals;
   }
   if (context.transactionCount < 3) {
-    return null;
+    return signals;
   }
   const timeSpanSeconds = context.timeRange.latest - context.timeRange.earliest;
   const timeSpanHours = timeSpanSeconds / 3600;
   if (timeSpanHours === 0) {
-    return null;
+    return signals;
   }
   const txRate = context.transactionCount / timeSpanHours;
-  let severity = "LOW";
   let isBurst = false;
+  let burstSeverity = "LOW";
   if (txRate > 10) {
-    severity = "HIGH";
+    burstSeverity = "HIGH";
     isBurst = true;
   } else if (txRate > 5) {
-    severity = "MEDIUM";
+    burstSeverity = "MEDIUM";
     isBurst = true;
   } else if (timeSpanHours < 1 && context.transactionCount >= 3) {
-    severity = "MEDIUM";
+    burstSeverity = "MEDIUM";
     isBurst = true;
   }
-  if (!isBurst) {
-    return null;
-  }
-  const evidence = [
-    {
-      type: "timing",
-      description: `${context.transactionCount} transactions in ${timeSpanHours.toFixed(1)} hours`,
-      data: {
-        transactionCount: context.transactionCount,
-        timeSpanHours: timeSpanHours.toFixed(2),
-        transactionRate: txRate.toFixed(2)
+  if (isBurst) {
+    signals.push({
+      id: "timing-burst",
+      name: "Transaction Burst Pattern",
+      severity: burstSeverity,
+      confidence: 0.8,
+      category: "behavioral",
+      reason: `Concentrated activity: ${context.transactionCount} transactions in ${timeSpanHours.toFixed(1)} hours`,
+      impact: "Concentrated transaction activity creates timing fingerprints that can be used to correlate your transactions and link them to specific events or behaviors.",
+      mitigation: "Spread transactions over longer time periods, use scheduled transactions, or batch operations to reduce timing correlation.",
+      evidence: [{
+        description: `${context.transactionCount} transactions in ${timeSpanHours.toFixed(1)} hours (${txRate.toFixed(2)} tx/hour)`,
+        severity: burstSeverity,
+        reference: void 0
+      }]
+    });
+  }
+  if (context.transactions && context.transactions.length >= 5) {
+    const timestamps = context.transactions.map((tx) => tx.blockTime).filter((time) => time !== void 0).sort((a, b) => a - b);
+    if (timestamps.length >= 5) {
+      const gaps = [];
+      for (let i = 1; i < timestamps.length; i++) {
+        gaps.push(timestamps[i] - timestamps[i - 1]);
+      }
+      const avgGap = gaps.reduce((sum, gap) => sum + gap, 0) / gaps.length;
+      const variance = gaps.reduce((sum, gap) => sum + Math.pow(gap - avgGap, 2), 0) / gaps.length;
+      const stdDev = Math.sqrt(variance);
+      const coefficientOfVariation = stdDev / avgGap;
+      if (coefficientOfVariation < 0.3 && avgGap > 60) {
+        const intervalMinutes = Math.round(avgGap / 60);
+        const intervalHours = avgGap / 3600;
+        let severity = "LOW";
+        if (intervalHours >= 23 && intervalHours <= 25) {
+          severity = "HIGH";
+        } else if (intervalHours >= 0.9 && intervalHours <= 1.1) {
+          severity = "HIGH";
+        } else if (gaps.length >= 10) {
+          severity = "MEDIUM";
+        }
+        signals.push({
+          id: "timing-regular-interval",
+          name: "Regular Transaction Interval",
+          severity,
+          confidence: 0.85,
+          category: "behavioral",
+          reason: `Transactions occur at regular ${intervalMinutes < 60 ? `${intervalMinutes}-minute` : `${intervalHours.toFixed(1)}-hour`} intervals.`,
+          impact: "Regular timing patterns are highly distinctive fingerprints. They suggest automated behavior and can reveal timezone, schedule, or bot configuration.",
+          mitigation: "Add random delays between transactions. Vary the timing to avoid predictable patterns.",
+          evidence: [{
+            description: `${gaps.length} transactions with average ${intervalMinutes}-minute intervals (${(coefficientOfVariation * 100).toFixed(1)}% variation)`,
+            severity,
+            reference: void 0
+          }]
+        });
       }
     }
-  ];
-  return {
-    id: "timing-correlation",
-    name: "Transaction Burst Pattern",
-    severity,
-    reason: `Concentrated activity: ${context.transactionCount} transactions in ${timeSpanHours.toFixed(1)} hours`,
-    impact: "Concentrated transaction activity creates timing fingerprints that can be used to correlate your transactions and link them to specific events or behaviors.",
-    evidence,
-    mitigation: "Spread transactions over longer time periods, use scheduled transactions, or batch operations to reduce timing correlation.",
-    confidence: 0.8
-  };
+  }
+  if (context.transactions && context.transactions.length >= 10) {
+    const timestamps = context.transactions.map((tx) => tx.blockTime).filter((time) => time !== void 0);
+    if (timestamps.length >= 10) {
+      const hours = timestamps.map((ts) => new Date(ts * 1e3).getUTCHours());
+      const hourCounts = /* @__PURE__ */ new Map();
+      hours.forEach((hour) => {
+        hourCounts.set(hour, (hourCounts.get(hour) || 0) + 1);
+      });
+      const maxCount = Math.max(...Array.from(hourCounts.values()));
+      const concentration = maxCount / hours.length;
+      if (concentration > 0.4) {
+        const mostActiveHours = Array.from(hourCounts.entries()).filter(([_, count]) => count >= maxCount * 0.8).map(([hour]) => hour).sort((a, b) => a - b);
+        signals.push({
+          id: "timing-timezone-pattern",
+          name: "Consistent Time-of-Day Pattern",
+          severity: "MEDIUM",
+          confidence: 0.7,
+          category: "behavioral",
+          reason: `${Math.round(concentration * 100)}% of transactions occur during specific hours (${mostActiveHours.map((h) => `${h}:00`).join(", ")} UTC).`,
+          impact: "Time-of-day patterns can reveal timezone or daily schedule, contributing to identity fingerprinting.",
+          mitigation: "Vary transaction times across different hours of the day. Use scheduled transactions or automation to obscure your timezone.",
+          evidence: [{
+            description: `${maxCount}/${hours.length} transactions during ${mostActiveHours.length} hour(s)`,
+            severity: "MEDIUM",
+            reference: void 0
+          }]
+        });
+      }
+    }
+  }
+  return signals;
 }
 // src/heuristics/known-entity.ts
 function detectKnownEntityInteraction(context) {
+  const signals = [];
   if (context.labels.size === 0) {
-    return null;
+    return signals;
   }
-  const entityInteractions = [];
+  const entityTypeGroups = /* @__PURE__ */ new Map();
   for (const [address, label] of context.labels.entries()) {
     let interactionCount = 0;
     const relatedTxs = [];
@@ -1308,101 +1376,243 @@ function detectKnownEntityInteraction(context) {
       }
     }
     if (interactionCount > 0) {
-      entityInteractions.push({
-        type: "label",
-        description: `${interactionCount} interaction(s) with ${label.name} (${label.type})`,
-        data: {
-          entityName: label.name,
-          entityType: label.type,
-          address,
-          interactionCount,
-          transactions: relatedTxs
-        },
-        reference: address
+      if (!entityTypeGroups.has(label.type)) {
+        entityTypeGroups.set(label.type, []);
+      }
+      entityTypeGroups.get(label.type).push({
+        address,
+        label,
+        count: interactionCount,
+        txs: relatedTxs
       });
     }
   }
-  if (entityInteractions.length === 0) {
-    return null;
+  if (entityTypeGroups.size === 0) {
+    return signals;
   }
-  let severity = "MEDIUM";
-  const hasExchangeInteraction = Array.from(context.labels.values()).some((label) => label.type === "exchange");
-  if (hasExchangeInteraction) {
-    severity = "HIGH";
-  } else if (entityInteractions.length >= 3) {
-    severity = "HIGH";
+  const exchanges = entityTypeGroups.get("exchange");
+  if (exchanges && exchanges.length > 0) {
+    const evidence = exchanges.map((entity) => ({
+      description: `${entity.count} interaction(s) with ${entity.label.name}`,
+      severity: "HIGH",
+      reference: entity.address
+    }));
+    const totalExchangeTxs = exchanges.reduce((sum, e) => sum + e.count, 0);
+    signals.push({
+      id: "known-entity-exchange",
+      name: "Centralized Exchange Interaction",
+      severity: "HIGH",
+      confidence: 0.95,
+      category: "identity-linkage",
+      reason: `Wallet interacted with ${exchanges.length} centralized exchange(s) in ${totalExchangeTxs} transaction(s).`,
+      impact: "Centralized exchanges have KYC data. Direct interactions can link your on-chain address to your real-world identity through account records, IP addresses, and withdrawal/deposit patterns.",
+      mitigation: "Use intermediate wallets to break the direct link. Deposit to privacy protocols before going to CEX. Consider DEXs for better privacy.",
+      evidence
+    });
   }
-  return {
-    id: "known-entity-interaction",
-    name: "Known Entity Interaction",
-    severity,
-    reason: `Wallet interacted with ${entityInteractions.length} known entit${entityInteractions.length === 1 ? "y" : "ies"}`,
-    impact: "Interactions with centralized exchanges, bridges, or other known entities can link your on-chain address to your real-world identity through KYC data, IP addresses, and off-chain records.",
-    evidence: entityInteractions,
-    mitigation: "Use privacy-preserving bridges, avoid direct CEX interactions from privacy-sensitive wallets, or use intermediate wallets to break the link.",
-    confidence: 0.95
-  };
+  const bridges = entityTypeGroups.get("bridge");
+  if (bridges && bridges.length > 0) {
+    const evidence = bridges.map((entity) => ({
+      description: `${entity.count} interaction(s) with ${entity.label.name}`,
+      severity: "MEDIUM",
+      reference: entity.address
+    }));
+    signals.push({
+      id: "known-entity-bridge",
+      name: "Bridge Protocol Interaction",
+      severity: "MEDIUM",
+      confidence: 0.85,
+      category: "identity-linkage",
+      reason: `Wallet interacted with ${bridges.length} bridge protocol(s).`,
+      impact: "Bridge transactions can link your Solana address to addresses on other chains, expanding the tracking surface.",
+      mitigation: "Use privacy-preserving bridges when available. Create separate addresses for cross-chain activity.",
+      evidence
+    });
+  }
+  const others = Array.from(entityTypeGroups.entries()).filter(([type]) => type !== "exchange" && type !== "bridge");
+  if (others.length > 0) {
+    const allOtherEntities = others.flatMap(([_, entities]) => entities);
+    const evidence = allOtherEntities.slice(0, 5).map((entity) => ({
+      description: `${entity.count} interaction(s) with ${entity.label.name} (${entity.label.type})`,
+      severity: "LOW",
+      reference: entity.address
+    }));
+    const totalOtherTxs = allOtherEntities.reduce((sum, e) => sum + e.count, 0);
+    signals.push({
+      id: "known-entity-other",
+      name: "Known Entity Interactions",
+      severity: "LOW",
+      confidence: 0.75,
+      category: "behavioral",
+      reason: `Wallet interacted with ${allOtherEntities.length} known entit${allOtherEntities.length === 1 ? "y" : "ies"} (${totalOtherTxs} transactions).`,
+      impact: "Interactions with known entities create reference points in your transaction history. These can be used to correlate activity and build behavioral profiles.",
+      mitigation: "While interacting with known protocols is often necessary, be aware it creates public association with those services.",
+      evidence
+    });
+  }
+  for (const [address, label] of context.labels.entries()) {
+    let interactionCount = 0;
+    for (const transfer of context.transfers) {
+      if (transfer.from === address || transfer.to === address) {
+        interactionCount++;
+      }
+    }
+    const concentration = interactionCount / context.transfers.length;
+    if (concentration > 0.3 && interactionCount >= 5) {
+      signals.push({
+        id: `known-entity-frequent-${address.slice(0, 8)}`,
+        name: "Frequent Single Entity Interaction",
+        severity: label.type === "exchange" ? "HIGH" : "MEDIUM",
+        confidence: 0.85,
+        category: "behavioral",
+        reason: `${Math.round(concentration * 100)}% of transfers (${interactionCount}/${context.transfers.length}) involve ${label.name}.`,
+        impact: "Heavy concentration of activity with one entity creates a strong link and behavioral dependency that is easily identified.",
+        mitigation: "Diversify your interactions across multiple services. Use different addresses for different service providers.",
+        evidence: [{
+          description: `${interactionCount} transfers with ${label.name} (${label.type})`,
+          severity: label.type === "exchange" ? "HIGH" : "MEDIUM",
+          reference: address
+        }]
+      });
+    }
+  }
+  return signals;
 }
 // src/heuristics/balance-traceability.ts
 function detectBalanceTraceability(context) {
+  const signals = [];
   if (context.targetType !== "wallet" || context.transfers.length < 2) {
-    return null;
+    return signals;
   }
-  const fullBalanceTransfers = [];
-  const suspiciousPatterns = [];
   const amountPairs = /* @__PURE__ */ new Map();
   for (const transfer of context.transfers) {
     const amountKey = transfer.amount.toFixed(6);
     amountPairs.set(amountKey, (amountPairs.get(amountKey) || 0) + 1);
   }
-  const matchingPairs = Array.from(amountPairs.entries()).filter(([_, count]) => count >= 2);
+  const matchingPairs = Array.from(amountPairs.entries()).filter(([_, count]) => count >= 2).sort((a, b) => b[1] - a[1]);
   if (matchingPairs.length >= 2) {
-    suspiciousPatterns.push("Multiple matching send/receive amounts detected");
+    const evidence = matchingPairs.slice(0, 5).map(([amount, count]) => ({
+      description: `Amount ${amount} appears in ${count} transfers`,
+      severity: count >= 4 ? "HIGH" : "MEDIUM",
+      reference: void 0
+    }));
+    const severity = matchingPairs.length >= 4 ? "HIGH" : matchingPairs.length >= 3 ? "MEDIUM" : "LOW";
+    signals.push({
+      id: "balance-matching-pairs",
+      name: "Matching Send/Receive Amounts",
+      severity,
+      confidence: 0.7,
+      category: "traceability",
+      reason: `${matchingPairs.length} amount(s) appear in multiple transfers, suggesting balance movements.`,
+      impact: "Matching amounts can be used to trace balance flows. If you receive X and later send X, observers can link these transactions.",
+      mitigation: "Split large transfers into multiple smaller ones with varied amounts. Avoid sending exact amounts you received.",
+      evidence
+    });
   }
+  const sequentialPairs = [];
   for (let i = 0; i < context.transfers.length - 1; i++) {
     const current = context.transfers[i];
     const next = context.transfers[i + 1];
     if (current.blockTime && next.blockTime) {
       const timeDiff = Math.abs(next.blockTime - current.blockTime);
-      if (timeDiff < 3600 && Math.abs(current.amount - next.amount) < current.amount * 0.1) {
-        suspiciousPatterns.push("Sequential transfers of similar amounts");
-        break;
+      const amountDiff = Math.abs(current.amount - next.amount);
+      const percentDiff = amountDiff / Math.max(current.amount, next.amount);
+      if (timeDiff < 3600 && percentDiff < 0.1 && current.amount > 0.1) {
+        sequentialPairs.push({
+          index: i,
+          amount1: current.amount,
+          amount2: next.amount,
+          timeDiff
+        });
       }
     }
   }
-  if (suspiciousPatterns.length === 0 && matchingPairs.length === 0) {
-    return null;
-  }
-  const evidence = [];
-  if (matchingPairs.length > 0) {
-    evidence.push({
-      type: "pattern",
-      description: `${matchingPairs.length} matching send/receive amount pair(s)`,
-      data: { matchingPairs: matchingPairs.length }
+  if (sequentialPairs.length >= 2) {
+    const evidence = sequentialPairs.slice(0, 3).map((pair) => ({
+      description: `${pair.amount1.toFixed(4)} \u2192 ${pair.amount2.toFixed(4)} (${Math.round(pair.timeDiff / 60)} minutes apart)`,
+      severity: pair.timeDiff < 600 ? "HIGH" : "MEDIUM",
+      reference: void 0
+    }));
+    signals.push({
+      id: "balance-sequential-similar",
+      name: "Sequential Similar Amount Transfers",
+      severity: "MEDIUM",
+      confidence: 0.65,
+      category: "traceability",
+      reason: `${sequentialPairs.length} instance(s) of similar amounts transferred in quick succession.`,
+      impact: "Sequential similar amounts suggest balance movements and make it easy to trace funds through intermediate addresses.",
+      mitigation: "Add random delays between transactions. Vary amounts to obscure the flow path.",
+      evidence
     });
   }
-  for (const pattern of suspiciousPatterns) {
-    evidence.push({
-      type: "pattern",
-      description: pattern,
-      data: {}
+  const roundNumbers = context.transfers.filter((t) => {
+    const amount = t.amount;
+    if (amount === 0) return false;
+    return (amount === Math.floor(amount) || // Whole number
+    amount * 10 === Math.floor(amount * 10) || // One decimal
+    amount * 100 === Math.floor(amount * 100)) && (amount % 1 === 0 || // 1, 10, 100
+    amount * 10 % 1 === 0 || // 0.1, 0.5
+    amount * 100 % 1 === 0);
+  });
+  const roundNumberRatio = roundNumbers.length / context.transfers.length;
+  if (roundNumberRatio > 0.7 && context.transfers.length >= 5) {
+    signals.push({
+      id: "balance-round-numbers",
+      name: "High Proportion of Round Number Transfers",
+      severity: "LOW",
+      confidence: 0.6,
+      category: "behavioral",
+      reason: `${Math.round(roundNumberRatio * 100)}% of transfers use round numbers.`,
+      impact: "Round numbers are easier to remember and track. They can contribute to balance traceability when combined with other patterns.",
+      mitigation: "Use more varied amounts. Add small random values to make amounts less predictable.",
+      evidence: [{
+        description: `${roundNumbers.length}/${context.transfers.length} transfers are round numbers`,
+        severity: "LOW",
+        reference: void 0
+      }]
     });
   }
-  let severity = "MEDIUM";
-  if (matchingPairs.length >= 3 || suspiciousPatterns.length >= 2) {
-    severity = "HIGH";
+  const tokenTransfers = /* @__PURE__ */ new Map();
+  for (const transfer of context.transfers) {
+    const token = transfer.token || "SOL";
+    if (!tokenTransfers.has(token)) {
+      tokenTransfers.set(token, []);
+    }
+    tokenTransfers.get(token).push(transfer);
+  }
+  for (const [token, transfers] of tokenTransfers) {
+    if (transfers.length < 2) continue;
+    const receives = transfers.filter((t) => t.to === context.target);
+    const sends = transfers.filter((t) => t.from === context.target);
+    for (const receive of receives) {
+      for (const send of sends) {
+        if (!receive.blockTime || !send.blockTime) continue;
+        if (send.blockTime <= receive.blockTime) continue;
+        const timeDiff = send.blockTime - receive.blockTime;
+        const percentDiff = Math.abs(send.amount - receive.amount) / receive.amount;
+        if (percentDiff < 0.05 && timeDiff < 86400 && receive.amount > 1) {
+          signals.push({
+            id: `balance-full-movement-${token}`,
+            name: "Full Balance Movement Detected",
+            severity: "HIGH",
+            confidence: 0.8,
+            category: "traceability",
+            reason: `Received ${receive.amount.toFixed(4)} ${token}, then sent ${send.amount.toFixed(4)} ${token} shortly after.`,
+            impact: "Moving entire received balances makes fund flow trivially traceable. The path from source to destination is clear.",
+            mitigation: "Split received funds before sending. Mix with other funds. Add delays and intermediate steps.",
+            evidence: [{
+              description: `Received ${receive.amount.toFixed(4)} \u2192 Sent ${send.amount.toFixed(4)} (${Math.round(timeDiff / 60)} minutes later)`,
+              severity: "HIGH",
+              reference: void 0
+            }]
+          });
+          break;
+        }
+      }
+    }
   }
-  return {
-    id: "balance-traceability",
-    name: "Balance Traceability",
-    severity,
-    reason: "Wallet shows patterns that enable balance tracking",
-    impact: "Traceable balance movements allow observers to follow funds through the blockchain, linking your transactions and revealing your financial activity.",
-    evidence,
-    mitigation: "Split large transfers into multiple smaller ones, introduce timing delays, or use privacy protocols that obscure amounts.",
-    confidence: 0.7
-  };
+  return signals;
 }
 // src/heuristics/fee-payer-reuse.ts
@@ -1931,12 +2141,284 @@ function detectTokenAccountLifecycle(context) {
   return signals;
 }
+// src/heuristics/memo-exposure.ts
+function detectMemoExposure(context) {
+  const signals = [];
+  if (context.transactionCount === 0) {
+    return signals;
+  }
+  if (!context.transactions || context.transactions.length === 0) {
+    return signals;
+  }
+  const MEMO_PROGRAM = "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr";
+  const MEMO_PROGRAM_V1 = "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo";
+  const memoInstructions = context.instructions.filter(
+    (inst) => inst.programId === MEMO_PROGRAM || inst.programId === MEMO_PROGRAM_V1
+  );
+  if (memoInstructions.length === 0) {
+    return signals;
+  }
+  const suspiciousMemos = [];
+  for (const inst of memoInstructions) {
+    if (!inst.data || typeof inst.data !== "string") continue;
+    const memoText = inst.data.trim();
+    if (memoText.length === 0) continue;
+    let severity = "LOW";
+    const patterns = [];
+    if (/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/.test(memoText)) {
+      patterns.push("email address");
+      severity = "HIGH";
+    }
+    if (/https?:\/\/[^\s]+/.test(memoText)) {
+      patterns.push("URL");
+      severity = severity === "HIGH" ? "HIGH" : "MEDIUM";
+    }
+    if (/(\+\d{1,3}[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/.test(memoText)) {
+      patterns.push("phone number");
+      severity = "HIGH";
+    }
+    const capitalizedWords = memoText.match(/\b[A-Z][a-z]+(\s+[A-Z][a-z]+)+\b/g);
+    if (capitalizedWords && capitalizedWords.length > 0) {
+      patterns.push("likely name(s)");
+      severity = severity === "HIGH" ? "HIGH" : "MEDIUM";
+    }
+    if (memoText.length > 50 && !patterns.length) {
+      patterns.push("long descriptive text");
+      severity = "MEDIUM";
+    }
+    if (/invoice|payment|order|transaction|ref|reference|id|bill/i.test(memoText)) {
+      patterns.push("payment reference");
+      severity = severity === "HIGH" ? "HIGH" : "MEDIUM";
+    }
+    if (patterns.length > 0) {
+      suspiciousMemos.push({
+        content: memoText.length > 100 ? memoText.slice(0, 100) + "..." : memoText,
+        signature: inst.signature,
+        severity
+      });
+    }
+  }
+  if (suspiciousMemos.length === 0) {
+    signals.push({
+      id: "memo-usage",
+      name: "Memo Program Usage",
+      severity: "LOW",
+      confidence: 0.6,
+      category: "information-leak",
+      reason: `${memoInstructions.length} transaction(s) use memo program. Memos are permanently visible on-chain.`,
+      impact: "Memo data is public and permanent. Even non-sensitive memos can contribute to behavioral fingerprinting.",
+      mitigation: "Avoid using memos unless necessary. Never include personal information.",
+      evidence: [{
+        description: `${memoInstructions.length} transaction(s) with memos`,
+        severity: "LOW",
+        reference: void 0
+      }]
+    });
+  } else {
+    const highSeverity = suspiciousMemos.filter((m) => m.severity === "HIGH");
+    const mediumSeverity = suspiciousMemos.filter((m) => m.severity === "MEDIUM");
+    if (highSeverity.length > 0) {
+      const evidence = highSeverity.map((memo) => ({
+        description: `"${memo.content}"`,
+        severity: "HIGH",
+        reference: `https://solscan.io/tx/${memo.signature}`
+      }));
+      signals.push({
+        id: "memo-pii-exposure",
+        name: "Personal Information in Memo",
+        severity: "HIGH",
+        confidence: 0.9,
+        category: "information-leak",
+        reason: `${highSeverity.length} memo(s) contain personal identifying information (email, phone, name).`,
+        impact: "CRITICAL: Personal information in memos is permanently public. This can directly link your wallet to your real-world identity.",
+        mitigation: "Never put personal information in memos. Contact addresses involved to stop this practice if possible.",
+        evidence
+      });
+    }
+    if (mediumSeverity.length > 0) {
+      const evidence = mediumSeverity.slice(0, 5).map((memo) => ({
+        description: `"${memo.content}"`,
+        severity: "MEDIUM",
+        reference: `https://solscan.io/tx/${memo.signature}`
+      }));
+      signals.push({
+        id: "memo-descriptive-content",
+        name: "Descriptive Content in Memo",
+        severity: "MEDIUM",
+        confidence: 0.7,
+        category: "information-leak",
+        reason: `${mediumSeverity.length} memo(s) contain descriptive or identifying content.`,
+        impact: "Descriptive memos create behavioral fingerprints and can indirectly reveal identity or transaction purpose.",
+        mitigation: "Minimize memo usage. Use generic or coded references instead of descriptive text.",
+        evidence
+      });
+    }
+  }
+  return signals;
+}
+// src/heuristics/address-reuse.ts
+function detectAddressReuse(context) {
+  const signals = [];
+  if (context.targetType !== "wallet" || context.transactionCount < 5) {
+    return signals;
+  }
+  const activityTypes = /* @__PURE__ */ new Set();
+  const activityDetails = /* @__PURE__ */ new Map();
+  const DEFI_PROGRAMS = /* @__PURE__ */ new Set([
+    "JUP",
+    "Raydium",
+    "Orca",
+    "Marinade",
+    "Lido",
+    "Lifinity",
+    "Serum"
+    // Add more as needed
+  ]);
+  const NFT_PROGRAMS = /* @__PURE__ */ new Set([
+    "Magic Eden",
+    "Tensor",
+    "OpenSea",
+    "Metaplex"
+  ]);
+  const GAMING_PROGRAMS = /* @__PURE__ */ new Set([
+    "Star Atlas",
+    "Genopets",
+    "Aurory"
+  ]);
+  const DAO_PROGRAMS = /* @__PURE__ */ new Set([
+    "Realms",
+    "Squads",
+    "Tribeca"
+  ]);
+  for (const inst of context.instructions) {
+    const label = context.labels.get(inst.programId);
+    const programName = label?.name || "";
+    if (DEFI_PROGRAMS.has(programName) || /swap|pool|stake|lend|borrow/i.test(programName)) {
+      activityTypes.add("DeFi");
+      if (!activityDetails.has("DeFi")) {
+        activityDetails.set("DeFi", { count: 0, programs: /* @__PURE__ */ new Set() });
+      }
+      const details = activityDetails.get("DeFi");
+      details.count++;
+      details.programs.add(programName || inst.programId.slice(0, 8));
+    }
+    if (NFT_PROGRAMS.has(programName) || /nft|marketplace|mint/i.test(programName)) {
+      activityTypes.add("NFT");
+      if (!activityDetails.has("NFT")) {
+        activityDetails.set("NFT", { count: 0, programs: /* @__PURE__ */ new Set() });
+      }
+      const details = activityDetails.get("NFT");
+      details.count++;
+      details.programs.add(programName || inst.programId.slice(0, 8));
+    }
+    if (GAMING_PROGRAMS.has(programName) || /game|play/i.test(programName)) {
+      activityTypes.add("Gaming");
+      if (!activityDetails.has("Gaming")) {
+        activityDetails.set("Gaming", { count: 0, programs: /* @__PURE__ */ new Set() });
+      }
+      const details = activityDetails.get("Gaming");
+      details.count++;
+      details.programs.add(programName || inst.programId.slice(0, 8));
+    }
+    if (DAO_PROGRAMS.has(programName) || /dao|governance|vote/i.test(programName)) {
+      activityTypes.add("DAO");
+      if (!activityDetails.has("DAO")) {
+        activityDetails.set("DAO", { count: 0, programs: /* @__PURE__ */ new Set() });
+      }
+      const details = activityDetails.get("DAO");
+      details.count++;
+      details.programs.add(programName || inst.programId.slice(0, 8));
+    }
+  }
+  const hasExchangeInteraction = Array.from(context.labels.values()).some((label) => label.type === "exchange");
+  if (hasExchangeInteraction) {
+    activityTypes.add("Exchange");
+    activityDetails.set("Exchange", {
+      count: context.transfers.filter(
+        (t) => context.labels.has(t.from) || context.labels.has(t.to)
+      ).length,
+      programs: /* @__PURE__ */ new Set(["CEX"])
+    });
+  }
+  const simpleTransfers = context.transfers.filter((t) => {
+    const tx = context.transactions?.find((tx2) => tx2.signature === t.signature);
+    return tx && tx.programs && tx.programs.length <= 2;
+  });
+  if (simpleTransfers.length >= 3) {
+    activityTypes.add("P2P Transfers");
+    activityDetails.set("P2P Transfers", {
+      count: simpleTransfers.length,
+      programs: /* @__PURE__ */ new Set(["Direct"])
+    });
+  }
+  const diversityCount = activityTypes.size;
+  if (diversityCount >= 4) {
+    const evidence = Array.from(activityDetails.entries()).map(([type, details]) => ({
+      description: `${type}: ${details.count} transaction(s) across ${details.programs.size} program(s)`,
+      severity: "HIGH",
+      reference: void 0
+    }));
+    signals.push({
+      id: "address-high-diversity",
+      name: "High Activity Diversity on Single Address",
+      severity: "HIGH",
+      confidence: 0.85,
+      category: "linkability",
+      reason: `This address is used for ${diversityCount} distinct activity types: ${Array.from(activityTypes).join(", ")}.`,
+      impact: "Using one address for multiple unrelated activities links them all together. This creates a comprehensive behavioral profile.",
+      mitigation: "Use separate addresses for different purposes: one for DeFi, one for NFTs, one for DAO participation, etc. This isolates activities and prevents cross-linkage.",
+      evidence
+    });
+  } else if (diversityCount === 3) {
+    const evidence = Array.from(activityDetails.entries()).map(([type, details]) => ({
+      description: `${type}: ${details.count} transaction(s)`,
+      severity: "MEDIUM",
+      reference: void 0
+    }));
+    signals.push({
+      id: "address-moderate-diversity",
+      name: "Moderate Activity Diversity on Single Address",
+      severity: "MEDIUM",
+      confidence: 0.7,
+      category: "linkability",
+      reason: `This address is used for ${diversityCount} activity types: ${Array.from(activityTypes).join(", ")}.`,
+      impact: "Multiple activity types on one address create linkage between otherwise separate behaviors.",
+      mitigation: "Consider using separate addresses for different activities to improve privacy compartmentalization.",
+      evidence
+    });
+  }
+  if (context.timeRange.earliest && context.timeRange.latest) {
+    const timeSpanDays = (context.timeRange.latest - context.timeRange.earliest) / (60 * 60 * 24);
+    if (timeSpanDays > 180 && context.transactionCount > 50) {
+      signals.push({
+        id: "address-long-term-usage",
+        name: "Long-Term Single Address Usage",
+        severity: "MEDIUM",
+        confidence: 0.75,
+        category: "behavioral",
+        reason: `This address has been actively used for ${Math.round(timeSpanDays)} days with ${context.transactionCount} transactions.`,
+        impact: "Long-term address usage accumulates a rich behavioral history. All activities over time are permanently linked.",
+        mitigation: "Periodically rotate to new addresses to compartmentalize different time periods of activity.",
+        evidence: [{
+          description: `${context.transactionCount} transactions over ${Math.round(timeSpanDays)} days`,
+          severity: "MEDIUM",
+          reference: void 0
+        }]
+      });
+    }
+  }
+  return signals;
+}
 // src/scanner/index.ts
 var REPORT_VERSION = "1.0.0";
 var HEURISTICS = [
   // Solana-specific (highest priority)
   detectFeePayerReuse,
   detectSignerOverlap,
+  detectMemoExposure,
+  detectAddressReuse,
   detectKnownEntityInteraction,
   detectCounterpartyReuse,
   detectInstructionFingerprinting,
@@ -1980,15 +2462,24 @@ function generateMitigations(signals) {
   if (signalIds.has("token-account-churn") || signalIds.has("rent-refund-clustering")) {
     mitigations.add("Avoid closing token accounts if privacy is important - the rent refund creates linkage.");
   }
-  if (signalIds.has("known-entity-interaction")) {
+  if (signalIds.has("memo-pii-exposure") || signalIds.has("memo-descriptive-content") || signalIds.has("memo-usage")) {
+    mitigations.add("Never include personal information in transaction memos - they are permanently public.");
+  }
+  if (signalIds.has("address-high-diversity") || signalIds.has("address-moderate-diversity") || signalIds.has("address-long-term-usage")) {
+    mitigations.add("Use separate addresses for different activity types to compartmentalize your behavior.");
+  }
+  if (signalIds.has("known-entity-exchange") || signalIds.has("known-entity-bridge") || signalIds.has("known-entity-other") || signalIds.has("known-entity-interaction")) {
     mitigations.add("Avoid direct interactions between privacy-sensitive wallets and KYC services.");
   }
   if (signalIds.has("counterparty-reuse") || signalIds.has("pda-reuse")) {
     mitigations.add("Use different addresses for different counterparties or contexts.");
   }
-  if (signalIds.has("timing-correlation") || signalIds.has("balance-traceability")) {
+  if (signalIds.has("timing-burst") || signalIds.has("timing-regular-interval") || signalIds.has("timing-timezone-pattern") || signalIds.has("timing-correlation")) {
     mitigations.add("Introduce timing delays and vary transaction patterns to reduce correlation.");
   }
+  if (signalIds.has("balance-matching-pairs") || signalIds.has("balance-sequential-similar") || signalIds.has("balance-full-movement") || signalIds.has("balance-traceability")) {
+    mitigations.add("Vary transfer amounts and add delays to reduce balance traceability.");
+  }
   if (signalIds.has("amount-reuse")) {
     mitigations.add("Vary transaction amounts to avoid creating fingerprints.");
   }
@@ -2128,12 +2619,14 @@ function createDefaultLabelProvider() {
   collectTransactionData,
   collectWalletData,
   createDefaultLabelProvider,
+  detectAddressReuse,
   detectAmountReuse,
   detectBalanceTraceability,
   detectCounterpartyReuse,
   detectFeePayerReuse,
   detectInstructionFingerprinting,
   detectKnownEntityInteraction,
+  detectMemoExposure,
   detectSignerOverlap,
   detectTimingPatterns,
   detectTokenAccountLifecycle,