Contrary to popular belief, blockchains often aren’t as immutable as we wish them to be. Most blockchain reorganizations and the resulting orphaned blocks are not negative, but are results of block propagation limitations. Some, however, might be an indication of a potential attack on the network. Following best practices of IT security, we avoid being the arbiters of “the truth” and instead relay all information collected from our nodes and third parties to clients while providing tools to help our clients analyze the data.
For BTC, one way to spot orphaned blocks is to construct a search which counts the number of events that have the same block height, but a different block hash.
index=bitcoin sourcetype=block | fields _time content.hash content.height | dedup content.hash | stats count as number earliest(_time) as _time by content.height | where number>1 | fields _time content.height number
For convenience, we have also created a summary search to easily return these results:
For BCH and LTC, you can use the following blockchain connector metrics to count orphaned blocks:
| getblockchainmetric blockchain=litecoin metricname=orphan-count
| getblockchainmetric blockchain=bitcoin-cash metricname=orphan-count
For ETH and ETC, uncle blocks can be counted by also using blockcain connector metrics:
| getblockchainmetric blockchain=ethereum metricname=uncle-count
| getblockchainmetric blockchain=ethereum-classic metricname=uncle-count