RFP Questions for Blockchain Analytics Tools: 30 Must-Ask Items

Description: When you're picking a blockchain analytics platform today, it’s not just about checking out Bitcoin charts anymore. You’ve got to dive into things like cross-chain coverage, how ready they are for sanctions, L2/L3 decoding, and even MEV-aware forensics. To help you with a thorough and up-to-date RFP, check out these 30 solid questions (complete with examples and tips for evaluation).

Why this list now

Regulators are ramping up their expectations around sanctions screening and the implementation of the Travel Rule, all while providing more guidance. The FATF's 2024 update highlighted how slow the adoption of the Travel Rule has been, and in June 2025, they streamlined the data requirements of Recommendation 16 to enhance cross-border transparency. (fatf-gafi.org)
OFAC isn't holding back either; they're constantly adding virtual currency addresses and sanction mixers to their lists, like Sinbad on November 29, 2023. This means companies need to ramp up their screening processes in near-real time and use robust methods for lookbacks. (ofac.treasury.gov)
It’s clear that illicit activity is just shifting chains instead of disappearing altogether. TRM’s data from 2025 shows that TRON had the biggest slice of illicit volume in 2024, sitting at 58%, with a lot of it involving stablecoins. This trend calls for analytics that go beyond just Ethereum and Bitcoin. (trmlabs.com)
Ethereum’s innovations like account abstraction (ERC‑4337) and L2 blobs (EIP‑4844) are shaking things up, changing how wallets interact and how rollup data gets stored. Your tools now need to decode these smart accounts and keep track of ephemeral L2 data. (eips.ethereum.org)
The OP Stack “Superchain” L2s, like Base and OP Mainnet, are coming together under common standards and interoperability, making it crucial for analytics to grasp this new topology and the governance-driven upgrades that come with it. (docs.optimism.io)

Use this RFP as your handy checklist! We’ve broken down each item to explain why it's important and what "good" actually looks like.

Section A -- Chain, Token, and Protocol Coverage (Ask 1-6)

What chains and assets are you supporting right now, and how quickly do you add new ones?

Why this matters: Criminal activities usually gravitate towards low-fee chains and stablecoins like TRON USDT. So, it's crucial for your vendor to already be on board with chains like TRON, Solana, and any new OP Stack L2s. (trmlabs.com)
What to look for: A clear and public count of the chains they support, ideally with updates on recent additions (think vendors touting 90-100+ chains and providing real-time updates for new ones like Linea or Mantle). Don’t forget to ask for a dated changelog! (trmlabs.com)

2) Depth of Token Support Across Networks

Why it matters: A lot of stablecoins, like USDT, USDC, and DAI, are used across various chains. So, when screening, it’s super important to be token-aware, whether it’s in EVM or non-EVM ecosystems. Check this out for more details: (developers.elliptic.co).
What good looks like: Ideally, you’d want to see a clear matrix showing token coverage for each network, and that should definitely include TRC‑20 and SPL on Solana. Plus, it’s helpful to have a timeline or service level agreement (ETA/SLA) for when new tokens will be listed.

3) Understanding L2 and L3 Rollups (OP Stack, Base, Arbitrum, zkSync, Scroll, Linea, Blast, etc.)

Why it matters: The OP Superchain is all about creating a seamlessly connected environment with shared bridging, governance, and making it so that everything can work together in just one block. It's crucial for analytics to trace funds accurately across all OP Chains. Check out more here: (docs.optimism.io).
What good looks like: Ideally, we'd see smooth rollup decoding right out of the box, a solid understanding of the Superchain Registry, and support for keeping upgrades in sync along with chain metadata mappings. Plus, we need to see proof that they’re actively using the Superchain Registry. You can find more details here: (docs.optimism.io).

4) Solana and SVM specifics

Why it matters: The Sealevel parallel runtime, program accounts, and Jito MEV infrastructure on Solana need some pretty specialized parsers and MEV-aware heuristics. You can dive deeper into this here.
What good looks like: We’re talking about being able to decode SPL program events, offering support for block-engine bundles when it makes sense, and having a clear way to manage sandwich attack telemetry sources. Check out more on this here.

5) DeFi, DEX Routers, Bridges, and Cross-Chain Swaps

Why it matters: Bridges often get a lot of attention (and not always the good kind). They're key routes for cross-chain laundering, so your tools need to be able to map out paths through DEXes and bridges across different chains. Check out more about it here.
What good looks like: Ideally, you'd want a system that automatically spots bridge contracts, LP routers, and aggregators. It should also have consistent “hop” semantics that work across chains, plus be able to label and identify past exploits related to bridges.

6) NFT and Real-World Asset Protocols

Why it matters: Fraud, wash trading, and evasion of sanctioned parties can easily slip through the cracks in the world of NFTs and real-world assets (RWAs).
What good looks like: We want to see collection-level labeling, smart heuristics to spot wash trading, clear attribution for marketplaces, and risk flags focused on compliance for NFT movements.

Section B -- Data Freshness, Accuracy, and Methodology (Ask 7-12)

7) End‑to‑end data latency SLOs

Why it matters: When it comes to sanctions screening, speed is key. We need the system to respond to new designations in just a matter of minutes, and investigations should have access to almost real-time graphs.
What good looks like: A solid vendor will set clear expectations for how quickly they’ll update data ingestion and attribution. This means having specific latency targets for things like block-to-graph updates and sanctions "time-to-list" SLOs.

Ground‑truth attribution standards

Why it matters: At the heart of this is the question, “Who owns this cluster?” It’s crucial to dig into how ownership is confirmed--think merchant test deposits or operator disclosures--rather than just relying on guesswork. Check out some real-world examples of “ground‑truth” methodologies. (chainalysis.com)

9) Heuristic Transparency and False-Positive Controls

Why It Matters: When you're dealing with common-input (multi-input) and change-address heuristics, things can get a bit tricky with CoinJoin and PayJoin. To handle this, it’s crucial to have clear detection methods and ways to filter out misleading clusters. For more on this, check out this link.
What Good Looks Like: Imagine having robust CoinJoin classifiers, PayJoin detectors, and a solid confidence scoring system for each link. Plus, it helps to have “evidence audit trails” that you can present to regulators when needed.

10) EIP‑4337/Account Abstraction Decoding

Why it matters: So, smart accounts like UserOperations and EntryPoint are shaking things up in the wallet world. They’re changing how wallets behave and how we spot fraud. This means that analytics need to get good at breaking down the roles of bundlers, paymasters, and the whole smart wallet process. Check out more about it here.
What good looks like: We’re aiming for top-notch support when it comes to UserOperation traces, EntryPoint events, and figuring out smart wallet entities.

11) EIP‑4844 Blob Awareness and L2 Data Retention

Why it matters: Blob data is temporary and can't be accessed through the EVM. This means that for any long-term investigations, it's super important to archive and reconcile those rollup "blob" payloads (or their equivalent proofs). You can dive deeper into this here.
What good looks like: A solid plan for capturing, indexing, and keeping L2 batch metadata along with call data linked to those blobs. And don't forget to have documented fallback sources in place!

12) Historical Backfill and Reorg Policy

Why it matters: Reorgs and retroactive bug fixes are just part of the game. It’s crucial for defense teams to have solid, unchangeable snapshots and plans for reprocessing.
What good looks like: You’ll want to see versioned data snapshots, reliable reprocessing with clear change logs, and "diff" APIs that auditors can easily work with.

Section C -- Sanctions, AML/CFT, and Policy Alignment (Ask 13-18)

13) Sanctions List Ingestion (OFAC, EU, UN) and Wallet Address Handling

Why it matters: The OFAC is serious about including digital currency addresses in their sanctions lists. They expect companies to have solid screening processes and do thorough lookbacks. Check it out for yourself: (ofac.treasury.gov)
What good looks like: Think automation here! You should have a system for automatically pulling in updates for SDNs, managing watchlist versions, and running automatic backfill queries whenever new addresses pop up.

14) Typologies tuned to today’s risks

Why it matters: In 2024, stablecoin flows linked to TRON and those involved in sanctioned activities are leading the pack when it comes to illicit transactions. It’s crucial that our regulations adapt to this shifting landscape. Check out more details here.
What good looks like: We’re aiming for a solid understanding of TRC‑20 heuristics, being able to identify when a stablecoin issuer gets frozen, and spotting patterns around evading sanctions across different jurisdictions.

15) Mixer and Obfuscation Service Detection

Why it matters: The Office of Foreign Assets Control (OFAC) recently sanctioned Sinbad for its involvement in North Korean money laundering. It's crucial that our tools can spot any successor services or copycats that might pop up. You can check out more about this here.
What good looks like: Ideally, we want to see service-level clustering of mixers, along with tracking peel chains and peel-recombines. Plus, it’s important to have alerts set up for any patterns of mixer influx or outflux that could indicate suspicious activity.

16) Travel Rule Alignment and Data Handoff

Why it matters: The latest updates from FATF are all about making sure that there's consistent info about both senders and receivers in payments. It's crucial for analytics to map Virtual Asset Service Provider (VASP) flows to the Travel Rule data. Check out more details on the FATF's take here.
What good looks like: Imagine having APIs that really beef up the risk signals for both the originator and beneficiary, plus some solid connectors to Travel Rule providers. It’d also be great to see thorough auditing that aligns payload data with on-chain records.

17) Privacy Coin Stance and Limitations

Why it matters: Monero is all about privacy, thanks to its features like RingCT, stealth addresses, and ring signatures. These tools make it tough to trace transactions, so vendors need to be clear about what they can and can't do. Check out more details here.
What good looks like: Ideally, we want to see strong heuristic coverage for off-ramps, be aware of decoy detection issues, and focus on workflows that revolve around exchanges instead of getting lost in false precision.

Why it matters: It's super important to share incident intel in a responsible way (think TLP 2.0) and make sure it's machine-readable (like STIX/TAXII). You can check out more on that here.
What good looks like: Imagine having native TLP labels right in your cases, plus STIX/TAXII exports that cover entities, indicators, and sightings. And don’t forget about role-based sharing! That’s how you do it right.

Section D -- Investigations, MEV, and Cross‑Chain Forensics (Ask 19-24)

19) Cross‑chain tracing with bridge/DEX hops

Why it matters: Bridging is a major target for attacks and is often used for laundering money; it’s crucial for tools to provide clear “end-to-end” provenance even after swaps. (chainalysis.com)
What good looks like: You want to see a unified path view that brings together L1, L2, and non-EVM chains, complete with labeled bridges and routers, plus a way to limit hop expansion.

20) MEV‑Aware Analytics (Ethereum, Solana)

Why it matters: MEV bundles and sandwich attacks can really mess with pricing and often point to predatory bots or the folks getting caught in their traps. By breaking down what's happening with builders and relays, we can get a clearer picture of the situation. Check out the details here.
What good looks like: A solid understanding of private order flow is key, like recognizing MEV‑Boost and builder IDs, plus keeping an eye on the Solana Jito bundle context. It'd also be great to have optional integration with MEV telemetry vendors.

21) Smart-Contract Exploit Playbooks

Why it matters: When a protocol gets drained, it's crucial for investigators to have ready-made graphs showing the attacker's funding, the exploit transaction, and the laundering process along with the mixer or exchange off-ramps.
What good looks like: Imagine a one-click “exploit graph template” that comes with entity overlays and can easily convert to endpoints that are ready for subpoenas.

Events and Freezes from Stablecoin Issuers

Why it matters: A lot of shady transactions end up in frozen stablecoins, so having tools that can spot freeze, mint, burn events, and any reissues to victims or governments is crucial. (trmlabs.com)
What good looks like: We’re looking for alerts on blacklisted funds, reissuances, and checks against what issuers announce.

23) On-chain Identity Growth and Smart Wallets

Why it matters: With the updates from EIP-4337, smart accounts have some cool new features, like the ability to add guardians, session keys, and perform batched operations. This makes it easier to spot any unusual activity that strays from the typical EOA behavior, helping to catch potential drains or fraud. Check it out here: (eips.ethereum.org)
What good looks like: Imagine getting alerts for weird paymaster activity, strange UserOperation behaviors, or any unexpected changes in your guardians. That’s the kind of oversight we want!

24) Evidence Management and Chain-of-Custody

Why it matters: If you want your cases to hold up in court, you need rock-solid evidence management.
What good looks like: Think along the lines of signed reports (like PDF + JSON), cryptographic hashes for your evidence exports, unchangeable case timelines, and access that's based on everyone's role.

Section E -- Security, Compliance Posture, and Deployment (Ask 25-28)

25) FedRAMP, SOC 2, and Government Readiness

Why it matters: If you’re dealing with public sector clients or those in heavily regulated industries, having the right authorizations is crucial. TRM Labs shared some exciting news, securing FedRAMP Moderate in September 2024 and FedRAMP High in December 2024. It’s a good idea to ask all your vendors where they stand on their FedRAMP journey. Check out the details here.
What good looks like: You should look for FedRAMP authorization (either Moderate or High) or at least being in process. Having a clear link to their marketplace listing and security packages available under NDA is also a strong sign that they’re on the right track.

26) Data Residency and Private Deployments

Why it matters: Certain teams need to ensure their data is hosted within specific regions or kept completely offline for analysis.
What good looks like: You'll want to see choices like dedicated VPCs, on-premise data extracts, or offline evidence viewers that come with smooth update workflows.

27) Audit Logging, Legal Hold, and Privacy Controls

Why it matters: Having solid, unchangeable audit logs is crucial for dealing with regulators and in case you ever find yourself in court.
What good looks like: You want to make sure you’ve got tamper-evident logs, along with SSO/SAML/OIDC for easy access. Plus, it’s essential to have fine-grained RBAC, field-level masking for any PII, and clear retention policies that include holds.

28) Vendor Vulnerability Management

Why it matters: Your analytics tool is key to your operations. Treat it like critical infrastructure!
What good looks like: You should have a documented SBOM, conduct third-party penetration tests, ensure there's a process for coordinated disclosure, and establish SLAs for urgent fixes.

Section F -- Integration, Extensibility, and Commercials (Ask 29-30)

Extensible APIs, Data Lake Access, and SIEM Connectors

Why it matters: Having your own enrichment, scoring, and dashboards is key for a tailored experience.
What good looks like: Look for bulk APIs, webhooks, GraphQL/SQL access, parquet exports to S3/BigQuery, and ready-to-use connectors like Splunk, Datadog, and Elastic.

Pricing model, SLAs, and enablement

Why it matters: Unexpected overage fees or strict rate limits can seriously disrupt your operations.
What good looks like: You want clear per-seat and per-API pricing, reasonable usage tiers, an uptime SLA of 99.9% or better with credits for downtime, round-the-clock incident response, and top-notch training included.

Practical evaluation scenarios you should include in the RFP

Laundering linked to the DPRK through a Bitcoin mixer → TRC-20 stablecoins on TRON → a high-risk exchange
- What to expect: This tool is designed to spot the mixer (keeping in mind the sanctions), track the movement into TRON via a bridge or centralized exchange, flag USDT transactions that match those typical sanctions evasion patterns, and highlight actionable choke points (like VASP endpoints). (home.treasury.gov)
Post‑exploit DeFi tracing: bridge drains → DEX hops → privacy tools
- What to expect: We're looking at automated tagging for bridge contracts, DEX routers, and liquidity pools. This means we can map out the journey through aggregators and get alerts on peel chains, as well as track mixer entry and exit paths. (chainalysis.com)
Smart-account fraud: strange ERC‑4337 UserOperations and paymaster misuse
- Expectation: Decoding EntryPoint events, connecting them to bundlers, and reviewing risk policies for changes in guardians or any session-key mishaps. (eips.ethereum.org)
Solana MEV context: We've noticed a rise in sandwich attacks, especially when a new token gets listed.
- Expectation: We’re looking at program-level decoding, DEX pool attribution, and (when possible) bundle/Block Engine context to spot those pesky bots and keep users safe. Check it out on jito.wtf.

Make sure to include clear confidence levels and “evidence trails” for every entity link. Add options to hide low-confidence edges during compliance reviews. This helps cut down on confusion for regulators, especially since heuristics can sometimes be misleading (like when CoinJoin messes with multi-input clustering). (mdpi.com)
Think of L2 blob data as something that could go bad; it’s a good idea to enforce the vendor's archival strategy and proof of re-assembly for any investigations. (eips.ethereum.org)
Set a standard for case sharing using TLP 2.0 labels and make sure you can export STIX 2.1 indicators to your TIP/SIEM. (first.org)
Create specific playbooks for each chain: look into TRON stablecoin evasion patterns, Solana program-account heuristics, and OP Superchain bridge semantics. (trmlabs.com)
Require dated public proof showing growth in chain coverage (for instance, “added Base, Linea, Mantle in 2025”), along with update SLAs and claims of hourly refresh rates that are supported by telemetry. (trmlabs.com)

Brief vendor-response template you can attach to your RFP

Coverage matrix (chains/tokens/protocols): Check out the URL or PDF for the latest update. Last refreshed on [last updated date].
Data pipeline SLOs: We’ve got the block→graph latency, the sanctions update SLA, and how we handle reorganizations all covered.
Methodology: This includes our ground-truth sources, the list of heuristics we use, our confidence scoring system, and how we deal with CoinJoin/PayJoin.
L2/EIP-4844 policy: Here's the scoop on blob capture, how long we keep data, and our strategies for gap mitigation.
ERC-4337 support: We've laid out the decoded fields, bundler mapping details, and how we attribute paymasters.
MEV awareness: You can find context and limitations for Ethereum (MEV-Boost) and Solana (Jito). More details in the Flashbots docs.
AML/policy: We’re all about Travel Rule interoperability, automating sanctions lookbacks, and setting limits on privacy coins. Check out the full breakdown on FATF.
Security/compliance: Here's where we stand on FedRAMP/SOC/ISO status, how often we run pen tests, availability of our SBOM, and the design of our audit logs. If we’re FedRAMP compliant, we’ll also include the Marketplace listing or authorization letter (like vendors announcing Moderate/High status). You can read more about this in GlobeNewswire.
Integrations: We support STIX/TAXII, SIEMs, and data lake exports (parquet). Plus, we've got some webhook examples for you too. More info can be found on OASIS.
Pricing & SLAs: Check out our API quotas, overage pricing, uptime guarantees, support tiers, and training plans here.

Red flags to watch

“Black box” labels that come with zero evidence chains or confidence scores.
Coverage gaps on TRON or Solana, all while promoting “complete chain coverage.”
No real plan on how to handle EIP-4844 data preservation or decoding ERC-4337. (eips.ethereum.org)
Slow updates to sanctions lists and a lack of awareness regarding OFAC wallet addresses. (ofac.treasury.gov)

Bottom line

When you're looking for your next analytics partner, make sure they’re ready for sanctions, have cross-chain capabilities built-in, understand L2/L3, and know the ins and outs of MEV. By using the 30 questions above and running scenario tests that reflect how bad actors really shift value, you'll be able to tell the difference between just marketing fluff and real operational strength. This way, you’ll pick a platform that can hold its own against regulators, auditors, and in crisis situations when it counts.

Like what you're reading? Let's build together.

Get a free 30-minute consultation with our engineering team.

Talk to us View services