📡
Monitoring

On-Chain Security Monitoring

On-chain monitoring is your early warning system — the difference between losing $50K and losing $5M when a protocol gets exploited. This guide covers transaction monitoring tools, whale alert patterns, MEV watchers, wallet health monitoring, and multi-sig security best practices.

Avg Exploit Duration: 12–30 sec (time to fully drain)
Alert-to-Action Window: 5–15 sec (realistic reaction time)
Forta Detection Bots: 500+ (active on mainnet)
Defender Monitoring: 30+ chains (supported networks)

🔧 Transaction Monitoring Tools

🌐

Forta Network

Decentralized monitoring
Type: Decentralized node network
Token: FORT
Chains: 30+ (Ethereum, Arbitrum, Polygon, etc.)
Cost: Free for public bots
Alert channels: Discord, Slack, Telegram, Email

Decentralized monitoring network with 500+ pre-built detection bots. Anyone can run a node and earn FORT. Best for broad protocol-level coverage. Alerts are less actionable than Defender but cover more chains.

🛡️

OpenZeppelin Defender

Enterprise-grade monitoring + automation
Type: Centralized SaaS
Creator: OpenZeppelin (auditors)
Chains: 30+
Cost: Free tier + Pro ($250/mo)
Actions: Pause, upgrade, transfer, execute

The most popular tool for DeFi developers. Monitors transactions and can actually execute automated responses — pause a contract, transfer tokens, upgrade proxy. Best for protocol teams. The 'Autotasks' feature lets you run serverless code on any transaction matching your rules.

🐋

Whale Alert

Large transaction tracking
Type: Whale transaction aggregator
Threshold: Configurable ($100K–$10M+)
Chains: Bitcoin, Ethereum, Solana, more
Cost: Free + premium API
Alert channels: Twitter, Telegram, API

Tracks large on-chain movements. Primarily used for crypto market intelligence (whale buying/selling) but also useful for spotting large protocol drains. Its API allows automated, programmatic response.

🤖

MEV Watcher Bots

Sandwich / arbitrage surveillance
Type: Custom bots via Tenderly / EigenPhi
Data: Sandwich attacks, arbitrage, liquidations
Cost: Free + paid tiers
Chains: Ethereum, Arbitrum, BSC

MEV watchers track value extraction in real time. Unusual MEV patterns — a bot suddenly doing 10x volume on a specific pool, or new arbitrage routes appearing — can signal market manipulation or an impending exploit. EigenPhi tracks liquidations and MEV across L2s.

🐋 Whale Alert Patterns to Watch

Not all whale movements are exploits — some are legitimate large transfers, market makers moving inventory, or protocol treasury operations. Learn to distinguish between them.

🚨

Suspicious Patterns

Protocol → Unknown Wallet
Large drain from protocol treasury to non-exchange address. Could be admin operation — but could also be compromised key.
Threshold: >$500K to non-whitelisted address
Flash Loan Sequence
Borrow → Swap → Borrow → Repay, all within 3–12 blocks. Usually indicates price manipulation or arbitrage.
Pattern: same address executing across multiple protocols
Multisig Interaction Burst
A multisig suddenly interacting with many contracts in quick succession after a period of dormancy. Could be legitimate upgrade — or key compromise.
Pattern: first activity in 6+ months, then rapid execution
Liquidity Removal Before Exploit
Large LP removal from a pool right before a price manipulation. Attacker removes their own liquidity to avoid loss while exploiting others.
Pattern: LP tokens moved to new wallet before attack

Normal Patterns

CEX to Exchange
Large movement from known exchange hot wallet to cold storage, or between exchange wallets. Normal operational activity.
Address tags: Coinbase Hot, Binance 18, Kraken, etc.
Tornado Cash Withdrawals
Large deposits/withdrawals from Tornado Cash are often flagged but are sometimes legitimate privacy use cases. Cross-reference with exploit timeline.
Pattern: 100 ETH deposits, 100 ETH withdrawals after delay
Protocol Treasury Rebalancing
DAO or protocol treasury moving funds between known multisigs, DeFi strategies, or CEX accounts. Usually announced in governance forum.
Address tagged as: DAO Ops, Treasury, Compound Governor
Institutional Custodian Moves
Fidelity, Coinbase Custody, BitGo moving between cold storage addresses. Follows predictable patterns and timing.
Address tagged as: Custodial (Fidelity, Copper, etc.)
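
The first and third suspicious patterns above, checked against address tags the way the normal patterns suggest, as an added example that is not part of the original guide. The addresses, tags and transfers are constructed, and the record layout is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed address book; real tags come from your own labelling source.
TAGS = {"0xaaa1": "Coinbase Hot", "0xbbb2": "Treasury",
        "0xccc3": "Aave V3", "0xddd4": "MakerDAO CDP"}
PROTOCOL_TAGS = {"Aave V3", "MakerDAO CDP"}
USD_THRESHOLD = 500_000            # ">$500K to non-whitelisted address"
DORMANCY = timedelta(days=182)     # "first activity in 6+ months"


def triage(transfers):
    """Return (tx, risk, reasons) per transfer, processed oldest first."""
    last_seen = {}                 # sender -> time of its previous outbound tx
    results = []
    for t in sorted(transfers, key=lambda x: x["time"]):
        reasons = []
        src_tag, dst_tag = TAGS.get(t["from"]), TAGS.get(t["to"])
        # Protocol funds leaving to an address with no known tag.
        if src_tag in PROTOCOL_TAGS and dst_tag is None and t["usd"] > USD_THRESHOLD:
            reasons.append("protocol to untagged wallet above threshold")
        # Sender becomes active again after a long quiet period.
        prev = last_seen.get(t["from"])
        if prev is not None and t["time"] - prev >= DORMANCY:
            reasons.append("sender active again after 6+ months")
        last_seen[t["from"]] = t["time"]
        results.append((t["tx"], "Watch" if reasons else "Normal", reasons))
    return results


# Constructed sample transfers (not real transactions).
T0 = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"tx": "tx1", "time": T0, "from": "0xddd4", "to": "0xbbb2", "usd": 40_000},
    {"tx": "tx2", "time": T0 + timedelta(days=240), "from": "0xccc3",
     "to": "0xaaa1", "usd": 2_400_000},
    {"tx": "tx3", "time": T0 + timedelta(days=245), "from": "0xddd4",
     "to": "0xeee5", "usd": 847_000},
]

if __name__ == "__main__":
    for tx, risk, reasons in triage(SAMPLE):
        print(tx, risk, "; ".join(reasons))
```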

📊 Security Monitoring Dashboard — Interactive Mockup

What a real-time security monitoring dashboard looks like.

🛡️ DeFi Protocol Security Monitor
LIVE — 0 active threats
Time | Tx Hash | From | To | Value | Risk
14:32:07
🐋 $2.4M USDC transferred
Aave V3 → Coinbase Hot · Age: 2y 4m · Tx: 0x8f2a...3b4c
Normal
13:18:55
🐋 $847K DAI → Unknown Wallet
MakerDAO CDP 0x3f... · No exchange tag · First large outbound in 8 months
Watch
Today's Sandwich Volume: $12.4M
Arbitrage Opportunities: 847 txs
New Bot Activity: 3 new bots
DAOs Under Liquidation Threat: 2 protocols
🦈 Curve Finance: 3/5 Multisig
Last activity: 3 days ago
📊 Compound Governor: 8/20 Timelock
Last activity: 12 days ago
🔶 Aave V3: 4/8 Gnosis Safe
Active — last tx 2 hours ago
⚠️ Unknown: 2/3 EOA Multisig
New activity after 11 months dormant
Today 09:14
🔴 Large unlock schedule detected — 50M token unlock in 7 days for protocol with declining TVL
Yesterday 22:41
🟡 Governance proposal passed — emergency powers granted to 3-of-5 multisig for 30 days
2 days ago
🟡 Oracle price deviation — ETH price on Uniswap V3 diverged 3.2% from Chainlink for 4 blocks
5 days ago
🟢 All clear — no suspicious transactions across monitored protocols

💼 Wallet Health Monitoring

For protocol operators and large DeFi participants, wallet health monitoring is the frontline of defense.

🔑

Admin Key Activity Tracking

Monitor all transactions from protocol admin addresses. Flag: transactions to non-standard addresses, unusual function calls (especially to unverified contracts), activity after dormancy periods. Set up PagerDuty alerts for any admin interaction outside business hours.

Timelock Countdown Monitoring

If your protocol uses a timelock, monitor the timelock queue for upcoming transactions. Know exactly what's scheduled to execute and when. If an unexpected transaction appears in the queue, you have a window to investigate before execution. Tools: Tenderly Alerting, Forta, or custom indexing script.
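
One way to write the custom queue check described above, as an added example rather than code from any of the named tools. It assumes queue entries are already decoded into dicts; the field names, the allowlist and the sample queue are constructed, and the 24-hour floor is the minimum delay this guide recommends for critical operations.

```python
from datetime import datetime, timedelta, timezone

MIN_DELAY = timedelta(hours=24)    # minimum delay this guide recommends
# Hypothetical allowlist of announced (target, function selector) pairs.
EXPECTED = {("0xconfig", "0x11111111")}


def review_queue(queue, now):
    """Flag unexpected or under-delayed operations, most urgent first."""
    findings = []
    for op in queue:
        problems = []
        if (op["target"], op["selector"]) not in EXPECTED:
            problems.append("unexpected target/function")
        if op["delay"] < MIN_DELAY:
            problems.append("delay below 24h minimum")
        if problems:
            eta = op["scheduled_at"] + op["delay"]   # earliest execution time
            left = max(eta - now, timedelta(0))      # zero: executable now
            findings.append({"id": op["id"], "problems": problems,
                             "eta": eta, "window": left})
    # Smallest investigation window first.
    return sorted(findings, key=lambda f: f["window"])


# Constructed queue snapshot (decoded entries; field names are assumptions).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
QUEUE = [
    {"id": "op1", "target": "0xconfig", "selector": "0x11111111",
     "scheduled_at": NOW - timedelta(hours=2), "delay": timedelta(hours=48)},
    {"id": "op2", "target": "0xunknown", "selector": "0x22222222",
     "scheduled_at": NOW - timedelta(hours=10), "delay": timedelta(hours=48)},
    {"id": "op3", "target": "0xconfig", "selector": "0x33333333",
     "scheduled_at": NOW - timedelta(hours=5), "delay": timedelta(hours=6)},
]

if __name__ == "__main__":
    for f in review_queue(QUEUE, NOW):
        print(f["id"], f["window"], f["problems"])
```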

📊

TVL & Deposit Flow Tracking

Sudden TVL drops are often the first visible sign of an exploit. Track TVL in real-time and alert on drops >5% in a single block. Also watch for unusual deposit/withdrawal ratios — an attacker may be moving funds in/out as part of positioning before an attack.

🔗

Approval & Allowance Revocation

Set up alerts for new approvals to unknown contracts, especially for large token amounts. If you see a new approval to an unverified contract, revoke it immediately. Tools: revoke.cash, approved.zone, or Rabby wallet extension. Check approvals at least monthly.

🔐 Multi-Sig Security Best Practices

1

Hardware Wallets for All Signers

Every signer should use a dedicated hardware wallet (Ledger, Trezor Model T) that has never touched a hot computer. The hardware wallet private key never leaves the device — even if your laptop has malware, the seed phrase can't be stolen via keylogger.

2

Geographic Distribution of Signers

Signers should be in different jurisdictions, ideally with different language backgrounds, to resist social engineering. An attacker who compromises one signer via a translated phishing email still needs to compromise other signers independently.

3

Timelock on All Critical Operations

Every transaction from the multisig should have a timelock delay — minimum 24 hours, ideally 48–72 hours. This gives users time to exit if a suspicious transaction is queued. The timelock window is your users' escape hatch; don't let them bypass it.

4

Out-of-Band Confirmation for Large Txs

For transactions above a threshold (e.g., $1M+), require signers to confirm via a secondary channel (Signal message + email + on-chain) before signing. Attackers can compromise email, but compromising both email AND Signal AND convincing the signer to call the 'protocol team' is much harder.

5

Monitor for Key Rotation & New Signers

Set up alerts for any change to the multisig signers — new signer added, signer removed, threshold changed. Any of these is a critical event. An attacker who compromises a signer account might try to add themselves as a signer. Alert immediately on any signer change.
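
The signer-change alerting from practice 5, as an added example that is not from the original guide. Event names follow the Safe (Gnosis Safe) contracts' AddedOwner, RemovedOwner and ChangedThreshold; the decoded-dict layout, the roster and the event sequence are constructed.

```python
def watch_signers(owners, threshold, events, roster):
    """Replay decoded owner-management events in order.

    Returns (owners, threshold, alerts). Every change is alerted as critical;
    an extra alert fires when off-roster signers alone can meet the threshold.
    """
    owners = set(owners)
    alerts = []
    for ev in events:
        if ev["event"] == "AddedOwner":
            owners.add(ev["owner"])
            note = "" if ev["owner"] in roster else " (not in roster)"
            alerts.append(f"CRITICAL signer added {ev['owner']}{note}")
        elif ev["event"] == "RemovedOwner":
            owners.discard(ev["owner"])
            alerts.append(f"CRITICAL signer removed {ev['owner']}")
        elif ev["event"] == "ChangedThreshold":
            alerts.append(f"CRITICAL threshold {threshold} -> {ev['threshold']}")
            threshold = ev["threshold"]
        else:
            continue                      # unrelated event, state unchanged
        # Re-check control after every change, not only at the end.
        unknown = owners - roster
        if len(unknown) >= threshold:
            alerts.append(f"CRITICAL {len(unknown)} off-roster signers can "
                          f"execute alone at threshold {threshold}")
    return owners, threshold, alerts


# Constructed example: a 3-of-5 multisig and a constructed event sequence.
ROSTER = {"alice", "bob", "carol", "dave", "erin"}
EVENTS = [
    {"event": "AddedOwner", "owner": "mallory"},
    {"event": "RemovedOwner", "owner": "erin"},
    {"event": "ChangedThreshold", "threshold": 1},
]

if __name__ == "__main__":
    final_owners, final_threshold, alerts = watch_signers(ROSTER, 3, EVENTS, ROSTER)
    print(sorted(final_owners), final_threshold)
    for line in alerts:
        print(line)
```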

🛑 Emergency Shutdown Triggers

Every serious DeFi protocol should have documented emergency shutdown procedures. These are the scenarios that should trigger them.

🔴

Smart Contract Vulnerability Confirmed

A critical vulnerability has been identified — either by internal team, external researcher, or active exploitation in progress. Action: Pause all markets immediately, notify users, begin emergency governance vote.

Trigger: Any Critical finding from audit, bounty, or on-chain alert with active exploitation
🟠

Oracle Failure / Price Manipulation

Price feed has been manipulated or has become stale/unreliable. Assets may be incorrectly collateralized. Action: Pause affected markets, switch to backup oracle or pause all markets, notify users.

Trigger: Price deviation >5% from reference, oracle stale for >15 min
🟡

Governance Attack in Progress

Malicious governance proposal is passing or has passed, and the attacker can execute. Action: Alert all users, attempt to pause via emergency multisig before execution window closes.

Trigger: Proposal with unusual treasury drain, short execution window, or no on-chain discussion
🟡

Key Compromise / Social Engineering

One or more multisig signers report potential key compromise. Action: Pause protocol pending key rotation, do not execute any pending transactions from compromised keys.

Trigger: Signer reports suspicious email/Signal, hardware wallet suspected stolen
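
The oracle trigger thresholds above, together with the single-block TVL rule from the wallet health section, evaluated per block. This is an added example, not code from the original guide; the observation layout and sample values are constructed.

```python
DEV_LIMIT_BPS = 500        # "Price deviation >5% from reference"
STALE_LIMIT_S = 15 * 60    # "oracle stale for >15 min"
TVL_DROP_BPS = 500         # "drops >5% in a single block"


def evaluate(observations):
    """Return (block_number, trigger) pairs for per-block observations.

    Integer basis-point comparisons avoid float rounding at exactly 5%.
    Prices and TVL are integers in the asset's smallest unit.
    """
    triggers = []
    prev = None
    for ob in sorted(observations, key=lambda o: o["block"]):
        # |price - reference| / reference > 5%, rearranged to stay in integers.
        if abs(ob["price"] - ob["reference"]) * 10_000 > DEV_LIMIT_BPS * ob["reference"]:
            triggers.append((ob["block"], "oracle_deviation"))
        # Staleness is measured against the block timestamp, not wall-clock time.
        if ob["timestamp"] - ob["oracle_updated_at"] > STALE_LIMIT_S:
            triggers.append((ob["block"], "oracle_stale"))
        # Single-block rule: compare only with the immediately preceding block.
        if prev and ob["block"] == prev["block"] + 1:
            if (prev["tvl"] - ob["tvl"]) * 10_000 > TVL_DROP_BPS * prev["tvl"]:
                triggers.append((ob["block"], "tvl_drop"))
        prev = ob
    return triggers


# Constructed observations (prices in cents, TVL in dollars, 12 s blocks).
OBS = [
    {"block": 100, "timestamp": 1_700_000_000, "oracle_updated_at": 1_699_999_900,
     "price": 200_000, "reference": 200_000, "tvl": 10_000_000},
    {"block": 101, "timestamp": 1_700_000_012, "oracle_updated_at": 1_699_999_900,
     "price": 210_000, "reference": 200_000, "tvl": 9_500_000},   # exactly 5%: no trigger
    {"block": 102, "timestamp": 1_700_000_024, "oracle_updated_at": 1_699_999_900,
     "price": 212_000, "reference": 200_000, "tvl": 8_900_000},   # 6% deviation, 6.3% drop
    {"block": 178, "timestamp": 1_700_000_936, "oracle_updated_at": 1_699_999_900,
     "price": 200_000, "reference": 200_000, "tvl": 8_900_000},   # feed older than 15 min
]

if __name__ == "__main__":
    for block, trigger in evaluate(OBS):
        print(block, trigger)
```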

👤 Personal Monitoring Stack

For DeFi participants with significant positions, here's the minimum viable monitoring stack.

🔔 Alerts

📊 Nansen Portfolio Alerts — track wallet positions, get notified on large moves
📱 DeFiLlama API — TVL monitoring, alert on TVL drop
🤖 Tenderly Alerts — custom rules for any contract, any function call
🐋 Whale Alert Twitter — large transfers from protocols you use

🔍 Block Explorers

Etherscan — bookmark your positions, check approvals monthly
Revoke.cash — review and revoke old approvals
DeBank — see all DeFi positions across chains in one view
Zerion — portfolio tracking + gas optimization

⏱️ Response Playbook

Step 1: Confirm alert — check Etherscan for the tx hash
Step 2: Assess severity — is it your protocol? Is value being drained?
Step 3: Act immediately — call withdraw() if contract not paused
Step 4: Post-incident — document, report to protocol team, check recovery options