---
title: "On-Chain Monitoring Guidelines | Security Alliance"
description: "On-chain monitoring: track large fund transfers, token minting, and anomalies. Set up automated tools and real-time alerts via email, SMS, and messaging apps."
tags: []
contributors: []
---
Effective on-chain monitoring is not a single tool but a set of systems and processes that continuously observe blockchain activity, detect anomalies, and get them in front of someone who can act before the window to respond closes.
- Transparency: Prefer open-source or auditable tools so your monitoring infrastructure can itself be reviewed.
- Real-time detection: Minimize the time between an on-chain event and the alert reaching a responder.
- Automation: Automate repetitive detection tasks to reduce human error and ensure consistent coverage.
- Scalability: Design your monitoring setup to scale as protocol activity and the number of monitored contracts grows.
- Determine the critical metrics to monitor. Common categories include:
  - Large fund transfers from protocol or treasury wallets
  - Token minting and burning events
  - Changes in contract ownership or admin roles
  - Contract upgrades and proxy implementation changes
  - Access control modifications (role grants, revocations)
  - Unusual gas usage patterns that may indicate griefing or exploitation attempts
- Use automated monitoring tools that can continuously track blockchain activities and generate alerts for anomalies. See the Tools page for a catalog of available options.
- Supplement automated tools with periodic manual reviews.
- Set up real-time alerts to notify relevant project members of any suspicious activities or threshold breaches.
- Use multiple channels for alerts (Discord webhooks, Telegram bots, PagerDuty, Slack) to ensure timely delivery.
- Every alert must have a designated owner and a documented response. An alert with no one responsible is indistinguishable from no alert at all.
Structure monitoring coverage across these tracks:
- Fund movement
  - Large fund transfers above defined thresholds
  - Unusual transaction frequency from key addresses
  - Flash loan interactions with protocol contracts
- Token supply
  - Token minting and burning
  - Approval and transfer events outside normal patterns
- Access control and upgrades
  - Contract upgrades and ownership transfers
  - Admin role grants and revocations
- Bridges
  - Unusual inflow or outflow volumes through bridge contracts
  - Bridge contract state changes or ownership modifications
- Oracles and governance
  - Price feed deviations beyond expected bounds
  - Unexpected governance proposals or accelerated vote execution
- Monitoring infrastructure
  - Block propagation times and node health
  - Network latency affecting transaction confirmation
  - RPC endpoint availability (a stalled node or degraded RPC silently stops detection, so the monitor's own health belongs in the same alerting path as the protocol rules)
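The metric categories and coverage tracks above reduce, in practice, to a small set of rules evaluated over decoded events: threshold rules on transfers and supply changes, "always alert" rules on ownership, upgrade and role events, and a frequency rule across transactions from key addresses. The block below is an added illustration of that shape and is not Security Alliance code or any project's monitor. It assumes an upstream decoder (for example web3.py with the contracts' ABIs) has already turned raw logs into dicts like those in `SAMPLE_EVENTS`; every address, threshold, owner and runbook identifier is hypothetical, and the sample events are constructed, not real chain data. It also enforces the ownership requirement from the alerting section: a rule with no owner or runbook cannot be registered.

```python
"""Threshold and state-change rules over decoded on-chain events.

Added illustration for the metric categories and coverage tracks above; it is
not Security Alliance code. It assumes an upstream decoder (for example
web3.py with the contracts' ABIs) has already turned raw logs into dicts of
the shape used in SAMPLE_EVENTS. All addresses, thresholds, owners and
runbook identifiers are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x" + "00" * 20              # mint/burn counterparty in ERC-20 Transfer events
TREASURY = "0xTREASURY"              # hypothetical protocol treasury wallet
VAULT_PROXY = "0xVAULTPROXY"         # hypothetical upgradeable vault proxy
WATCHED = {TREASURY, VAULT_PROXY}    # key addresses whose activity is tracked
LARGE_TRANSFER = 500_000 * 10**18    # assumed threshold, 18-decimal token units
LARGE_MINT = 100_000 * 10**18
BURST_MAX_TXS, BURST_WINDOW = 3, 10  # more than 3 txs from a key address in 10 blocks


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    owner: str      # who gets paged
    runbook: str    # documented first-response steps
    tx: str
    detail: str


RULES = {}  # name -> (predicate, severity, owner, runbook)


def rule(name, severity, owner, runbook):
    """Register a per-event rule; refuse any rule without an owner and a runbook."""
    if not owner or not runbook:
        raise ValueError(f"rule {name!r} needs an owner and a runbook")

    def register(fn):
        RULES[name] = (fn, severity, owner, runbook)
        return fn
    return register


@rule("large_transfer", "high", "treasury-oncall", "RB-TRANSFER")
def large_transfer(ev):
    a = ev["args"]
    return ev["name"] == "Transfer" and a["from"] in WATCHED and a["value"] >= LARGE_TRANSFER


@rule("mint_or_burn", "high", "token-oncall", "RB-SUPPLY")
def mint_or_burn(ev):
    if ev["name"] != "Transfer":
        return False
    a = ev["args"]
    return (a["from"] == ZERO and a["value"] >= LARGE_MINT) or a["to"] == ZERO


@rule("admin_change", "critical", "protocol-oncall", "RB-ADMIN")
def admin_change(ev):
    # Ownership transfers, proxy upgrades and role changes are never routine when unannounced.
    return ev["name"] in {"OwnershipTransferred", "Upgraded", "RoleGranted", "RoleRevoked"}


def evaluate(events):
    """Apply every registered rule per event, then the burst rule across events."""
    alerts = []
    for ev in events:
        detail = ", ".join(f"{k}={v}" for k, v in ev["args"].items())
        for name, (fn, sev, owner, rb) in RULES.items():
            if fn(ev):
                alerts.append(Alert(name, sev, owner, rb, ev["tx"], detail))
    # Burst rule: distinct transactions sent by a watched address within BURST_WINDOW blocks.
    txs_by_sender = defaultdict(set)
    for ev in events:
        if ev["sender"] in WATCHED:
            txs_by_sender[ev["sender"]].add((ev["block"], ev["tx"]))
    for sender, txs in txs_by_sender.items():
        ordered = sorted(txs)
        for i, (start, _) in enumerate(ordered):
            span = [t for t in ordered[i:] if t[0] - start < BURST_WINDOW]
            if len(span) > BURST_MAX_TXS:
                alerts.append(Alert("tx_burst", "medium", "treasury-oncall", "RB-BURST",
                                    span[-1][1], f"{len(span)} txs from {sender} within {BURST_WINDOW} blocks"))
                break
    return alerts


SAMPLE_EVENTS = [  # constructed decoded events, not real chain data
    {"block": 100, "tx": "0xa1", "sender": TREASURY, "name": "Transfer",
     "args": {"from": TREASURY, "to": "0xDEX", "value": 750_000 * 10**18}},
    {"block": 101, "tx": "0xa2", "sender": "0xMINTER", "name": "Transfer",
     "args": {"from": ZERO, "to": "0xRECIPIENT", "value": 2_000_000 * 10**18}},
    {"block": 101, "tx": "0xa3", "sender": "0xEOA", "name": "Upgraded",
     "args": {"implementation": "0xNEWIMPL"}},
    {"block": 102, "tx": "0xa4", "sender": "0xUSER", "name": "Transfer",
     "args": {"from": "0xUSER", "to": "0xFRIEND", "value": 10 * 10**18}},
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} tx={a.tx} page={a.owner} runbook={a.runbook} :: {a.detail}")
```

Run as-is, the sample produces three alerts (the treasury transfer, the large mint, and the proxy upgrade) and ignores the ordinary user transfer; four transactions from the treasury inside ten blocks would add a `tx_burst` alert. Each alert carries the owner and runbook it was registered with, so the pager target and first response are fixed at rule definition time rather than decided during an incident. Thresholds in real deployments are per token and should be revisited as protocol activity changes.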
- Conduct regular reviews of your monitoring systems to ensure they are functioning correctly and covering all necessary metrics.
- Regularly update thresholds and alert configurations to reflect current protocol activity: a threshold sized for last quarter's volumes is either too noisy or too quiet today.
- Test your alerts periodically: verify that alert delivery actually works end-to-end, not just that the detection rule is configured. A misconfigured webhook or expired token can silently break your alerting.
- Alert on alert tampering: configure alerts for the disabling or modification of existing alerts. This protects against both accidental misconfiguration and adversarial tampering that could silently disable your detection coverage.
- Develop and maintain an incident response plan to handle alerts and anomalies as soon as possible.
- Document who gets paged for each alert category and what the first response steps are. This should be decided before an incident, not during one.
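Two of the items above (test alert delivery end-to-end, and alert on tampering with the alerts themselves) are easy to state and easy to skip. The block below is an added illustration of both checks and is not Security Alliance code or any project's tooling. `Channel` is a stand-in for a real webhook, PagerDuty or bot client (a deployment replaces `send()` with the actual call), the rule sets are constructed, and the approved-baseline fingerprint is assumed to be pinned somewhere the monitoring system cannot rewrite, such as version control.

```python
"""Alert-delivery self-test and rule-tampering check.

Added illustration for the review, testing and alert-tampering items above;
not Security Alliance code. Channel is a stand-in for a real webhook,
PagerDuty or bot client (a deployment would replace send() with the actual
call); the rule sets below are constructed.
"""
import hashlib
import json


class Channel:
    """Fake delivery channel. ok=False simulates an expired token or dead webhook."""

    def __init__(self, name, ok=True):
        self.name, self.ok, self.sent = name, ok, []

    def send(self, message):
        if not self.ok:
            raise RuntimeError(f"{self.name}: delivery failed")
        self.sent.append(message)


def heartbeat_test(channels):
    """Push a clearly labelled synthetic alert through every channel; return what broke."""
    failures = {}
    for ch in channels:
        try:
            ch.send({"alert": "synthetic-heartbeat", "synthetic": True})
        except Exception as exc:  # a broken channel must be reported, not swallowed
            failures[ch.name] = str(exc)
    return failures


def fingerprint(rules):
    """Stable hash of a rule set; keep the approved value outside the monitoring system."""
    canonical = json.dumps(rules, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_tampering(approved, approved_fp, live):
    """Diff the live rule set against the approved baseline; return human-readable findings."""
    if fingerprint(approved) != approved_fp:
        return ["baseline itself does not match its recorded fingerprint"]
    if fingerprint(live) == approved_fp:
        return []
    findings = []
    for name, spec in approved.items():
        cur = live.get(name)
        if cur is None:
            findings.append(f"rule removed: {name}")
        elif spec.get("enabled", True) and not cur.get("enabled", True):
            findings.append(f"rule disabled: {name}")
        elif cur != spec:
            changed = {k: (spec.get(k), cur.get(k))
                       for k in sorted(spec.keys() | cur.keys()) if spec.get(k) != cur.get(k)}
            findings.append(f"rule modified: {name} {changed}")
    for name in sorted(live.keys() - approved.keys()):
        findings.append(f"unapproved rule added: {name}")
    return findings


def run_self_checks(channels, meta_channel, approved, approved_fp, live):
    """Run both checks and raise the results through a channel the rule set cannot silence."""
    findings = [f"delivery broken on {n}: {e}" for n, e in heartbeat_test(channels).items()]
    findings += detect_tampering(approved, approved_fp, live)
    if findings:
        meta_channel.send({"alert": "monitoring-integrity", "findings": findings})
    return findings


# Constructed rule sets: someone raised the transfer threshold 100x and
# switched off the admin-change rule without approval.
APPROVED_RULES = {
    "large_transfer": {"enabled": True, "threshold": 500_000},
    "admin_change": {"enabled": True},
}
APPROVED_FP = fingerprint(APPROVED_RULES)  # in practice pinned in version control
LIVE_RULES = {
    "large_transfer": {"enabled": True, "threshold": 50_000_000},
    "admin_change": {"enabled": False},
}

if __name__ == "__main__":
    alert_channels = [Channel("slack"), Channel("pagerduty", ok=False)]
    for f in run_self_checks(alert_channels, Channel("meta-telegram"),
                             APPROVED_RULES, APPROVED_FP, LIVE_RULES):
        print(f)
```

The heartbeat is a synthetic alert, labelled as such so responders can tell it from a real page, and it exercises the same delivery path that real alerts use; a channel that throws is reported rather than retried silently. The tampering check compares the live rule set with an approved baseline and names what changed (a removed rule, a disabled rule, a modified threshold, an unapproved addition), and the findings go out through a separate channel so that disabling the ordinary alert channels does not also hide the fact that they were disabled. Schedule both checks, and page on their absence as well as on their findings.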
Monitoring detects anomalies. Forensic readiness ensures you can reconstruct and prove what happened with defensible evidence. These are complementary capabilities: monitoring without forensic readiness means you can notice an incident but may struggle to investigate, substantiate, or disclose it reliably. See Forensic Readiness for how to design evidence collection into your architecture.