Daniel Francis

What is on-chain monitoring?

It is crucial to pay daily attention to security in Web3 infrastructure. A question that often arises is, what is the longest duration DeFi can go without a hack? In Q3 of 2023, hackers stole $700 million. However, according to a report by Cyvers, their on-chain monitoring tool detected 85% of the hacks ($600 million). If the hacked protocols had used Cyvers monitoring tools, they could have prevented the loss of $515 million.

What is on-chain monitoring?

The stages of Web3 Security are divided into two stages before and after contract deployment. Pre-deployment security measures generally involve using template libraries, e.g., OpenZeppelin, and performing a smart contract audit. These usually mitigate any dangers before launching a protocol. However, the hard part starts once it’s gone live; bug bounties, real-time monitoring, alerting, and incident response are crucial here. Web3 security protocols often neglect due diligence and ongoing monitoring of third parties while focusing solely on auditing. I’ll focus on real-time monitoring in today’s post.

On-chain monitoring: why is it possible?

Anyone can track Blockchain transactions in real-time as Defi transactions are added to the blockchain instantly. Since all activities on the blockchain are public, it provides an opportunity for analysis and monitoring.

Do you know what real-time monitoring is? This is monitoring the blockchain ecosystem in real-time, searching for anomalies that may indicate an attack, and flagging suspicious activities. It consists of a few things: transaction monitoring, each transaction needs to make sense, and no mixers and transactions to and from privacy protocols might need to be flagged. All incoming or outgoing transactions and their dependent oracles must be verified. Anomaly detection also can consist of large withdrawals and frequent small withdrawals. These activities could indicate suspicious behavior to undercut trackers focusing on higher withdrawal amounts.

Cyvers on-chain monitoring dashboard

Attack stages

Attackers generally follow a predictable pattern, making identifying conventional attack methods easier. We can respond quickly and minimize potential losses by monitoring and identifying these patterns. Understanding how attackers operate is valuable.

Stage 1: Typically, attackers need to obtain funding, often through privacy protocols like Turnado Cash.

Stage 2: They then move onto the preparation stage, deploying an attacker smart contract, such as a flash loan attack.

Stage 3: The exploit involves draining the targeted protocol or users’ funds using various methods, e.g., reentrancy attack, ice phishing, etc.

Stage 4: Finally, the money laundering using crypto mixers, chain-hopping services, and exchanges to hide their tracks and eventually cash out.

By monitoring these specific stages, we can identify potential attacks and flag individuals who engage in suspicious behavior related to the steps listed.

Incident response

There needs to be a good incident response with monitoring once a threat is detected. Can you pause the contract? If managed by multi-sig, can you get the signers to respond? Communication channels are clear. How do you discover an incident is happening without increasing the risk of it worsening? Who is monitoring and triaging the incident? Finally, conduct a postmortem to determine what went wrong and signal to the community you take security seriously.

Importance of on-chain monitoring:

Early Threat Detection: This involves detecting possible security threats, i.e., suspicious activities or vulnerabilities, and acting on them before the situation gets out of hand. This can mitigate damage from potential web3 hacks if spotted and addressed immediately and suppress widespread network/protocol disruption.

Scam Alerting: Scam alerting analyzes smart contract transactions for fraud(fraudulent projects, scams, or phishing attacks), alerting users to potential risks in real-time. The procedure analyzes smart contract transactions and interactions for unusual patterns or addresses. It aims to reduce financial loss and reputational harm.

Regulations and Compliance: On-chain monitoring ensures compliance with legal and regulatory requirements in the blockchain industry, including financial, AML, KYC, and tax regulations. Knows Your Transactions (KYT) is it coming from a legitimate source, a sanctioned party, or protocol and alerts users. AML compliance stops dirty money from getting in and promotes transparency and accountability.

Maintaining Network Stability: Due to attacks, blockchain networks can experience slow transactions or network congestion. Immediate detection and mitigation through monitoring are crucial.

Ensuring Data Integrity: Smart contracts rely on oracles for accurate and secure external data, which requires monitoring to prevent manipulation.

On-chain monitoring at AuditOne

Analyzing transactions can be challenging because the blockchain focuses on anonymity and security over readability. While block explorers and smart contracts provide transparency, non-experts may still need help understanding the specifics of a transaction. Tools like Cyvers help shine a light on a transaction’s who, what, and why, making previous hard-to-interpret information easy to read and act on when alerted.

Transaction Details on Etherscan

At AuditOne, we have teamed up with Cyvers to keep an eye out for any hacking attempts. We take measures to identify any malicious smart contract deployments, unauthorized usage of private keys, external calls from blacklists, and anomalies in transaction values, and you can check our dashboard for more. Cyvers uses Machine Learning (ML) algorithms to track transactions they gather from their nodes. They employ webhooks to alert us in real time once anything suspicious is detected.

This helps us prevent vulnerabilities and code exploits, safeguard user assets from theft, and ensure the safe use of decentralized applications. If you are interested in our tool, you can book a demo at