Jul 16, 2025
On-chain Monitoring for Web3 Security
On-chain monitoring is a continuous process of analyzing the flow of data within a blockchain network. Its purpose is to generate actionable insights that support decision-making, particularly for Web3 security.
This encompasses a wide range of tasks, from simply tracking Total Value Locked (TVL) or market capitalization to sophisticated, automated approaches for preventing attacks the moment a threat emerges.
Blockchain data is stored in an optimized format, which makes it challenging for end-users to easily read and aggregate information. To make this information accessible, various methods and platforms exist for extracting and processing blockchain data.
Modern protocols often operate across multiple blockchains, sometimes even those with different architectures. This complexity further increases the need for tools that can extract and normalize data from various blockchains.
Goals of On-chain Monitoring
Financial Metrics
A fundamental use case for on-chain monitoring in any Web3 protocol is collecting data for key financial metrics such as TVL, Proof of Reserves (PoR), and protocol transaction volumes.
To display these values conveniently in a user interface, raw data is first collected from the blockchain and accumulated on a backend. Periodic data collection from finalized blockchain blocks is suitable for this purpose, with data typically requested on demand.
Protocol Performance and Health Indicators
On-chain monitoring can be configured to collect relevant data to assess a protocol's current state and operational health.
This includes metrics like the percentage of successful transactions, volume change dynamics, and capital outflow and inflow. Monitoring these indicators allows teams to determine if the protocol is functioning as expected. If deviations are detected, necessary measures can be taken to resolve issues.
For this type of monitoring, continuous data collection from the very latest block is required as soon as it's formed on the blockchain. In addition to building dashboards from the collected data, an alerting system should be set up to flag any deviations from expected metrics.
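The alerting described above, sketched as a rolling-window check over per-block statistics. This is an added example, not code from the article or from any monitoring product; the field names, the thresholds, and the fixed TVL figure are assumptions, and the per-block counts are expected to come from an indexer that is not shown.

```python
from collections import deque


class HealthMonitor:
    """Rolling-window check of success rate and net capital outflow."""

    def __init__(self, window=3, min_success=0.90, max_net_outflow=0.10):
        self.blocks = deque(maxlen=window)       # oldest block drops out automatically
        self.min_success = min_success           # assumed threshold
        self.max_net_outflow = max_net_outflow   # assumed: fraction of TVL per window

    def ingest(self, block, tvl):
        """Add the newest block's stats and return alerts for the current window."""
        self.blocks.append(block)
        if len(self.blocks) < self.blocks.maxlen:
            return []                            # not enough history yet: stay quiet
        ok = sum(b["ok"] for b in self.blocks)
        failed = sum(b["failed"] for b in self.blocks)
        net_out = sum(b["outflow"] - b["inflow"] for b in self.blocks)
        alerts = []
        # An idle window (no transactions at all) is not treated as a failure.
        if ok + failed > 0 and ok / (ok + failed) < self.min_success:
            alerts.append("low_success_rate")
        if tvl > 0 and net_out / tvl > self.max_net_outflow:
            alerts.append("net_outflow_spike")
        return alerts


def run(blocks, tvl):
    """Feed blocks in order; map block number -> alerts, for blocks that alerted."""
    monitor = HealthMonitor()
    fired = {}
    for block in blocks:
        alerts = monitor.ingest(block, tvl)
        if alerts:
            fired[block["number"]] = alerts
    return fired


# Constructed per-block statistics for one protocol (not real chain data).
SAMPLE_BLOCKS = [
    {"number": 100, "ok": 98, "failed": 2, "inflow": 500, "outflow": 400},
    {"number": 101, "ok": 97, "failed": 3, "inflow": 300, "outflow": 350},
    {"number": 102, "ok": 95, "failed": 5, "inflow": 200, "outflow": 300},
    {"number": 103, "ok": 60, "failed": 40, "inflow": 100, "outflow": 900},
    {"number": 104, "ok": 50, "failed": 50, "inflow": 0, "outflow": 1500},
]
```

With a TVL of 10,000 units, block 103 trips only the success-rate rule because the window's net outflow is 9.5% of TVL, just under the assumed 10% limit; block 104 trips both.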
Threat and Incident Detection
The most advanced monitoring systems can detect attempted attacks either before or during their execution.
Cutting-edge systems can analyze transactions within the mempool (the pool of pending transactions), meaning they can identify threats even before an attack is executed on-chain. When combined with automated systems for pausing smart contracts and blacklisting malicious addresses, these measures can stop attacks or significantly reduce their impact.
To function effectively, such systems must operate in a fully automated mode, without requiring human intervention to initiate emergency protocols.
Values Tracked by On-chain Monitoring
Core Values
The primary core values read during on-chain monitoring are address balances and smart contract state variables. These values describe the current financial and logical state of the entire blockchain network. Changes in these values reflect all processes occurring at the blockchain's logical layer.
Reading events generated by smart contracts provides a more complete picture of network activities.
Analysis of protocol invariants is performed based on data obtained from reading these core values.
Qualitative Characteristics
The next level of blockchain activity analysis involves reading and processing data such as the invocation of specific functions, for example, administrative ones. This includes identifying the characteristics of the address that initiated a transaction, such as an administrative function being called by an address outside of a trusted circle.
Movement of funds exceeding a predefined threshold can be considered suspicious activity, as can the unexpected use of a protocol's governance function.
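The three qualitative signals named in this section, written as rules over already-decoded transactions. This is an added example rather than code from the article; the function names, the trusted-address set, the threshold, and the `DecodedTx` shape are all hypothetical, and decoding calldata into a function name is assumed to happen upstream.

```python
from dataclasses import dataclass

# Assumed policy for illustration; every name and value here is hypothetical.
TRUSTED_ADMINS = {"0x" + "a1" * 20}          # the "trusted circle"
ADMIN_FUNCTIONS = {"pause", "upgradeTo", "setOracle"}
GOVERNANCE_FUNCTIONS = {"queue", "execute"}
FUND_FUNCTIONS = {"transfer", "withdraw"}
TRANSFER_THRESHOLD = 1_000_000               # token base units


@dataclass(frozen=True)
class DecodedTx:
    tx_hash: str
    sender: str
    function: str      # decoded upstream from calldata (decoder not shown)
    amount: int = 0


def evaluate(tx, governance_expected=False):
    """Return the name of every rule the transaction trips."""
    findings = []
    # Normalize case: the same address can arrive checksummed or lowercase.
    if tx.function in ADMIN_FUNCTIONS and tx.sender.lower() not in TRUSTED_ADMINS:
        findings.append("admin_call_from_untrusted_sender")
    if tx.function in FUND_FUNCTIONS and tx.amount > TRANSFER_THRESHOLD:
        findings.append("transfer_above_threshold")
    if tx.function in GOVERNANCE_FUNCTIONS and not governance_expected:
        findings.append("unexpected_governance_call")
    return findings


def scan(txs, governance_expected=False):
    """Map tx_hash -> findings, keeping only transactions that tripped a rule."""
    results = {}
    for tx in txs:
        findings = evaluate(tx, governance_expected)
        if findings:
            results[tx.tx_hash] = findings
    return results


# Constructed sample transactions (not real chain data).
ADMIN = "0x" + "A1" * 20        # trusted address, in mixed case
OUTSIDER = "0x" + "b2" * 20
SAMPLE_TXS = [
    DecodedTx("0x01", ADMIN, "pause"),
    DecodedTx("0x02", OUTSIDER, "upgradeTo"),
    DecodedTx("0x03", OUTSIDER, "withdraw", 5_000_000),
    DecodedTx("0x04", OUTSIDER, "transfer", 250),
    DecodedTx("0x05", OUTSIDER, "execute"),
]
```

The `governance_expected` flag stands in for whatever signal tells the monitor that a proposal is scheduled to execute, so routine governance activity does not raise an alarm.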
Additional Values
Other data points useful for protocol monitoring include the percentage of failed transactions and liveness indicators of underlying protocols.
Types of Monitoring System Deployment
In-house
Simple on-chain monitoring systems designed for periodic statistical collection can be developed and deployed by a protocol's development team.
More complex systems requiring high throughput and processing speed should be developed and maintained in-house only if you're prepared for increased costs, perhaps in exchange for unique functionality. You'll also need to allocate highly skilled personnel to this undertaking.
SaaS
In most cases, utilizing advanced SaaS (Software-as-a-Service) products is the optimal choice.
Leading solutions from industry pioneers provide access to technologies refined by specialized teams and proven over time.
Top monitoring systems offer the fastest possible access to mempools across all available blockchains. Achieving such capabilities in-house by developing a custom system would incur significantly greater financial and time costs.
The best SaaS solutions allow you to integrate early detection systems with your automated emergency response service. By using such products, you also gain access to both an analytical platform and a team alerting system with granular event and delivery channel settings.
Hybrid
In practice, you'll likely use a hybrid system. An early detection and incident response system integrates with your backend to trigger response protocols. Additionally, data collected by the SaaS system may require further processing or enrichment, which is conveniently performed on your end.
Data Sources for Monitoring
Regardless of the system type you plan to use—SaaS or in-house—you need to understand exactly where your blockchain data is coming from.
Beyond the fact that blockchains often have different, incompatible architectures, it's crucial to be aware of who the data provider is.
RPC/Node
For an in-house system, you can use access to free or paid RPC (Remote Procedure Call) providers, node providers, or even run your own blockchain node. Each option has different usage limits and costs.
If you opt for a SaaS solution, you should clarify with your provider which sources they use. Top-tier services typically employ their own clusters of nodes.
Block/Mempool
Depending on the specific problem your on-chain monitoring system aims to solve, you'll receive data either from finalized blocks or from the mempool.
A finalized block represents a snapshot of the network's state at a specific moment in time. Data from such a block can be considered an accomplished fact, formed from a set of transactions. This data is well-suited for compiling statistics and any other analysis of protocol functionality.
However, if we want to see participants' intentions before those intentions become an accomplished fact, we must monitor the blockchain node's mempool.
This type of monitoring requires direct access to a blockchain node and is a resource-intensive process. Instead of periodically reading new blocks, which appear at predictable intervals, we need to continuously react to every new transaction that appears in the mempool.
Mempool access allows for the emulation of each transaction's execution before it's applied to the network, helping determine if such a transaction poses a threat to our protocol. If a threat is detected, the system can trigger mechanisms to pause the protocol, blacklist a malicious address, or revoke a position if a threat to an underlying protocol is found.
Monitoring Outcomes
On-demand Data
In the simplest scenario, on-chain monitoring collects information from the blockchain, pre-processes it, and stores it for subsequent retrieval and analysis.
Alerts and Alarms
More advanced systems, in addition to storing information, can analyze collected data, compare it against defined rules, and notify relevant recipients of deviations.
Alerts can be triggered by financial events, such as reaching specified volumes or prices.
Alarms might be triggered by deviations from established behavioral boundaries, like a sudden liquidity outflow or a token price drop. Furthermore, violations of AML (Anti-Money Laundering) policies and signals of fraudulent behavior should also alert the team.
Using advanced SaaS products allows for seamless integration with providers of critical information.
Automated Actions
A cutting-edge solution offered by the best SaaS products is the capability for automated responses to detected threats.
Suspicious behavior detected in the mempool and identified as an attack can activate an emergency protocol without human intervention.
Ensuring the functionality of such a system requires significant effort from the protocol's development team. The ability to pause the protocol, blacklist addresses, and revoke positions must be built into the protocol during the design and coding phases.
Building and debugging a system that will react to such signals from the monitoring system and send the necessary transactions also requires considerable attention.
However, a well-built automated response system for detected threats pays for itself many times over with the very first potential incident.