M Monitoring & Incident Response · 5 controls

Monitoring & Incident Response

This pillar covers the detection of anomalous activity, automated safeguards, incident response preparedness, on-call operations, and relationships with external security partners. Together, these controls determine how quickly a protocol can detect, contain, and recover from security events.

M1
Control
On-chain & Application Monitoring

Critical program state changes, irregular multisig proposals (including durable nonce creation), large value transfers, upgrade authority changes on dependency programs, transfer hook program upgrades on held tokens, and anomalous transaction patterns are tracked in real time. Frontend and API availability are monitored. TVL deviations, liquidity shifts, and governance actions trigger alerts. Monitoring covers all deployed environments, not just mainnet.

M2
Control
Automated Circuit Breakers

On-chain safeguards trigger automatically when invariants are violated or thresholds are breached (e.g., per-epoch transfer caps, TVL drawdown limits). Circuit breakers are granular where possible (pause affected markets, not the entire protocol). Trigger conditions and reset procedures are documented.
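The behaviour M2 describes (a per-epoch transfer cap, a TVL drawdown limit, a pause scoped to one market, and an explicit reset), as an added example that is not part of the framework's own text or any protocol's code. It is plain Rust rather than a deployable on-chain program, and every type, field and function name in it is hypothetical.

```rust
// Added illustration: a per-market circuit breaker as a plain state machine.
// All type, field and function names here are hypothetical.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Decision { Allow, TripEpochCap, TripDrawdown, RejectPaused }

#[derive(Debug)]
pub struct MarketBreaker {
    epoch: u64,
    epoch_outflow: u64,    // outflow accumulated in the current epoch
    epoch_start_tvl: u64,  // TVL snapshot taken when the epoch rolled
    epoch_cap: u64,        // per-epoch transfer cap
    max_drawdown_bps: u64, // allowed TVL drop per epoch, in basis points
    pub paused: bool,
}

impl MarketBreaker {
    pub fn new(epoch: u64, tvl: u64, epoch_cap: u64, max_drawdown_bps: u64) -> Self {
        Self { epoch, epoch_outflow: 0, epoch_start_tvl: tvl, epoch_cap, max_drawdown_bps, paused: false }
    }

    /// Evaluate one outflow against this market only. A trip is returned as a
    /// value, not an error, so the caller can persist `paused`: a transaction
    /// that aborts would roll the flag back along with everything else.
    pub fn check_outflow(&mut self, epoch: u64, tvl: u64, amount: u64) -> Decision {
        if self.paused { return Decision::RejectPaused; }
        if epoch != self.epoch { // new epoch: roll the window, re-snapshot TVL
            self.epoch = epoch; self.epoch_outflow = 0; self.epoch_start_tvl = tvl;
        }
        // Arithmetic overflow is treated the same as a breached threshold.
        let outflow = match self.epoch_outflow.checked_add(amount) {
            Some(v) if v <= self.epoch_cap => v,
            _ => { self.paused = true; return Decision::TripEpochCap; }
        };
        let bps_left = 10_000u128.saturating_sub(u128::from(self.max_drawdown_bps));
        let floor = u128::from(self.epoch_start_tvl) * bps_left / 10_000;
        match tvl.checked_sub(amount) {
            Some(left) if u128::from(left) >= floor => { self.epoch_outflow = outflow; Decision::Allow }
            _ => { self.paused = true; Decision::TripDrawdown }
        }
    }

    /// Reset is a deliberate, authorised action; an epoch rollover never clears a trip.
    pub fn reset(&mut self, epoch: u64, tvl: u64) {
        self.paused = false; self.epoch = epoch; self.epoch_outflow = 0; self.epoch_start_tvl = tvl;
    }
}
```

Keeping one `MarketBreaker` per market is what makes the pause granular: a trip in one market leaves the others processing outflows.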

M3
Control
Incident Response Playbook

Documented IR plan with assigned roles, escalation paths, and communication templates. The playbook covers common scenarios: compromised upgrade authority, an exploit in progress, an oracle failure, a frontend compromise, and a key compromise. Post-mortem process with root cause analysis and public disclosure timeline is defined. A pause authority with documented activation procedures exists for emergency use.

M4
Control
On-call & Alerting Infrastructure

24/7 on-call rotation with defined response time SLAs. Alerting routes to PagerDuty or equivalent with escalation if unacknowledged. Alert fatigue is managed through tuning and severity tiering. Contact information is current and tested.

M5
Control
Security Partners & Ecosystem Coordination

Relationships with security firms and ecosystem security contacts are established before an incident occurs. The responsible disclosure process is published. The protocol has a known point of contact for external security researchers. Cross-protocol communication channels exist for coordinated response to systemic events.

Maturity Scale
0 · Not Implemented: Absent or entirely ad hoc
1 · Basic: Initial implementation with significant gaps
2 · Mature: Consistent implementation with minor gaps
3 · Advanced: Comprehensive with continuous improvement