Smart Contract Alert Solutions: Catching Exploits Before It’s Too Late

Real-Time Alerts: Your Essential Guide for Onchain Success in 2025

In 2025, having real-time, actionable alerts is a must for any team that's shipping onchain. This guide is designed to help decision-makers sift through the noise and pinpoint the alerting stacks that really work. We’ll break down how to set them up and what you should be monitoring, so you can actually prevent losses instead of just being notified when they happen.

---

Why this matters now

• Losses are still soaring, and they’re happening fast. Chainalysis has estimated a whopping $2.2 billion was stolen in 2024, mainly due to key thefts and hacks of centralized platforms. You can check out more about it here.
• We’re still seeing million-dollar exploits wrapped up in just a matter of minutes. When it comes to Ethereum, your window to react is pretty tight--only 1 to 3 blocks (which amounts to about 12 seconds these days), and sometimes you're just racing against the mempool. For more details, hit up this link.
• The alert tooling scene is evolving: OpenZeppelin is winding down its hosted Defender platform but is putting more focus on the open-source Monitor and Relayer options that you can self-host. (Just a heads up, signups wrapped up on June 30, 2025, and the shutdown will happen on July 1, 2026.) More info can be found here.

Here, we lay out some solid options that are effective right now and show you how to implement them with specific monitors that can detect the actual attack patterns emerging in 2024-2025.

---

The 2025 alert stack at a glance

Pick at least one option from each row. A lot of teams like to combine two options from the same row for extra reliability.

• Network-level detection:
  • Forta Network bots, whether community-driven or custom-made, are available for various uses, like Attack Detector feeds and starter kits specifically designed for DeFi, bridges, and stablecoins. Check it out here: (docs.forta.network).
  • There are also some solid commercial platforms that take a proactive approach, like Hypernative, which uses machine learning, graph heuristics, and policy actions. And then there's BlockSec Phalcon, which specializes in mempool detection, auto-blocking, and chain programs. You can explore more at (hypernativeio.com).
• Developer-centric monitors and serverless actions:
  • Tenderly has got you covered with its Alerts + Web3 Actions feature, which lets you set up triggers for CRON, transactions, or events with a quick 30-second runtime. They also offer key-value storage and a neat alert-to-action wiring system. More details can be found at (docs.tenderly.co).
• Data firehoses for custom rules and invariants:
  • QuickNode Streams provide reliable delivery, ensuring data goes through exactly once and is reorg-safe. Plus, they support traces and backfills to services like webhook, S3, Snowflake, or your database.
  • On the other hand, Alchemy Webhooks keep you in the loop with address activity, mined or dropped transactions, and custom GraphQL filters that operate at a high scale. Check them out at (quicknode.com).
• Self-hosted, auditable monitoring:
  • If you're looking for something open-source, the OpenZeppelin Monitor could be your answer. It’s multi-chain and integrates with Slack, Discord, email, and webhooks, plus it comes with an open-source Relayer for automated responses. Get the details here: (github.com).
• Risk/compliance oracles you can gate transactions on:
  • Chainalysis offers a Sanctions Oracle/API that facilitates on-chain checks across EVMs, and the best part? They provide free tools! Get to know more at (go.chainalysis.com).
• Private order flow to land emergency transactions safely:
  • For those critical moments, Flashbots Protect RPC and MEV-Share settings help maintain privacy versus refund adjustments, and they offer fast multiplexing to builders. You can find out more about it at (docs.flashbots.net).

---

What changed since last year (and why it affects your playbook)

• Defender is on its way out → self-hosting is in: OpenZeppelin rolled out their open-source Monitor/Relayer back in April 2025 and announced a formal sunset for Defender on June 30, 2025. The final shutdown will happen on July 1, 2026, so make sure to plan any migrations ahead of time! Check out the details here.
• Circuit breakers are evolving from an idea to a new standard: The ERC‑7265 proposal is looking to introduce a protocol-wide outflow limiter that you can connect to runtime detectors. It’s still a community proposal for now, but there are plenty of pilots and discussions happening around it. Dive into it here.
• Faster and richer pipelines are here: QuickNode Streams just got an upgrade with traces and backfill templates! This means you can create invariant detectors based on internal calls rather than just relying on logs. All the info you need is in this blog post.
• Making alert to action a breeze: Tenderly has made it super easy to fire off Web3 Actions directly from your alerts, whether you’re using the UI or CLI. Check the details in their documentation.
• Operations that are aware of MEV: Flashbots made some interesting tweaks to Protect RPC semantics and signatures towards the end of 2025. This lets you pause operations in emergencies without having to expose your calls to public mempools. Want to know more? Look into it here.

---

Real exploits to learn from -- and the monitors that would have caught them

1) Unauthorized Minting (Gala Games, May 20-22, 2024)

• What happened: A compromised minter role ended up minting a whopping 5 billion GALA tokens on Ethereum. Around 600 million tokens were sold off quickly, raking in about $22 to $29 million before anyone could react. Fortunately, most of that cash was eventually returned. (theblock.co)
• Monitors that work:
  • Look out for a “Mint volume spike” on ERC-20: set alerts for when the total supply jumps or when Transfer(mint) hits a certain threshold above the usual in a single block.
  • Keep an eye on any “Role/permission changes” in AccessControl/Ownable.
  • Track “Admin mint function calls” if they go above N in one block.
• Automatic responses:
  • Implement an ERC-7265 outflow rate-limit on treasury/token contracts; the Safe Delay module can introduce a 3 to 15-minute review period for admin actions; and use Proof-of-Reserve Secure Mint style checks to make sure your asset is backed offchain. (ethereum-magicians.org)

2) Lending Market “New Pool Activation” Edge (Radiant Capital, Jan 2024)

• What happened: There was a flash-loan exploit that struck just moments after a new USDC market got activated, taking advantage of a rounding window. Approximately $4.5 million got drained. (cointelegraph.com)
• Monitors that work:
  • A “new market activation” detector along with checks for any unusual jumps in reserve indexes during the first few blocks after a listing.
  • A spike in “Deposit/Withdraw loops” activity for the newly listed asset.
• Automatic responses:
  • Implementing a pause-guardian pattern that helps to halt only the Mint/Borrow/Transfer/Liquidate functions, while keeping Repay/Redeem open (think Governor Bravo style). (medium.com)

3) Bridge and Cross-Chain Balance Drift (Recurring)

• What’s going on: When there's a mismatch in minting or burning, or if there's a delay in finality, it can lead to some serious imbalance in assets.
• Working monitors:
  • Check out Forta’s “Bridge Balance Difference” along with their DeFi/Bridge kits; make sure to backtest with traces. You can find more info here.
• Automatic responses:
  • You can queue up redemptions or put a cap on withdrawals until everything’s back in balance. This fits perfectly with the ERC‑7265 “queue” mode. More details can be found here.

---

A reference architecture that actually stops loss

• Data sources
  • We grab logs and traces through Streams/Webhooks (thanks to QuickNode/Alchemy) with a focus on exactly-once delivery and handling any reorgs. You can learn more about it here.
  • For threat intel, we rely on the Forta Attack Detector and some curated bots that track everything from funding to preparation, exploitation, and laundering. Check it out here.
• Detection engine
  • We mix and match stateless rules (like event signatures and selectors) with stateful invariants, which include supply, NAV, and oracle deltas.
  • One cool feature is the “cold start” templates designed for DeFi, bridges, and stablecoins to help speed up your setup. You can dive deeper here.
• Response layer
  • Our self-hosted Relayer lets you execute commands like “pause,” “set caps,” “set guardians,” and handle Safe module operations. More info can be found here.
  • We also have a Protect RPC feature to discreetly land emergency transactions; plus, you can use /fast to quickly share across builders for faster inclusion. Learn more about it here.
• Paging and runbooks
  • We offer an open-source Monitor that can push notifications to Slack, Discord, Email, or Webhooks. If you need more integration, you can also link it with PagerDuty or Datadog through a webhook relay. Check it out on GitHub here.

Target SLOs at 7Block Labs

Here's what we're striving for at 7Block Labs:

• MTTD: Keep it to 1 block or less for critical signatures; and aim for 0 seconds for mempool-aware detectors on L2s.
• MTTR: Aim for 2 blocks or less when it comes to “pause/cap” actions using Relayer + Protect.
• False Positives: We want to keep it under 0.1% for alerts that actually matter (we’ll fine-tune this with allowlists and combinations like “role-change + mint spike”).

---

Implementation recipes (copy/paste to get moving)

1. Forta → OpenZeppelin Monitor → Safe pause

• First things first, subscribe to Forta’s Attack Detector and any base bots that are relevant for your contracts. Then, set up the Monitor to regularly check Forta’s public API and send any CRITICAL alerts to a webhook that sets off your Relayer. You can find all the details here.
• For the Relayer action, either call pause() on the affected modules or go ahead and execute Safe's Delay-queued “setPause(true)” with a special override path for the Security Council. Check it out right here.

1. Tenderly alert → Web3 Action → Risk-off policy

• Set up an alert for “Transfer” where the amount is greater than 5σ above the baseline OR if the recipient is on the screening denylist; then direct it to Web3 Action.
• For the action, hit up your Relayer API to (a) reduce borrow caps; (b) block those risky senders using your allowlist; keep in mind the runtime limit is 30 seconds. (docs.tenderly.co)

3) Build Your Own Invariant Monitors with Streams

• Start by provisioning QuickNode Streams with “blocks+receipts+traces” to your webhook. You can then filter using JS for things like:
  • ERC-20 totalSupply changes for each block,
  • sudden deviations in oracle prices compared to the last N blocks,
  • any upgrades to beacon or implementation addresses that aren’t signed by the expected multisig.
• Don’t forget to use backfill templates to set up your baselines in advance; with features like exactly-once delivery and reorg-safe semantics, you'll keep everything running smoothly and accurately. Check out more details at (quicknode.com).

4) Sanctions/Blocked-Address Controls Onchain

• To keep sensitive actions secure, use the Chainalysis Oracle isSanctioned(address) for EVMs. For non-EVMs or when you need extra data, pair it with API offchain solutions. You can check out more details here.

1. Private inclusion for emergency tx

• Channel emergency pauses or upgrades through Flashbots Protect. By default, privacy only shares the transaction hash and some partial logs, but you can also set up max-privacy hints. For the quickest results, just use /fast to connect with builders. Check out the full details here: (docs.flashbots.net)

---

What to monitor: a concrete, prioritized checklist

Kick things off with these 20 detectors. Generally, most teams can roll out P0-P1 within a week.

P0 (life-or-death)

• Keep an eye on admin key rotations, and changes in AccessControl role grants and revocations, as well as any tweaks to proxy implementations. You can check out more info here.
• Watch out for ERC‑20/721 supply shifts--like minting and burning--especially when they’re coming from privileged roles. Take a look at the Gala case for more details. More info can be found here.
• New market activation guardrails are important (think Compound/Aave forks): be cautious about index jumps and deposit/withdraw loops in those first blocks. You can read about the Radiant case here.
• Keep track of bridge side-to-side balance drift beyond what’s tolerable, especially with any halted counterparties. For more on this, check docs.forta.network.
• Be aware of oracle anomalies--like when there’s a sudden price divergence beyond the median source-of-truth. Pro tip: use traces to spot any manipulation via internal calls. More insights are available here.

P1 (Strong Defense)

• Flashloan spikes and tornado-style fund transfers to and from protocol addresses using Forta kits. Check it out here!
• Quick governance moves right before timelock actions (think queue → execute with a weird quorum). More on this here.
• Keep an eye on sanctioned or blocked entities trying to interact with the protocol--thanks to the Chainalysis Oracle for that info. You can find more details here.
• Watch out for MEV-sensitive flows, like big DEX swaps and LP removals, that could front-run those liquidation cascades.

P2 (Hygiene and Ops)

• Event Parity Coverage: Make sure each privileged method generates a specific event. This way, monitors won't be left in the dark. Check out the readiness guidance from OpenZeppelin for more details. (OpenZeppelin Readiness Guide)
• L2 Sequencer Health: Watch out for any changes in halt/latency, as these can kick off “oracle sentinel” behaviors. You can find a helpful guide on protocol risk controls over at Gauntlet. (Gauntlet Risk Controls Guide)

---

Response automation patterns that won’t brick your protocol

• Circuit breakers with governance guardrails
  • Let's implement ERC‑7265 semantics as a module: this way, we can queue outflows above certain rates or just revert them altogether. Plus, we can tie the “release” to a multi-sig or have it reviewed by a Security Council. Check it out here: (ethereum-magicians.org)
• Pause-guardian scoped actions
  • We can use the Governor Bravo pattern for this: pause actions like Mint, Borrow, Transfer, and Liquidate, but keep Redeem and Repay open so users can safely unwind their positions. More info here: (gauntlet.xyz)
• Safe delay and roles
  • How about we add the Zodiac Delay Module with a 3-15 minute buffer? In case of a crisis, we can “mark invalid” any queued transactions before they execute. You can find it on GitHub: (github.com)
• Security councils for L2s and rollups
  • Let's take a page from Arbitrum’s book: they have a 9-of-12 model for emergency actions, along with documented transparency reports and DAO-adjustable powers. This could be a solid model for rollup governance. Read more about it here: (docs.arbitrum.foundation)
• Proof of Reserve “Secure Mint”
  • We should gate minting and redemptions based on reserve feeds; this helps avoid those pesky “infinite mint” issues that can pop up with wrapped or offchain-backed assets. Dive deeper into it here: (blog.chain.link)

---

Tool-by-tool: strengths and when to choose them

• Forta Network
  • Best for: getting your community involved and having custom bots tailor-made for your protocol; it's a solid layered defense when paired with your internal invariants.
  • Why now: they've got curated starter kits for DeFi, bridges, and stablecoins, plus an Attack Detector that connects the dots across the kill-chain stages with all the underlying alerts. (docs.forta.network)
• Tenderly Alerts + Web3 Actions
  • Best for: super quick “alert → action” setups without the hassle of managing your own infrastructure; you can create playbooks that are specific to each contract and event; the developer experience is fantastic. (docs.tenderly.co)
• QuickNode Streams
  • Best for: teams wanting rock-solid, reorg-aware data pipelines and comprehensive traces for machine learning or invariants; you can easily push this data to your storage or microservices. (quicknode.com)
• Alchemy Webhooks
  • Best for: monitoring a large number of addresses (think 100k+ per webhook) and setting up simple triggers; it even supports multiple chains, including Solana. (alchemy.com)
• OpenZeppelin Monitor/Relayer (open source)
  • Best for: teams in regulated environments or enterprises that want control over hosting, custom notification channels, and clear audit trails for responses. (github.com)
• Hypernative / BlockSec Phalcon
  • Best for: predictive detections, scanning the mempool, and implementing automated policy blocks; this is often the go-to choice for chains and bigger DeFi protocols. (hypernativeio.com)
• Flashbots Protect
  • Best for: handling vital governance and security transactions without making calldata visible to the public mempool; you can tweak privacy settings and refund hints as needed. (docs.flashbots.net)

---

Measuring success: alert quality and operational readiness

• Precision over volume
  • Platforms like BlockSec and Hypernative are pretty vocal about their super low false positive rates; aim to keep your stack under 0.1% for top-notch alerts by mixing signals (think “role-change + mint spike + source-of-funds anomaly”). Check out what they’ve got: (blocksec.com)
• SLOs we recommend
  • For critical cases, shoot for MTTD of ≤ 1 block and MTTR of ≤ 2 blocks when it comes to pausing or capping. Also, try to get an Ops review done within 10 minutes, and have a root cause analysis wrapped up in 24 hours with replayed traces.
• Game days and backtests
  • Take a trip down memory lane by re-running past incidents (like Gala/Radiant) using your pipeline with Streams backfills; this is the quickest way to tighten up your rules before hitting the mainnet. Dive into the details here: (docs.arbitrum.io)

---

7Block Labs’ 14‑day rollout plan

• Day 1-2: Start by figuring out your threat model and creating a coverage map for each contract. Don’t forget to list out all privileged functions and events--make sure to fill in any gaps in your event coverage first! (openzeppelin.com)
• Day 3-5: Set up the OpenZeppelin Monitor/Relayer and link it with Slack, Email, and Webhooks. Also, make sure to wire up Protect RPC for those emergency lanes. (github.com)
• Day 5-7: Time to add Forta subscriptions and set up Tenderly Alerts that trigger actions for the top 10 events. Oh, and don’t forget to deploy two “kill switches”--a pause-guardian and an outflow rate-limit. (docs.forta.network)
• Day 8-10: Let’s implement Streams to your webhook and traces. Also, you’ll want to put in place three invariants: supply delta, oracle drift, and bridge imbalance. (quicknode.com)
• Day 11-12: It’s tabletop and live-fire time! Replay the Gala and Radiant sequences against your staging environment to confirm your SLOs. (theblock.co)
• Day 13-14: Finish up with some governance hardening--check out the Safe Delay module and look into Security Council escalation if you’re using L2/rollup. Don’t forget to get that runbook sign-off too! (github.com)

---

Bottom line

• Real-time detection is just background noise without a quick response. So, think about your alerts in terms of actions: pause, cap, queue, deny -- and make sure to deliver them privately and without delay. (docs.flashbots.net)
• With the move to open-source, you get to take charge of your monitoring and dodge the risks tied to relying on a single vendor, all while still tapping into Forta/Tenderly/Streams where they really shine. (github.com)
• It's smart to invest in invariants that are linked to known exploit classes like unauthorized minting, market activation edges, and bridge imbalances. Teams that spotted incidents early in 2024-2025 had these set up, and it paid off.

If you’re looking for a functional system in just two weeks, 7Block Labs has got your back! They’ll provide the tools, playbooks, and incident drills you need for your setup--plus, you’ll end up with a self-hosted, auditable pipeline that’s fine-tuned for the specific risks of your protocol.

---

Sources and further reading

• Ethereum's got these 12-second slots along with some cool concepts around confirmation and finality. Check it out here: (ethereum.org)
• So, OpenZeppelin's open-source Monitor/Relayer and Defender is reaching its end. You can find the deets on GitHub: (github.com)
• If you're into security, Forta's Attack Detector and those curated starter kits might interest you. Dive into the details here: (docs.forta.network)
• QuickNode Streams just rolled out some nifty features like exactly-once delivery and backfill templates. Learn more at: (quicknode.com)
• Check out Tenderly Alerts combined with Web3 Actions for limits, runtime, and triggers - it's pretty handy. More info can be found here: (docs.tenderly.co)
• Chainalysis has launched a Sanctions Oracle/API that you might want to look into. Get the scoop here: (go.chainalysis.com)
• Don’t miss Flashbots Protect and their MEV-Share privacy/refund settings - they’re working on some important stuff. Check it out: (docs.flashbots.net)
• There’s some interesting talk around the ERC‑7265 Circuit Breaker proposal that’s worth a read. Check the discussions here: (ethereum-magicians.org)
• And don’t overlook the case studies, like the Gala unauthorized mint and the Radiant new-market exploit. These stories are quite revealing: (theblock.co)

---

Meta description (1-2 sentences)

A 2025 Field Guide for Decision-Makers on Smart Contract Alerting

Hey there! If you're a decision-maker diving into the world of smart contracts, you’re in for a treat. This guide will give you the lowdown on the tools that actually help catch exploits, how to connect them with automated responses, and the solid monitoring systems that can prevent unauthorized mints, tackle tricky lending-market scenarios, and fix bridge imbalances before your funds go missing.

What’s New?

We’ve got all the latest updates, including changes like the Defender sunset, fresh ERC‑7265 patterns, and reference implementations that you can roll out in just a few days!

For more details, check out this link: blog.openzeppelin.com.