Most exploits on cross-chain bridges last from one transaction to a few minutes. The Wormhole attack ($326M) was a single signed transaction — zero reaction time. The Ronin Bridge ($620M) had 5 out of 9 validators compromised, and the bridge operated for 6 days before detection. If your monitoring system doesn't analyze both on-chain activity and validator state, funds are lost irreversibly. Our task: build a system that catches the attack before or during execution, giving time to pause the protocol.
We don't just build dashboards with charts. This is a production-grade system with alert logic, circuit breakers, and clear incident response playbooks. Our experience includes integration with OpenZeppelin Defender and Tenderly Web3 Actions for automated bridge pausing when anomalies are detected. Over 5+ years, we have delivered 15+ monitoring systems for DeFi protocols, which allows us to guarantee a reliable solution.
Key Threats to Cross-Chain Bridges
Bridges are critical DeFi infrastructure. The main attack vectors:
- Reentrancy in smart contracts — classic attack amplified by cross-chain calls.
- Validator/relayer compromise — attacker gains majority of signatures and confirms fraudulent transactions.
- Oracle manipulation — tampering with price feeds for unfair exchange.
- Flash loan attacks — instant borrowing to create pool imbalance.
The monitoring system must track each of these scenarios on both the source and target chains.
How the System Detects Anomalies
The system operates on three tiers, each with a different reaction time:
Tier 1 — On-chain real-time (< 1 block). Monitor pending transactions in the mempool for suspicious patterns: multiple cross-chain calls, unusual volumes, interactions with new contracts. Technically challenging (requires access to private mempool via Flashbots or Eden), but provides the earliest warning.
Tier 2 — On-chain per-block (< 12 seconds on Ethereum). Analyze each new block: bridge events (BridgeInitiated, BridgeFinalized), balance changes in liquidity pools, abnormal accumulation of validator votes.
Tier 3 — Off-chain aggregated (minutes to hours). Aggregate data over a period, trend analysis, cross-chain correlations. Catches slow-developing attacks: limit drifting, accumulation of signatures by inactive validators.
How On-Chain Circuit Breakers Work for Bridges
The most valuable component is the ability to automatically or semi-automatically pause the bridge when an attack is detected. Unlike the standard Pausable (OpenZeppelin), we use rate limiting at the contract level that triggers automatically on abnormal transfer volume:
contract BridgeWithCircuitBreaker is Pausable, AccessControl {
bytes32 public constant GUARDIAN_ROLE = keccak256("GUARDIAN_ROLE");
uint256 public maxTransferPerBlock;
uint256 public maxTransferPerHour;
uint256 private _transferredThisBlock;
uint256 private _transferredThisHour;
uint256 private _lastBlockNumber;
uint256 private _lastHourTimestamp;
modifier withinRateLimit(uint256 amount) {
_updateRateLimitCounters();
require(_transferredThisBlock + amount <= maxTransferPerBlock, "Block rate limit exceeded");
require(_transferredThisHour + amount <= maxTransferPerHour, "Hour rate limit exceeded");
_transferredThisBlock += amount;
_transferredThisHour += amount;
_;
}
function transfer(address token, uint256 amount, address to) external whenNotPaused withinRateLimit(amount) {
// ... transfer logic
}
function emergencyPause() external onlyRole(GUARDIAN_ROLE) {
_pause();
emit EmergencyPause(msg.sender, block.timestamp);
}
function _updateRateLimitCounters() private {
if (block.number > _lastBlockNumber) {
_transferredThisBlock = 0;
}
if (block.timestamp >= _lastHourTimestamp + 1 hours) {
_transferredThisHour = 0;
_lastHourTimestamp = block.timestamp;
}
}
}
Rate limits don't block normal operations but stop drain attacks with large volumes. Setting limits at 2–3x the typical bridge volume strikes a balance between UX and security.
Why Invariant Monitoring Is Effective Against Exploits
Every cross-chain bridge has mathematical invariants that must always hold. Monitoring these invariants is an elegant way to catch exploits:
- Mint/burn bridge:
sum(totalSupplyOnSource) + sum(totalSupplyOnDestination) == constant(excluding fees). - AMM bridge:
reserve0 * reserve1 >= kfor each pair.
Example Python function for checking:
async def check_invariants(block_number: int):
total_locked = await bridge.functions.totalLocked().call(block_identifier=block_number)
total_minted = await bridge.functions.totalMinted().call(block_identifier=block_number)
if total_locked != total_minted:
await alert_critical(f"INVARIANT VIOLATED at block {block_number}: locked ({total_locked}) != minted ({total_minted})")
An invariant violation is a sure sign of a bug or an active attack.
Automatic Pausing via Off-Chain Keeper
OpenZeppelin Defender Actions — serverless functions that react to on-chain events. Example: monitoring the bridge pool's TVL and automatically pausing on a sharp drop:
const { ethers } = require("ethers");
module.exports = async function(credentials) {
const provider = new ethers.providers.JsonRpcProvider(credentials.secrets.ALCHEMY_URL);
const vault = new ethers.Contract(VAULT_ADDRESS, VAULT_ABI, provider);
const currentTVL = await vault.totalAssets();
const previousTVL = await storage.get('previousTVL') || currentTVL;
const dropPercent = (previousTVL - currentTVL) * 100n / previousTVL;
if (dropPercent > 15n) {
const signer = credentials.relayer.getSigner();
const guardian = new ethers.Contract(GUARDIAN_ADDRESS, GUARDIAN_ABI, signer);
await guardian.emergencyPause();
await notifySlack(`CRITICAL: TVL dropped ${dropPercent}% — bridge paused`);
}
await storage.put('previousTVL', currentTVL.toString());
};
Alerting and Incident Response
Alert severity is configured as follows:
| Severity | Criterion | Reaction | Reaction Time |
|---|---|---|---|
| P1 Critical | Active attack, loss of funds | Immediate pause + team calls | < 2 minutes |
| P2 High | Invariant violation, oracle manipulation | Pause + review within an hour | < 15 minutes |
| P3 Medium | Abnormal volume, unusual behavior | Next-day review | < 4 hours |
| P4 Low | Statistical deviation | Weekly review | Async |
P1/P2 alerts are sent to PagerDuty with on-call rotation, P3 to a Telegram chat, P4 to a Slack daily digest.
Example Incident Response Playbook
Scenario: TVL drop > 15% in one block.
- On-call engineer receives PagerDuty alert (< 2 min).
- Check Etherscan: find the transaction, cause of TVL drop.
- If exploit — call
emergencyPause()via Defender Relayer. - Notify the team via Signal (not public Telegram).
- After 15 minutes: public message to users about the pause.
- Post-mortem analysis: how the attack occurred, how to fix, when to unpause.
The playbook is tested via drill exercises in a test environment.
What's Included in Our Work
- Audit of your bridge architecture and identification of critical invariants
- Development of smart contract circuit breakers with rate limiting (Solidity)
- Deployment of event indexer and anomaly detector (Python / TypeScript)
- Setup of alerting pipeline (PagerDuty, Telegram, Slack)
- ML model (Isolation Forest) for unknown attacks
- Documentation and tested incident response playbooks
- Training of your team on the system
- Post-launch support
Development Timeline
| Component | Technology | Development Time |
|---|---|---|
| Event indexer | web3.py / viem subscriptions | 1–2 weeks |
| Rule-based detector | Python rules engine | 1–2 weeks |
| Invariant monitor | Python + contract calls | 1 week |
| Circuit breaker contract | Solidity + OZ Pausable | 1 week |
| Alerting pipeline | PagerDuty + Telegram | 3–5 days |
| ML anomaly detection | scikit-learn | 2–3 weeks |
| Defender Autotasks | JavaScript + Defender SDK | 1 week |
| Dashboard | Grafana + InfluxDB | 1–2 weeks |
An MVP system (rule-based + alerting + basic circuit breaker) takes 4–6 weeks. A full system with ML, automatic pause, dashboard, and playbooks takes 10–14 weeks.
Cost is calculated after analyzing the bridge architecture. Given that an attack can cost hundreds of millions of dollars, investment in monitoring pays for itself with the first prevented attack. Contact us for a consultation — we will assess your project and propose an optimal solution. Request development of a monitoring system today.







