Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions docs/build/security-docs/monitoring/README.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
title: Onchain Monitoring Templates
sidebar_label: Onchain Monitoring
sidebar_position: 20
---

import DocCardList from "@theme/DocCardList";

Learn how to monitor your important positions and protocols on Stellar.

<DocCardList />
100 changes: 100 additions & 0 deletions docs/build/security-docs/monitoring/monitoring-template-builders.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
---
title: On-Chain Monitoring Plan Template (Builders)
description: For Builders - turn your threat model into a monitoring plan
sidebar_position: 10
---
Comment thread
ElliotFriend marked this conversation as resolved.

This template turns a completed [threat model](../threat-modeling/README.mdx) into an operational monitoring plan for a protocol or set of smart contracts on Stellar. Where the threat model asks _what could go wrong and how will we design against it_, this plan asks _how will we watch for it in production_. Each threat identified in the threat model becomes one or more observable on-chain effects, and each effect becomes a rule that the monitoring solution watches while the contracts are live.

**Directions**: Fill out each section below to the best of your ability. Carry the threat identifiers over from the STRIDE threat model so the two documents stay linked. Work through the sections in order; every threat should leave the exercise with at least one monitor and a defined response.

**Keep completed plans internal.** A filled-in monitoring plan is a map of what is (and isn’t) monitored. Treat a populated version as sensitive.

## What are we monitoring?

**Directions**: Describe the system in scope, then inventory the components and on-chain addresses this plan covers.

_Input text: high-level description of the protocol, the value it holds, and the parts of it this plan covers._

| Component | On-chain address (`C...` contract / `G...` account) | Notes |
| --- | --- | --- |
| _e.g. Lending pool core_ | _C..._ | _Holds pooled collateral and debt_ |
| | | |

:::note

Keep this inventory current. Addresses can change with new versions, and an out-of-date address list is the most common reason a monitor silently stops working. If it's discovered later that scope has changed, update this section with the latest information.

:::

## What could go wrong?

**Directions**: List the threats this plan monitors, carried over from the threat model. Reuse the identifiers from the STRIDE model (for example, `Elevation.1`) so each monitor traces back to a known threat. Assign each threat a severity using the reminders below.

### Severity reminders

| Severity | Meaning |
| --- | --- |
| **Critical** | Direct, large-scale loss of funds or control; requires immediate response. |
| **High** | Serious impact to funds, users, or availability; requires prompt response. |
| **Medium** | Limited or containable impact; response can be scheduled. |
| **Low** | Minor or informational; monitored for awareness. |

### Threat register

| Threat ID | Threat (from threat model) | Affected component | Severity |
| --- | --- | --- | --- |
| _e.g. Elevation.1_ | _Unauthorized change of contract admin/owner_ | _Lending pool core, access control_ | _Critical_ |
| | | | |

## What does exploitation look like on-chain?

**Directions**: For each threat, describe how exploitation might unfold and the observable on-chain effect(s) it would leave behind. There can be several scenarios, and several effects, per threat.

| Threat ID | Exploitation scenario | Observable on-chain effect(s) |
| --- | --- | --- |
| _e.g. Elevation.1_ | _A leaked admin key reassigns ownership, then raises borrow caps and drains reserves._ | _`set_admin` / ownership-transfer event; privileged parameter change from a non-allowlisted caller_ |
| | | |

:::note

If a threat has no observable on-chain effect (for example, a compromised frontend or an oracle's upstream data source), record it here and plan to monitor it off-chain. Don't drop it just because it isn't visible on-chain.

:::

## What will we monitor for?

**Directions**: Map each observable effect to a monitoring rule, stating the trigger condition and the baseline that makes it meaningful. Uniquely identify each monitor as `<ThreatID>.M.<n>` so it traces back to its threat, the same way remediations in the threat model are identified as `<ThreatID>.R.<n>`.

| Monitor ID | Observable on-chain effect | Trigger condition & baseline | Monitoring rule (plain-language intent) |
| --- | --- | --- | --- |
| _e.g. Elevation.1.M.1_ | _Owner/admin address changes_ | _Any `set_admin` event. Baseline: zero; never expected in normal operation._ | _Alert immediately on any admin change on the core contract._ |
| _e.g. Elevation.1.M.2_ | _Privileged call from an unexpected address_ | _Caller not in the known-admin allowlist. Baseline: only the multisig calls these._ | _Alert on privileged calls from non-allowlisted addresses._ |
| | | | |

Each monitor can be stated in a single line:

- We address **[Threat ID]** in **[affected component]** by monitoring for **[on-chain effect]** on **[address]**.
- _For example: **Elevation.1.M.1** - We address **Elevation.1** in **the lending pool factory** by monitoring for **deploy invocations from users not on an approved list** at address **CABC123...**._

## What happens when an alert fires?

**Directions**: For each monitor, define what happens when it triggers: who is notified, through which channel, any automated action, and who owns the rule. This is where the monitoring vendor's automated-response capability (for example, pausing a contract) is recorded.

| Monitor ID | Severity | Response / action (who, channel, automated action) | Owner | Status | Last reviewed |
| --- | --- | --- | --- | --- | --- |
| _e.g. Elevation.1.M.1_ | _Critical_ | _Page on-call security (PagerDuty + Slack); trigger guardian pause; open incident bridge._ | _Protocol Security_ | _Active_ | _YYYY-MM-DD_ |
| | | | | | |

**Status values**: _Active_ (live and alerting), _Tuning_ (live but thresholds being refined), _Planned_ (agreed but not yet implemented).

## Did we do a good job?

- Does every threat in the threat model have at least one monitor, or a documented reason it can't be monitored on-chain?
- Is every trigger threshold grounded in an actual baseline rather than a guess?
- Does every monitor have a defined response, an owner, and a status?
- Have any monitors fired? Were they true positives? Did the response work as written?
- Are all on-chain addresses still current after the latest deploy or upgrade?
- Were any threats found that only surface off-chain, needing a different kind of monitoring?

Treat this plan as a living document: revisit it whenever the contracts, addresses, or threat model change.
74 changes: 74 additions & 0 deletions docs/build/security-docs/monitoring/monitoring-template-users.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
---
title: Position Monitoring Plan Template (Users)
description: For Users - Monitor your important positions on Stellar
sidebar_position: 20
---
Comment thread
ElliotFriend marked this conversation as resolved.

This template helps you, as someone holding positions on Stellar, set up monitoring for what you own, without needing a formal threat model. Fill in one row per position or wallet you care about: what could go wrong, when you want to be alerted, and what you'll do about it.

**Directions**: Fill out each section below to the best of your ability. Keep the same position in the same row across every table so the plan reads straight across.

## What am I protecting?

**Directions**: List the positions and wallets you hold and care about.

_Input text: a short description of each position and where it lives._

| Position | Wallet / position address (`G...` account / `C...` contract) | Value at risk (optional) |
| --- | --- | --- |
| _e.g. XLM collateral in a lending position_ | _G..._ | _Dollar amount or percentage_ |
| | | |

## What would going wrong look like?

**Directions**: In plain language, note what "something going wrong" would look like for each position, and the level of concern using the reminders below.

### How concerned am I?

| Level | Meaning |
| ------------------- | ------------------------------------------- |
| **Drop everything** | I need to act right now to avoid loss. |
| **Important** | I want to know quickly and will act soon. |
| **Keep an eye** | Useful to know; I'll check when convenient. |
| **Low** | Informational only. |

| Position | What "going wrong" looks like | How concerned am I |
| --- | --- | --- |
| _e.g. XLM collateral..._ | _My position drifts toward liquidation; the protocol's admin changes unexpectedly; the pool drains suddenly._ | _Important_ |
| | | |

## What will alert me?

**Directions**: Turn each concern into a specific condition you can be alerted on, and choose how you want to be notified.

| Position | Alert me when... | Notify me by |
| --- | --- | --- |
| _e.g. XLM collateral..._ | _Health factor drops below 1.5; any admin change on the market; pool liquidity falls more than 30% in an hour._ | _Push + Telegram_ |
| | | |

:::note

Don't assume the protocol is watching your specific position. Its monitoring is tuned to the health of the whole system; yours should be tuned to your concerns.

:::

## What will I do?

**Directions**: Decide your action before an alert fires — it's much harder to think clearly once one does.

| Position | If it fires, I will... | Status |
| --- | --- | --- |
| _e.g. XLM collateral..._ | _Add collateral or withdraw before liquidation._ | _Watching_ |
| | | |

**Status values**: _Watching_ (alerts active) or _Paused_ (temporarily off).

## Did I set this up well?

- Does every position I care about have at least one alert?
- Are my "alert me when" conditions specific enough that I could act on them?
- Do I know what I'll do before an alert fires?
- Is my list of addresses still current?
- Am I relying on a protocol to watch something that only I can see for my own position?

Revisit this whenever you open, close, or change a position.
3 changes: 3 additions & 0 deletions routes.txt
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,9 @@
/docs/build/guides/transactions/submit-transaction-wait-js
/docs/build/guides/transactions/upload-wasm-bytecode
/docs/build/security-docs
/docs/build/security-docs/monitoring
/docs/build/security-docs/monitoring/monitoring-template-builders
/docs/build/security-docs/monitoring/monitoring-template-users
/docs/build/security-docs/securing-web-based-projects
/docs/build/security-docs/threat-modeling
/docs/build/security-docs/threat-modeling/STRIDE-template
Expand Down
Loading