DeFi Immune System

DeFi protocols lost over $4 billion to exploits in 2024-2025. Current security relies on centralized multisigs or slow governance votes — by the time anyone responds, the damage is done. The DeFi Immune System solves this with a five-step autonomous pipeline built on Chainlink CRE: (1) DETECT suspicious onchain events via log triggers, (2) GATHER vault health data via EVM Read, (3) INVESTIGATE external market signals via Confidential HTTP — keeping intelligence sources private inside a TEE, (4) DIAGNOSE threats using Google Gemini AI with structured severity scoring and Google Search grounding, and (5) RESPOND autonomously onchain via EVM Write — pausing vaults, adjusting parameters, or logging reports based on AI-determined severity. Every step runs across Chainlink's decentralized oracle network with BFT consensus. The system isn't a centralized bot making unilateral decisions — it's a consensus-verified immune response. We demonstrate this monitoring three vaults simultaneously with different risk profiles, showing how the system detects a rapid drain attack, diagnoses it in seconds, and autonomously pauses the affected vault while leaving healthy vaults operational.

Smart contracts are built in Solidity 0.8.24 using Foundry, with an ImmuneProtected abstract base contract that any vault can inherit for instant immune system integration. The DeFiVault reference implementation is deployed on Sepolia and receives verified CRE reports via Chainlink's KeystoneForwarder and ReceiverTemplate pattern. The CRE workflow is written in TypeScript using @chainlink/cre-sdk, compiled to WASM, and executed across the DON. It uses six CRE capabilities: Log Trigger for real-time event detection, HTTP Trigger for manual investigations, EVM Read for onchain state queries, EVM Write with two-step report signing for verified responses, Confidential HTTP for private external data fetching inside a TEE, and standard HTTP for Gemini AI diagnosis with consensus caching. The demo dashboard is built in React and visualizes the full threat detection pipeline in real-time. AI diagnosis uses Gemini 2.5 Flash with Google Search grounding for real-time market context.