Satgaz

satgaz is a decentralized threat intelligence protocol built on Chainlink CRE (Compute Runtime Environment). It lets community whistleblowers submit DeFi threat reports rug pulls, treasury drains, admin key compromises, oracle manipulation, and more have them verified through an automated multi-layer pipeline, and earn bounty payouts when threats are confirmed, all transparently on-chain.
DeFi bad actors almost always leave forensic traces on-chain before executing. The problem is there is no decentralized infrastructure to validate those signals in a trustless, reproducible way, incentivize community members to report threats before damage occurs, or pay out bounties automatically without custodians or intermediaries. By the time threats become public knowledge, it is already too late.
satgaz solves this with a Chainlink CRE workflow that acts as both a confidential whistleblower platform and an auto-executing threat analysis engine.

Built with Chainlink CRE for the workflow to process the threat analysis, using 2 trigger EVM and HTTP. EVM trigger CRE listens for SubmissionPaid events. When someone pays, the event carries the full JSON payload and the workflow fires automatically with no extra HTTP round-trip needed. While HTTP Trigger A whistleblower POSTs directly to the workflow endpoint with a paymentTxHash. The workflow fetches the receipt from Base Sepolia, parses the SubmissionPaid event log, and verifies payment before continuing.

1. On-chain verification — EVM calls to the target chain to verify claimed transaction hashes and read live contract state (owner, balances, etc.) using EVMClient.
2. TVL enrichment — Public HTTP call to the DeFiLlama API to detect 30-day liquidity anomalies via HTTPClient with consensus aggregation.
3. AI-assisted analysis — OpenAI GPT-4o-mini queried via ConfidentialHTTPClient, with the API key stored in the Chainlink DON secrets vault so it is never exposed.
4. Deterministic scoring — A weighted scoring engine (0–100) combines all signals into a reproducible verdict with outcome, threat level, and confidence level.
5. On-chain publishing & payout — Verdicts that score above the minimum threshold are written to ThreatOracle via writeReport, and bounties are disbursed from BountyVault, all signed and committed by the CRE workflow execution.