SentinelBridge
Institutional-grade liquidity watchdog & automated circuit breaker for cross-chain bridges using Chainlink CRE
What it is
Cross-chain bridges are the backbone of blockchain interoperability, yet they remain DeFi's most exploited infrastructure, with over $2.8 billion lost to attacks including Ronin ($625M), Wormhole ($326M), and Nomad ($190M). The core problem? Existing security systems are reactive. They detect exploits only after funds have already left the contract, when recovery is nearly impossible.
SentinelBridge addresses this gap by serving as a proactive, always-on liquidity watchdog. It continuously monitors bridge reserve balances, transaction velocity, and behavioral anomalies in real time. When suspicious activity is detected, it doesn't just send an alert; it automatically pauses the bridge to prevent further fund drainage, acting as an automated circuit breaker.
The system follows a three-stage pipeline (Listen, Evaluate, Act) built entirely on the Chainlink Runtime Environment (CRE):
In the Listen phase, CRE's CronCapability triggers a monitoring cycle every 60 seconds. During each cycle, the EVMClient reads five on-chain state variables from the bridge contract: source chain reserves, destination chain reserves, locked token amount, current risk ratio, and pause status.
In the Evaluate phase, a custom heuristic risk engine scores bridge health across three weighted dimensions: Liquidity Velocity (35%), Statistical Anomaly Detection (45%), and Oracle Price Drift (20%). This raw telemetry is then forwarded to Groq's LLaMA 3.1 AI model via CRE's HTTPClient for deeper threat classification. The AI returns a structured analysis including the identified attack pattern, a confidence score, and an actionable recommendation.
In the Act phase, if the AI classifies the threat as CRITICAL with confidence above 0.8, the workflow autonomously calls the bridge's pause() function on-chain via EVMClient, engaging the circuit breaker before any additional funds can be drained.
SentinelBridge is designed to detect six distinct attack vectors: flash loan exploits, stealth (slow-drip) drains, governance key compromises, forged proof submissions, oracle lag arbitrage, and coordinated mass withdrawals. A companion Next.js dashboard provides real-time visualization of bridge health, an emergency manual kill switch, and an interactive demo controller that lets users simulate each attack scenario against a live local blockchain.
How it Works
SentinelBridge is built around the Chainlink Runtime Environment (CRE) as its foundational layer, enabling secure, decentralized, and consensus-driven execution across Chainlink nodes. The entire monitoring and response logic lives in a single, tamper-resistant workflow developed with the @chainlink/cre-sdk (TypeScript). This workflow combines scheduled automation, on-chain interaction, external intelligence, and automated action, all running in a serverless, decentralized manner.
The process begins with CronCapability, which triggers the workflow reliably every 60 seconds. On each run, EVMClient securely reads five essential state variables directly from the bridge contract:
- Source reserves
- Destination reserves
- Locked amount
- Risk ratio
- Pause status
These values are fetched via consensus-verified callContract() calls. The raw byte responses are decoded (typically converting hex to BigInt for precise calculations) before being passed to the evaluation stage.
The risk engine, a focused 315-line custom module, then computes a multi-dimensional health score using three weighted dimensions:
- Liquidity Velocity (35%) — tracks the speed and direction of fund movements to detect abnormal outflows.
- Standard Deviation Anomaly (45%) — identifies statistical outliers in reserve changes that deviate from historical norms.
- Oracle Drift (20%) — measures discrepancies or delays in price feeds that could indicate manipulation.
Immediate CRITICAL flags are raised for severe red flags such as governance changes or invalid proofs, ensuring high-severity events bypass normal scoring.
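A sketch of how the three weighted dimensions and the immediate-CRITICAL bypass could fit together, as an added example that is not the project's 315-line module. The `Telemetry` fields, the saturation points for each sub-score, and the NORMAL/ELEVATED/CRITICAL thresholds are assumptions; only the 35/45/20 weights and the two bypass flags come from the page.

```typescript
// Added example. Saturation points and level thresholds are assumptions.
type Level = "NORMAL" | "ELEVATED" | "CRITICAL";
interface Telemetry {
  reservesHex: string[];      // source-reserve reads, oldest first, latest last
  oracleDriftPct: number;     // % gap between bridge price and feed price
  governanceChanged: boolean; // immediate-CRITICAL flags named on the page
  invalidProof: boolean;
}
const WEIGHTS = { velocity: 0.35, anomaly: 0.45, drift: 0.2 }; // page's weights
const clamp = (x: number): number => Math.max(0, Math.min(100, x));

// Per-cycle reserve change in basis points, computed in BigInt so uint256
// values never lose precision; only the small ratio becomes a number.
function changeBps(prevHex: string, curHex: string): number {
  const prev = BigInt(prevHex), cur = BigInt(curHex);
  if (prev === BigInt(0)) return 0; // empty reserve: no ratio to compute
  return Number(((cur - prev) * BigInt(10000)) / prev);
}

function scoreBridge(t: Telemetry): { score: number; level: Level } {
  const changes = t.reservesHex.slice(1).map((h, i) => changeBps(t.reservesHex[i], h));
  const latest = changes.length ? changes[changes.length - 1] : 0;
  const past = changes.slice(0, -1);
  // Liquidity velocity: outflow only; assumed to saturate at 10% per cycle.
  const velocity = clamp(Math.max(0, -latest) / 10);
  // Anomaly: z-score of the latest change against earlier cycles (saturates at z = 4).
  let anomaly = 0;
  if (past.length >= 2) {
    const mean = past.reduce((a, b) => a + b, 0) / past.length;
    const sd = Math.sqrt(past.reduce((a, b) => a + (b - mean) ** 2, 0) / past.length);
    const dev = Math.abs(latest - mean);
    anomaly = sd === 0 ? (dev > 0 ? 100 : 0) : clamp((dev / sd / 4) * 100);
  }
  const drift = clamp(t.oracleDriftPct * 20); // assumed to saturate at 5% drift
  const raw = WEIGHTS.velocity * velocity + WEIGHTS.anomaly * anomaly + WEIGHTS.drift * drift;
  const score = Math.round(raw * 10) / 10;
  // Governance changes and invalid proofs bypass the weighted score entirely.
  if (t.governanceChanged || t.invalidProof) return { score, level: "CRITICAL" };
  return { score, level: score >= 75 ? "CRITICAL" : score >= 40 ? "ELEVATED" : "NORMAL" };
}

// Constructed sample: four quiet cycles, then a 30% outflow in one cycle.
const wei = (tokens: number): string =>
  "0x" + (BigInt(tokens) * BigInt("1000000000000000000")).toString(16);
const quiet = [1000, 1002, 999, 1001, 1000].map(wei);
const drained = scoreBridge({ reservesHex: quiet.concat(wei(700)), oracleDriftPct: 1,
  governanceChanged: false, invalidProof: false });
```

With fewer than three historical reads the anomaly term stays at zero, so a freshly deployed monitor relies on velocity and drift until it has a baseline.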
To bring intelligent pattern recognition into the loop, the aggregated telemetry is sent via HTTPClient to Groq's LLaMA-3.1-8B-instant model. The model returns a structured JSON response that includes:
- Suspected attack pattern (e.g., flash loan, stealth drain, governance hijack)
- Confidence score (0.0–1.0)
- Recommended action
For added robustness in API routes (e.g., dashboard backend), a custom HTTPS client enforces TLS 1.2, disables keep-alive connections, and applies exponential backoff retries (up to three attempts).
If the AI confidence is ≥ 0.8 and the risk classification is CRITICAL, the workflow automatically encodes and submits a pause() transaction using EVMClient, instantly activating the circuit breaker on the bridge contract. The complete workflow is compiled to WASM via a custom tsconfig.workflow.json and deployed through cre.yaml to run on the Chainlink CVM runtime.
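The pause gate described above depends on a model reply, which should be handled as untrusted input before it can trigger an on-chain transaction. The following added example (not the project's code) validates the reply strictly and applies the ≥ 0.8 / CRITICAL rule; the JSON field names, the pattern labels, and every level other than CRITICAL are assumptions.

```typescript
// Added example. The JSON field names and pattern labels are assumptions.
const PATTERNS = ["flash_loan", "stealth_drain", "governance_compromise",
  "forged_proof", "oracle_lag_arbitrage", "mass_withdrawal", "none"] as const;
const LEVELS = ["LOW", "MEDIUM", "HIGH", "CRITICAL"] as const;
interface Verdict {
  pattern: (typeof PATTERNS)[number];
  riskLevel: (typeof LEVELS)[number];
  confidence: number;
  recommendation: string;
}
const PAUSE_CONFIDENCE = 0.8; // threshold stated on the page

// Treat the model reply as untrusted input: parse strictly and reject anything
// outside the expected schema instead of coercing it.
function parseVerdict(body: string): Verdict | null {
  let v: unknown;
  try { v = JSON.parse(body); } catch { return null; }
  if (typeof v !== "object" || v === null) return null;
  const o = v as Record<string, unknown>;
  const pattern = PATTERNS.find((p) => p === o.pattern);
  const riskLevel = LEVELS.find((l) => l === o.riskLevel);
  const c = o.confidence;
  if (!pattern || !riskLevel || typeof o.recommendation !== "string") return null;
  if (typeof c !== "number" || !Number.isFinite(c) || c < 0 || c > 1) return null;
  return { pattern, riskLevel, confidence: c, recommendation: o.recommendation };
}

// alreadyPaused is the pause status read from the bridge in the Listen phase.
function decide(body: string, alreadyPaused: boolean): { pause: boolean; reason: string } {
  if (alreadyPaused) return { pause: false, reason: "bridge already paused" };
  const verdict = parseVerdict(body);
  if (!verdict) return { pause: false, reason: "model reply failed validation" };
  if (verdict.riskLevel === "CRITICAL" && verdict.confidence >= PAUSE_CONFIDENCE)
    return { pause: true, reason: `${verdict.pattern} @ ${verdict.confidence}` };
  return { pause: false, reason: "below pause threshold" };
}
```

A reply that fails validation produces no pause here, so the distinct reason string is worth alerting on: repeated validation failures mean the AI path is effectively offline.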
On the user-facing side, a modern frontend provides full visibility and control:
- Built with Next.js 15 (App Router) + React 19
- Styled with Tailwind CSS in a clean glass-morphism aesthetic
- Features live bridge metrics, real-time risk scores, AI classification logs, an emergency manual kill switch, and an interactive demo controller
For demonstration and testing, we developed seven reusable Hardhat scripts that simulate the six targeted attack vectors (plus one combined scenario). Each script includes a complete reset routine (unpausing the bridge, clearing attack flags, and restoring reserves) so the demo remains reliable across repeated executions.
Underpinning everything is SourceBridge.sol (Solidity 0.8.20), a representative smart contract that includes:
- Reserve tracking logic
- Built-in circuit breaker (pause() / unpause())
- Helper functions to inject realistic attack behaviors for simulation
This combination of Chainlink's decentralized automation, Groq's high-speed AI inference, a tuned heuristic risk engine, and a clean modern interface creates a practical, production-grade prototype that moves security for bridges, one of the most vulnerable attack surfaces in DeFi, from after-the-fact recovery to proactive, real-time prevention.
Created by
- Nayan Joshy Maniyath Joshy