SentinelDAO

AI-powered DeFi vault defense system using Chainlink CRE, CCIP, and LLM integration for autonomous threat detection and cross-chain emergency response.

Risk & Compliance

What it is

What is SentinelDAO?
SentinelDAO is an autonomous defense system for DeFi protocols that detects and neutralizes threats before they drain vaults. By combining Chainlink's decentralized infrastructure with AI-powered risk analysis, it monitors multi-chain vault activity in real time and executes emergency pauses across all chains simultaneously. No human intervention required.
Think of it as a 24/7 security guard that never sleeps, can't be bribed, and reacts in milliseconds instead of minutes.
How It Works
Step 1: Decentralized Monitoring
Chainlink CRE workflows continuously watch our ProtectedVault contracts deployed across Ethereum Sepolia, Arbitrum Sepolia, and Base Sepolia. Using EVM Log Triggers, the Chainlink DON (Decentralized Oracle Network) detects every deposit, withdrawal, and emergency pause event with multi-node consensus, eliminating the single points of failure that plague centralized monitoring systems.

Step 2: AI Threat Analysis
When suspicious activity is detected, the CRE workflow doesn't just flag it; it interprets it. Using Chainlink's HTTP capability, the workflow calls the Google Gemini LLM directly to analyze transaction patterns. The AI identifies:

  • Flash loan attacks (deposit + withdrawal in the same block)
  • TVL drains (large percentage of vault balance withdrawn)
  • Rapid transaction bursts (potential bot activity)
  • Whale movements (unusually large transfers)

Each threat gets a risk score (0-100), a confidence level, and a natural-language explanation of what's happening.

Step 3: Automated Defense
For high-severity threats, SentinelDAO doesn't wait for approval. It acts immediately:

  • Single-chain threats → Emergency pause on the affected vault
  • Critical/correlated threats → Cross-chain pause via Chainlink CCIP, broadcasting pause commands to all chains in parallel

The entire process from detection to on-chain execution happens in under 15 seconds. By the time a human could read the alert, the vaults are already protected.

Step 4: Real-Time Transparency
Every action is logged and broadcast to the dashboard via WebSockets. Security teams see threats as they happen, watch AI analysis in real time, and track CCIP messages as they propagate across chains. The attack simulator lets teams test the system with realistic scenarios (flash loans, rapid withdrawals) to verify that the defense mechanisms work as expected.
The Problem We're Solving
DeFi protocols are under constant attack, and current security solutions have critical gaps:

  • ❌ Centralized monitoring = single point of failure
    • If your monitoring server goes down, you're blind. If it gets compromised, attackers control your defenses.
  • ❌ Manual response is too slow
    • The Poly Network hack drained $600M in minutes. By the time humans notice and react, it's already too late.
  • ❌ No cross-chain coordination
    • Protocols deploy on multiple chains but defend each one separately. Attackers exploit this by coordinating attacks across chains.
  • ❌ Rule-based detection = false positive hell
    • Simple threshold rules flag legitimate whale deposits as threats, causing alert fatigue and missed real attacks.

Our Solution

  • ✅ Decentralized detection via Chainlink DON
    • Multi-node consensus means no single point of failure. The network keeps watching even if individual nodes go offline.
  • ✅ Sub-10-second automated response
    • From threat detection to on-chain pause execution, the entire defense cycle completes before attackers can drain funds.
  • ✅ Cross-chain defense via CCIP
    • One threat detection triggers pauses across all chains simultaneously. Attackers can't chain-hop to escape.
  • ✅ AI-enhanced accuracy
    • LLM-based analysis understands context, not just thresholds. Legitimate large deposits don't trigger false alarms, but flash loan patterns get caught instantly.
  • ✅ Trustless execution
    • No admin keys, no multisig delays. The Chainlink network and smart contracts enforce security policies autonomously.

How it Works

We started with the core problem: How do you protect DeFi vaults across multiple chains when threats happen in milliseconds? Traditional monitoring solutions are too slow, and manual intervention isn't realistic when millions are at stake.
The Smart Contract Foundation
Our vault architecture is built on Solidity using Foundry for development and testing. The ProtectedVault contract implements a pausable pattern with role-based access control—only designated "sentinel" addresses can trigger emergency pauses. We deployed identical contracts across Ethereum Sepolia, Arbitrum Sepolia, and Base Sepolia to simulate a real multi-chain DeFi protocol.
The interesting challenge was cross-chain coordination. When a threat is detected on one chain, we need to pause vaults on all chains simultaneously. That's where CCIP came in. We built SentinelCCIPSender and SentinelCCIPReceiver contracts that communicate across chains—the sender on Sepolia broadcasts pause commands, and receivers on Arbitrum and Base execute them. Each receiver is registered as a sentinel on its respective vault, creating a decentralized emergency brake system.
Chainlink as the Detection Layer
Instead of running our own indexer nodes, we leveraged Chainlink CRE (Chainlink Runtime Environment) as the primary detection engine. Here's why this was a game-changer:

  • EVM Log Triggers monitor deposit, withdrawal, and pause events with DON consensus—no single point of failure
  • HTTP capabilities let the CRE workflow call our backend API and Google's Gemini AI directly from the workflow
  • Multi-chain reads in a single workflow mean we can correlate activity across chains

The CRE workflow runs continuously, analyzing every transaction. When it detects suspicious patterns (large transfers, rapid transactions, flash loan signatures), it sends a webhook to our backend with severity ratings and threat classifications.
Backend Intelligence Engine
The backend is where the real threat analysis happens. We built it on Bun (for speed) with Hono.js as the web framework and PostgreSQL for multi-tenant data isolation. The threat engine implements several detection algorithms:
  • Flash loan pattern detection - identifies deposit+withdrawal in the same block
  • TVL drain detection - flags withdrawals exceeding 30% of vault balance
  • Threat correlation - escalates severity when multiple threats occur within 5 minutes
  • AI risk scoring - Google Gemini analyzes transaction patterns and provides risk assessments with confidence scores

When a critical threat is detected, the defense executor service automatically triggers on-chain pauses using viem and the deployer's private key. For correlated attacks, it executes cross-chain pauses via CCIP, sending pause messages to all chains in parallel.
Frontend Experience
The dashboard is built with Next.js 14 (App Router) and RainbowKit + wagmi for wallet connectivity. We focused on real-time visibility:
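The following is an added example and not SentinelDAO's own backend code. It implements, over a constructed batch of vault events, the three rule-based checks listed above (a deposit plus withdrawal in the same block, a withdrawal above 30% of the vault balance, and escalation when several threats fall within 5 minutes) and then applies the Step 3 policy: single-chain high-severity threats pause only the affected vault, while a correlated threat triggers a pause on every chain. The event shape, function names, thresholds as constants, and the sample events are assumptions; the AI risk-scoring step is out of scope here because it depends on an external model call.

```typescript
// Added example, not SentinelDAO's own code. Event shape, names and sample data are assumptions.
export type VaultEvent = {
  chain: string;          // e.g. "arbitrum-sepolia"
  vault: string;          // vault contract address
  kind: "deposit" | "withdrawal";
  actor: string;          // address that sent the transaction
  amount: number;         // token units; plain numbers are enough for this example
  balanceBefore: number;  // vault balance before this event
  block: number;
  timestamp: number;      // unix seconds
};

export type Threat = {
  type: "flash_loan" | "tvl_drain" | "correlated";
  severity: "medium" | "high" | "critical";
  chains: string[];
  vaults: string[];
  timestamp: number;
  detail: string;
};

export const TVL_DRAIN_RATIO = 0.3;         // 30% of vault balance, per the page
export const CORRELATION_WINDOW_SEC = 300;  // 5 minutes, per the page

function uniq(groups: string[][]): string[] {
  const seen = new Set<string>();
  for (const g of groups) for (const v of g) seen.add(v);
  return Array.from(seen);
}

type FlashPair = { deposit?: VaultEvent; withdrawal?: VaultEvent };

// Flash loan signature: the same actor deposits into and withdraws from the same vault in one block.
export function detectFlashLoans(events: VaultEvent[]): Threat[] {
  const pending = new Map<string, FlashPair>();
  const threats: Threat[] = [];
  for (const ev of events) {
    const key = `${ev.chain}|${ev.vault}|${ev.actor}|${ev.block}`;
    const pair: FlashPair = pending.get(key) ?? {};
    if (ev.kind === "deposit") pair.deposit = ev; else pair.withdrawal = ev;
    pending.set(key, pair);
    if (pair.deposit && pair.withdrawal) {
      threats.push({ type: "flash_loan", severity: "high", chains: [ev.chain], vaults: [ev.vault],
        timestamp: ev.timestamp, detail: `${ev.actor} deposited and withdrew in block ${ev.block}` });
      pending.delete(key); // one alert per actor and block
    }
  }
  return threats;
}

// TVL drain: a single withdrawal that removes at least 30% of the vault balance.
export function detectTvlDrains(events: VaultEvent[]): Threat[] {
  const threats: Threat[] = [];
  for (const ev of events) {
    if (ev.kind !== "withdrawal" || ev.balanceBefore <= 0) continue;
    const ratio = ev.amount / ev.balanceBefore;
    if (ratio < TVL_DRAIN_RATIO) continue;
    threats.push({ type: "tvl_drain", severity: "high", chains: [ev.chain], vaults: [ev.vault],
      timestamp: ev.timestamp, detail: `withdrawal of ${(ratio * 100).toFixed(1)}% of vault balance` });
  }
  return threats;
}

// Correlation: two or more threats inside one 5-minute window, on any chains, collapse
// into a single critical "correlated" threat that covers every chain and vault hit.
export function correlateThreats(threats: Threat[]): Threat[] {
  const sorted = threats.slice().sort((a, b) => a.timestamp - b.timestamp);
  const out: Threat[] = [];
  let i = 0;
  while (i < sorted.length) {
    const first = sorted[i];
    let j = i + 1;
    while (j < sorted.length && sorted[j].timestamp - first.timestamp <= CORRELATION_WINDOW_SEC) j++;
    const cluster = sorted.slice(i, j);
    if (cluster.length < 2) out.push(first);
    else out.push({ type: "correlated", severity: "critical",
      chains: uniq(cluster.map((t) => t.chains)), vaults: uniq(cluster.map((t) => t.vaults)),
      timestamp: cluster[cluster.length - 1].timestamp,
      detail: `${cluster.length} threats within ${CORRELATION_WINDOW_SEC}s` });
    i = j;
  }
  return out;
}

export type DefenseAction =
  | { action: "none" }
  | { action: "pause_vaults"; vaults: string[] }
  | { action: "pause_all_chains"; chains: string[] };

// Step 3 policy: critical/correlated -> cross-chain pause on every chain; high -> pause
// only the affected vault(s); anything else -> no on-chain action.
export function decideResponse(threats: Threat[], allChains: string[]): DefenseAction {
  if (threats.some((t) => t.severity === "critical")) return { action: "pause_all_chains", chains: allChains };
  const high = threats.filter((t) => t.severity === "high");
  if (high.length > 0) return { action: "pause_vaults", vaults: uniq(high.map((t) => t.vaults)) };
  return { action: "none" };
}

export function analyze(events: VaultEvent[], allChains: string[]) {
  const threats = correlateThreats(detectFlashLoans(events).concat(detectTvlDrains(events)));
  return { threats, response: decideResponse(threats, allChains) };
}

// Constructed sample events (not real chain data): a whale deposit that must not alert, a
// same-block deposit/withdrawal on Arbitrum, a 40% drain on Base three minutes later, and
// a small routine withdrawal much later.
export const SAMPLE_CHAINS = ["ethereum-sepolia", "arbitrum-sepolia", "base-sepolia"];
export const SAMPLE_EVENTS: VaultEvent[] = [
  { chain: "ethereum-sepolia", vault: "0xVaultA", kind: "deposit", actor: "0xWhale", amount: 50000, balanceBefore: 100000, block: 10, timestamp: 1000 },
  { chain: "arbitrum-sepolia", vault: "0xVaultB", kind: "deposit", actor: "0xBot", amount: 1000, balanceBefore: 10000, block: 42, timestamp: 1200 },
  { chain: "arbitrum-sepolia", vault: "0xVaultB", kind: "withdrawal", actor: "0xBot", amount: 1000, balanceBefore: 11000, block: 42, timestamp: 1200 },
  { chain: "base-sepolia", vault: "0xVaultC", kind: "withdrawal", actor: "0xDrainer", amount: 4000, balanceBefore: 10000, block: 77, timestamp: 1380 },
  { chain: "ethereum-sepolia", vault: "0xVaultA", kind: "withdrawal", actor: "0xUser", amount: 1000, balanceBefore: 150000, block: 99, timestamp: 9000 },
];

console.log(JSON.stringify(analyze(SAMPLE_EVENTS, SAMPLE_CHAINS), null, 2));
```

On the sample batch the whale deposit produces nothing, the Arbitrum pair is flagged as a flash loan and the Base withdrawal as a TVL drain, and because the two fall 180 seconds apart they are merged into one critical correlated threat, so the policy returns a pause on all three chains. Run the drain detector alone and the same data yields a single high-severity threat and a vault-local pause, which is the distinction Step 3 draws between single-chain and correlated threats.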
  • WebSocket connections stream threat alerts, vault status changes, and CCIP defense actions as they happen
  • Attack simulator lets users trigger realistic attack scenarios (flash loans, rapid transactions) to see the defense system in action
  • Onboarding wizard guides new users through vault deployment and CCIP setup
  • Multi-tenant architecture means each organization has isolated vaults, alert rules, and CCIP configurations

Created by

  • Krishna Mahato