Monitorism is a tooling suite that supports monitoring and active remediation actions for the OP Stack chain.
The suite is composed of two main components: op-monitorism and op-defender, that can be used together or separately and see below for more details.
The monitors are passive security service allowing to provide automated monitoring for the OP Stack.
There are components that are designed to make monitoring of the OP stack and alerting on specific events, that could be a sign of a security incident.
The list of all the monitors currently built into op-monitorism is below.
The Global Events Monitor is made for to taking YAML rules as configuration and monitoring the events that are emitted on the chain.
op-monitorism/global_events |
README |
|---|
The Liveness Expiration Monitor is made for monitoring the liveness expiration on Safes.
op-monitorism/liveness_expiration |
README |
|---|
The withdrawals monitor checks for new withdrawals that have been proven to the OptimismPortal contract.
Each withdrawal is checked against the L2ToL1MessagePasser contract.
op-monitorism/withdrawals |
README |
|---|
The balances monitor simply emits a metric reporting the balances for the configured accounts.
op-monitorism/balances |
README |
|---|
The fault monitor checks for changes in output roots posted to the L2OutputOracle contract.
On change, reconstructing the output root from a trusted L2 source and looking for a match.
op-monitorism/fault |
README |
|---|
The multisig monitor reports the paused status of the OptimismPortal contract.
If set, the latest nonce of the configued Safe address. And also if set, the latest presigned nonce stored in One Password.
The latest presigned nonce is identifyed by looking for items in the configued vault that follow a ready-<nonce>.json name.
The highest nonce of this item name format is reported.
op-monitorism/multisig |
README |
|---|
The drippie monitor tracks the execution and executability of drips within a Drippie contract.
op-monitorism/drippie |
README |
|---|
The secrets monitor takes a Drippie contract as a parameter and monitors for any drips within that contract that use the CheckSecrets dripcheck contract. CheckSecrets is a dripcheck that allows a drip to begin once a specific secret has been revealed (after a delay period) and cancels the drip if a second secret is revealed. It's important to monitor for these secrets being revealed as this could be a sign that the secret storage platform has been compromised and someone is attempting to exflitrate the ETH controlled by that drip.
op-monitorism/secrets |
README |
|---|
The defenders are active security service allowing to provide automated defense for the OP Stack. There are components that are designed to make immediate actions onchain/offchain to protect the assets.
The list of all the defender currently built into op-defender is below.
The PSP Executor Service is made for executing PSP onchain faster to increase our readiness and speed in case of incident response.
op-defender/psp_executor |
README |
|---|
After cloning, please run ./bootstrap.sh to set up the development environment correctly.
The cli has the ability to spin up a monitor for varying activities, each emmitting metrics used to setup alerts.
COMMANDS:
multisig Monitors OptimismPortal pause status, Safe nonce, and Pre-Signed nonce stored in 1Password
fault Monitors output roots posted on L1 against L2
withdrawals Monitors proven withdrawals on L1 against L2
balances Monitors account balances
secrets Monitors secrets revealed in the CheckSecrets dripcheck
Each monitor has some common configuration, configurable both via cli or env with defaults.
OPTIONS:
--log.level value [$MONITORISM_LOG_LEVEL] The lowest log level that will be output (default: INFO)
--log.format value [$MONITORISM_LOG_FORMAT] Format the log output. Supported formats: 'text', 'terminal', 'logfmt', 'json', 'json-pretty', (default: text)
--log.color [$MONITORISM_LOG_COLOR] Color the log output if in terminal mode (default: false)
--metrics.enabled [$MONITORISM_METRICS_ENABLED] Enable the metrics server (default: false)
--metrics.addr value [$MONITORISM_METRICS_ADDR] Metrics listening address (default: "0.0.0.0")
--metrics.port value [$MONITORISM_METRICS_PORT] Metrics listening port (default: 7300)
--loop.interval.msec value [$MONITORISM_LOOP_INTERVAL_MSEC] Loop interval of the monitor in milliseconds (default: 60000)