The firms deploying capital across multiple protocols and chains don't rely on audits to keep it safe. They've built layered monitoring systems that detect threats and exit positions before damage lands.
Crypto asset managers running active DeFi strategies have converged on a common monitoring architecture: broad protocol watchlists for generalized threat coverage, custom event agents for position-specific risks, and automated response workflows that execute exits without waiting for a human to intervene. Wintermute, Clearstar Labs, and Wave Digital Assets have each built this infrastructure on Hypernative's platform. The approach works because each layer catches what the others miss, and because response is pre-staged before a threat materializes, not assembled after one is detected.
The starting point is decomposition. A single DeFi farming position isn't exposure to one protocol. It's exposure to the protocol's smart contracts, the oracles it depends on, the bridges it uses, the admin keys that can change its parameters, and any third-party protocols it integrates with. Each of those dependencies is a potential attack surface.
Wintermute, one of crypto's largest market makers and OTC desks, uses Hypernative to structure its farming monitoring in three explicit layers for every position it holds.
With any position, we go in a layered way where we decompose it by dependencies. For example, with the Lombard vaults, there are a ton of projects we are exposed to directly.
Bohdan Pavlov, Researcher @ Wintermute
All three layers run through Hypernative's platform, which provides the watchlist coverage, custom agent deployment, and SDK-based financial monitoring Wintermute uses as its risk infrastructure.
The point of the decomposition is precision. A watchlist catches the category of threat. Custom agents catch the protocol-specific signals that matter for that position. SDK-based financial monitoring catches the quantitative signals that determine when to rotate or exit. Each layer serves a different detection function and generates alerts routed to different response workflows.
Read the full case study: How Wintermute Scaled Their DeFi Farming Operations with Real-Time Risk Monitoring
Detection without response is a notification system. The value of real-time monitoring for DeFi risk management depends almost entirely on what happens in the minutes after an alert fires.
For teams with just a handful of researchers manual response is not a reliable exit strategy. The math doesn't work: an exploit moves faster than a person can review an alert, assess the situation, and execute a multi-step unwind.
The Wintermute team's target response time is under five minutes. In practice, it's often under one minute. The system detects the signal; a researcher does a quick sanity check; the transaction button gets hit. The preparation work (exit transactions staged, integrations connected, counterparties mapped) happens before the alert fires, not after.
Clearstar Labs, a Switzerland-based quantitative DeFi manager, took this further by using the Hypernative platform to remove the human from the response loop entirely. Using a combination of real-time monitoring and pre-recorded transactions connected to their institutional wallet infrastructure, Clearstar configured an automated exit workflow on a DeFi protocol where they were providing liquidity. When the protocol was exploited, the workflow triggered before the team was even aware of the hack. They received a Telegram notification that the exit had completed successfully. The review confirmed the protocol had been compromised. Their funds were safe.
Since smart contract risk is inherent to any onchain exposure, it is vital to be able to monitor and respond to onchain threats in seconds. We wouldn't be comfortable securing our assets onchain if it weren't for the services provided by both Fordefi and Hypernative.
Jashiel Alamo, Head of DeFi Research @ Clearstar
The pre-recorded transaction model works because the exit conditions are known in advance. The only thing the monitoring layer needs to provide is the trigger. When the alert fires, the response executes at machine speed.
Read the full case study: Beating the Hack: How Clearstar Saved Thousands Using Onchain Automation
For firms managing assets across multiple client accounts or treasuries, the complexity compounds. Each account may have different protocols, different chains, different risk tolerances, and different reporting requirements. A monitoring setup designed for a single fund doesn't scale to 20 accounts across eight chains without significant infrastructure.
Wave Digital Assets, an SEC-registered investment adviser managing more than 20 corporate treasuries across DeFi, built its monitoring setup around four distinct coverage types deployed simultaneously across all its client accounts.
Cross-chain price divergence monitoring tracks liquid staking tokens and vault assets for potential depegs and arbitrage signals across Base, Berachain, Ethereum, Polygon, and Unichain. Liquidity and balance monitoring watches for TVL shifts and capital inflows and outflows across key protocols. Custom watchlists run default risk detections across dozens of protocol-specific smart contracts. Protocol and vault-specific coverage adds targeted monitoring for the full range of strategies Wave runs: staking vaults, lending and borrowing protocols, automated market makers.
Before Hypernative, we had to build out our own onchain risk monitoring tools and agents, which was expensive and time-consuming. The shift to an external monitoring infrastructure let the team concentrate on strategy execution rather than monitoring maintenance.
Rajiv Sawhney, Head of International Portfolio Management @ Wave
The practical impact shows up in the types of alerts Wave has caught in production: a phishing approval on a Polygon-bridged USDT position, a Polygon PoS Bridge mint event without a corresponding deposit on Ethereum, a DAO governance proposal to transfer funds well beyond the protocol treasury's available balance. Each of these is a different risk category (phishing, bridge integrity, governance) across different chains. Catching all of them requires breadth the team could not build and maintain in-house at the speed the market moves.
Read the full case study: How Wave Manages DeFi Risk for 20+ Treasuries With Hypernative
The firms running this infrastructure well have made some consistent architectural decisions worth noting for any manager evaluating a similar setup.
Coverage breadth matters more than depth on any single chain. DeFi strategies are inherently multi-chain. A monitoring solution that covers one or two networks well but lacks support for the protocols a manager actually uses is a gap, not a partial solution.
Custom agents are not optional for active DeFi strategies. Generic risk templates catch generic threats. The protocol-specific events that actually change a position's risk profile (allocation changes, cap raises, oracle updates) require purpose-built detection logic that a team can deploy quickly when entering a new protocol.
Automated response requires pre-staged infrastructure. The benefit of detecting a threat in seconds disappears if the response takes minutes. Exit transactions, custodial integrations, and response policies all need to be in place before an event happens.
And false positive rates determine whether alerts get acted on. A monitoring system that fires noise will train the team to ignore it. The value of real-time detection depends entirely on the team trusting that when an alert fires at 2 a.m., it warrants waking up.
Over 300 Web3 projects already rely on Hypernative's real-time enterprise-grade platform that covers 300+ risk signals, monitors over $100B worth of digital assets across more than 70 chains. The list includes Circle, Chainlink, Ethena, Galaxy, and Morpho.
Reach out for a demo of Hypernative's solutions, tune into Hypernative's blog and our social channels to keep up with the latest on cybersecurity in Web3.
Secure everything you build, run and own in Web3 with Hypernative.
Website | X (Twitter) | LinkedIn
