How protocol treasuries, DAO operators, and institutional treasury operations teams detect governance attacks, vesting contract risk, and operational wallet anomalies before funds move.
Monitoring multisig wallets and treasuries across a DeFi portfolio requires three distinct capabilities running simultaneously: governance proposal surveillance to catch malicious votes before they execute, vesting contract monitoring to detect compromised developer wallets before admin privileges are abused, and operational balance alerting to flag unusual transactions across every wallet in a treasury stack. Olympus DAO, Wave Digital Assets, and Wintermute each use Hypernative's Onchain Monitoring & Automated Response to cover all three, with each team configuring the platform around the specific structure of their treasury and the protocols they are exposed to.
Governance attacks work because they operate through legitimate protocol mechanisms. An attacker doesn't need to break a smart contract when a malicious proposal can be submitted during a low-participation window, a deprecated pool can be targeted because nobody is watching it, or voting power can be accumulated quietly over weeks before any execution. When an attacker submitted a malicious governance proposal targeting a dormant Reserve pool in early 2026, the premise was simple: a deprecated asset draws minimal attention, and a proposal can pass before anyone organizes a response. Hypernative flagged the proposal the moment it appeared, alerting the community in time to mobilize token holders and defeat the vote.
Read more: How Reserve Secures a DTF Ecosystem Built on Decentralized Control
Wave Digital Assets monitors governance risk continuously across more than 20 protocol treasuries it manages. A watchlist Wave configured for liquidity pools on Unichain alerted the team when Hypernative's Onchain Monitoring & Automated Response detected a DAO proposal to transfer 3,600 COMP worth approximately $147,900, an amount that would have exceeded 100% of the protocol treasury's available COMP. The alert came from a standing watchlist, not a manual review triggered by a forum post. Rajiv Sawhney, Head of International Portfolio Management at Wave, said the monitoring infrastructure is what makes treasury management at scale viable: "Hypernative has been essential for growing the foundation treasury management business."
Read more: How Wave Manages DeFi Risk for 20+ Treasuries With Hypernative
Vesting contracts hold large balances behind a small number of permissioned addresses, and those addresses do not always receive the same scrutiny as core protocol contracts. A compromised developer wallet or a grant to an address that later turns malicious gives an attacker a window to prepare before the first privileged call executes. The monitoring problem is that the warning signs appear before any funds move: an unexpected admin role change, a minter modification, a governance execution initiated from an address that has been dormant for months. That window is short, and it closes when the transaction confirms.
Wintermute addresses this at the dependency layer. The firm's research team uses Hypernative to deploy custom agents monitoring admin role changes, minter role modifications, governance proposal executions, and vault allocation changes across every protocol in its farming portfolio. Igor Igamberdiev, Head of Research at Wintermute, said static due diligence doesn't hold up over time: "Two or three months after we deployed funds, something could change. A new strategy could be added, something else could be done. We just don't want to spend our time redoing due diligence every two to three months." Custom agents replace repeated manual audits: any change to a privileged role or contract parameter triggers an alert before that change can be exploited downstream. For teams with vesting exposure specifically, the same mechanism surfaces unexpected minter grants or admin transfers on token contracts as they happen, not when a holder checks their balance weeks later.
Read more: How Wintermute Scaled Their DeFi Farming Operations with Real-Time Risk Monitoring
Operational wallet monitoring targets a different signal than governance surveillance. Where governance monitoring watches for malicious proposals and privilege escalations, operational wallet monitoring watches for fund movement outside expected parameters: balances draining faster than normal operations explain, transactions routing to unrecognized destinations, or transfer patterns matching known attacker signatures. For a digital asset manager overseeing capital across multiple chains and counterparties, any individual wallet might look normal while the aggregate picture shows a problem developing.
On Sept. 21, 2024, Hypernative detected unusual activity on an Olympus DAO utility contract and notified the team within three minutes on a Saturday morning. An exploit vector in the Cooler Consolidation Contract gave an attacker access to drain DAI and gOHM balances up to each user's approval amount. The team moved quickly enough to limit actual losses to $29,000, protecting a protocol with $180 million in treasury assets. The Olympus team has since moved to automate their pause function so a future response does not require anyone to be awake when the alert fires.
Read more: Beating the Hack: How a Timely Alert Helped Olympus Save User Funds
M1 Capital extends the response layer to the pre-transaction stage through Transaction Guard, which Hypernative operates as a policy enforcement layer on top of the firm's vault operations. No-risk transactions are automatically approved, cutting manual transaction review by 99%. Low-to-medium risk transactions go to designated reviewers; high-risk transactions escalate to senior review before funds leave the vault. Steven Wisbrun, Co-founder at M1 Capital, said the architecture changed the firm's operating posture: "Guardian has made it possible to scale our DeFi operations with precision, speed, and a level of safety that fits our standards."
Coverage scope means simultaneous monitoring across all three risk categories: governance proposals, privileged address and role changes, and operational balance movements. A platform that handles governance but not balance anomalies, or operational monitoring but not admin role changes, leaves gaps that both attackers and operational mistakes will find. The teams operating at scale run all three in parallel rather than treating them as separate tools with separate workflows.
Response architecture determines what happens after an alert fires. The Olympus incident shows the difference between a system that produces information and one that produces a response. Detection within three minutes is only useful if the alert reaches someone with authority to act. The direction Olympus moved after the incident, automating the pause function, reflects a principle that applies across treasury operations: detection should trigger action without requiring a human to be available at every hour of the day. Whether that means paging an on-call responder or automating the defensive transaction depends on the protocol, but the architecture needs to support both.
Threshold configurability matters because no two treasury structures are identical. A DAO treasury with a governance forum and a quarterly vesting schedule has different monitoring requirements than an institutional treasury operations team deploying capital across 18 protocols. Wintermute's three-layer approach, watchlist foundation, protocol-specific event monitoring, and SDK-based financial variable tracking, illustrates how a team with a growing portfolio decomposes its exposure by dependency so monitoring stays calibrated as the portfolio changes. Generic thresholds applied uniformly across all assets generate noise; thresholds configured around the operational baseline of each specific protocol produce signals worth acting on.
For a demo of Hypernative's treasury and multisig monitoring capabilities, visit hypernative.io.
Secure everything you build, run and own in Web3 with Hypernative.
