> For the complete documentation index, see [llms.txt](https://doc.sec3.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://doc.sec3.dev/sec3-watchtower/multisig-security/quick-start-durable-nonce-monitoring.md).

# Quick Start: Durable Nonce Monitoring

This guide walks through configuring WatchTower to monitor for durable nonce attacks targeting your Squads v4 multisig. You will set up three bots that provide near real-time alerts on nonce staging activity and multisig configuration changes.

For background on the attack pattern and what each bot detects, see [Detecting Durable Nonce Attacks](/sec3-watchtower/multisig-security.md#detecting-durable-nonce-attacks).

The entire process takes under five minutes.

***

## Prerequisites

Before you begin, collect the following values. You will need them when configuring each bot.

**Signer public key(s)** — the Solana public key of each multisig member you want to monitor. These are individual signer keys, not the multisig address itself.

```
Signer 1: _______________________________________________
Signer 2: _______________________________________________
```

**Multisig PDA** — the on-chain address of your Squads v4 multisig. You can find it in the Squads UI under your multisig settings.

```
Multisig PDA: _______________________________________________
```

***

## Step 1 - Sign up and log in

1. Go to [https://pro.sec3.dev](https://pro.sec3.dev/).
2. Click **Sign up** if you do not have an account, or **Log in** if you already have one.
3. You can sign up using your email or an existing GitHub / Google account.

***

## Step 2 - Navigate to WatchTower

Once logged in, click **WatchTower** in the left sidebar to open the WatchTower dashboard.

![WatchTower sidebar](/files/a166xvVtrLkTQNwJHRJc)

***

## Step 3 - Create a project

A project is a container for your monitored addresses and bots.

1. Click **+ New Project** in the top-right corner.

![New Project dialog](/files/s0e7tUkcL27ESCxd9NXG)

2. Enter a project name (e.g., `Multisig Security`) and click **Create Project**.

***

## Step 4 - Add monitored addresses

Add your signer public keys and Multisig PDA so the bots know which accounts to watch.

1. In the left **Addresses** panel, click **+ New**.
2. Paste one of your signer public keys and give it a label (e.g., `Signer 1`).
3. Click **Add** to save the address.
4. Repeat for each additional signer key.
5. Add the **Multisig PDA** as a separate address (e.g., label it `Multisig PDA`).

***

## Step 5 - Create Bot 1: `solana_nonce_creation`

This bot alerts when a new durable nonce account is created with one of your signer keys as the authority. It provides the earliest on-chain signal of a nonce staging attack.

1. Click **+ New Bot** in the top-right corner.

![Bot selection panel](/files/4OXzpwjmlK3ueMf7hf8J)

2. Select **`solana_nonce_creation`** from the list, then click **Choose Bot**.

The bot configuration form will appear:

![Bot configuration form](/files/jXV09Jy5eggfUvp7VtyM)

3. **Bot name**: Give it a descriptive name (e.g., `nonce-creation-monitor`).
4. **Network**: Select **Mainnet-beta**.
5. **Target Addresses**: Select each **signer public key** from the dropdown. Do not add the Multisig PDA here — this bot monitors individual signer keys.
6. **Severity**: Leave as **Medium** or adjust to your preference.
7. **Notification**: Enable at least one notification receiver by toggling the switch next to it. Supported channels include Email, SMS, Slack, Telegram, Discord, and Webhook.

> **Example: Setting up Telegram notifications**
>
> If you haven't added a Telegram destination yet, click the **Telegram** button at the bottom of the notification list, then:
>
> 1. Enter a label (e.g., `my-telegram`) and click **Save Label**.
> 2. Copy the **magic words** shown on screen.
> 3. Open Telegram, start a chat with **@sec3\_alert\_bot** (or add it to a group chat).
> 4. Paste and send the magic words. The status will change to **Connected**.
> 5. Toggle the switch next to your new Telegram destination to enable it for this bot.
>
> For other notification channels (Slack, Discord, webhooks, etc.), see [Alert Destinations](/sec3-watchtower/alert-destinations.md).

8. Click **Create Bot**.

**When this bot fires:**

```
A new durable nonce account <NONCE_ADDR> was created with authority
<SIGNER_PUBKEY> (created by: <CREATOR_PUBKEY>).
This may indicate someone staging a pre-signed transaction attack.
```

If `created by` is an address you do not recognize, treat this as a potential attack and follow the steps in [Recommended Actions](broken://pages/1prtkvJ2dn4VtOA4AGRn#recommended-actions-on-alert).

***

## Step 6 - Create Bot 2: `solana_nonce_authority_change`

This bot alerts when a nonce account's authority is transferred to or from one of your signer keys.

1. Click **+ New Bot**.
2. Select **`solana_nonce_authority_change`**, then click **Choose Bot**.
3. **Bot name**: e.g., `nonce-authority-change-monitor`.
4. **Network**: **Mainnet-beta**.
5. **Target Addresses**: Select the same **signer public keys** as Bot 1.
6. **Severity**: Set to **Critical** (authority changes are high-signal events).
7. **Notification**: Enable at least one notification receiver.
8. Click **Create Bot**.

**When this bot fires (inbound):**

```
Nonce account <NONCE_ADDR> authority changed from <OTHER_KEY> to
<SIGNER_PUBKEY> (your key). Someone is transferring nonce control to
your signer — potential pre-signed transaction attack staging.
```

**When this bot fires (outbound):**

```
Nonce account <NONCE_ADDR> authority changed from <SIGNER_PUBKEY>
(your key) to <OTHER_KEY>. Your signer's nonce control is being
transferred away — verify this is authorized.
```

***

## Step 7 - Create Bot 3: `solana_multisig_config_change`

This bot alerts on Squads v4 configuration changes: threshold modifications, member additions and removals, and timelock changes.

> **Important:** The target for this bot is the **Multisig PDA**, not a signer key.

1. Click **+ New Bot**.
2. Select **`solana_multisig_config_change`**, then click **Choose Bot**.
3. **Bot name**: e.g., `multisig-config-change-monitor`.
4. **Network**: **Mainnet-beta**.
5. **Target Addresses**: Select the **Multisig PDA** from the dropdown.
6. **Severity**: Set to **Critical**.
7. **Notification**: Enable at least one notification receiver.
8. Click **Create Bot**.

**When this bot fires:**

```
Squads v4 multisig activity on <MULTISIG_PDA>: <action>.
Verify this action is authorized.
TX: <signature>
```

***

## Step 8 - Verify

Once all three bots are created, confirm they are active:

1. In your project, open the **Bots** tab.
2. All three bots should show a green status indicator (Active).

![Three bots active in Bots tab](/files/76AXICZgFUPOo0PVmVV6)

3. Switch to the **Alerts** tab. Alerts will appear here and will also be sent to your configured notification receivers.

![Alerts tab showing nonce alerts](/files/ZYvhhRUCy8w3LXYp2vLy)

4. Click on any alert to expand it and see full details, including the transaction signature and the specific addresses involved.

![Expanded alert detail](/files/LU2s3204vhy5nseO8jLP)

***

## What's next

* Read [Detecting Durable Nonce Attacks](broken://pages/1prtkvJ2dn4VtOA4AGRn) for background on the attack pattern and recommended response procedures.
* Configure additional [Alert Destinations](/sec3-watchtower/alert-destinations.md) (Slack, Telegram, webhooks, and more) for team-wide alerting.
* Review the full [Bots](/sec3-watchtower/bots.md) reference for other monitoring capabilities.
