# Quick Start: Durable Nonce Monitoring

This guide walks through configuring WatchTower to monitor for durable nonce attacks targeting your Squads v4 multisig. You will set up three bots that provide near real-time alerts on nonce staging activity and multisig configuration changes.

For background on the attack pattern and what each bot detects, see [Detecting Durable Nonce Attacks](/sec3-watchtower/multisig-security.md#detecting-durable-nonce-attacks).

The entire process takes under five minutes.

***

## Prerequisites

Before you begin, collect the following values. You will need them when configuring each bot.

**Signer public key(s)** — the Solana public key of each multisig member you want to monitor. These are individual signer keys, not the multisig address itself.

```
Signer 1: _______________________________________________
Signer 2: _______________________________________________
```

**Multisig PDA** — the on-chain address of your Squads v4 multisig. You can find it in the Squads UI under your multisig settings.

```
Multisig PDA: _______________________________________________
```

***

## Step 1 - Sign up and log in

1. Go to [https://pro.sec3.dev](https://pro.sec3.dev/).
2. Click **Sign up** if you do not have an account, or **Log in** if you already have one.
3. You can sign up using your email or an existing GitHub / Google account.

***

## Step 2 - Navigate to WatchTower

Once logged in, click **WatchTower** in the left sidebar to open the WatchTower dashboard.

![WatchTower sidebar](/files/a166xvVtrLkTQNwJHRJc)

***

## Step 3 - Create a project

A project is a container for your monitored addresses and bots.

1. Click **+ New Project** in the top-right corner.

![New Project dialog](/files/s0e7tUkcL27ESCxd9NXG)

2. Enter a project name (e.g., `Multisig Security`) and click **Create Project**.

***

## Step 4 - Add monitored addresses

Add your signer public keys and Multisig PDA so the bots know which accounts to watch.

1. In the left **Addresses** panel, click **+ New**.
2. Paste one of your signer public keys and give it a label (e.g., `Signer 1`).
3. Click **Add** to save the address.
4. Repeat for each additional signer key.
5. Add the **Multisig PDA** as a separate address (e.g., label it `Multisig PDA`).

***

## Step 5 - Create Bot 1: `solana_nonce_creation`

This bot alerts when a new durable nonce account is created with one of your signer keys as the authority. It provides the earliest on-chain signal of a nonce staging attack.

1. Click **+ New Bot** in the top-right corner.

![Bot selection panel](/files/4OXzpwjmlK3ueMf7hf8J)

2. Select **`solana_nonce_creation`** from the list, then click **Choose Bot**.

The bot configuration form will appear:

![Bot configuration form](/files/jXV09Jy5eggfUvp7VtyM)

3. **Bot name**: Give it a descriptive name (e.g., `nonce-creation-monitor`).
4. **Network**: Select **Mainnet-beta**.
5. **Target Addresses**: Select each **signer public key** from the dropdown. Do not add the Multisig PDA here — this bot monitors individual signer keys.
6. **Severity**: Leave as **Medium** or adjust to your preference.
7. **Notification**: Enable at least one notification receiver by toggling the switch next to it. Supported channels include Email, SMS, Slack, Telegram, Discord, and Webhook.

> **Example: Setting up Telegram notifications**
>
> If you haven't added a Telegram destination yet, click the **Telegram** button at the bottom of the notification list, then:
>
> 1. Enter a label (e.g., `my-telegram`) and click **Save Label**.
> 2. Copy the **magic words** shown on screen.
> 3. Open Telegram, start a chat with **@sec3\_alert\_bot** (or add it to a group chat).
> 4. Paste and send the magic words. The status will change to **Connected**.
> 5. Toggle the switch next to your new Telegram destination to enable it for this bot.
>
> For other notification channels (Slack, Discord, webhooks, etc.), see [Alert Destinations](/sec3-watchtower/alert-destinations.md).

8. Click **Create Bot**.

**When this bot fires:**

```
A new durable nonce account <NONCE_ADDR> was created with authority
<SIGNER_PUBKEY> (created by: <CREATOR_PUBKEY>).
This may indicate someone staging a pre-signed transaction attack.
```

If `created by` is an address you do not recognize, treat this as a potential attack and follow the steps in [Recommended Actions](/sec3-watchtower/multisig-security.md#recommended-actions-on-alert).
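To confirm an alert independently of the dashboard, you can decode the nonce account it names and compare its authority with your signer keys. The sketch below is an added example, not WatchTower or Sec3 code. It assumes the System Program's 80-byte nonce account layout and an RPC node that serves `getProgramAccounts` for the System Program; the sample account bytes are constructed.

```python
import base64
import struct

SYSTEM_PROGRAM = "1" * 32   # System Program id: 32 zero bytes in base58
NONCE_ACCOUNT_LEN = 80      # u32 version, u32 state, authority, nonce, u64 fee
AUTHORITY_OFFSET = 8        # authority pubkey follows the two u32 tags
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    """Base58 (Bitcoin alphabet), the encoding Solana uses for addresses."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def decode_nonce_account(data_b64: str) -> dict:
    """Decode base64 account data, e.g. from getAccountInfo on <NONCE_ADDR>."""
    raw = base64.b64decode(data_b64)
    if len(raw) != NONCE_ACCOUNT_LEN:
        raise ValueError("not a nonce account: unexpected data length")
    version, state = struct.unpack_from("<II", raw, 0)
    if state != 1:  # 0 = uninitialized: no authority has been set
        return {"initialized": False, "authority": None}
    (fee,) = struct.unpack_from("<Q", raw, 72)
    return {"initialized": True, "version": version,
            "authority": b58encode(raw[8:40]),
            "nonce": b58encode(raw[40:72]),
            "lamports_per_signature": fee}

def audit_request_body(signer: str) -> dict:
    """JSON-RPC body listing nonce accounts whose authority is `signer`,
    including any created before the bot was set up."""
    filters = [{"dataSize": NONCE_ACCOUNT_LEN},
               {"memcmp": {"offset": AUTHORITY_OFFSET, "bytes": signer}}]
    return {"jsonrpc": "2.0", "id": 1, "method": "getProgramAccounts",
            "params": [SYSTEM_PROGRAM,
                       {"encoding": "base64", "filters": filters}]}

# Constructed sample: initialized account, authority bytes 0x01..0x20.
SAMPLE_AUTHORITY = bytes(range(1, 33))
SAMPLE_ACCOUNT = base64.b64encode(
    struct.pack("<II", 1, 1) + SAMPLE_AUTHORITY + bytes([7] * 32)
    + struct.pack("<Q", 5000)).decode()

if __name__ == "__main__":
    print(decode_nonce_account(SAMPLE_ACCOUNT))
    print(audit_request_body(b58encode(SAMPLE_AUTHORITY)))
```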

***

## Step 6 - Create Bot 2: `solana_nonce_authority_change`

This bot alerts when a nonce account's authority is transferred to or from one of your signer keys.

1. Click **+ New Bot**.
2. Select **`solana_nonce_authority_change`**, then click **Choose Bot**.
3. **Bot name**: e.g., `nonce-authority-change-monitor`.
4. **Network**: **Mainnet-beta**.
5. **Target Addresses**: Select the same **signer public keys** as Bot 1.
6. **Severity**: Set to **Critical** (authority changes are high-signal events).
7. **Notification**: Enable at least one notification receiver.
8. Click **Create Bot**.

**When this bot fires (inbound):**

```
Nonce account <NONCE_ADDR> authority changed from <OTHER_KEY> to
<SIGNER_PUBKEY> (your key). Someone is transferring nonce control to
your signer — potential pre-signed transaction attack staging.
```

**When this bot fires (outbound):**

```
Nonce account <NONCE_ADDR> authority changed from <SIGNER_PUBKEY>
(your key) to <OTHER_KEY>. Your signer's nonce control is being
transferred away — verify this is authorized.
```
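If alerts from Bots 1 and 2 are forwarded to your own tooling, their text can be triaged automatically against a list of addresses your team recognizes. This is an added example, not WatchTower code: it assumes the alert arrives as the plain text shown in Steps 5 and 6, the escalate/review policy is an assumption, and all addresses are constructed placeholders.

```python
import re

# Patterns mirror the alert texts shown in Steps 5 and 6 of this guide.
CREATED = re.compile(
    r"A new durable nonce account (\w+) was created with authority (\w+) "
    r"\(created by: (\w+)\)")
CHANGED = re.compile(
    r"Nonce account (\w+) authority changed from (\w+)( \(your key\))? "
    r"to (\w+)( \(your key\))?\.")

def triage(alert_text, signers, known):
    """Classify one alert. `signers` are the monitored keys, `known` are other
    addresses the team recognizes (both are inputs assumed by this example)."""
    text = " ".join(alert_text.split())  # alerts may arrive line-wrapped
    recognized = lambda addr: addr in signers or addr in known
    m = CREATED.search(text)
    if m:
        nonce, authority, creator = m.groups()
        return {"kind": "creation", "nonce": nonce, "signer": authority,
                "counterparty": creator,
                "verdict": "review" if recognized(creator) else "escalate"}
    m = CHANGED.search(text)
    if m:
        nonce, old, _old_mine, new, new_mine = m.groups()
        inbound = bool(new_mine)  # "(your key)" follows the new authority
        signer, other = (new, old) if inbound else (old, new)
        return {"kind": "authority_inbound" if inbound else "authority_outbound",
                "nonce": nonce, "signer": signer, "counterparty": other,
                "verdict": "review" if recognized(other) else "escalate"}
    return {"kind": "unparsed", "verdict": "escalate"}  # fail closed

# Constructed sample alerts with placeholder addresses.
SAMPLE_ALERTS = [
    "A new durable nonce account NonceAcct1 was created with authority\n"
    "SignerKeyA (created by: UnknownKeyZ).\nThis may indicate someone staging "
    "a pre-signed transaction attack.",
    "Nonce account NonceAcct2 authority changed from OpsWalletB to\n"
    "SignerKeyA (your key). Someone is transferring nonce control to\n"
    "your signer.",
    "Nonce account NonceAcct3 authority changed from SignerKeyA\n"
    "(your key) to UnknownKeyZ. Your signer's nonce control is being\n"
    "transferred away.",
]

def run_samples():
    return [triage(a, {"SignerKeyA"}, {"OpsWalletB"}) for a in SAMPLE_ALERTS]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```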

***

## Step 7 - Create Bot 3: `solana_multisig_config_change`

This bot alerts on Squads v4 configuration changes: threshold modifications, member additions and removals, and timelock changes.

> **Important:** The target for this bot is the **Multisig PDA**, not a signer key.

1. Click **+ New Bot**.
2. Select **`solana_multisig_config_change`**, then click **Choose Bot**.
3. **Bot name**: e.g., `multisig-config-change-monitor`.
4. **Network**: **Mainnet-beta**.
5. **Target Addresses**: Select the **Multisig PDA** from the dropdown.
6. **Severity**: Set to **Critical**.
7. **Notification**: Enable at least one notification receiver.
8. Click **Create Bot**.

**When this bot fires:**

```
Squads v4 multisig activity on <MULTISIG_PDA>: <action>.
Verify this action is authorized.
TX: <signature>
```

***

## Step 8 - Verify

Once all three bots are created, confirm they are active:

1. In your project, open the **Bots** tab.
2. All three bots should show a green status indicator (Active).

![Three bots active in Bots tab](/files/76AXICZgFUPOo0PVmVV6)

3. Switch to the **Alerts** tab. Alerts will appear here and will also be sent to your configured notification receivers.

![Alerts tab showing nonce alerts](/files/ZYvhhRUCy8w3LXYp2vLy)

4. Click on any alert to expand it and see full details, including the transaction signature and the specific addresses involved.

![Expanded alert detail](/files/LU2s3204vhy5nseO8jLP)

***

## What's next

* Read [Detecting Durable Nonce Attacks](/sec3-watchtower/multisig-security.md#detecting-durable-nonce-attacks) for background on the attack pattern and recommended response procedures.
* Configure additional [Alert Destinations](/sec3-watchtower/alert-destinations.md) (Slack, Telegram, webhooks, and more) for team-wide alerting.
* Review the full [Bots](/sec3-watchtower/bots.md) reference for other monitoring capabilities.

