# Quick Start: Durable Nonce Monitoring

This guide walks through configuring WatchTower to monitor for durable nonce attacks targeting your Squads v4 multisig. You will set up three bots that provide near real-time alerts on nonce staging activity and multisig configuration changes.

For background on the attack pattern and what each bot detects, see [Detecting Durable Nonce Attacks](https://doc.sec3.dev/sec3-watchtower/multisig-security/..#detecting-durable-nonce-attacks).

The entire process takes under five minutes.

***

## Prerequisites

Before you begin, collect the following values. You will need them when configuring each bot.

**Signer public key(s)** — the Solana public key of each multisig member you want to monitor. These are individual signer keys, not the multisig address itself.

```
Signer 1: _______________________________________________
Signer 2: _______________________________________________
```

**Multisig PDA** — the on-chain address of your Squads v4 multisig. You can find it in the Squads UI under your multisig settings.

```
Multisig PDA: _______________________________________________
```

***

## Step 1 - Sign up and log in

1. Go to [https://pro.sec3.dev](https://pro.sec3.dev/).
2. Click **Sign up** if you do not have an account, or **Log in** if you already have one.
3. You can sign up using your email or an existing GitHub / Google account.

***

## Step 2 - Navigate to WatchTower

Once logged in, click **WatchTower** in the left sidebar to open the WatchTower dashboard.

![WatchTower sidebar](https://2586477326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMej1XIjZMe7uRcLdQG7n%2Fuploads%2Fi5YYR1MyrgUL3XJBbcsB%2Fgitbook_sidebar-watchtower.png?alt=media\&token=96a825e1-bc2a-4d06-b84d-4ba91561d23e)

***

## Step 3 - Create a project

A project is a container for your monitored addresses and bots.

1. Click **+ New Project** in the top-right corner.

![New Project dialog](https://2586477326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMej1XIjZMe7uRcLdQG7n%2Fuploads%2FU2oSky2biRu11X69Drx2%2Fimage.png?alt=media\&token=65917eca-a062-4b87-82c8-17c8a97e19d1)

2. Enter a project name (e.g., `Multisig Security`) and click **Create Project**.

***

## Step 4 - Add monitored addresses

Add your signer public keys and Multisig PDA so the bots know which accounts to watch.

1. In the left **Addresses** panel, click **+ New**.
2. Paste one of your signer public keys and give it a label (e.g., `Signer 1`).
3. Click **Add** to save the address.
4. Repeat for each additional signer key.
5. Add the **Multisig PDA** as a separate address (e.g., label it `Multisig PDA`).

***

## Step 5 - Create Bot 1: `solana_nonce_creation`

This bot alerts when a new durable nonce account is created with one of your signer keys as the authority. It provides the earliest on-chain signal of a nonce staging attack.

1. Click **+ New Bot** in the top-right corner.

![Bot selection panel](https://2586477326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMej1XIjZMe7uRcLdQG7n%2Fuploads%2FrTboUpwkKChTNai9gqlf%2Fgitbook_new-bot-selection.png?alt=media\&token=7411ccfd-92e8-4924-aacc-4e03f875c07c)

2. Select **`solana_nonce_creation`** from the list, then click **Choose Bot**.

The bot configuration form will appear:

![Bot configuration form](https://2586477326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMej1XIjZMe7uRcLdQG7n%2Fuploads%2FYez6ieVh7u3RQlDMsJyv%2Fgitbook_bot-config-nonce-creation.png?alt=media\&token=3684e6c0-a4ed-400b-9bab-774f8344372d)

3. **Bot name**: Give it a descriptive name (e.g., `nonce-creation-monitor`).
4. **Network**: Select **Mainnet-beta**.
5. **Target Addresses**: Select each **signer public key** from the dropdown. Do not add the Multisig PDA here — this bot monitors individual signer keys.
6. **Severity**: Leave as **Medium** or adjust to your preference.
7. **Notification**: Enable at least one notification receiver by toggling the switch next to it. Supported channels include Email, SMS, Slack, Telegram, Discord, and Webhook.

> **Example: Setting up Telegram notifications**
>
> If you haven't added a Telegram destination yet, click the **Telegram** button at the bottom of the notification list, then:
>
> 1. Enter a label (e.g., `my-telegram`) and click **Save Label**.
> 2. Copy the **magic words** shown on screen.
> 3. Open Telegram, start a chat with **@sec3\_alert\_bot** (or add it to a group chat).
> 4. Paste and send the magic words. The status will change to **Connected**.
> 5. Toggle the switch next to your new Telegram destination to enable it for this bot.
>
> For other notification channels (Slack, Discord, webhooks, etc.), see [Alert Destinations](https://doc.sec3.dev/sec3-watchtower/alert-destinations).

8. Click **Create Bot**.

**When this bot fires:**

```
A new durable nonce account <NONCE_ADDR> was created with authority
<SIGNER_PUBKEY> (created by: <CREATOR_PUBKEY>).
This may indicate someone staging a pre-signed transaction attack.
```

If `created by` is an address you do not recognize, treat this as a potential attack and follow the steps in [Recommended Actions](https://doc.sec3.dev/sec3-watchtower/multisig-security/broken-reference).

***

## Step 6 - Create Bot 2: `solana_nonce_authority_change`

This bot alerts when a nonce account's authority is transferred to or from one of your signer keys.

1. Click **+ New Bot**.
2. Select **`solana_nonce_authority_change`**, then click **Choose Bot**.
3. **Bot name**: e.g., `nonce-authority-change-monitor`.
4. **Network**: **Mainnet-beta**.
5. **Target Addresses**: Select the same **signer public keys** as Bot 1.
6. **Severity**: Set to **Critical** (authority changes are high-signal events).
7. **Notification**: Enable at least one notification receiver.
8. Click **Create Bot**.

**When this bot fires (inbound):**

```
Nonce account <NONCE_ADDR> authority changed from <OTHER_KEY> to
<SIGNER_PUBKEY> (your key). Someone is transferring nonce control to
your signer — potential pre-signed transaction attack staging.
```

**When this bot fires (outbound):**

```
Nonce account <NONCE_ADDR> authority changed from <SIGNER_PUBKEY>
(your key) to <OTHER_KEY>. Your signer's nonce control is being
transferred away — verify this is authorized.
```

***

## Step 7 - Create Bot 3: `solana_multisig_config_change`

This bot alerts on Squads v4 configuration changes: threshold modifications, member additions and removals, and timelock changes.

> **Important:** The target for this bot is the **Multisig PDA**, not a signer key.

1. Click **+ New Bot**.
2. Select **`solana_multisig_config_change`**, then click **Choose Bot**.
3. **Bot name**: e.g., `multisig-config-change-monitor`.
4. **Network**: **Mainnet-beta**.
5. **Target Addresses**: Select the **Multisig PDA** from the dropdown.
6. **Severity**: Set to **Critical**.
7. **Notification**: Enable at least one notification receiver.
8. Click **Create Bot**.

**When this bot fires:**

```
Squads v4 multisig activity on <MULTISIG_PDA>: <action>.
Verify this action is authorized.
TX: <signature>
```
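
As an added example (not part of WatchTower or of the original guide), the script below triages the alert messages shown in Steps 5 to 7, applying the `created by` check from Step 5 to nonce creation and the same allowlist test to authority changes. It assumes the alert text reaches your own tooling as a plain string in the formats shown above; the allowlist, the `review`/`escalate` verdicts, the action text and every key are constructed placeholders.

```python
import re

# Constructed placeholder keys (assumption): replace with your real values.
MY_SIGNERS = {"SignerKey1111", "SignerKey2222"}
KNOWN_KEYS = MY_SIGNERS | {"TeamPayer3333"}  # keys your team recognizes

KEY = r"[1-9A-HJ-NP-Za-km-z]+"  # base58 alphabet used by Solana addresses
PATTERNS = {
    "nonce_creation": re.compile(
        rf"new durable nonce account (?P<nonce>{KEY}) was created with "
        rf"authority (?P<authority>{KEY}) \(created by: (?P<creator>{KEY})\)"),
    "authority_change": re.compile(
        rf"Nonce account (?P<nonce>{KEY}) authority changed from "
        rf"(?P<old>{KEY})(?: \(your key\))? to (?P<new>{KEY})"),
    "multisig_config": re.compile(
        rf"Squads v4 multisig activity on (?P<pda>{KEY}): (?P<action>.+?)\. Verify"),
}

# Constructed sample in the Bot 1 message format, wrapped as on the page.
SAMPLE = """A new durable nonce account NonceAcct5555 was created with authority
SignerKey1111 (created by: UnknownKey9999).
This may indicate someone staging a pre-signed transaction attack."""

def triage(alert_text):
    """Return (kind, verdict, fields) for one alert message body."""
    text = " ".join(alert_text.split())  # undo line wrapping
    for kind, pattern in PATTERNS.items():
        match = pattern.search(text)
        if not match:
            continue
        fields = match.groupdict()
        if kind == "nonce_creation":
            other = fields["creator"]
        elif kind == "authority_change":
            # Inbound: judge the previous authority. Outbound: judge the new one.
            other = fields["old"] if fields["new"] in MY_SIGNERS else fields["new"]
        else:
            other = None  # config changes always go to a person
        verdict = "review" if other in KNOWN_KEYS else "escalate"
        return kind, verdict, fields
    return "unknown", "escalate", {}  # unparsed alerts are never dropped

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Alerts that match none of the three formats are escalated rather than discarded, so a change in message wording cannot silently hide an event.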

***

## Step 8 - Verify

Once all three bots are created, confirm they are active:

1. In your project, open the **Bots** tab.
2. All three bots should show a green status indicator (Active).

![Three bots active in Bots tab](https://2586477326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMej1XIjZMe7uRcLdQG7n%2Fuploads%2FgHuaUNcKKf6Y6o2T8ukQ%2Fgitbook_bots-tab-three-active.png?alt=media\&token=3e921f43-950a-43af-88dc-9600576958ca)

3. Switch to the **Alerts** tab. Alerts will appear here and will also be sent to your configured notification receivers.

![Alerts tab showing nonce alerts](https://2586477326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMej1XIjZMe7uRcLdQG7n%2Fuploads%2FkCvbGUfTXFYEQ182OgXj%2Fgitbook_alerts-tab-nonce.png?alt=media\&token=79828030-30be-40a1-82fd-a0d0b4728014)

4. Click on any alert to expand it and see full details, including the transaction signature and the specific addresses involved.

![Expanded alert detail](https://2586477326-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMej1XIjZMe7uRcLdQG7n%2Fuploads%2FILLznDVLMLsWGF3xJfG9%2Fgitbook_alert-detail-expanded.png?alt=media\&token=e50763ae-8333-4bce-a7d1-c5f325d2aaf9)

***

## What's next

* Read [Detecting Durable Nonce Attacks](https://doc.sec3.dev/sec3-watchtower/multisig-security/broken-reference) for background on the attack pattern and recommended response procedures.
* Configure additional [Alert Destinations](https://doc.sec3.dev/sec3-watchtower/alert-destinations) (Slack, Telegram, webhooks, and more) for team-wide alerting.
* Review the full [Bots](https://doc.sec3.dev/sec3-watchtower/bots) reference for other monitoring capabilities.
