Auto-Add Factory Clones to Defender Admin and Sentinels

slw.eth · June 21, 2022, 10:23pm

This guide shows how you can set up Defender to automatically add a contract to the Admin dashboard whenever a factory creates it.

This automation is achieved through the following relationship between Defender components:

A Sentinel watches for every successful Event emitted by the contract that creates a clone. If detected, it triggers an Autotask to run and passes along information about the transaction
The Autotask makes use of the Admin API to add the address of the newly created contract to Admin dashboard

In this case, the contract ABI can be pre-supplied since clone contracts will have identical ABIs. Alternatively, you may be able to dynamically retrieve the ABI from a verified contract at a given address using Etherscan’s API.

Generate API Key

To programmatically add a contract to the Admin dashboard, the defender-admin-client API requires credentials in the form of an API key and secret.

You can use an existing API key or create one to be used solely for this purpose.

To create a new key, open the hamburger menu at the top right and select Team API Keys. Generate a new key and secret with at least the ability to create Admin proposals. Copy and save these in a secure location.

You can use Defender’s handy Secrets vault to securely store the Admin API key and secret created in the previous step.

Select Autotask from the left and then Secrets. Give the API key and secret a name and paste in the respective string.

Create the Autotask

From the Autotask dashboard at the right select Create Autotask.

Name the Autotask and select Webhook.

Paste in the Autotask code and hit Create.

Now the Autotask is ready to be triggered by a Sentinel.

Note that manually triggering this Autotask will be flagged as an error, since the Autotask relies on data supplied by the actual firing of the Sentinel (such as the address of the newly deployed clone contract address).

Set Up the Sentinel

This Sentinel will watch for an event emitted by the contract signaling that a new clone has been created.

Select Sentinel from the left, then Create Sentinel.

Leave the Sentinel Type as Contract.

Give it a name, such as "New Clone Event Detected"

Select the appropriate network.

If the factory contract is already loaded into the Admin dashboard, select the name of the contract from the Addresses dropdown. Otherwise, paste the contract address and ABI.

Leave the confirmation blocks at 1 for rapid detection or specify a higher block number for additional thoroughness.

Select Next.

Now comes the time to select the conditions that will trigger the Sentinel. Either function calls or event emissions can be monitored.

Select the event name for clone creation and leave the field blank to catch all emitted clone creation events. Select Next.

Under Execute an Autotask, Select the Autotask name created in the previous step.

As with any account action, the triggering of this Sentinel will be recorded in the Defender Logging. If you'd like, you can select a way of receiving notification when this Sentinel gets triggered. Simply select your choice from the Create New Notification.

Select Create.

Do A Test Run

To test from the UI, select the factory contract from the Admin dashboard, navigate to New Proposal -> Admin action, and select the contract creation function along with an execution strategy that will work based on the contract's permissions.

Then on the next screen, verify the information and select Approve and Execute and pay the gas.

Head over to Logging to verify the status of the Admin proposal, the firing of the Sentinel, the execution of the Autotask, and finally the contract being added to the Admin dashboard.

Navigate to Admin to see the new contract along with the others in the dashboard.

Resources

slw.eth · June 27, 2022, 3:03pm

Part Two: Automated Security Monitoring for Multiple Contracts

The previous code works for making use of defender-admin-client to automatically add contracts created by a factory to the admin dashboard so they can be monitored. But what about automating the Sentinel monitoring itself?

A Sentinel is able to monitor multiple contracts. With a small change to the autotask code, you can use defender-sentinel-client to add each new contract to the array of contracts monitored by a Sentinel.

This guide continues where the previous tutorial left off to bring in security monitoring for each clone contract.

Create Sentinel to Monitor A Clone Contract

To get started, you'll need the address of a clone contract. Navigate to the Admin dashboard and copy its address.

From the panel on the left, select Sentinel → Create Sentinel.

Name the Sentinel, select the appropriate network, and paste the contract address of the clone.

The ABI of verified contracts will be automatically imported. Otherwise, paste in the contract’s ABI and leave the block verification at 1 unless additional thoroughness is required.

Click Next, then select the parameters you would like to monitor for. For the Box example, we will monitor for a change in stored value.

An Autotask can be used here if fine-grained filtering is needed.

Select Next and then select the desired notification method.

Finally, select Create Sentinel.

This sets the Sentinel to monitor a given clone contract for changes in value.

However, Contract Sentinels can monitor multiple addresses, provided they adhere to the same ABI.

In the next step, you will add an additional step to the Autotask that makes use of the Sentinel API to push additional contract addresses to the array of contracts being monitored by this Sentinel.

Add Sentinel Code to Autotask

Add the following code to the Autotask that was created previously:

const { SentinelClient } = require('defender-sentinel-client')

The same API key used by defender-admin-client can be used, provided the key has the necessary permissions for editing Sentinels.

Note that the subscriberId variable refers to the ID of the Sentinel. You can find this value by:

querying the list of created Sentinels with await client.list();
reviewing the Logging (if the Sentinel has been fired)
grabbing the last part of the Sentinel's URL

Inside the handler, add the code listed below.

const sentinelClient = new SentinelClient(credentials)
const subscriberId = '1cf990de-ebb3-4255-8c12-67eec8fbbfa7'
const sentinel = await sentinelClient.get(subscriberId)
const subscribedAddresses = sentinel.addressRules[0].addresses
subscribedAddresses.push(newCloneAddress)
await sentinelClient.update(subscriberId, { addresses: subscribedAddresses })

Hit Save Changes.

Now when the Autotask runs, not only will it add the contract to the Admin dashboard, it will also add the newly created clone contract to the array of addresses being monitored by the Contract Sentinel.

To verify, create an additional Box clone contract from the factory. In Logging you will see the series of steps have been successfully triggered.

Topic		Replies	Views
Automatic import of smartcontract via API into admin pannel of open zeppelin defender? Defender	2	772	June 22, 2022
Possible to add newly deployed contracts to Defender via (deploy-)script=? Defender	12	1054	August 25, 2021
Sentinel management (3 feature requests) Defender defender , etherscan-verify	7	788	September 24, 2021
How to automatically create an AutoTask? Defender	5	647	February 1, 2022
Issue: Sentinel does not pull contract ABI Defender	8	488	November 12, 2021