As the world’s economy transitions to public blockchains and Web3, Forta’s mission is to make crypto a safe place. Forta does this by enabling a global community of developers to monitor the smart contracts powering the ecosystem. The vehicles for monitoring smart contracts on Forta are called detection bots – virtual security cameras that broadcast a public feed. Any developer can write and publish a detection bot on the Forta network, and anyone can subscribe to a bot and receive its alerts. The more detection bots running on Forta, the safer Web3 becomes.
In July, Forta launched in private beta. OpenZeppelin was running the network’s single node and a handful of developers were onboarded to start deploying simple detection bots.
In the last four months, the community has grown a lot…
- Over 100 developers have published bots on Forta, monitoring a variety of risks and threats to the largest DeFi protocols
- Leading Web3 and DeFi projects are working with developers in the community to write Forta bots that monitor for security, financial, operational and governance risks
- 9,600 people are engaging about smart contract security in the Forta Discord
Today, a suite of new features is available, significantly improving the experience for Forta’s bot developers and users, including:
- Forta Connect, a self-service platform for developers to publish and manage their detection bots. By making the bot development process easier, Connect should increase the number of developers building on Forta, as well as the number and quality of detection bots running on the network.
- Explorer, an application allowing users to browse and subscribe to detection bots. Users have the option to receive alerts via Slack or email, with more integrations coming soon. By making it easier to consume alerts, Explorer will help onboard new users, and make Forta alerts more valuable and actionable.
- Private detection bots, allowing developers to obfuscate their bot code and encrypt alert output. There are certain detection bots, such as those monitoring for threats and exploits, where discretion is important. Giving developers the ability to create private detection bots means Forta can monitor for a broader set of risks and support more users.
Read on for more details about these feature updates…
If you published a detection bot on Forta in the last three months, you did it through the CLI. This wasn’t an ideal experience, but it served its purpose early on. That said, developers deserve better.
Forta Connect is a new self-service platform that helps developers publish and manage their detection bots. As with other Web3 applications, developers must connect to the platform using a MetaMask wallet and sign a transaction. The wallet address serves as your identity going forward.
Connect also features a developer profile. The public profile is the basis for a developer’s reputation on Forta, and contains information on the bots published. The public can also view detection bot and alert documentation along with developer info, and find links to detection bot source code (if published).
Another benefit of publishing detection bots through the Connect platform is subsidized transaction fees. Publishing a detection bot requires recording the bot in a smart contract-based registry. Forta recently migrated its smart contracts and all detection bots to Polygon. Publishing a new detection bot on Polygon requires MATIC, but Forta will subsidize 100% of the publishing fees through Forta Connect. Developers are still able to publish and manage detection bots through the CLI, but they are responsible for fees.
Until now, there hasn’t been an easy way to receive Forta alerts. An early version of Explorer displayed all alerts on the network, but it was difficult to filter for specifics, and it would have been difficult for a team, for example, to get actionable insights from it. Most teams prefer to receive alerts through their default communication tool like Slack, email or Telegram.
Explorer offers enhanced capabilities for users. One of the top priorities was making it easy for users to find and subscribe to . Explorer allows any user to subscribe to an alert, and integrate via webhook with Slack or email. Additional support for Telegram and other communication tools will be added soon.
As with Forta Connect, users need to connect their MetaMask wallet and sign a transaction.
The Explorer will continue to offer a real-time alert feed, as well as other network-level statistics like total numbers of detection bots and alerts.
Dozens of protocol teams shared input over the last three months, and one piece of common feedback was a desire for private detection bots and alerts.
Forta is public infrastructure, and detection bot code and alert data are also public by default (viewable through the Explorer). However, some circumstances are more sensitive than others, such as detecting a vulnerability or exploit, and a team may want to keep these private and react to them first, before notifying their community or a hacker.
To address this need, the Forta developer docs include explicit examples for obfuscating detection bot code prior to publishing. Additionally, bot developers will have the ability to encrypt the alert output from their detection bots. The combination of detection bot code obfuscation and encrypted alerts will deliver partial privacy for more sensitive alerts.
In the future, Forta may also add SDKs for compiled languages like Golang and Rust. Community contributions are welcome here! You can always offer input in the Forta Discord.
Transition to Polygon
During the network’s private beta period, Forta smart contracts and the published detection bot registry ran on Ethereum’s Goerli testnet. This approach optimized for cost effectiveness early on, but the goal has always been to run these components of Forta on a Layer 2 blockchain for maximum transparency and decentralization.
To cope with the increase in detection bots and users on the network, Forta recently migrated all smart contracts and detection bots to Polygon. This migration gives Forta the infrastructure it needs to horizontally scale nodes, and a new assigner for detection bot registry listing. Now, when a developer publishes a bot, it will be registered in a Polygon smart contract. Detection bot code will continue to live in a Docker container on IPFS.
Integration with OpenZeppelin Defender (coming November 15th)
Defender is the leading smart contract operations platform, powering the operations of Aave, Yearn, theGraph, PoolTogether, Status, Mirror, Foundation, Opyn and many other leading projects, as well as thousands of individual users. Through an integration with Forta, Defender becomes even more powerful, enabling teams to automate smart contract operations in critical security conditions. OpenZeppelin may introduce additional Forta support and features in the future.
Projects can subscribe to and receive Forta alerts directly through their Defender dashboard and have the ability to use Forta alerts as triggers for auto-tasks. This means that teams can program automated actions that are conditional on a specific detection bot/alert firing. For example, Defender can be configured to auto-execute the pause (timelock) function in your contract based on an alert about a potential exploit.
Defender will be one of the initial third-party user interfaces teams can use to interact with Forta alerts, and Forta is committed to integrating other smart contract operations platforms as they come to market. If you would like to integrate Forta alerts in other platforms, please reach out.
—
Forta will be releasing further updates, additional information and documentation over the coming days, and all feedback and involvement from the community is encouraged.
If you are a team interested in using Forta for your threat/risk detection needs, please reach out in the community Discord.