Lesson 32: Governance & Admin Watchdogs (Monitoring Ownership and Critical Function Calls)

Aug 13, 2025

Code may be law in Web3, but someone often holds the authority to change it. Whether it’s a protocol admin, DAO multisig, or governance controller, power centralization is always a potential security risk.

Today’s lesson teaches you how to monitor who holds power in a smart contract and what they do with it.

Why This is important in Blockchain Monitoring

Critical functions often hide behind permissions:

pause(), upgradeImplementation(), changeOwner(), mint()

If these are called unexpectedly, or by the wrong party, it could generate a disaster.

The Forta agent acts as a guardian, detecting when powerful permissions are used.

Typical Admin Threats

Strategy: Detect Admin Function Calls

1. Identify the Admin Functions

These are typically:

Access-controlled by onlyOwner or hasRole(...)
Found in contracts via ABI (or verified source)

Common ones:

pause()
upgradeTo(address)
transferOwnership(address)
mint(address,uint256)
grantRole(bytes32,address)

2. Find the Admin Address

From Etherscan or contract source:

Deployer
DAO multisig
Proxy admin contract

Also track OwnershipTransferred, RoleGranted, and similar events.

3. Write Your Agent Logic

const ADMIN_FUNCS = [
  "pause()",
  "upgradeTo(address)",
  "transferOwnership(address)",
];

async function handleTransaction(txEvent) {
  const findings = [];

  const adminCalls = txEvent.filterFunction(ADMIN_FUNCS);

  for (const call of adminCalls) {
    findings.push(
      Finding.fromObject({
        name: "Admin Function Call",
        description: `Admin function ${call.name} called by ${txEvent.from}`,
        alertId: "ADMIN-FUNC-CALL",
        severity: FindingSeverity.High,
        type: FindingType.Suspicious,
      })
    );
  }

  return findings;
}

Alert on Role Changes

Add event filters for:

OwnershipTransferred(address,address)
RoleGranted(bytes32,address,address)
Upgraded(address)

Use these events to track changes in governance or role ownership.

Real-Life Examples

Key Concepts Recap

Key protocol functions are usually controlled by owner or admin roles
Monitoring changes or calls to these functions is essential for protocol safety
Forta agents can alert on both direct calls and role transition events
You become the watchdog of governance abuse, insider action, and protocol integrity

Next lesson we will explore flash loan exploit detection, spotting high-speed financial attacks in real time.

🙏 Until next meditation,
The Blockchain Security Monk