v0.3 · 5 detectors · MIT

Watch the chain
before it drains your treasury

Custos Nox is an open-source real-time attack monitor for Solana multisigs and DAOs. It detects every on-chain step of the $285M Drift drain on April 1, 2026 — plus an adjacent signer-rotation vector — before the stolen funds leave the chain.

Solana Foundation's STRIDE program monitors protocols with $10M+ TVL — roughly 50 protocols. The other 10,000+ multisigs and DAOs have nothing — Custos Nox is for them.

5 detectors live
215 tests passing
$285M Drift loss tracked
< 1s alert latency

What it catches

Every detector maps directly to a step in the Drift April 2026 attack chain. Any single one firing would have bought hours of response time.

Drift step 1 / 4

Timelock Removal

Squads v4 + SPL Governance

CRITICAL
attack step · Realm timelock 6 days → 0

Fires when a governance timelock is removed or dropped below half. Matches the Drift step where the attacker collapsed the response window before draining funds.

if undetected · DAO loses its window to pause withdrawals or cancel the attack.

Drift step 2 / 4

Multisig Weakening

Squads v4

HIGH
attack step · Squads threshold 5-of-9 → 1-of-9

Fires when a Squads multisig signer threshold is reduced. Catches the moment a treasury becomes single-signer controlled — the irreversible pivot in most exploits.

if undetected · Attacker needs only themselves to approve any treasury transaction.

Drift step 3 / 4

Privileged Nonce

System Program

CRITICAL
attack step · Durable nonce under attacker key

Fires on initialization or authority rotation of a watched durable-nonce account. Flags the precondition for pre-signed, replay-at-will withdrawal transactions.

if undetected · A pre-signed drain transaction is now armed and can execute at any time.

Drift step 4 / 4

Stale Nonce Execution

System Program

HIGH
attack step · Pre-signed tx executed from stale nonce

Fires when a durable nonce is advanced (a pre-signed transaction executes) more than 1 hour after the nonce was first initialized. Catches the final step in the Drift attack chain — the moment the attacker's pre-signed drain transaction lands.

if undetected · This is the drain. Funds are already moving to the attacker's wallet.

Adjacent vector

Signer Set Change

Squads v4

HIGH
attack step · Members rotated — honest signers evicted

Fires when a Squads multisig's members vector is mutated. Removal of a legitimate signer or rotation fires high; pure additions fire medium. Catches the takeover vector where an attacker swaps honest co-signers for their own keys.

if undetected · Quorum is compromised even if the threshold looks unchanged on paper.
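
The three Squads rules above (timelock removed or cut below half, threshold reduced, signer set mutated) written as one snapshot diff. This is an added example, not Custos Nox's own code: `MultisigSnapshot`, `Finding` and `diffMultisig` are hypothetical names, and the detector and reason strings are the ones shown in the page's alert feed.

```typescript
// Added example: MultisigSnapshot is a hypothetical decoded view, not the Squads v4 layout.
type Severity = "critical" | "high" | "medium";
interface MultisigSnapshot { threshold: number; timelockSeconds: number; members: string[] }
interface Finding { detector: string; severity: Severity; reason: string; details: object }

function diffMultisig(prev: MultisigSnapshot, curr: MultisigSnapshot): Finding[] {
  const findings: Finding[] = [];

  // Timelock removed, or dropped below half of its previous value.
  if (prev.timelockSeconds > 0 && curr.timelockSeconds < prev.timelockSeconds / 2) {
    findings.push({
      detector: "squads-timelock-removal", severity: "critical", reason: "timelock_reduced",
      details: { previousTimelockSeconds: prev.timelockSeconds, currentTimelockSeconds: curr.timelockSeconds },
    });
  }

  // Any reduction of the approval threshold.
  if (curr.threshold < prev.threshold) {
    findings.push({
      detector: "squads-multisig-weakening", severity: "high", reason: "threshold_reduced",
      details: { previousThreshold: prev.threshold, currentThreshold: curr.threshold },
    });
  }

  // Membership diff: a removal (alone or as part of a rotation) is high, pure additions are medium.
  const removed = prev.members.filter((m) => curr.members.indexOf(m) === -1);
  const added = curr.members.filter((m) => prev.members.indexOf(m) === -1);
  if (removed.length > 0 || added.length > 0) {
    findings.push({
      detector: "squads-signer-set-change", severity: removed.length > 0 ? "high" : "medium",
      reason: "signer_set_changed",
      details: { removed, added, previousCount: prev.members.length, currentCount: curr.members.length },
    });
  }
  return findings;
}

// Constructed snapshots with placeholder signer names, shaped like the page's sample alerts.
const samplePrev: MultisigSnapshot = { threshold: 3, timelockSeconds: 86400, members: ["s1", "s2", "s3", "s4", "s5"] };
const sampleCurr: MultisigSnapshot = { threshold: 1, timelockSeconds: 0, members: ["s1", "s2", "s3", "s4", "x9"] };
console.log(diffMultisig(samplePrev, sampleCurr).map((f) => `${f.severity} ${f.detector}`));
```

A one-for-one signer swap leaves both the threshold and the member count unchanged, which is why the membership diff compares keys rather than counts.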

Live mainnet — 12 Solana DAOs under continuous watch

Custos Nox is running on mainnet right now, subscribed to the governance accounts of 12 ecosystem DAOs (Mango, Marinade, Pyth, Solend, Jupiter, Raydium, Orca, Bonk, Helius, Squads, Superteam, MonkeDAO). The feed below polls the daemon every 5 seconds. When configs are calm the dots stay green; if any of the five detectors fires, the alert lands here within a second.

Watching 12 Solana DAOs in real time
Severity breakdown: 2 Critical · 3 High · 0 Medium · 0 Low

5 live events

Alert feed · mainnet · Live mainnet · 5 events
  • CRITICAL · 1m ago
    squads-timelock-removal
    Timelock removed on multisig AjULUVaCpzdGvCXgUkHLitkBR6nmn1M7AsHJ8sGgMZNy
    reason: timelock_reduced
    previousTimelockSeconds: 86400
    currentTimelockSeconds: 0
    account: AjUL…MZNy
  • HIGH · 3m ago
    squads-multisig-weakening
    Threshold weakened 3 → 1 on multisig AjULUVaCpzdGvCXgUkHLitkBR6nmn1M7AsHJ8sGgMZNy
    reason: threshold_reduced
    previousThreshold: 3
    currentThreshold: 1
    account: AjUL…MZNy
  • HIGH · 4m ago
    squads-signer-set-change
    Multisig AjULUVaCpzdGvCXgUkHLitkBR6nmn1M7AsHJ8sGgMZNy: 1 signer(s) removed, 1 added
    reason: signer_set_changed
    account: AjUL…MZNy
    removed: 8wNT…KuaB
    added: Gpoj…x5Yh
    previousCount: 5
    currentCount: 5
  • CRITICAL · 5m ago
    privileged-nonce
    Nonce account 9rK8Ke7ZazGS7Knaj1i6oh9HBa2ocJCNhF9eDQegnfAS initialized with authority E9Q5UGyezdKVCZ8GDiAFRQfDarRb3REpTrYN3ytgEMzs
    reason: nonce_initialized
    account: 9rK8…nfAS
    authority: E9Q5…EMzs
  • HIGH · 8m ago
    stale-nonce-execution
    Stale nonce 9rK8Ke7ZazGS7Knaj1i6oh9HBa2ocJCNhF9eDQegnfAS advanced 73 min after creation (authority: E9Q5UGyezdKVCZ8GDiAFRQfDarRb3REpTrYN3ytgEMzs)
    reason: stale_nonce_advanced
    account: 9rK8…nfAS
    authority: E9Q5…EMzs
    staleMs: 4380000
    staleMins: 73
    thresholdMs: 3600000
    firstSeenAt: 2026…000Z
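
How the privileged-nonce and stale-nonce-execution alerts above can be derived from raw account data, as an added example that is not Custos Nox's own code. It assumes the 80-byte System Program nonce account layout, treats the first sighting of an initialized nonce as its initialization, and uses hypothetical names (`NonceWatcher`, `sampleNonceData`, the `authority_changed` reason); keys are rendered as hex rather than base58 to stay dependency-free.

```typescript
// Added example. 80-byte System Program nonce account, little-endian:
// u32 version | u32 state (1 = initialized) | 32-byte authority | 32-byte nonce | u64 fee
const STALE_THRESHOLD_MS = 3_600_000; // 1 hour, the thresholdMs shown in the feed
interface Tracked { authority: string; nonce: string; firstSeenAt: number }
interface NonceAlert { detector: string; severity: "critical" | "high"; reason: string; staleMs?: number }

function hex(bytes: Uint8Array): string {
  let out = "";
  for (let i = 0; i < bytes.length; i++) out += ("0" + bytes[i].toString(16)).slice(-2);
  return out;
}

class NonceWatcher {
  private tracked: Record<string, Tracked> = Object.create(null);
  // Feed this the raw account data from every account-change notification.
  onAccountChange(account: string, data: Uint8Array, nowMs: number): NonceAlert[] {
    if (data.length < 80) throw new Error("nonce account data must be 80 bytes");
    const state = new DataView(data.buffer, data.byteOffset, data.byteLength).getUint32(4, true);
    if (state !== 1) return []; // uninitialized: no pre-signed transaction can use it yet
    const authority = hex(data.subarray(8, 40));
    const nonce = hex(data.subarray(40, 72));
    const prev = this.tracked[account];
    const alerts: NonceAlert[] = [];
    if (!prev) {
      // Assumption: the first sighting of an initialized nonce counts as initialization.
      alerts.push({ detector: "privileged-nonce", severity: "critical", reason: "nonce_initialized" });
    } else {
      if (authority !== prev.authority) // "authority_changed" is a hypothetical reason name
        alerts.push({ detector: "privileged-nonce", severity: "critical", reason: "authority_changed" });
      const staleMs = nowMs - prev.firstSeenAt;
      if (nonce !== prev.nonce && staleMs > STALE_THRESHOLD_MS) // advanced long after creation
        alerts.push({ detector: "stale-nonce-execution", severity: "high", reason: "stale_nonce_advanced", staleMs });
    }
    this.tracked[account] = { authority, nonce, firstSeenAt: prev ? prev.firstSeenAt : nowMs };
    return alerts;
  }
}

// Constructed sample data: fill bytes stand in for real keys and nonce values.
function sampleNonceData(authorityFill: number, nonceFill: number): Uint8Array {
  const data = new Uint8Array(80);
  new DataView(data.buffer).setUint32(4, 1, true); // state = initialized
  data.fill(authorityFill, 8, 40).fill(nonceFill, 40, 72);
  return data;
}

const watcher = new NonceWatcher();
console.log(watcher.onAccountChange("nonce-1", sampleNonceData(0xaa, 0x01), 0));
console.log(watcher.onAccountChange("nonce-1", sampleNonceData(0xaa, 0x02), 73 * 60_000));
```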

Who should run this

If you control a Squads multisig or an SPL Governance realm, Custos Nox watches it for you. Setup takes five minutes.

DAO treasuries

Your multisig PDA is one environment variable. Add a Discord, Slack, or Telegram webhook. Any threshold change, timelock removal, or signer rotation fires an alert to your team within a second.

Grant committees

Grant multisigs often have fewer signers and less oversight than protocol treasuries. Custos Nox gives them the same real-time coverage as a full-time security team — for free.

Security researchers

Point Custos Nox at any set of Squads or SPL Governance accounts and get a real-time feed of config changes. Useful for monitoring suspicious multisigs or building public watchdog dashboards.

How it works

A WebSocket daemon, five independent detectors, parallel alert fan-out — sub-second latency from on-chain change to alert in your team's channel.

Solana Chain (account state changes)
  → WebSocket · <1s
Custos Nox Daemon: Timelock · Weakening · Priv. Nonce · Stale Nonce · Signer Set
  → parallel fan-out
Discord (embeds) · Slack (blocks) · Telegram (bot) · stdout (always on)

TypeScript · Solana web3.js · 228 tests · MIT · zero Rust

How the Drift attack unfolded

The April 2026 Drift exploit was not a zero-day — it was a 9-day on-chain preparation. Every step was observable. None were flagged.

First alert fires 9 days before the drain.

Any single one of these detectors firing would have given treasury managers days to respond — pause withdrawals, rotate signers, or escalate to the community.

CRITICAL · 9 days before drain

Mar 23, 2026

Nonce initialized

PrivilegedNonceDetector

Attacker creates a durable nonce under a privileged key. A pre-signed drain tx is now valid and waiting.

CRITICAL · 6 days before drain

Mar 26, 2026

Timelock removed

TimelockRemovalDetector

Governance timelock dropped from 6 days to 0, closing the community's response window.

HIGH · 6 days before drain

Mar 26, 2026

Multisig migrated

MultisigWeakeningDetector

Security Council multisig migrated to a new 2-of-5 threshold with zero timelock — minimum quorum, instant execution.

HIGH · DRAIN

Apr 1, 2026

$285M drained

StaleNonceExecutionDetector

Week-old pre-signed admin transfer executes. Funds move to attacker wallet within 12 minutes.

Self-host in 5 minutes

One binary, zero vendor lock-in. Runs on any Node.js 20+ or Docker. Free-tier Helius RPC is enough to get started.

1. Get a free RPC key

Sign up at helius.dev — free tier, no credit card. Copy your endpoint URL into CUSTOS_RPC_URL.

2. Point it at your multisig

Set CUSTOS_WATCH to your Squads PDA or SPL Governance realm. Comma-separate multiple accounts. Optionally add a Discord, Slack, or Telegram webhook.

3. Start the daemon

Run npm run dev or the Docker one-liner below. Alerts arrive in Discord, Slack, Telegram, or stdout within a second of any config change.

npm:
git clone https://github.com/cryptoyasenka/custos-nox
cd custos-nox
npm install
cp .env.example .env        # set CUSTOS_RPC_URL and CUSTOS_WATCH
npm run dev                 # daemon connects, seeds baseline, starts watching

docker:
docker build -t custos .
docker run -d --name custos --restart unless-stopped --env-file .env custos
docker logs -f custos

Prereqs: Node.js 20+, an RPC endpoint (Helius free tier works), accounts to watch (Squads PDA, SPL Governance realm, or nonce account).
Alerts go to: stdout by default. Optional Discord, Slack, and Telegram webhooks fan out every alert to every configured sink.
Reliability: WebSocket reconnect with exponential backoff, baseline seeding before subscribe, 5s per-detector timeout with low-severity surfaced errors.