A systematic methodology for applying the US federal government's security controls framework to EVM-compatible smart contract security assessment.
This whitepaper describes the methodology used by DeFi Sentinel Watch to apply NIST Special Publication 800-53 Revision 5 — the United States federal government's security controls framework — to decentralized finance (DeFi) liquidity pools on the Flare Network.
We present a systematic adaptation of 14 NIST 800-53 security controls to the unique technical architecture of automated market maker (AMM) liquidity pools, including the specific on-chain data queries, evaluation criteria, and rating methodology used in our weekly automated audit program.
To our knowledge, this framework represents one of the first systematic applications of NIST 800-53 to DeFi liquidity pool security intelligence at scale. We are not aware of any published methodology applying this framework to on-chain smart contract security assessment at this time.
Decentralized finance protocols collectively hold billions of dollars in user assets. Unlike traditional financial institutions, these protocols operate without central governance, regulatory oversight, or mandatory security disclosure requirements. Liquidity providers bear direct security risk with limited tools to assess it.
Traditional security audit firms provide point-in-time assessments costing $10,000–$50,000 per engagement. These audits are valuable but insufficient for continuous security monitoring of live protocols.
We selected NIST 800-53 for three reasons:
| Family | Control | NIST SP 800-53 Rev. 5 Name (DeFi adaptation where the control is renamed) |
|---|---|---|
| Access Control | AC-2 | Account Management |
| Access Control | AC-3 | Access Enforcement |
| Access Control | AC-6 | Least Privilege |
| Audit & Accountability | AU-2 | Event Logging |
| Audit & Accountability | AU-6 | Audit Record Review, Analysis, and Reporting |
| System & Comm. Protection | SC-5 | Denial-of-service Protection |
| System & Comm. Protection | SC-8 | Transmission Confidentiality and Integrity |
| System & Info. Integrity | SI-2 | Flaw Remediation |
| System & Info. Integrity | SI-7 | Software, Firmware, and Information Integrity |
| Incident Response | IR-4 | Incident Handling |
| Configuration Management | CM-6 | Configuration Settings (assessed as pool configuration: fee tier, tick spacing) |
| Risk Assessment | RA-3 | Risk Assessment (assessed as Oracle Integrity) |
| Contingency Planning | CP-9 | System Backup (assessed as State Recovery) |
| System & Services Acquisition | SA-11 | Developer Testing and Evaluation (assessed as Security Testing) |
Each control is rated PASS, PARTIAL, or FAIL and mapped to points: PASS = 1, PARTIAL = 5, FAIL = 8. The composite risk score is the point-weighted average across the 14 controls, so it ranges from 1.0 (all PASS) to 8.0 (all FAIL) and is stated to one decimal place. Scores of 1.0–3.0 indicate Low Risk, 3.1–5.0 Moderate Risk, and 5.1–8.0 High Risk.
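The scoring above, as an added worked example (this is not DeFi Sentinel Watch's code). It assumes the composite is the plain mean of the per-control points, rounded to one decimal place so that a raw mean such as 43/14 = 3.07, which falls between the published Low and Moderate ranges, lands on a band boundary (3.1, Moderate). The `ratings_from_counts` helper and the control list are constructed for the example.

```python
# Added example (not DeFi Sentinel Watch code): composite scoring as the page
# describes it. Assumption: the composite is the plain mean of per-control
# points, rounded to one decimal place so it always lands inside a band.

POINTS = {"PASS": 1, "PARTIAL": 5, "FAIL": 8}

# Inclusive bands on the rounded score. Rounding matters: a raw mean of
# 3.07 lies in neither published range, but rounds to 3.1 (Moderate).
BANDS = [(1.0, 3.0, "Low Risk"), (3.1, 5.0, "Moderate Risk"), (5.1, 8.0, "High Risk")]

CONTROLS = ["AC-2", "AC-3", "AC-6", "AU-2", "AU-6", "SC-5", "SC-8",
            "SI-2", "SI-7", "IR-4", "CM-6", "RA-3", "CP-9", "SA-11"]


def composite_score(ratings: dict[str, str]) -> float:
    """Mean of per-control points over exactly the 14 controls, rounded to 0.1."""
    if set(ratings) != set(CONTROLS):
        missing = sorted(set(CONTROLS) - set(ratings))
        extra = sorted(set(ratings) - set(CONTROLS))
        raise ValueError(f"expected exactly the 14 controls; missing={missing} extra={extra}")
    unknown = sorted(set(ratings.values()) - set(POINTS))
    if unknown:
        raise ValueError(f"unknown rating(s): {unknown}")
    return round(sum(POINTS[r] for r in ratings.values()) / len(ratings), 1)


def risk_band(score: float) -> str:
    """Map a rounded composite score to its published risk band."""
    for lo, hi, label in BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} outside 1.0-8.0")


def assess(ratings: dict[str, str]) -> tuple[float, str]:
    score = composite_score(ratings)
    return score, risk_band(score)


def ratings_from_counts(n_pass: int, n_partial: int, n_fail: int) -> dict[str, str]:
    """Constructed sample: assign ratings to the 14 controls in list order."""
    if n_pass + n_partial + n_fail != len(CONTROLS):
        raise ValueError("counts must sum to 14")
    labels = ["PASS"] * n_pass + ["PARTIAL"] * n_partial + ["FAIL"] * n_fail
    return dict(zip(CONTROLS, labels))


if __name__ == "__main__":
    # 7 PASS / 7 PARTIAL averages exactly 3.0 (Low); 9 PASS / 2 PARTIAL / 3 FAIL
    # averages 43/14 = 3.07, which rounds to 3.1 (Moderate).
    for counts in [(14, 0, 0), (7, 7, 0), (9, 2, 3), (0, 14, 0), (0, 0, 14)]:
        print(counts, assess(ratings_from_counts(*counts)))
```

Note that a single FAIL among 13 PASS ratings gives (13 + 8)/14 = 1.5, still Low Risk; the bands are coarse, so the per-control ratings in a report carry more information than the composite alone.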
Each of the 14 selected controls required adaptation from its traditional IT context to the DeFi smart contract domain. Key adaptations include:
Full technical implementation details including RPC function selectors and code implementations are available upon request for institutional subscribers.
DeFi Sentinel Watch monitors the top 10 liquidity pools by Total Value Locked (TVL) on each of SparkDex V3 and SparkDex V4, 20 pools in total. The monitored list is reviewed quarterly against current TVL rankings so that the program always covers the highest-value pools in the SparkDex ecosystem.
Each week we audit 6 pools, 3 from SparkDex V4 and 3 from SparkDex V3, taken in TVL-rank order. The rotation advances through the list week by week, so all 20 pools are audited within four weeks (20 pools at 6 per week) and the cycle then restarts from the top; no pool goes more than 30 days without a fresh audit. PDF reports are generated every Sunday at midnight UTC and delivered to the subscriber portal.
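The rotation described above, as an added example (not DeFi Sentinel Watch's scheduler), with a check of the two coverage claims: every pool is audited within four weeks, and no pool waits more than 30 days. Pool identifiers are constructed placeholders, and the rotation is assumed to be a continuous round-robin whose cursor does not reset at week boundaries.

```python
# Added example (not DeFi Sentinel Watch code): a round-robin weekly rotation
# over the 20 monitored pools and a check of the page's coverage claims.
# Pool identifiers below are constructed placeholders, not real SparkDex pools.
from typing import Optional

WEEK_DAYS = 7


def build_rotation(pools: list[str], per_week: int, weeks: int) -> list[tuple[str, ...]]:
    """Each week takes the next `per_week` pools in TVL-rank order, wrapping to
    the top of the list when the end is reached (the cursor is not reset at
    week boundaries, so a week may straddle the end and start of the list)."""
    n = len(pools)
    schedule, cursor = [], 0
    for _ in range(weeks):
        schedule.append(tuple(pools[(cursor + i) % n] for i in range(per_week)))
        cursor = (cursor + per_week) % n
    return schedule


def merge_weekly(*per_version: list[tuple[str, ...]]) -> list[tuple[str, ...]]:
    """Combine the per-version rotations into one weekly audit batch."""
    return [sum(week, ()) for week in zip(*per_version)]


def first_full_coverage_week(schedule, pools) -> Optional[int]:
    """1-based week by which every pool has been audited at least once."""
    seen, target = set(), set(pools)
    for week_no, batch in enumerate(schedule, start=1):
        seen.update(batch)
        if seen >= target:
            return week_no
    return None


def max_gap_days(schedule) -> int:
    """Longest interval between consecutive audits of the same pool."""
    last_seen, worst = {}, 0
    for week_idx, batch in enumerate(schedule):
        for pool in batch:
            if pool in last_seen:
                worst = max(worst, (week_idx - last_seen[pool]) * WEEK_DAYS)
            last_seen[pool] = week_idx
    return worst


def weekly_program(weeks: int = 20) -> dict:
    """Constructed 10 + 10 pool list, 3 + 3 per week, as the page describes."""
    v3 = [f"v3-pool-{rank:02d}" for rank in range(1, 11)]   # constructed, TVL order
    v4 = [f"v4-pool-{rank:02d}" for rank in range(1, 11)]   # constructed, TVL order
    schedule = merge_weekly(build_rotation(v4, 3, weeks), build_rotation(v3, 3, weeks))
    return {
        "pools_per_week": len(schedule[0]),
        "full_coverage_week": first_full_coverage_week(schedule, v3 + v4),
        "max_gap_days": max_gap_days(schedule),
        "schedule": schedule,
    }


if __name__ == "__main__":
    summary = weekly_program()
    for week_no, batch in enumerate(summary["schedule"][:5], start=1):
        print(f"week {week_no}: {batch}")
    print("full coverage by week", summary["full_coverage_week"],
          "| max gap", summary["max_gap_days"], "days")
```

With 10 pools per version and 3 per week, the per-version pattern repeats every 10 weeks and each pool is audited three times per period; the longest gap between two audits of the same pool is 4 weeks (28 days), which is where the 30-day guarantee comes from.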
Subscribers can access their full report archive at any time, enabling side-by-side comparison of audit results across cycles to identify security trends, configuration changes, or emerging risk patterns over time.
A monitoring agent polls every actively monitored pool every 15 minutes and compares its bytecode hash (SI-7), fee tier (CM-6), and tick spacing (CM-6) against the established baseline. Any detected change triggers an immediate full 14-control audit and a subscriber notification, regardless of where the pool sits in the weekly rotation. In a typical concentrated-liquidity pool contract the fee tier and tick spacing are fixed at deployment and the bytecode of a non-upgradeable contract cannot change, so any drift in these fields means the code at that address was replaced (a proxy upgrade or a redeployment) and is itself a strong signal. For a pool fronted by an upgradeable proxy the proxy's own bytecode hash does not change on upgrade, so the implementation address held in the proxy (the EIP-1967 implementation slot) must be baselined and polled as well.
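The baseline-versus-current drift check, as an added example that is not DeFi Sentinel Watch's agent. It assumes the pool exposes Uniswap-V3-style `fee()` and `tickSpacing()` getters (the selectors below are the standard ones for that ABI; SparkDex's ABI is not given on this page), reads the EIP-1967 implementation slot to catch proxy upgrades that leave the proxy bytecode unchanged, and uses SHA-256 in place of keccak256 to stay stdlib-only (production code should hash with keccak256 to match `EXTCODEHASH`). The RPC client, pool address, and bytecode are constructed stand-ins.

```python
# Added example (not DeFi Sentinel Watch code): baseline-vs-current drift
# check over the fields the page names, run against a constructed fake RPC.
# Assumptions: Uniswap-V3-style fee()/tickSpacing() getters (standard selectors
# below; SparkDex's ABI is not on the page), and SHA-256 standing in for
# keccak256 so the example needs only the standard library.
import hashlib

SEL_FEE = "0xddca3f43"           # keccak256("fee()")[:4]
SEL_TICK_SPACING = "0xd0c93a7c"  # keccak256("tickSpacing()")[:4]
# EIP-1967 logic address slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"

CONTROL_FOR = {"code_hash": "SI-7", "implementation": "SI-7",
               "fee": "CM-6", "tick_spacing": "CM-6"}


def word(n: int) -> str:
    """ABI-encode an unsigned integer as a 32-byte hex word."""
    return "0x" + format(n, "064x")


def take_snapshot(rpc, pool: str) -> dict:
    """Read the monitored fields for one pool through a JSON-RPC-style callable."""
    code = rpc("eth_getCode", [pool, "latest"])
    fee = int(rpc("eth_call", [{"to": pool, "data": SEL_FEE}, "latest"]), 16)
    tick = int(rpc("eth_call", [{"to": pool, "data": SEL_TICK_SPACING}, "latest"]), 16)
    impl_word = rpc("eth_getStorageAt", [pool, EIP1967_IMPL_SLOT, "latest"])
    return {
        # "0x" means no code at the address (never deployed, or self-destructed).
        "code_hash": None if code == "0x" else hashlib.sha256(bytes.fromhex(code[2:])).hexdigest(),
        "fee": fee,
        "tick_spacing": tick,
        # Low 20 bytes of the slot; all zeros means the pool is not an EIP-1967 proxy.
        "implementation": "0x" + impl_word[-40:],
    }


def detect_drift(baseline: dict, current: dict) -> list:
    """(control, field, baseline value, current value) for every changed field."""
    return [(CONTROL_FOR[f], f, baseline[f], current[f])
            for f in CONTROL_FOR if baseline[f] != current[f]]


def make_fake_rpc(state: dict):
    """Constructed stand-in for an RPC client; `state` maps pool -> chain view."""
    def rpc(method: str, params: list):
        if method == "eth_call":
            return state[params[0]["to"]]["calls"][params[0]["data"]]
        view = state[params[0]]
        if method == "eth_getCode":
            return view["code"]
        if method == "eth_getStorageAt":
            return view["storage"].get(params[1], word(0))
        raise ValueError(f"unsupported method {method}")
    return rpc


def demo() -> dict:
    """Constructed proxy-fronted pool: an upgrade swaps the implementation but
    leaves the proxy bytecode (and so its hash) unchanged; then the fee changes."""
    pool = "0x" + "11" * 20                          # constructed address
    proxy_code = "0x6080604052" + "00" * 8           # constructed bytecode
    state = {pool: {"code": proxy_code,
                    "storage": {EIP1967_IMPL_SLOT: "0x" + "00" * 12 + "aa" * 20},
                    "calls": {SEL_FEE: word(3000), SEL_TICK_SPACING: word(60)}}}
    rpc = make_fake_rpc(state)
    baseline = take_snapshot(rpc, pool)
    state[pool]["storage"][EIP1967_IMPL_SLOT] = "0x" + "00" * 12 + "bb" * 20
    after_upgrade = detect_drift(baseline, take_snapshot(rpc, pool))
    state[pool]["calls"][SEL_FEE] = word(500)
    after_fee_change = detect_drift(baseline, take_snapshot(rpc, pool))
    return {"baseline": baseline, "after_upgrade": after_upgrade,
            "after_fee_change": after_fee_change}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In the demo the first drift report contains only the implementation change: the proxy's code hash is identical before and after the upgrade, which is exactly the case a bytecode-hash-only monitor misses.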
Every quarter we conduct a full review of the top 10 liquidity pools by TVL for both SparkDex V3 and V4. If pool rankings have changed materially, the monitored pool list is updated and new baselines are established for any newly added pools. This ensures our audit program remains focused on the highest-value pools in the ecosystem.
Security baselines are established at the initial audit and refreshed immediately after a verified, announced protocol upgrade or after the quarterly pool list review.
The following summarizes our systematic review of all 20 NIST SP 800-53 Rev. 5 control families and approximately 310 primary controls.
| Family | Controls | Included | Reason for Exclusions |
|---|---|---|---|
| AC — Access Control | 17 | 3 included | Session, device, and wireless controls have no smart contract equivalent |
| AT — Awareness & Training | 5 | 0 included | Organizational human behavior — no on-chain equivalent |
| AU — Audit & Accountability | 16 | 2 included | Blockchain immutability handles retention; session audit N/A |
| CA — Assessment, Authorization & Monitoring | 9 | 0 included | Continuous monitoring (CA-7) folded into AU-6 and SI-7; no formal authorization-to-operate equivalent |
| CM — Configuration Mgmt | 14 | 1 included | Procurement and development lifecycle controls N/A for deployed contracts |
| CP — Contingency Planning | 13 | 1 included | Organizational plans and physical site controls N/A; blockchain is distributed |
| IA — Identification & Auth | 12 | 0 included | No sessions, logins, or device auth in smart contracts; wallet addresses assessed in AC-2 |
| IR — Incident Response | 10 | 1 included | Organizational training and planning N/A; monitoring assessed in IR-4 |
| MA — Maintenance | 6 | 0 included | Physical maintenance N/A; upgrade maintenance in SI-2 |
| MP — Media Protection | 8 | 0 included | Physical media N/A; blockchain data is public and immutable |
| PE — Physical & Environmental | 20 | 0 included | No physical location; blockchain is globally distributed |
| PL — Planning | 12 | 0 included | Organizational planning documents — no on-chain equivalent |
| PM — Program Management | 32 | 0 included | Organizational governance — outside scope of on-chain assessment |
| PS — Personnel Security | 9 | 0 included | Permissionless DeFi — no formal personnel structure; teams often pseudonymous |
| PT — PII Processing | 8 | 0 included | DeFi protocols do not collect PII by design |
| RA — Risk Assessment | 10 | 1 included | Oracle integrity directly assessable; formal risk categorization is organizational |
| SA — System & Services Acq. | 23 | 1 included | Procurement and development lifecycle N/A for deployed contracts |
| SC — System & Comm. Protection | 51 | 2 included | Network architecture controls (firewalls, VPNs, wireless) N/A to permissionless blockchain |
| SI — System & Info. Integrity | 23 | 2 included | Malware, spam, session controls N/A; core integrity controls implemented |
| SR — Supply Chain Risk Mgmt | 12 | 0 included | Partially covered by SI-7; full supply chain analysis is a future capability |
The following controls are identified for future implementation as tooling matures:
Free weekly audit reports applying these 14 controls to 6 SparkDex pools — no credit card required.