# Security Agent: Sonar **What Sonar Monitors** Sonar operates five independent detection layers that run on every scan cycle: **1. TVL Monitoring.** Sonar monitors Total Value Locked per vault as a rapid liquidity-flight indicator. A vault is flagged if its TVL falls below $500,000, or if TVL drops by 20% or more within a two-hour window. **2. Stablecoin Depeg Detection.** Sonar checks all supported stablecoins using multiple sources: Chainlink on-chain oracles, CoinGecko price feeds, Uniswap v3 pool imbalance ratios, TWAP divergence, and cross-chain correlation. Each signal contributes to a numeric severity score (0 to 100). A score above 60, or any cross-chain depeg signal, triggers an immediate token-level kill switch. **3. Lending Market Health.** Sonar evaluates supply utilization, per-user exit feasibility, and borrow rate pressure for every active vault. If a user cannot withdraw more than half their allocated balance, or if utilization exceeds 90%, the vault is flagged. **4. Whale Exit Monitoring.** Large single-transaction withdrawals (exceeding 10% of vault TVL) trigger a vault-level kill switch. Smaller but notable withdrawals (exceeding 5%) are logged as warnings. **5. Protocol Repository Anomaly Detection.** Sonar monitors GitHub repositories for emergency-related commits, fast PR merges, off-hours releases, and direct pushes to main branches. Any signal flags all vaults belonging to the associated protocol. *** **How Sonar Protects You** When any detection layer identifies a threat, Sonar adds the affected vault or token to a live blacklist. The Sail Engine never sees flagged positions. It does not evaluate them, score them, or allocate into them. This separation ensures that risk mitigation is fully decoupled from yield optimization. *** **Performance and Balance Tiers** Sonar performs even better for higher balance tiers. Larger balances unlock higher execution frequency, meaning that when Sonar detects a risk event, the agent can exit faster and reduce exposure sooner. Sonar has successfully detected and mitigated risks in live market conditions, including depegs, resulting in no user losses to date. *** **Planned Extensions** Upcoming capabilities include statistical baselines with z-score gating for each monitored metric, and a sentiment and social signal layer that integrates public exploit documentation feeds as confirmatory signals (always requiring on-chain corroboration before modifying blacklists). For the full technical specification, see the [Security Agent: Sonar](https://docs.sail.money/learn/how-sail-works/security-agent-sonar) page. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sail.money/security/infra-safeguards/markdown.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.