Operational security and incident response

The standard for upgrade, parameter change, and fund withdrawal authority is 4 or more diverse signers with quorum 7+. A single EOA signature is effectively a single point of failure.

If admin actions execute immediately, key compromise = immediate loss. A timelock guarantees a withdrawal window for users and is the simplest safety net during incidents.

Separate OPERATOR, GUARDIAN, and OWNER roles at the contract level, each with a different signer pool. GUARDIAN should be limited to pause only.

Document a regular signer rotation and offboarding procedure. Departed members must not retain signing authority.

Add a GUARDIAN-callable pause to fund-flow functions like deposit, swap, and borrow. This is the first action when an attack is detected.

Set deposit limits, per-user limits, and asset limits right after deployment, then relax them over time. Even if an attack happens, loss has a hard ceiling.

Provide a bypass for users to recover their own assets even if the protocol is paused. It must run on simple validation that is independent of the main logic bug.

Proxy upgrades are an attack surface. Keep core asset-accounting contracts immutable and isolate only peripheral modules as upgradeable.

Layer alerts for TVL swings, unusually large transactions, governance action attempts, abnormal mints, and unauthorized function calls.

Multisig queueing and timelock transactions belong on a separate alert channel. Unauthorized queueing must be detected within five minutes.

Run 24/7 on-call via PagerDuty or equivalent. Alerts must not stop at one person's Slack DM.

For each scenario (contract exploit, admin key compromise, oracle manipulation, Discord hack), document the step-by-step flow and decision tree.

Designate Incident Commander, Communications Lead, Tech Lead, and Legal/Comms support roles. During an incident, who decides what must be immediately clear.

Run table-top scenarios quarterly and participate in events like SEAL Wargames once or twice a year to validate the playbook against real simulations.

Pre-create a private Telegram, Signal, or Discord category dedicated to security incidents. Key personnel must already be members.

Pre-collect 24/7 contacts for major CEX compliance teams, whitehat groups, partner protocols, lawyers, and foundation security teams.

Pre-write templates for each phase (initial notice: aware and investigating; first update: scope; final postmortem). Saves writing time mid-incident.

Sort out SEAL 911 bot contact and Whitehat Safe Harbor adoption ahead of time so you can use them immediately during an incident.

Publishing a bounty of $1M+ per Critical creates an incentive for whitehats to report findings before blackhats exploit them.

Use legal disclosure or a governance resolution to make whitehat fund recovery indemnified. Also helps prevent exchanges from freezing funds during recovery.

Hold funds in a separate multisig that can be deployed immediately for user or whitehat compensation. Plan for scenarios where there is no time to wait for governance.

Provide users with an insurable cover option, or have the protocol enroll the pool itself.