Emergency Pause Runbook
Engineer/DeveloperSecurity SpecialistMultisig Security
This is an example runbook. Review and customize it for your protocol before use. Add your specific contract addresses, pause functions, emergency contacts, and communication channels.
Quick Reference
| Field | Value |
|---|---|
| Severity | EMERGENCY |
| Response Time | <2 hours |
| Required Threshold | Per multisig config (often lower for emergencies) |
| Owner | Security Team |
| Last Updated | Date |
When to Use
- Active exploit detected
- Suspicious activity on protocol contracts
- Key compromise affecting protocol
- Vulnerability disclosure requiring immediate action
Immediate Actions (First 30 Minutes)
1. Alert Team
- Send alert to emergency Signal group
- Page signers via configured paging system
- Notify the security contact
Alert template:
URGENT: [Brief description]
Multisig: [Name]
Action needed: [Pause/Freeze/etc.]
Respond ASAP - <2hr SLA2. Assess Situation
- Confirm threat is real (not false alarm)
- Identify affected contracts or assets
- Determine which pause function(s) to call
- Estimate urgency
3. Prepare Transaction
Proposer (can be any signer or delegated proposer):
- Go to Safe or Squads UI
- Use Transaction Builder for contract interaction
- Select target contract
- Select
pause()or appropriate emergency function - Create transaction
Signing Process (Streamlined)
Emergency signing follows abbreviated verification.
Minimum Verification
[ ] Correct multisig address
[ ] Correct network
[ ] Target contract is correct (verify address)
[ ] Function is pause() or expected emergency function
[ ] No unexpected additional calls
[ ] Hash matches hardware walletSign and Communicate
- Sign immediately after verification
- Message: "Signed - [X/Y] - [your name]"
- Stay available until executed
Execute
- Execute as soon as threshold is reached
- Verify pause took effect (check contract state)
- Communicate: "EXECUTED - pause confirmed"
Contract Reference
| Contract | Address | Pause Function | Expected Behavior |
|---|---|---|---|
| Example contract 1 | 0x... | pause() | Stops all operations |
| Example contract 2 | 0x... | emergencyStop() | Stops withdrawals |
| Add your contracts here |
After Pause
Immediate (Within 1 hour)
- Confirm pause is effective
- Document incident using Incident Reporting
- Notify stakeholders
Short-term (Within 24 hours)
- Root cause analysis
- Plan for resolution
- Draft public communication if needed
Resolution
- Fix underlying issue
- Test fix thoroughly
- Plan unpause procedure
- Execute unpause with full verification (not emergency process)
If Primary UI is Down
Use backup infrastructure:
EVM:
- Eternal Safe
- Configure with backup RPC
- Load Safe address
- Create custom transaction with pause calldata
Solana:
- Squads Backup
- Configure RPC
- Load multisig
See Backup Signing & Infrastructure for detailed instructions.
Key Compromise Variant
If a signer key is compromised:
- Do not use compromised key for any operations
- Alert team via backup channel (assume primary may be compromised)
- Assess if attacker has threshold
- Prepare signer rotation transaction
- Execute removal of compromised signer
- Rotate compromised signer to new address
Communication Channel Compromise
If a communication channel is compromised:
- Switch to backup channel immediately
- Verify identity of all participants via secondary method
- Do not trust any pending requests from compromised channel
- Assume attacker may attempt social engineering
Drill Checklist
For emergency drills (run bi-annually):
- Page all signers
- Measure time to reach threshold
- Practice emergency signing flow on testnet
- Test backup communication channels
- Test backup UIs
- Document results and improve procedures