## Emergency And Pause Flow

```mermaid
flowchart TD
A[Alert] --> B{Classify incident}
B -->|queued malicious upgrade| C[cancelUpgrade]
B -->|role/key compromise| D[revokeRole or cancel pending grant]
B -->|vault/validator risk| E[pause executors, update risk, request exit]
B -->|claim safety issue| F[setClaimExecutorsPaused or clear reserve readiness]
B -->|beacon end-state emergency| G[finalFreeze registered beacons]
C --> H[Verify state and archive evidence]
D --> H
E --> H
F --> H
G --> H
```
## Emergency Levers

| Lever | Authority | Use |
|---|---|---|
| cancelUpgrade | CANCELLER_ROLE | Stop a proposed or queued operation before it executes. |
| revokeRole | roleAdmin | Remove a compromised role holder immediately and clear its pending grants. |
| cancelRoleGrant | roleAdmin | Cancel a staged grant during the delay window. |
| setClaimExecutorsPaused | Controller owner through gatekeeper | Disable executor-assisted claims; direct beneficiary paths stay subject to controller logic. |
| setTriggerArmed(false) | Controller owner | Disarm claim execution for a vault and cancel any pending claim. |
| clearReserveCoverage | Controller owner | Remove reserve readiness when the proof or custody is invalid. |
| requestValidatorExit* | Any caller, subject to controller checks | Initiate a validator exit under controller policy. |
| proposeSettlementWithGuard | Controller owner | Move a vault toward settlement, whether emergency or ordinary. |
| finalFreeze | FREEZER_ROLE | Irreversibly freeze registered vault beacons. |
## Fail-Closed Conditions

Claims and deposits must fail closed whenever any of the following holds:

- observations are stale
- risk is quarantined
- the reserve proof is stale
- an exit is in progress
- policy assertions fail
- router bootstrap is open
- beacon authority drifts from the registered authority
- a governance role signal is unexplained
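The following is an added illustration of the fail-closed rule, not the project's own contract or controller code. It models a gate that admits a claim or deposit only when every condition above positively clears; an input that could not be read (`None`) or that is older than its freshness window denies, so a dead observer or a failed RPC read blocks the action instead of waving it through. The field names, the two freshness windows and the sample state are assumptions made for this example.

```python
"""Fail-closed admission check for claims and deposits (illustrative).

Each condition the runbook names must positively clear before an action
is allowed. Unknown (None) or stale inputs deny, so a failed read or a
dead observer blocks the action rather than letting it through. Field
names, thresholds and the sample state are assumptions for this example,
not the project's own interface."""
from dataclasses import dataclass
from typing import Optional

MAX_OBSERVATION_AGE = 30 * 60         # seconds; assumed freshness window for observations
MAX_RESERVE_PROOF_AGE = 24 * 60 * 60  # seconds; assumed freshness window for reserve proofs


@dataclass
class VaultState:
    """Inputs the gate reads. None means 'could not be read' and is treated as unsafe."""
    now: int                                         # current block timestamp
    observation_ts: Optional[int] = None             # timestamp of latest observation
    risk_quarantined: Optional[bool] = None
    reserve_proof_ts: Optional[int] = None           # timestamp of latest reserve proof
    exit_in_progress: Optional[bool] = None
    policy_assertions_ok: Optional[bool] = None
    router_bootstrap_open: Optional[bool] = None
    beacon_authority: Optional[str] = None           # authority read from the beacon now
    expected_beacon_authority: Optional[str] = None  # authority recorded at registration
    unexplained_role_signal: Optional[bool] = None


def is_fresh(ts: Optional[int], now: int, max_age: int) -> bool:
    """Fresh only if present, not from the future, and within max_age."""
    return ts is not None and 0 <= now - ts <= max_age


def evaluate(state: VaultState) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). allowed is True only when reasons is empty."""
    reasons = []
    if not is_fresh(state.observation_ts, state.now, MAX_OBSERVATION_AGE):
        reasons.append("stale or missing observation")
    if state.risk_quarantined is not False:          # True or None both deny
        reasons.append("risk quarantined or unknown")
    if not is_fresh(state.reserve_proof_ts, state.now, MAX_RESERVE_PROOF_AGE):
        reasons.append("stale or missing reserve proof")
    if state.exit_in_progress is not False:
        reasons.append("exit in progress or unknown")
    if state.policy_assertions_ok is not True:       # only an explicit pass counts
        reasons.append("policy assertions failed or unknown")
    if state.router_bootstrap_open is not False:
        reasons.append("router bootstrap open or unknown")
    if (state.beacon_authority is None or state.expected_beacon_authority is None
            or state.beacon_authority.lower() != state.expected_beacon_authority.lower()):
        reasons.append("beacon authority drift or unknown")
    if state.unexplained_role_signal is not False:
        reasons.append("unexplained governance role signal")
    return (not reasons, reasons)


def healthy_state(now: int) -> VaultState:
    """Constructed sample in which every guard clears."""
    return VaultState(
        now=now, observation_ts=now - 60, risk_quarantined=False,
        reserve_proof_ts=now - 3600, exit_in_progress=False,
        policy_assertions_ok=True, router_bootstrap_open=False,
        beacon_authority="0xAbC", expected_beacon_authority="0xabc",
        unexplained_role_signal=False,
    )


if __name__ == "__main__":
    state = healthy_state(now=1_700_000_000)
    print(evaluate(state))                        # (True, [])
    state.observation_ts -= MAX_OBSERVATION_AGE   # push the observation past its window
    print(evaluate(state))                        # (False, ['stale or missing observation'])
```

The design point is the polarity of each check: the gate never asks "is anything known to be wrong?" but "has every condition been positively shown to be safe?", which is what makes a missing read deny by default. Returning the full reason list rather than the first failure lets the responder see which layers are failing at once, which feeds the lever choice under the layered response rule.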
## Incident Evidence

Archive, for every incident:

- the alert source
- on-chain event ids
- decoded calldata
- the signer set
- the cancellation or mitigation transaction
- post-action reads
- affected vaults
- user communications
- the follow-up remediation issue
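As an added example of the "verify state and archive evidence" step that every branch of the flow ends in, the script below assembles the evidence items listed above into a content-addressed record and reports the incident as `verified` only when every required item is present and the fresh post-action reads match the state the lever was supposed to produce. This is illustrative code, not project tooling; the record field names, the `operation_pending` read and the sample incident are constructed for the example.

```python
"""Verify-and-archive step after an emergency lever (illustrative).

Builds a content-addressed incident record from the evidence items the
runbook lists, and marks it 'verified' only when the post-action reads
confirm the lever took effect. Field names and the sample incident are
assumptions for this example, not project data."""
import hashlib
import json

# One entry per evidence item the runbook requires.
REQUIRED_FIELDS = (
    "alert_source", "event_ids", "decoded_calldata", "signer_set",
    "mitigation_tx", "post_action_reads", "affected_vaults",
    "user_communications", "remediation_issue",
)


def missing_fields(evidence: dict) -> list:
    """Fields absent or empty; an incident cannot close with gaps."""
    return [f for f in REQUIRED_FIELDS if not evidence.get(f)]


def post_action_gaps(expected: dict, reads: dict) -> list:
    """Every expected post-action value must be present and equal in the fresh reads."""
    gaps = []
    for key, want in expected.items():
        if key not in reads:
            gaps.append(f"{key}: no post-action read")
        elif reads[key] != want:
            gaps.append(f"{key}: expected {want!r}, read {reads[key]!r}")
    return gaps


def build_record(evidence: dict, expected_state: dict) -> dict:
    """Archive everything that was collected, but report 'verified' only with zero gaps."""
    gaps = [f"missing: {f}" for f in missing_fields(evidence)]
    gaps += post_action_gaps(expected_state, evidence.get("post_action_reads") or {})
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    canonical = json.dumps(evidence, sort_keys=True, separators=(",", ":"), default=str)
    return {
        "status": "verified" if not gaps else "open",
        "gaps": gaps,
        "sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        "evidence": evidence,
    }


# Constructed sample: a queued malicious upgrade stopped with cancelUpgrade.
# Hashes, ids and the 'operation_pending' read are placeholders, not real data.
SAMPLE_EVIDENCE = {
    "alert_source": "monitor: unexpected upgrade queued",
    "event_ids": ["0x01:log3"],
    "decoded_calldata": {"fn": "cancelUpgrade", "operationId": "0x02"},
    "signer_set": ["0x03"],
    "mitigation_tx": "0x04",
    "post_action_reads": {"operation_pending": False},
    "affected_vaults": ["vault-A"],
    "user_communications": "status page updated",
    "remediation_issue": "SEC-1",
}
EXPECTED_AFTER_CANCEL = {"operation_pending": False}

if __name__ == "__main__":
    print(json.dumps(build_record(SAMPLE_EVIDENCE, EXPECTED_AFTER_CANCEL), indent=2))
```

Two choices matter here. The record is archived even when it is `open`, so partial evidence is never discarded; but the incident cannot be reported as mitigated until the expected post-action state has actually been read back from chain, which catches a cancellation transaction that was sent but reverted. The canonical-JSON digest gives the archive a stable identifier that the remediation issue can cite and that can be re-derived later to show the record was not altered.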
## Layered Response Rule

Emergency response uses the narrowest lever that matches the failing layer:

- Upgrade governance incidents: cancellation, role revocation, or registration review. Final freeze is reserved for beacon end-state emergencies.
- Deposit permissioning incidents: intent removal or allowlist-admin rotation.
- Custody/readiness incidents: gather factory, controller, vault, router, reserve, or exit-route evidence before reopening deposits.
- Economic/claim safety incidents: claim pause, trigger changes, reserve coverage clearing, risk updates, exit requests, or settlement procedures.

Crossing layers without documenting why creates avoidable authority risk.