Incident Response Priorities

Priority Order

  1. contain governance abuse risk (cancel queued operations, revoke suspect roles)
  2. preserve principal and claim safety (pause executor pathways, cancel risky pending claims)
  3. preserve evidence (event logs, signer metadata, calldata, decoded operations)
  4. communicate controlled status updates
  5. execute validated remediation plan

Minimum Incident Record

  • UTC timeline
  • operation ids and tx hashes
  • roles/signers involved
  • actions taken and rationale
  • residual risk and reopen criteria

First Hour

Classify the incident as governance, deposit/custody, oracle/receipt, claim/funds movement, validator risk, or infrastructure. Assign one owner for chain actions and one owner for communications. Freeze normal change windows until the incident lead reopens them.

On-Chain Containment

Use cancelUpgrade for unsafe queued operations, revokeRole for compromised role holders, claim executor pause for executor risk, reserve/trigger changes for unsafe claims, and deposit-window closure for custody/readiness failures. Do not use final freeze unless the incident explicitly justifies irreversible beacon freezing.

Evidence

Every containment transaction must include the triggering evidence, decoded calldata, signer approval, tx hash, post-state read, and residual risk note.
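
One way to enforce the evidence rule above before an incident record is closed. This is an added example, not code from this project: the dictionary key names, the 32-byte hex form assumed for tx hashes, and the sample records are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Evidence the runbook requires per containment transaction (key names are assumptions).
REQUIRED_EVIDENCE = ("triggering_evidence", "decoded_calldata", "signer_approval",
                     "tx_hash", "post_state_read", "residual_risk_note")
TX_HASH_RE = re.compile(r"0x[0-9a-fA-F]{64}")  # assumption: 32-byte hash, hex encoded

def check_containment_record(rec):
    """Return the list of problems found in one containment transaction record."""
    problems = [f"missing {f}" for f in REQUIRED_EVIDENCE
                if not str(rec.get(f) or "").strip()]
    tx = rec.get("tx_hash") or ""
    if tx and not TX_HASH_RE.fullmatch(tx):
        problems.append("malformed tx_hash")
    try:
        ts = datetime.fromisoformat(rec.get("utc_time"))
        # Naive timestamps (no offset) are rejected too: the timeline must be UTC.
        if ts.utcoffset() != timedelta(0):
            problems.append("utc_time is not UTC")
    except (TypeError, ValueError):
        problems.append("utc_time missing or unparseable")
    return problems

def check_incident(records):
    """Map record index -> problems; complete records do not appear."""
    report = {}
    for i, rec in enumerate(records):
        problems = check_containment_record(rec)
        if problems:
            report[i] = problems
    return report

# Constructed sample records: the first is complete, the second is not.
SAMPLE = [
    {"utc_time": "2024-01-01T10:05:00+00:00", "action": "cancelUpgrade",
     "triggering_evidence": "unexpected queued operation reported by monitoring",
     "decoded_calldata": "cancelUpgrade(<operation id>)",
     "signer_approval": "<approval reference>", "tx_hash": "0x" + "ab" * 32,
     "post_state_read": "operation no longer queued",
     "residual_risk_note": "proposer role still under review"},
    {"utc_time": "2024-01-01T12:20:00+02:00", "action": "revokeRole",
     "triggering_evidence": "role holder key suspected compromised",
     "decoded_calldata": "revokeRole(<role>, <account>)",
     "signer_approval": "", "tx_hash": "0x1234",
     "post_state_read": "account no longer holds role",
     "residual_risk_note": "other roles of same signer not yet checked"},
]

if __name__ == "__main__":
    print(check_incident(SAMPLE))
```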