Skip to content

Emergency Pause Runbook

Engineer/DeveloperSecurity SpecialistMultisig Security

Authored by:

Isaac Patka
Isaac Patka
SEAL | Shield3
Geoffrey Arone
Geoffrey Arone
Shield3
Louis Marquenet
Louis Marquenet
Opsek
Pablo Sabbatella
Pablo Sabbatella
SEAL | Opsek
Dickson Wu
Dickson Wu
SEAL

This is an example runbook. Review and customize it for your protocol before use. Add your specific contract addresses, pause functions, emergency contacts, and communication channels.

Quick Reference

FieldValue
SeverityEMERGENCY
Response Time<2 hours
Required ThresholdPer multisig config (often lower for emergencies)
OwnerSecurity Team
Last UpdatedDate

When to Use

  • Active exploit detected
  • Suspicious activity on protocol contracts
  • Key compromise affecting protocol
  • Vulnerability disclosure requiring immediate action

Immediate Actions (First 30 Minutes)

1. Alert Team

  • Send alert to emergency Signal group
  • Page signers via configured paging system
  • Notify the security contact

Alert template:

URGENT: [Brief description]
Multisig: [Name]
Action needed: [Pause/Freeze/etc.]
Respond ASAP - <2hr SLA

2. Assess Situation

  • Confirm threat is real (not false alarm)
  • Identify affected contracts or assets
  • Determine which pause function(s) to call
  • Estimate urgency

3. Prepare Transaction

Proposer (can be any signer or delegated proposer):

  1. Go to Safe or Squads UI
  2. Use Transaction Builder for contract interaction
  3. Select target contract
  4. Select pause() or appropriate emergency function
  5. Create transaction

Signing Process (Streamlined)

Emergency signing follows abbreviated verification.

Minimum Verification

[ ] Correct multisig address
[ ] Correct network
[ ] Target contract is correct (verify address)
[ ] Function is pause() or expected emergency function
[ ] No unexpected additional calls
[ ] Hash matches hardware wallet

Sign and Communicate

  • Sign immediately after verification
  • Message: "Signed - [X/Y] - [your name]"
  • Stay available until executed

Execute

  • Execute as soon as threshold is reached
  • Verify pause took effect (check contract state)
  • Communicate: "EXECUTED - pause confirmed"

Contract Reference

ContractAddressPause FunctionExpected Behavior
Example contract 10x...pause()Stops all operations
Example contract 20x...emergencyStop()Stops withdrawals
Add your contracts here

After Pause

Immediate (Within 1 hour)

  • Confirm pause is effective
  • Document incident using Incident Reporting
  • Notify stakeholders

Short-term (Within 24 hours)

  • Root cause analysis
  • Plan for resolution
  • Draft public communication if needed

Resolution

  • Fix underlying issue
  • Test fix thoroughly
  • Plan unpause procedure
  • Execute unpause with full verification (not emergency process)

If Primary UI is Down

Use backup infrastructure:

EVM:

  1. Eternal Safe
  2. Configure with backup RPC
  3. Load Safe address
  4. Create custom transaction with pause calldata

Solana:

  1. Squads Backup
  2. Configure RPC
  3. Load multisig

See Backup Signing & Infrastructure for detailed instructions.

Escalation

If threshold cannot be reached within SLA:

  1. Contact backup signers
  2. Escalate to decision makers
  3. Consider alternative mitigations
  4. Document why threshold was not met

Emergency contacts: See your configured emergency contact list.

Related Documents

Help us improve!

Spotted an error or have ideas to enhance this content?

Your contributions are valuable to us. Learn more

✏️ Contribute today!