
Emergency Response Playbook

Configuring a "Break Glass" emergency role.

When a hack is detected, speed is everything. But giving an admin key "god mode" is dangerous: the same key that can stop an attack can also drain the protocol.

Matador allows you to create a Restricted Guardian: a role that has permission to save the protocol, but not to steal from it.

The Guardian Policy

The Guardian should be able to:

  1. Pause the protocol.
  2. Move funds to a pre-defined "Safe Harbor" multisig.
  3. Blacklist an attacker address.

The Guardian should NOT be able to:

  1. Move funds to their own wallet.
  2. Change protocol logic.
  3. Mint tokens.

Expressed as a Matador permission policy, the role looks like this:

permission GuardianActions -> 1.0.0 {
    parameters: {
        guardian: address,
        daoMultisig: address,
        pauseSelector: bytes4,
        rescueSelector: bytes4,
        blacklistSelector: bytes4
    }

    when: {
        any {
            // Pause
            all {
                context.caller == parameters.guardian,
                calldata.selector == parameters.pauseSelector
            },
            // Rescue funds to the DAO multisig
            all {
                context.caller == parameters.guardian,
                calldata.selector == parameters.rescueSelector,
                calldata.recipient == parameters.daoMultisig
            },
            // Blacklist
            all {
                context.caller == parameters.guardian,
                calldata.selector == parameters.blacklistSelector
            }
        }
    }
}
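To check that the policy above really grants only the three break-glass actions and nothing else, here is an off-chain model of its `when: any { all { ... } }` structure in Python. This is an added example, not Matador's own code or evaluator: the addresses and 4-byte selectors are constructed placeholders (real selectors are the first four bytes of keccak256 of the function signature and would be taken from the contract ABI), and the rule layout is a direct transcription of the three `all` branches.

```python
"""Off-chain model of the GuardianActions policy.

Added example, not Matador's own code: it re-implements the
`when: any { all {...} }` structure of the policy in plain Python so the
allow/deny behaviour can be unit-tested before the policy is deployed. All
addresses and 4-byte selectors below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed placeholder addresses (20 bytes, hex encoded).
GUARDIAN = "0x" + "11" * 20
DAO_MULTISIG = "0x" + "22" * 20
ATTACKER = "0x" + "33" * 20

# Constructed placeholder selectors; not the real values for any contract.
PAUSE_SELECTOR = bytes.fromhex("0000aa01")
RESCUE_SELECTOR = bytes.fromhex("0000aa02")
BLACKLIST_SELECTOR = bytes.fromhex("0000aa03")
UPGRADE_SELECTOR = bytes.fromhex("0000bb01")   # never granted to the guardian
MINT_SELECTOR = bytes.fromhex("0000bb02")      # never granted to the guardian


@dataclass(frozen=True)
class GuardianParams:
    """Mirrors the `parameters` block of GuardianActions."""
    guardian: str
    dao_multisig: str
    pause_selector: bytes
    rescue_selector: bytes
    blacklist_selector: bytes


@dataclass(frozen=True)
class Call:
    """The subset of context/calldata the policy inspects."""
    caller: str
    selector: bytes
    recipient: Optional[str] = None  # decoded only for transfer-style calls


def same_address(a: Optional[str], b: Optional[str]) -> bool:
    # Addresses compare case-insensitively; a missing recipient never matches.
    return a is not None and b is not None and a.lower() == b.lower()


Predicate = Callable[[Call], bool]


def guardian_rules(p: GuardianParams) -> List[Tuple[str, List[Predicate]]]:
    """One (name, predicates) entry per `all { ... }` branch of the policy."""
    is_guardian: Predicate = lambda c: same_address(c.caller, p.guardian)
    return [
        ("pause", [is_guardian,
                   lambda c: c.selector == p.pause_selector]),
        ("rescue-to-dao", [is_guardian,
                           lambda c: c.selector == p.rescue_selector,
                           lambda c: same_address(c.recipient, p.dao_multisig)]),
        ("blacklist", [is_guardian,
                       lambda c: c.selector == p.blacklist_selector]),
    ]


def evaluate(p: GuardianParams, call: Call) -> Tuple[bool, str]:
    """`any` over branches, `all` within a branch; deny if nothing matches."""
    for name, predicates in guardian_rules(p):
        if all(pred(call) for pred in predicates):
            return True, name
    return False, "no branch matched: denied"


PARAMS = GuardianParams(GUARDIAN, DAO_MULTISIG,
                        PAUSE_SELECTOR, RESCUE_SELECTOR, BLACKLIST_SELECTOR)


def policy_matrix(p: GuardianParams = PARAMS) -> dict:
    """Decisions for the allowed and forbidden actions listed in the policy."""
    cases = {
        "guardian pauses": Call(GUARDIAN, PAUSE_SELECTOR),
        "guardian rescues to DAO multisig": Call(GUARDIAN, RESCUE_SELECTOR, DAO_MULTISIG),
        "guardian blacklists": Call(GUARDIAN, BLACKLIST_SELECTOR),
        "guardian rescues to own wallet": Call(GUARDIAN, RESCUE_SELECTOR, GUARDIAN),
        "guardian upgrades logic": Call(GUARDIAN, UPGRADE_SELECTOR),
        "guardian mints": Call(GUARDIAN, MINT_SELECTOR),
        "attacker pauses": Call(ATTACKER, PAUSE_SELECTOR),
    }
    return {label: evaluate(p, call)[0] for label, call in cases.items()}


if __name__ == "__main__":
    for label, allowed in policy_matrix().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

The deny cases matter as much as the allow cases: a rescue whose recipient is anything other than the DAO multisig, an upgrade, a mint, or any call from a non-guardian all fall through every branch and are refused by default. The same table of calls is what you would re-run whenever the policy parameters change.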

The Runbook

  1. Monitoring: An off-chain bot detects an anomaly (e.g., a massive withdrawal).
  2. Trigger: The bot (or a team member) uses the Guardian Key to call pause().
  3. Response: The protocol halts. The team investigates.
  4. Recovery: If it was a false alarm, Governance votes to unpause. If it was real, Governance votes to upgrade the contract.
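As an added illustration of the Monitoring and Trigger steps (not Matador's bot or any code from the project), the following Python sketch keeps a rolling sum of withdrawals over a block window and emits a pause decision when that sum exceeds a fraction of a TVL snapshot. The threshold, window, addresses and event stream are all constructed sample values; the top withdrawer it reports is only a lead for the investigation step, not something to blacklist automatically.

```python
"""Sliding-window withdrawal monitor for the Monitoring and Trigger steps.

Added example, not Matador's own code. It models the off-chain bot: it
consumes withdrawal events in block order, keeps a rolling sum over the last
`window_blocks` blocks, and when that sum exceeds `max_fraction` of the TVL
snapshot it returns a pause decision for the Guardian key to execute. The
event stream, addresses and amounts below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Withdrawal:
    block: int
    sender: str
    amount: int  # token base units


@dataclass(frozen=True)
class PauseDecision:
    block: int             # block at which the threshold was crossed
    drained: int           # withdrawals inside the window
    fraction: float        # drained / tvl_snapshot
    top_sender: str        # largest withdrawer in the window, a lead for investigation
    action: str = "pause"  # the only action the bot is expected to trigger


class WithdrawalMonitor:
    def __init__(self, tvl_snapshot: int, window_blocks: int = 20,
                 max_fraction: float = 0.10) -> None:
        self.tvl = tvl_snapshot          # TVL at monitor start; refreshed out of band
        self.window = window_blocks
        self.max_fraction = max_fraction
        self.events: Deque[Withdrawal] = deque()
        self.total = 0

    def observe(self, w: Withdrawal) -> Optional[PauseDecision]:
        """Feed one event (in block order); return a decision when the threshold is crossed."""
        self.events.append(w)
        self.total += w.amount
        # Evict events that fell out of the window.
        while self.events and self.events[0].block < w.block - self.window:
            self.total -= self.events.popleft().amount
        if self.total <= self.max_fraction * self.tvl:
            return None
        per_sender: Dict[str, int] = {}
        for e in self.events:
            per_sender[e.sender] = per_sender.get(e.sender, 0) + e.amount
        top = max(per_sender, key=per_sender.get)
        return PauseDecision(w.block, self.total, self.total / self.tvl, top)


def run_monitor(events: Iterable[Withdrawal], tvl_snapshot: int) -> Optional[PauseDecision]:
    """Replay a stream and return the first pause decision, or None."""
    monitor = WithdrawalMonitor(tvl_snapshot)
    for w in events:
        decision = monitor.observe(w)
        if decision is not None:
            return decision
    return None


# Constructed sample stream: routine withdrawals, then a drain from one address.
USER_A = "0x" + "aa" * 20
USER_B = "0x" + "bb" * 20
DRAINER = "0x" + "ee" * 20
TVL_SNAPSHOT = 1_000_000
SAMPLE_EVENTS: List[Withdrawal] = [
    Withdrawal(100, USER_A, 5_000),
    Withdrawal(102, USER_B, 5_000),
    Withdrawal(104, USER_A, 5_000),
    Withdrawal(106, USER_B, 5_000),
    Withdrawal(108, USER_A, 5_000),
    Withdrawal(120, DRAINER, 60_000),   # 85_000 in window: still under 10% of TVL
    Withdrawal(121, DRAINER, 70_000),   # block 100 evicted; 150_000 in window: 15%
]


if __name__ == "__main__":
    print(run_monitor(SAMPLE_EVENTS, TVL_SNAPSHOT) or "no anomaly")
```

The decision object is deliberately narrow: it carries the evidence (window total, fraction, top withdrawer) and a single `action` of "pause", which is the only call the Guardian key is permitted to make on the bot's behalf. Anything beyond halting (blacklisting, rescuing funds, unpausing) waits for the Response and Recovery steps.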

Restrict the blast radius

Guardian roles should be scoped to the minimum set of break-glass actions.

This setup enables Trustless Incident Response: the responder can halt an attack without ever being trusted with custody of the protocol's funds.
