Skip to content

docs(#490): add emergency pause operator guide #497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
BWM0223 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs(#490): add emergency pause operator guide #497

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions docs/emergency-pause.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# Emergency Pause — Operator Guide

The emergency pause is a critical safety mechanism. Misusing it can cause
harm to users — pausing without a recovery plan, or unpausing before a fix
is deployed, can leave funds locked or vulnerabilities active.

## When to Pause

Activate the emergency pause **only** when you have strong evidence of:

| Condition | Example |
|-----------|--------|
| Suspected active exploit | Unusual drain from treasury or holder balances |
| Critical bug in trade logic | Buy/sell producing wrong balances |
| Abnormal treasury drain | Treasury balance decreasing without expected trades |
| Compromised admin key | Evidence of unauthorized transactions |

> **Do not pause** for speculative or precautionary reasons without evidence.
> Pausing halts all trading for all users.

## Steps While Paused

1. **Assess impact** — Determine the scope of the issue. Check on-chain event logs
for anomalous transactions. Identify affected users and amounts.

2. **Communicate** — Notify the community immediately via official channels
(Discord, Telegram, Twitter/X). Be transparent about what is known and unknown.

3. **Reproduce the issue** — Confirm the root cause in a local or testnet
environment before preparing any fix.

4. **Prepare the fix** — Develop, test, and audit the remediation. Do not rush.
A second bug introduced during an emergency is worse than the original.

5. **Plan migration if needed** — If state needs to be migrated, prepare and
test the migration script before unpausing.

## When It Is Safe to Unpause

Only unpause when **all** of the following are true:

- [ ] Root cause is confirmed and understood
- [ ] Fix is deployed and verified on testnet
- [ ] Fix is deployed to mainnet (or migration is complete)
- [ ] At least one independent reviewer has confirmed the fix
- [ ] Community has been notified of the timeline

> ⚠️ **Warning:** Unpausing without a deployed fix leaves the same vulnerability
> active. An attacker who triggered the original pause may attempt to exploit
> it again immediately after unpausing.

## Recovery Checklist

```
[ ] Root cause confirmed
[ ] Fix tested on testnet
[ ] Fix deployed to mainnet
[ ] Migration complete (if required)
[ ] Independent review complete
[ ] Community notified
[ ] Unpause executed
[ ] Post-mortem published within 72 hours
```

## Post-Mortem

Publish a post-mortem within 72 hours of unpausing covering:
- What happened
- How it was detected
- Impact on users
- The fix applied
- Steps taken to prevent recurrence
Loading