Incident Response

Incidents are a matter of when, not if, for teams running live protocols. Exploits move at block speed; your response plan must be decided before panic sets in. Users judge teams as much on communication and containment as on whether a bug existed in the first place.

Preparation means knowing who can pause contracts, who speaks publicly, and where logs live. Run tabletop exercises with realistic scenarios — bridge anomaly, oracle spike, admin key compromise — so roles are clear when minutes matter.

Pausing is not admitting defeat; it is triage. If your protocol has emergency stops, use them early while you assess scope. Delay often widens losses and erodes confidence.

Post-mortems should be public and technical. Share the timeline, the root cause, and what will change — new monitors, multisig requirements, expanded audit scope. Transparency does not undo losses, but it rebuilds the trust required to operate again.