Best Practices

Emergency Response: What to Do When Your Protocol Gets Hacked

Kennedy Owiro · October 12, 2025 · 9 min read

Your protocol has been exploited. Funds are being drained. The clock is ticking. What you do in the first 30 minutes determines whether you lose $1M or $100M. This is the incident response playbook that every DeFi team should have ready before they need it.

Phase 1: Detection (0-5 Minutes)

  • Automated alerts: Forta bots, OZ Defender Sentinels, or custom monitoring should trigger on unusual transactions
  • Community reports: Twitter/Discord users may notice before your monitoring does
  • On-chain dashboards: Unusual TVL changes, large withdrawals, unexpected contract interactions

First action: Confirm the exploit is real. Don't panic over a false alarm, but don't dismiss a real one. Check the attacking transaction on Etherscan/block explorer.
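The kind of rule an automated monitor fires on in this phase, as an added example that is not part of the original article: it flags a single withdrawal that takes too large a share of TVL and a rolling-window drain across several transactions. The events and thresholds are constructed assumptions, not real protocol data.

```python
"""Phase-1 style monitor (added example): flag withdrawals that drain a
large share of TVL, the kind of rule a Forta bot or Defender Sentinel runs.
Events and thresholds below are constructed assumptions, not article data."""
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Withdraw:
    block: int
    sender: str
    amount: int  # token base units, constructed

SINGLE_TX_PCT = 0.10  # one withdrawal > 10% of TVL (assumed threshold)
WINDOW_BLOCKS = 50    # rolling window for cumulative outflow (assumed)
WINDOW_PCT = 0.25     # > 25% of pre-window TVL leaving inside the window (assumed)

def scan(events, tvl_start):
    """Return (kind, block, sender, share_of_tvl) alerts in block order."""
    alerts, tvl, recent, window_open = [], tvl_start, deque(), False
    for ev in sorted(events, key=lambda e: e.block):
        # expire window entries older than WINDOW_BLOCKS
        while recent and ev.block - recent[0][0] >= WINDOW_BLOCKS:
            recent.popleft()
        # rule 1: single withdrawal measured against TVL before it executes
        if tvl > 0 and ev.amount / tvl > SINGLE_TX_PCT:
            alerts.append(("single_tx", ev.block, ev.sender, round(ev.amount / tvl, 3)))
        tvl -= ev.amount
        recent.append((ev.block, ev.amount))
        # rule 2: cumulative outflow in the window, against TVL before that outflow
        outflow = sum(a for _, a in recent)
        base = tvl + outflow
        tripped = base > 0 and outflow / base > WINDOW_PCT
        if tripped and not window_open:  # alert once per excursion, not per tx
            alerts.append(("window", ev.block, ev.sender, round(outflow / base, 3)))
        window_open = tripped
    return alerts

# Constructed sample: routine activity, then a fast drain from one address.
SAMPLE_EVENTS = [
    Withdraw(100, "0xalice", 20_000),
    Withdraw(120, "0xbob", 30_000),
    Withdraw(200, "0xcarol", 15_000),
    Withdraw(300, "0xattacker", 150_000),
    Withdraw(302, "0xattacker", 90_000),
    Withdraw(305, "0xattacker", 60_000),
]

def sample_alerts():
    return scan(SAMPLE_EVENTS, tvl_start=1_000_000)
```

In production the same two rules would be fed from decoded Withdraw logs and routed to the guardian multisig's paging channel, since an alert nobody sees is no detection at all.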

Phase 2: Containment (5-30 Minutes)

  1. Pause the protocol — Execute emergency pause function (you DO have one, right?)
  2. Revoke compromised keys — If admin keys were leaked, rotate immediately
  3. Alert bridges/exchanges — Request they freeze the attacker's address
  4. Contact security partners — Immunefi, Seal 911, Chainalysis can help track funds

```solidity
// You should have this deployed and tested BEFORE an incident
// (OpenZeppelin v5 path; in v4 it lives under contracts/security/Pausable.sol)
pragma solidity ^0.8.20;
import "@openzeppelin/contracts/utils/Pausable.sol";

contract Protocol is Pausable {
    // Guardian should be a fast-response multisig (2-of-3),
    // NOT the same as the protocol admin multisig
    address public immutable guardian;
    event EmergencyPaused(address indexed guardian, uint256 timestamp);
    modifier onlyGuardian() { require(msg.sender == guardian, "not guardian"); _; }
    constructor(address _guardian) { guardian = _guardian; }
    function emergencyPause() external onlyGuardian {
        _pause();
        emit EmergencyPaused(msg.sender, block.timestamp);
    }
}
```

Phase 3: Communication (30-60 Minutes)

  • Public announcement on Twitter: "We are aware of an incident and are investigating"
  • Discord announcement: Same message + pin
  • DO NOT speculate on losses until confirmed
  • DO NOT blame or name anyone
  • Provide updates every 30-60 minutes minimum

Phase 4: Analysis (1-24 Hours)

  • Root cause analysis: How did they get in?
  • Scope assessment: How much was taken? What's still at risk?
  • Fund tracing: Where are the stolen funds going?
  • Consider offering a bug bounty: "Return 90%, keep 10%, no legal action"

Phase 5: Recovery (1-7 Days)

  • Deploy fix for the vulnerability (audit the fix!)
  • Plan for user reimbursement (if applicable)
  • Publish detailed post-mortem
  • Engage law enforcement if appropriate
  • Review and improve monitoring/response procedures

Pre-Incident Checklist

  • ✅ Emergency pause function deployed and tested
  • ✅ Fast-response guardian multisig (2-of-3, available 24/7)
  • ✅ Real-time monitoring with automated alerts
  • ✅ Incident response runbook documented and accessible
  • ✅ Security contact published (security.txt)
  • ✅ Relationships with Immunefi, Seal 911, Chainalysis established
  • ✅ Team communication channel (encrypted, always-on)

The best emergency response is prevention. Audit your contracts so you never need this playbook — but have it ready in case you do.

Tags: incident response, emergency, hack response, DeFi, protocol recovery, post-mortem

Written by

Kennedy Owiro

Founder & CTO, Vultbase

14+ years building security and QA systems at scale. Background in fintech security and Web3 smart contract testing. Built Vultbase's Intelligence Engine with 1,200+ exploit patterns from $40B+ in historical DeFi losses.
