Emergency response

Pipeline follows an Ethena-style emergency model. GUARDIAN (2/5 Safe) takes instant, granular defensive actions; restoring service requires the 48h ADMIN timelock.

No single-call "revoke everything" switch exists. Every action names what it is doing to what — a reviewable record with a bounded blast radius.
Incident response — GUARDIAN contains instantly by pausing contracts and revoking named operational-role holders one at a time; ADMIN restores under the 48-hour timelock.

Walkthrough

  1. Watchdog detects an anomaly — unexpected whitelist grants, cumulative-counter drift, or a rate-limit breach.
  2. GUARDIAN instantly pauses PLUSD, DepositManager, and WithdrawalQueue as defence in depth.
  3. GUARDIAN calls AccessManager.cancel(actionId) on any pending ADMIN scheduled actions.
  4. GUARDIAN submits revokeRole(YIELD_MINTER, bridgeAddr) — Bridge can no longer mint yield even with both signatures.
  5. GUARDIAN submits revokeRole(FUNDER, bridgeAddr) — Bridge can no longer fund withdrawal-queue entries.
  6. GUARDIAN submits revokeRole(WHITELIST_ADMIN, bridgeAddr) — Bridge can no longer modify the whitelist.
  7. ADMIN investigates and, if needed, rotates the yield-attestor key via proposeYieldAttestors (48h delay, GUARDIAN can cancel).
  8. ADMIN re-grants operational roles one by one — each under the 48h timelock, GUARDIAN-cancelable.
  9. ADMIN calls unpause() on each paused contract (48h delay each).

GUARDIAN’s toolkit

Action                                  Target                                           Timelock
pause()                                 Any pausable contract                            Instant
AccessManager.cancel(actionId)          Pending scheduled actions                        Instant
AccessManager.revokeRole(role, holder)  YIELD_MINTER, FUNDER, WHITELIST_ADMIN, TRUSTEE   Instant

What GUARDIAN cannot do

A compromised GUARDIAN can grief (pause, cancel, revoke operational-role holders) but cannot escalate, unpause, or move funds. Restoration of service is strictly ADMIN’s job, gated by the 48h timelock and itself GUARDIAN-cancelable.

Playbooks

Bridge operational-key compromise

Watchdog flags anomalous setAccess calls or drift in the cumulative mint counters. GUARDIAN pauses PLUSD, DepositManager, and WithdrawalQueue, then submits three separate revokeRole transactions — YIELD_MINTER, FUNDER, and WHITELIST_ADMIN — within minutes. Even a fully compromised Bridge mints zero yield afterwards, funds no withdrawals, and cannot touch the whitelist. Deposits remain atomic and unaffected by Bridge compromise because DepositManager has no Bridge dependency. ADMIN then rotates keys under the 48h timelock.
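The watchdog trigger from walkthrough step 1 and from this playbook, as an added Python example that is not part of Pipeline's own code: it scans a constructed event stream for the three anomalies the page names (unexpected whitelist grants, cumulative-counter drift, rate-limit breach) and maps any hit to the ordered list of GUARDIAN's instant containment calls. The event field names, the window size, the mint cap, the onboarding record and the bridge address are assumptions for the example.

```python
WINDOW_SECONDS = 3600            # assumed rate-limit window (seconds)
MAX_MINT_PER_WINDOW = 1_000_000  # assumed yield-mint cap per window
BRIDGE = "0xBRIDGE_PLACEHOLDER"  # placeholder for bridgeAddr

def scan(events, approved_grantees):
    """Return (alert_kind, detail) tuples for the three anomalies the walkthrough names."""
    alerts, seen_total, window = [], 0, []
    for ev in events:
        if ev["kind"] == "setAccess":
            # A whitelist grant to an address nobody onboarded is unexpected.
            if ev["allowed"] and ev["account"] not in approved_grantees:
                alerts.append(("unexpected_whitelist_grant", ev["account"]))
        elif ev["kind"] == "yieldMint":
            seen_total += ev["amount"]
            window = [(t, a) for t, a in window if ev["ts"] - t < WINDOW_SECONDS]
            window.append((ev["ts"], ev["amount"]))
            if sum(a for _, a in window) > MAX_MINT_PER_WINDOW:
                alerts.append(("rate_limit_breach", ev["ts"]))
        elif ev["kind"] == "counterSample":
            # The on-chain cumulative counter must equal the mints we observed;
            # a gap means yield was minted through a path the watchdog did not see.
            drift = ev["cumulative"] - seen_total
            if drift:
                alerts.append(("counter_drift", drift))
    return alerts

def containment_plan(alerts):
    """GUARDIAN's instant actions from the walkthrough, one named call each."""
    if not alerts:
        return []
    plan = [f"pause({c})" for c in ("PLUSD", "DepositManager", "WithdrawalQueue")]
    plan.append("AccessManager.cancel(<each pending ADMIN actionId>)")
    plan += [f"AccessManager.revokeRole({r}, {BRIDGE})"
             for r in ("YIELD_MINTER", "FUNDER", "WHITELIST_ADMIN")]
    return plan

# Constructed sample event stream, not real chain data.
SAMPLE_EVENTS = [
    {"kind": "yieldMint", "ts": 0, "amount": 300_000},
    {"kind": "counterSample", "ts": 100, "cumulative": 300_000},
    {"kind": "setAccess", "ts": 200, "account": "0xALICE", "allowed": True},
    {"kind": "setAccess", "ts": 300, "account": "0xMALLORY", "allowed": True},
    {"kind": "yieldMint", "ts": 400, "amount": 500_000},
    {"kind": "yieldMint", "ts": 500, "amount": 300_000},
    {"kind": "counterSample", "ts": 600, "cumulative": 1_200_000},
]
```

Running `scan(SAMPLE_EVENTS, {"0xALICE"})` yields one alert of each kind; `containment_plan` then returns the three pauses, the cancel and the three separate revokeRole calls in the order the walkthrough submits them.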

Trustee key compromise

GUARDIAN revokes TRUSTEE on LoanRegistry instantly. The compromised key can no longer write to LoanRegistry. Capital flows are unaffected because LoanRegistry has no capital touchpoints and is not a NAV source. The Trustee is also a Capital Wallet cosigner, but a single-key Trustee compromise cannot move USDC alone — Bridge cosign is required. Trustee rotation follows the standard 48h ADMIN path.

Custodian yield-attestor compromise

The custodian revokes its own key internally. The compromised key alone cannot mint — Bridge signature and YIELD_MINTER caller role are independent requirements. ADMIN calls proposeYieldAttestors(sameBridge, newCustodian) under the 48h timelock. During the window, yield mints can continue safely: the old attestor alone cannot mint, and the compromise is bounded by the Bridge signature and caller-role requirements that still apply.