Crisis Handbook - Smart Contract Hack

Authors: Igor Line (Nascent), plotchy (Nascent)

Actions Checklist

Perform Immediately

Perform in Parallel by Role

Information Gathering

Issue Description

Events Timeline

Transactions Involved

Affected Addresses

Funds Movement

Attacker Information

Post Incident Actions

Appendix

Advice to Keep in Mind

Key Roles

Suggested Tools and Platforms

SEAL Message Template

Duplicating This Document

Actions Checklist

Perform Immediately

Perform in Parallel by Role

Analysis

  • Scope the impact of the attack

Protocol actions

  • Take immediate corrective/preventative actions to prevent (further) loss of funds

  • Pause contracts if possible
  • Execute premade defensive scripts
  • Prioritize proposed solutions

  • Validate and execute solution

  • Prepare monitoring alerts for situations that require future actions

Web actions

  • Disable deposits and/or withdrawals as needed in web UI
  • Enable frontend IP or Address blacklisting
  • Create frontend for any user actions necessary (approval revoking, fund migrating, ...)

Communications

  • Identify social platforms that communications on the incident must be sent to
  • Prepare messages for incident communication internally and externally
  • Gather security contacts for any potentially affected downstream protocols (bridges, lending protocols)
  • Notify block explorers (like Etherscan) for attacker address labeling
  • Continuously monitor social media for users providing additional information that aids whitehat efforts
  • Monitor War Room efforts and maintain Event Timeline

After all of the above is complete, consider Post Incident Actions

Information Gathering

Information will primarily be shared and acted upon in the War Room. As time allows, we recommend consolidating intel in the below section to achieve the following:

  • Accurately scope the incident impact
  • Inform new war room members and third parties efficiently
  • Aid external communication

This is the chief duty of the Scribe.

Issue Description

<Provide a description of the issue at hand>

Events Timeline

Record events to construct an overall timeline of the incident. Events worth recording:

  • First notice of incident
  • War room creation
  • External communications
  • Attack transactions
  • Transactions performed by team

Record times in UTC (use a UTC time converter if needed).

Date-Time (UTC) | Event Description          | Notes
----------------|----------------------------|------
                | Attack Tx #1               |
                | First notice of incident   |
                | War room creation          |
                | Protocol tweet of incident |

Transactions Involved

Record all transactions related to the incident.

Transaction Link | Notes
-----------------|------
                 |

Affected Addresses

Record affected addresses related to the incident. Protocol contracts, bridges, users, etc.

Address Link | Status | Notes
-------------|--------|------
             |        |

Status values: At Risk, Impacted, Paused, Saved, Needs Review, Uncertain

Funds Movement

Record funds movement to assess the impact of the incident and to organize recovery efforts.

  • Original address that held the funds
  • Transaction that moved the funds
  • Assets + amounts the funds are comprised of
  • Destination the funds moved to (contract, CEX, bridge, mixer)
  • Recovery Status of the funds

We recommend using Phalcon Tx Explorer to aid in recording funds movement.

Origin | Transaction | Amount / Asset | Destination | Recovery Status | Notes
-------|-------------|----------------|-------------|-----------------|------
       |             |                |             |                 |

Recovery Status values: Needs Review, In Progress, Recovered, Uncertain
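An added example (not part of the handbook) of how the Scribe can fill this table from a list of transfer hops exported from a trace explorer. All addresses, labels, amounts and transaction ids below are constructed placeholders; the tracer follows funds from the drained origin addresses hop by hop, tags destinations with the table's categories and sums what still sits at each destination type.

```python
from collections import defaultdict

# Constructed placeholder labels, not real addresses. Destination types follow the
# Funds Movement table (Contract, CEX, Bridge, Mixer); unlabeled recipients are EOAs.
KNOWN = {"0xBRIDGE": "Bridge", "0xCEX": "CEX", "0xMIXER": "Mixer", "0xRECOVERY": "Contract"}
RECOVERY = {"0xRECOVERY"}  # protocol-controlled; funds arriving here count as recovered
# Constructed sample hops in chronological order: (tx, from, to, asset, amount)
TRANSFERS = [
    ("0xtx1", "0xVAULT", "0xA1", "USDC", 1_000_000),
    ("0xtx1", "0xVAULT", "0xA1", "WETH", 300),
    ("0xtx2", "0xA1", "0xBRIDGE", "USDC", 400_000),
    ("0xtx3", "0xA1", "0xA2", "USDC", 600_000),
    ("0xtx4", "0xA1", "0xMIXER", "WETH", 100),
    ("0xtx5", "0xA2", "0xCEX", "USDC", 100_000),
    ("0xtx6", "0xOTHER", "0xA2", "USDC", 5),           # unrelated inflow, must not be traced
    ("0xtx7", "0xA2", "0xRECOVERY", "USDC", 500_000),  # returned to the protocol
]

def trace_funds(origins, transfers, known=KNOWN, recovery=RECOVERY):
    """Follow funds hop by hop from the drained origin addresses. Returns (rows, held,
    drained): rows mirror the Funds Movement table as (origin, tx, amount/asset,
    destination type, recovery status); held maps each downstream address to the traced
    amount it still holds per asset; drained totals what left the origins per asset.
    A hop larger than the sender's traced balance (attacker mixing in own funds) is
    counted whole, so negative held amounts need manual review."""
    origin_of = {o: o for o in origins}   # downstream address -> origin of its funds
    held = defaultdict(lambda: defaultdict(int))
    drained = defaultdict(int)
    rows = []
    for tx, src, dst, asset, amount in transfers:
        if src not in origin_of:
            continue                      # sender is not downstream of the incident
        origin_of.setdefault(dst, origin_of[src])
        if src in origins:
            drained[asset] += amount
        else:
            held[src][asset] -= amount
        held[dst][asset] += amount
        status = "Recovered" if dst in recovery else "Needs Review"
        rows.append((origin_of[src], tx, f"{amount} {asset}", known.get(dst, "EOA"), status))
    return rows, held, dict(drained)

def where_funds_sit(held, known=KNOWN):
    """Traced funds still sitting at each destination type, per asset (impact summary)."""
    totals = defaultdict(lambda: defaultdict(int))
    for addr, assets in held.items():
        for asset, amount in assets.items():
            if amount > 0:
                totals[known.get(addr, "EOA")][asset] += amount
    return {k: dict(v) for k, v in totals.items()}
```

Feed it the hops in block order; funds that reach a CEX or bridge are the ones to raise with that service's security contact first.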

Attacker Information

Gather attacker information to aid legal efforts and fund recovery.

Address Link | Funded By | Notes
-------------|-----------|------
             |           |

Post Incident Actions

  • Confirm incident has been resolved
  • Create monitoring alerts for situations requiring future actions
  • Prepare scripts to perform any actions related to monitoring events in the future
  • Consider creating additional defensive scripts (pause/upgrade) to use for future situations
  • Schedule a Post Mortem writeup
  • Post the writeup to relevant social medias
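For the monitoring-alert items here and under Protocol actions, an added example (not part of the handbook) of one rule a team can keep ready: it flags a watched protocol address whose balance drops by more than a threshold over a window of blocks, and mutes that address for a cooldown so a drain in progress does not page once per block. Balances, addresses and block numbers are constructed placeholders; in practice they would be polled from a node or a monitoring service.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    rule: str
    address: str
    block: int
    detail: str

# Constructed sample per-block balances of watched protocol contracts (not real chain
# data), as polled from a node each block: {block: {address: balance}}
BALANCES = {
    100: {"0xVAULT": 1_000_000, "0xTREASURY": 50_000},
    101: {"0xVAULT": 990_000, "0xTREASURY": 50_000},
    102: {"0xVAULT": 985_000, "0xTREASURY": 50_000},
    103: {"0xVAULT": 700_000, "0xTREASURY": 50_000},   # ~29% leaves the vault in one block
    104: {"0xVAULT": 690_000, "0xTREASURY": 50_000},
    105: {"0xVAULT": 680_000, "0xTREASURY": 20_000},   # treasury drops 60%
}

def balance_drop_alerts(balances, watch, max_drop_pct=10.0, window=1, cooldown=3):
    """Alert when a watched address loses more than max_drop_pct of its balance over
    `window` consecutive blocks. After firing, the address is muted for `cooldown`
    blocks so a single drain does not produce one alert per block."""
    alerts, muted_until = [], {}
    blocks = sorted(balances)
    for i in range(window, len(blocks)):
        prev_b, cur_b = blocks[i - window], blocks[i]
        for addr in watch:
            before, after = balances[prev_b].get(addr), balances[cur_b].get(addr)
            if not before or after is None or cur_b < muted_until.get(addr, 0):
                continue                  # no baseline, no reading, or still muted
            drop = (before - after) * 100.0 / before
            if drop > max_drop_pct:
                alerts.append(Alert("balance_drop", addr, cur_b,
                                    f"{before} -> {after} ({drop:.1f}% over {window} block(s))"))
                muted_until[addr] = cur_b + cooldown
    return alerts
```

Tune the threshold per contract: a lending pool sees legitimate large withdrawals that a treasury never should.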

Appendix

Advice to Keep in Mind

  • Limit the war room occupancy. Be careful not to invite too many people during the early stages; sensitive information is being shared, so be wary.
  • Make it clear to war room members to not publicize information without the protocol’s consent.
  • Do not speak to the press / news / publications.

Key Roles

  • Operations - Initiates War Room, assigns roles, distributes tasks, herds multisig participants
      <Person Responsible>
  • Scribe - Consolidates gathered information for efficiency in knowledge-share.
      <Person Responsible>
  • Strategy Lead - Prioritize actions, consider trade-offs of decisions
      <Person Responsible>
  • Protocol Lead - Responsible for smart-contract actions (pausing, upgrading, etc.)
      <Person Responsible>
  • Web/Infrastructure Lead - Responsible for updating frontend, managing servers
      <Person Responsible>
  • External Communicator - Social media, user communications
      <Person Responsible>

Suggested Tools and Platforms

Name (Type): Notes

  • Discord (Platform): A familiar platform for web3 collaboration. Spin up a server quickly using our recommended template: https://discord.new/CkADqy5aWsAH
      Tips for use: New users must be granted the `approved` role before they can view chats. Upon creation, grant yourself the `approved` role, and share an invite link with trusted members.
  • Telegram (Platform): A familiar platform for web3 collaboration.
      Tips for use: Upon New Group creation, enable chat history as visible to new members. To do this, Info -> Edit -> Chat History For New Members -> Visible
  • Google Hangouts (Platform)
  • Phalcon Tx Explorer (Tx Analysis)
  • Openchain Trace Explorer (Tx Analysis)
  • Tenderly Tx Explorer (Tx Analysis, Debugging): Some features require login
  • Tenderly Alerts (Monitoring): Monitor addresses, on-chain actions, etc. Requires login
  • MetaSleuth (Monitoring): Monitor fund movement. 50 address limit. Requires login, premium feature
  • Github / Gist (Code Sharing): Create a private repo or secret gists and share the link with war room participants only.
  • CodeShare (Code Sharing): Sessions expire after 24 hrs
  • HackMD (Code Sharing): Private notes become published after ~48 hrs. Be very careful with sensitive information!

SEAL Message Template

Fill out with relevant information and send to SEAL 911 Bot

Protocol: [Protocol Name]

Attack Tx(s): [Transaction Hash(es)]

Funds at Risk: [Estimated Amount in USD or Token]

[Brief Description of the incident]


Duplicating This Document

In this document:

File -> Make a Copy

  • Change name as desired
  • Uncheck “Share it with the same people”
  • Uncheck “Copy comments and suggestions”

In the newly copied document:

File -> Share -> Share with others -> General Access

  • Change “Restricted” to “Anyone with the link”
  • Change “Viewer” to “Editor”

Copy link and send to trusted members.
