Emergency Response
Inspired by Emergency Procedures for Yearn Finance
Questions remain to be answered:
In MMA's current design, all protocol changes must go through the Uniswap DAO process. Uniswap governance's timeline, requires several weeks before a proposal can be voted on and executed on-chain. In addition, fixes to the protocol will also have to publicly disclose vulnerabilities and afford a would-be attacker ample time to exploit the vulnerability. These factors make emergency response procedures difficult.
An open question to the community as MMA is proposed and discussed will be whether new kinds of proposals for security-related issues be implemented in Uniswap's governance proposal. If so, what should this look like and what are its potential implications?
Introduction
This document details the procedures and guidelines that should take place in the event of an emergency situation. Its purpose is to minimize the risk of loss of funds for Uniswap's users, Treasury, and Smart Contracts.
Definitions and Examples of Emergencies
For this document, an emergency situation is defined to be:
Any situation that could result in or has caused a loss of control over non-Ethereum Uniswap deployments.
This is a non-exhaustive list of possible emergency scenarios:
Bug/Exploit in the core MMA contracts.
Bug/Exploit in currently active adapter contracts for message passing.
Potential exploit discovered by a team or bounty program researcher
Active exploit/hack in progress discovered by an unknown party
Roles
In the event of an emergency situation, the following roles should be assigned to MMA contributors working to resolve the situation:
Facilitator
Bridge core devs
Ops
Legal
A contributor may be assigned up to two of these roles concurrently.
Facilitator
Facilitates the emergency handling and ensures the process described in this document is followed, engaging with the correct stakeholders and teams for the necessary decisions to be made quickly. A suitable Facilitator is any person familiar with the process and is confident that they can drive the team to follow through. It's expected that the person assigned to this role has relevant experience either from having worked real scenarios or through drill training.
Bridge core devs
In charge of coordinating and implementing quick changes to adapter contracts
Locate possible vulnerabilities in the adapter contracts.
Implement fixes to vulnerable contracts.
Ops
In charge of coordinating comms and operations assistance as required:
Clear with War Room what information and communication can be published during and after the incident
Coordinate Communications
Take note of timelines and events for disclosure
Legal
In charge of providing legal guidance during the process:
Communicate with the War Room on potential legal and tax considerations for the bug.
Provide clarity on the legal ground on potential fixes.
Emergency Steps
This acts as a guideline to follow when an incident is reported requiring immediate attention.
The primary objective is to minimize the loss of funds, in particular for Uniswap treasury. All decisions made should be driven by this goal.
Open a private chat room (War Room) with a voice channel and invite only the team members that are online that can cover the roles described above. The War Room is limited to members that act in the capacities of the designated roles, as well as additional persons that can provide critical insight into the circumstances of the issue and how it can best be resolved.
All the information that is gathered during the War Room should be considered private to the chat and not to be shared with third parties. Relevant data should be pinned and updated by the Facilitator for the team to have handy.
The team's first milestone is to assess the situation as quickly as possible: Confirming the reported information and determining how critical the incident is. A few questions to guide this process:
Is there confirmation from several team members/sources that the issue is valid? Are there example transactions that show the incident occurring? (Pin these in the War Room)
Are funds presently at risk? Is immediate action required?
Is the issue isolated or does it affect several chains? Which chains are impacted (Pin these in the War Room)
If there is no immediate risk of loss of funds, does the team still need to take preventive action or some other mitigation?
Is there agreement in the team that the situation is under control and that the War Room can be closed?
Once the issue has been confirmed as valid, the next step is to take immediate corrective action to prevent further loss of funds. If the root cause requires further research, the team must err on the side of caution and take emergency preventive actions while the situation continues to be assessed. A few questions to guide the decisions of the team:
Can bridge
The immediate corrective actions should be scripted or taken from the repository emergency-toolbox and executed ASAP. Multi-sig Herder and Strategist Lead should coordinate this execution within the corresponding roles. NOTE: This step is meant to give the War Room time to assess and research a more long-term solution.
Once corrective measures are in place and there is confirmation by multiple sources that funds are no longer at risk, the next objective is to identify the root cause. A few questions/actions during this step that can help the team make decisions:
What communications should be made public at this point?
Can research among members of the War Room be divided? This step can be open for team members to do live debug sessions sharing screens to help identify the problem using the sample transactions.
Once the cause is identified, the team can brainstorm to come up with the most suitable remediation plan and its code implementation (if required). A few questions that can help during this time:
In case there are many possible solutions can the team prioritize by weighing each option by time to implement and minimization of losses?
Can the possible solutions be tested and compared to confirm the end state fixes the issue?
Is there agreement in the War Room about the best solution? If not, can the objections be identified and a path for how to reach consensus on the approach be worked out, prioritizing the minimization of losses?
If a solution will take longer than a few hours, are there any further communications and preventive actions needed while the fix is developed?
Does the solution require a longer-term plan? Are there identified owners for the tasks/steps for the plan's execution?
Once a solution has been implemented, the team will confirm the solution resolves the issue and minimizes the loss of funds. Possible actions needed during this step:
Run in ganache fork simulations of end state to confirm the proposed solution(s)
Coordinate signatures from multi-sig signers and execution
Enable UI changes to normalize operations as needed
Assign a lead to prepare a disclosure (should it be required), preparing a timeline of the events that took place.
The team agrees when the War Room can be dismantled. The Facilitator breaks down the War Room and sets reminders if it takes longer than a few hours for members to reconvene.
Emergency Checklist
This checklist should be complemented with the steps
Tools
List of tools and alternatives in case primary tools are not available during an incident.
Code Sharing
Github
Communications*
Telegram
Discord
Transaction Details
Debugging
Foundry
Transaction Builder
Backup if gnosis safe Api is not working?
Screen Sharing*
Google Hangouts
Facilitator is responsible to ensure no unauthorized persons enter the War Room or join these tools via invite links that leak.
Incident Post Mortem
A Post Mortem should be conducted after an incident to gather data and feedback from War Room participants in order to produce actionable improvements for MMA processes such as this one.
Following the dissolution of a War Room, the Facilitator should ideally conduct an immediate informal debrief to gather initial notes before they are forgotten by participants.
This can then be complemented by a more extensive Post Mortem as outlined below.
The Post Mortem should be conducted at most a week following the incident to ensure a fresh recollection by the participants.
It is key that most of the participants of the War Room are involved during this session for an accurate assessment of the events that took place. Discussion is encouraged. The objective is to collect constructive feedback on how the process can be improved, and not to assign blame to any War Room participants.
Participants are encouraged to provide input on each of the steps. If a participant is not giving input, the Facilitator is expected to try to obtain more feedback by asking questions.
Post Mortem Outputs
List of what went well
List of what be improved
List of questions that came up in the Post Mortem
List of insights from the process
Root Cause Analysis along with concrete measures required to prevent the incident from ever happening again.
List of action items assigned to owners with estimates for completion.
Post Mortem Steps
Facilitator runs the session in a voice channel and shares a screen for participants to follow notes.
Facilitator runs through an agenda to obtain the necessary outputs.
For the Root Cause Analysis part, the Facilitator conducts an exercise to write the problem statement first and then confirm with the participants that the statement is correct and understood.
Root Cause Analysis can be identified with the following tools:
Brainstorming session with participants
Once Root Causes have been identified, action items can be written and assigned to willing participants that can own the tasks. It is recommended that an estimated time for completion is given. A later process can track completion of given assignments. Note: The action items need to be clear, actionable and measurable for completion
The Facilitator tracks completion of action items. The end result of the process should be an actionable improvement in the process. Some possible improvements:
Changes in the process and documentation
Changes in code and tests to validate
Changes in tools implemented and incorporated into the process
Last updated