By AUJay
DeFi Protocol Consultancy and Decentralized Finance Consulting: Designing Governance Modules for Emergency Shutdowns
Why you need an emergency shutdown that’s more than a big red button
The incidents of 2023 to 2025 drove home one lesson: “pause” is not one-size-fits-all. The protocols that rode through with the least disruption for users combined several scopes of control, including per-asset freezes, pool-level pauses, and full protocol halts, and backed them with clear governance: guardian multisigs, security councils, emergency DAOs, and automated tooling such as circuit breakers and monitoring.
MakerDAO’s Emergency Shutdown Module (ESM), Aave’s Guardian, Compound’s Pause Guardian, Curve’s Emergency DAO, and Balancer’s emergency subDAO each take a different approach and can be adapted to your needs. They offer different guarantees, delays, and scopes; each project’s official docs cover the details.
Outcomes to design for
Design emergency controls for these properties:
- Fast containment with minimal collateral damage: freezing one asset or market beats pausing everything. Aave’s v2/v3 setup lets its Guardian freeze specific assets and apply a “liquidations grace” period, which avoids cascading liquidations during recovery.
- Users keep access to their funds: redeem and repay stay open even while mint and borrow are halted. Compound’s Pause Guardian can only disable minting, borrowing, transferring, and seizing; it never blocks redeem or repay. In v2, unpausing required a governance vote; in v3 the guardian can unpause directly.
- Control is verifiable and time-bound: non-urgent actions go through a timelock, as with Compound’s 2-day minimum timelock on any admin change.
- A reliable global unwind exists if governance fails or an unrecoverable issue appears: see Maker’s ESM and its “End.cage()” settlement path. Note that the minimum MKR stake required to trigger the ESM was raised to 300,000 MKR on July 25, 2024, so size your adversary-cost assumptions accordingly.
Governance building blocks: choosing the right “emergency actor”
Three patterns dominate, and several protocols combine them.
1) Guardian Multisig (Emergency Admin)
- What it is: a community-elected multisig holding a narrow set of emergency powers. It can pause or freeze specific activity and veto malicious actions before they take effect.
- Where it works: Aave runs two Guardians: the Protocol Emergency Guardian (EMERGENCY_ADMIN), a 5-of-9 multisig, and the Governance Emergency Guardian, which holds veto power. The signers are listed publicly and span risk management, security, development, and delegates, so no single party dominates and the escalation path is clear. (aave.com)
- Practical knobs:
- Threshold and signer diversity: mix service providers and delegates to balance expertise and independence.
- Asset-level vs pool-level actions: a “FreezingSteward” lets emergency responders freeze quickly without a full governance proposal each time. (governance-v2.aave.com)
2) Security Council (L2s and rollups)
- What it is: a standing council that can act immediately in an emergency with a large quorum, while routine upgrades follow the slower governance process.
- Where it works: Arbitrum’s Security Council has 12 members and needs at least 9 of them for immediate Emergency Actions, followed by a transparency report. Non-emergency actions also need 9 of 12 but include an exit window for users. Optimism added LivenessGuard/Module to keep its quorum healthy and prevent stalls, plus a Deputy Guardian/Pause module for fast, single-purpose decisions. (docs.arbitrum.foundation)
- Practical tips:
- If your council runs on Safe, add liveness modules so inactive signers can be swapped out without changing thresholds.
- Establish a routine for publishing “transparency reports” after any incident. (docs.arbitrum.foundation)
3) Emergency DAO / subDAO
- What it is: a smaller body with authority to quickly shut down or pause pools and gauges when needed.
- Where it works: Curve’s Emergency DAO paused CRV rewards for exploited pools in August 2023. Balancer’s emergency subDAO (4-of-7) can pause or enable recovery mode for a limited period while funds remain withdrawable, and some Balancer deployments ship with a built-in three-month “emergency pause window,” after which the system can no longer be stopped. (cointelegraph.com)
- Practical knobs:
- Use time-limited pause windows to converge on an unstoppable system.
- As you scale, automate pauses across chains with Safe modules. (forum.balancer.fi)
Technical levers: freeze, pause, shutdown--know the differences
- Soft freeze (per-asset): pause new borrows, mints, or market listings for one asset; repay and redeem stay open. Aave’s freezing, combined with the Liquidations Grace Sentinel, adds grace periods during which liquidations are held back, which makes reopening the market much smoother.
- Pool-level pause: pause swaps and deposits in specific pools while withdrawals continue. Balancer’s emergency pause and “recovery mode” are built to keep exits non-custodial and simple.
- Protocol-wide halt with settlement: Maker’s Emergency Shutdown Mechanism (ESM) triggers a global settlement so Dai holders and vault users receive their pro-rata share. The key parameter is the trigger threshold: as of July 25, 2024, the ESM minimum is 300k MKR.
Best Practice: Keep Your Blast Radius Small
Start with the smallest blast radius you can, and reserve a full global shutdown for governance capture or invariant breaks that cannot be recovered from.
Circuit breakers that actually work (beyond “pause()”)
- ERC/EIP-7265, the proposed circuit breaker standard, rate-limits token outflows and can pause when specific metrics go out of bounds, which contains damage while an incident unfolds. The proposal is still under discussion, but the pattern is usable in your flows today. (ethereum-magicians.org)
- Synthetix set the precedent for both decentralized and centralized circuit breakers: SIP-65 suspends a synth when its price moves too much too fast, and SIP-231 specifies an off-chain triggered breaker with explicit delta thresholds and downtime statistics you can tune. Expect several short pauses in a single day during volatile markets, so prepare your UX and alerting for that. (sips.synthetix.io)
- If your system cannot tolerate full reverts, look at time-bucket outflow limiters such as those suggested in EIP-5075; they cap losses during a hack without changing your architecture. (ethereum-magicians.org)
Calibration tip: start with “soft breaker” thresholds that cap growth but still allow deleveraging, and escalate to a “hard breaker” when oracle or invariant checks fail.
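A worked version of the tiered soft/hard breaker and outflow limiter described above, added here as an example: it is not the post’s own code nor an implementation of EIP-7265 itself. It assumes OpenZeppelin’s AccessControl; the role names, the rolling-window accounting and the `_healthChecksPass` hook are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
/// @notice Two-tier breaker plus an EIP-7265-style rolling-window outflow limiter. The soft tier
/// auto-clears after a cooldown once health checks pass; the hard tier clears only via governance.
contract TieredCircuitBreaker is AccessControl {
    bytes32 public constant BREAKER_ROLE = keccak256("BREAKER_ROLE");       // guardian or monitoring automation
    bytes32 public constant GOVERNANCE_ROLE = keccak256("GOVERNANCE_ROLE"); // timelocked governor
    bytes32 public constant PROTECTED_ROLE = keccak256("PROTECTED_ROLE");   // vaults/bridges that report outflows
    enum Tier { None, Soft, Hard }
    Tier public tier;
    uint256 public softTrippedAt;
    uint256 public immutable softCooldown; // seconds a soft trip stays active before it may be cleared
    struct OutflowLimit {
        uint256 windowSeconds;          // bucket length, e.g. 4 hours
        uint256 maxBps;                 // per-window cap in basis points of liquidity at window start
        uint256 windowStart;
        uint256 liquidityAtWindowStart;
        uint256 outflowInWindow;
    }
    mapping(address => OutflowLimit) public limits;
    event Tripped(Tier level, string reason);
    event OutflowCapHit(address indexed asset, uint256 requested, uint256 remaining);
    constructor(address governance, address breaker, uint256 softCooldownSeconds) {
        _grantRole(DEFAULT_ADMIN_ROLE, governance);
        _grantRole(GOVERNANCE_ROLE, governance);
        _grantRole(BREAKER_ROLE, breaker);
        softCooldown = softCooldownSeconds;
    }
    // Entry paths (mint/borrow) gate on entriesAllowed(); exit paths (redeem/repay) gate on
    // exitsAllowed(), so a soft trip never blocks users from leaving.
    function entriesAllowed() public view returns (bool) { return tier == Tier.None; }
    function exitsAllowed() public view returns (bool) { return tier != Tier.Hard; }
    function trip(Tier level, string calldata reason) external onlyRole(BREAKER_ROLE) { _trip(level, reason); }
    /// @dev Anyone may clear a soft trip once the cooldown has elapsed and the health-check hook passes.
    function clearSoft() external {
        require(tier == Tier.Soft, "not soft-tripped");
        require(block.timestamp >= softTrippedAt + softCooldown, "cooldown active");
        require(_healthChecksPass(), "health checks failing");
        tier = Tier.None;
    }
    /// @dev Hard trips clear only through the governance/high-threshold path, after the post-mortem checklist.
    function clearHard() external onlyRole(GOVERNANCE_ROLE) {
        require(tier == Tier.Hard, "not hard-tripped");
        tier = Tier.None;
    }
    function configureLimit(address asset, uint256 windowSeconds, uint256 maxBps) external onlyRole(GOVERNANCE_ROLE) {
        require(maxBps <= 10_000, "bps > 100%");
        limits[asset].windowSeconds = windowSeconds;
        limits[asset].maxBps = maxBps;
    }
    /// @notice A vault/bridge calls this before releasing `amount` of `asset`, passing its current liquidity.
    /// Returns false rather than reverting, so the caller can queue or delay the withdrawal instead of failing.
    function recordOutflow(address asset, uint256 amount, uint256 currentLiquidity)
        external onlyRole(PROTECTED_ROLE) returns (bool allowed)
    {
        if (tier == Tier.Hard) return false;
        OutflowLimit storage l = limits[asset];
        if (l.windowSeconds == 0) return true;                     // no limit configured for this asset
        if (block.timestamp >= l.windowStart + l.windowSeconds) {  // roll into a fresh bucket
            l.windowStart = block.timestamp;
            l.liquidityAtWindowStart = currentLiquidity;
            l.outflowInWindow = 0;
        }
        uint256 cap = l.liquidityAtWindowStart * l.maxBps / 10_000;
        uint256 remaining = l.outflowInWindow >= cap ? 0 : cap - l.outflowInWindow;
        if (amount > remaining) {
            emit OutflowCapHit(asset, amount, remaining);
            _trip(Tier.Soft, "outflow cap");                      // halt new entries until health checks clear
            return false;
        }
        l.outflowInWindow += amount;
        return true;
    }
    function _trip(Tier level, string memory reason) internal {
        require(level != Tier.None, "use clearSoft/clearHard");
        if (uint8(level) < uint8(tier)) return;  // never downgrade a hard trip to soft
        tier = level;
        if (level == Tier.Soft) softTrippedAt = block.timestamp;
        emit Tripped(level, reason);
    }
    /// @dev Hypothetical hook: override to check oracle staleness and sequencer uptime in a real deployment.
    function _healthChecksPass() internal view virtual returns (bool) { return true; }
}
```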
L2‑specific risk: sequencer downtime and fairness protections
On rollups, a sequencer halt creates an uneven playing field. Gate critical actions on the Chainlink L2 Sequencer Uptime Feed, and wait a grace period after the “sequencer up” signal before resuming liquidations or borrows. Chainlink’s documentation provides reference implementations and guarantees event ordering, so your guard flips before any dependent transaction goes through. (docs.chain.link)
Practical pattern we use for our clients:
- Read the Uptime Feed’s “answer” and “startedAt” values.
- If the sequencer is down, block sensitive actions immediately. Once it is back up, apply a grace period of 30 to 60 minutes before resuming normal operations, and record this in your incident runbook so the risk team knows when it is safe to unfreeze. (7blocklabs.com)
Security reviews commonly flag missing sequencer checks as medium-to-high risk, so automate tests for this case. (github.com)
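The sequencer check and grace period above, as an added Solidity example (not code from Chainlink or from the original post). The feed interface is a minimal inline copy of Chainlink’s AggregatorV3Interface, the 0/1 answer semantics and the startedAt meaning are Chainlink’s documented ones, and the stub market and its function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @dev Minimal subset of Chainlink's AggregatorV3Interface (the real one ships in @chainlink/contracts),
/// declared inline so this file compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// @notice Gates price-sensitive actions on the L2 Sequencer Uptime Feed plus a post-restart grace period.
/// Feed semantics per Chainlink docs: answer == 0 means the sequencer is up, answer == 1 means it is down,
/// and startedAt is the timestamp at which the current status began.
contract SequencerGuard {
    AggregatorV3Interface public immutable sequencerUptimeFeed;
    uint256 public immutable gracePeriod; // seconds to wait after "sequencer up", e.g. 3600 for a 60-minute policy

    error SequencerDown();
    error FeedNotInitialized();
    error GracePeriodNotOver(uint256 secondsRemaining);

    constructor(address feed, uint256 gracePeriodSeconds) {
        sequencerUptimeFeed = AggregatorV3Interface(feed);
        gracePeriod = gracePeriodSeconds;
    }

    /// @return up           true if the feed currently reports the sequencer as up
    /// @return sinceRestart seconds since the current "up" status began (0 while down)
    function sequencerStatus() public view returns (bool up, uint256 sinceRestart) {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        // A zero startedAt would make the grace check pass trivially; treat it as "not safe" instead.
        if (startedAt == 0) revert FeedNotInitialized();
        up = (answer == 0);
        sinceRestart = up ? block.timestamp - startedAt : 0;
    }

    /// @dev Reverts while the sequencer is down and for gracePeriod seconds after it comes back.
    modifier whenSequencerHealthy() {
        (bool up, uint256 sinceRestart) = sequencerStatus();
        if (!up) revert SequencerDown();
        if (sinceRestart <= gracePeriod) revert GracePeriodNotOver(gracePeriod - sinceRestart);
        _;
    }
}

/// @notice Stub market: borrows and liquidations wait out the grace period; repay is never blocked.
contract L2MarketStub is SequencerGuard {
    event Borrowed(address indexed user, uint256 amount);
    event Liquidated(address indexed borrower);
    event Repaid(address indexed borrower, uint256 amount);

    constructor(address feed, uint256 gracePeriodSeconds) SequencerGuard(feed, gracePeriodSeconds) {}

    function borrow(uint256 amount) external whenSequencerHealthy { emit Borrowed(msg.sender, amount); }
    function liquidate(address borrower) external whenSequencerHealthy { emit Liquidated(borrower); }
    function repay(uint256 amount) external { emit Repaid(msg.sender, amount); }
}
```

A fork test that sets the feed to “down”, then “up” with a fresh startedAt, should see borrow and liquidate revert until the grace period has elapsed while repay succeeds throughout.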
Automation: connect monitoring to narrow‑scoped authority
Manual multisigs are slow against atomic attacks. Pair high-precision monitoring with narrowly scoped emergency rights:
- The Forta Attack Detector feed correlates alerts across the four stages of an attack (funding, preparation, exploitation, and laundering), which gives a clearer picture and reduces false positives. Case studies show detections minutes before an exploit lands, as with Euler. Use it to automatically pause a specific market or function when confidence is high. (docs.forta.network)
- Wire responders through ops tooling. OpenZeppelin’s Monitor replaces Defender’s older workflows and covers alerting and automated responses; Forta offers one-click subscriptions and Threat Detection Kits for DeFi, Stablecoin, Bridge, and Governance that can be set up in a few hours. (docs.openzeppelin.com)
- Route all automation through a limited “EmergencyPauser” role that can toggle specific breakers or freeze assets but cannot move funds.
Incident‑driven examples: what worked, what changed
- MakerDAO: In 2024, governance tightened the ESM, raising the MKR threshold from 150k to 300k, and cut the GSM pause delay to 16 hours for certain actions. If global settlement is your backstop, revisit your adversary cost and detection windows. (vote.makerdao.com)
- Aave: After a technical issue, the Guardian paused GHO and governance then froze it. To make future emergency restarts smoother, Aave introduced the FreezingSteward and the Liquidations Grace Sentinel, favoring a gentler crisis response that prioritizes exits over a hard stop. (governance-v2.aave.com)
- Curve/Balancer: In 2023, Curve’s Emergency DAO quickly halted rewards for compromised pools so no new liquidity would be drawn in. Balancer created an emergency subDAO able to pause new deployments for three months, and partnered with Hypernative on an automated pause module launching in 2025 that responds across multiple chains. (cointelegraph.com)
- Rollups: Arbitrum’s council uses a 9-of-12 emergency threshold with transparency reports after any action. Optimism shipped Safe extensions (LivenessGuard/Module and DeputyGuardian) that keep emergency governance responsive without sacrificing safety. If you build on L2s, consider adopting these patterns in your app-level governance. (docs.arbitrum.foundation)
Blueprint: an emergency governance module you can ship this quarter
1) Access Control and Wiring
- During normal operations, put upgrade and parameter authority behind a TimelockController, or a Governor paired with a Timelock. Create a dedicated Safe for the “EmergencyPauser/Freezer” role with no upgrade powers, and use role modifiers so only that role can call the pause or freeze functions and, where needed, set a liquidation grace period. (docs.openzeppelin.com)
2) Roles and Thresholds
- Emergency Guardian: 5-of-9 or 4-of-7 signers with mixed backgrounds (risk, security, development, delegates). Publish signer names and affiliations, and define rotation and recusal rules.
- Security Council (if applicable): adopt LivenessGuard or a similar module, target a 75% quorum for emergencies, and define a deputy process for single-purpose pauses.
3) Levers and Scopes
- Choose the scopes your product needs: per-asset freeze, pool-level pause, protocol-wide breaker, or full shutdown.
- Add a Liquidations Grace Sentinel so markets reopen without liquidation spikes. (governance-v2.aave.com)
4) Circuit Breakers (Tiered)
- Soft Breaker: pauses mints or borrows on oracle anomalies or L2 sequencer issues, and resets automatically once health checks pass.
- Hard Breaker: stops everything on an invariant breach or suspected exploit; resetting requires governance or a high-threshold guardian, following a post-mortem checklist.
- Optional Outflow Limiter: an EIP-7265-style cap for treasuries and bridges. (ethereum-magicians.org)
5) Monitoring and Automation
- Subscribe to Forta kits (DeFi, Stablecoin) and the Attack Detector, connect them to your on-call system, and create an emergency pauser autotask. Keep the automation’s private key behind a Safe Module with limited permissions. (docs.forta.network)
6) Time-boxing and Unstoppable Ethos
- For AMM/LP systems, set a fixed “pause window”, for example 3 months after launch. After it closes the system can no longer be paused, but recovery mode remains available to protect users. Document this so everyone knows what to expect. (balancer.gitbook.io)
7) Oracle and L2 Hygiene
- Set max staleness and deviation limits for every asset, monitor L2 sequencer uptime, and build in a grace period before liquidations or other price-sensitive actions resume. Publish these parameters along with the governance process for changing them. (docs.chain.link)
8) Multi-chain Playbook
- Deploy the guardian Safe on every chain you use with identical signer sets and thresholds. Pre-approve pause and freeze calls for all deployments and rehearse the signing ceremonies. Compound’s cross-chain guardian procedures are a good reference. (github.com)
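Steps 1, 2, 3 and 6 of the blueprint above, as one added Solidity example (not the post’s own code): a guardian role that can freeze assets, grant a bounded liquidation grace, and use a time-boxed protocol-wide pause, with no upgrade or fund-moving power. It assumes OpenZeppelin’s AccessControl; the role names, the stub market and its function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

/// @notice Emergency levers behind a narrow guardian role: per-asset freeze, liquidation grace period,
/// and a time-boxed protocol-wide pause. The guardian has no upgrade or fund-moving power; upgrades and
/// parameters stay behind GOVERNANCE_ROLE, which also holds DEFAULT_ADMIN_ROLE and can rotate guardians.
abstract contract EmergencyModule is AccessControl {
    bytes32 public constant GOVERNANCE_ROLE = keccak256("GOVERNANCE_ROLE");             // TimelockController
    bytes32 public constant EMERGENCY_PAUSER_ROLE = keccak256("EMERGENCY_PAUSER_ROLE"); // guardian Safe, e.g. 5-of-9
    uint256 public immutable pauseWindowEnd; // after this timestamp the protocol-wide pause is no longer available
    uint256 public maxGracePeriod;           // upper bound on any liquidation grace the guardian may grant
    bool public protocolPaused;
    mapping(address => bool) public frozen;                   // asset => new borrows/mints blocked
    mapping(address => uint256) public liquidationGraceUntil; // asset => liquidations wait until this timestamp
    event AssetFrozen(address indexed asset, bool frozen);
    event LiquidationGraceSet(address indexed asset, uint256 until);
    event ProtocolPaused(bool paused);

    constructor(address governance, address guardian, uint256 pauseWindowSeconds, uint256 maxGraceSeconds) {
        _grantRole(DEFAULT_ADMIN_ROLE, governance);
        _grantRole(GOVERNANCE_ROLE, governance);
        _grantRole(EMERGENCY_PAUSER_ROLE, guardian);
        pauseWindowEnd = block.timestamp + pauseWindowSeconds; // e.g. 90 days
        maxGracePeriod = maxGraceSeconds;                       // e.g. 1 day
    }

    // ---- guardian levers: scoped, reversible, no fund movement ----
    function setAssetFrozen(address asset, bool isFrozen) external onlyRole(EMERGENCY_PAUSER_ROLE) {
        frozen[asset] = isFrozen;
        emit AssetFrozen(asset, isFrozen);
    }
    /// @dev Liquidations-grace pattern: when unfreezing, give borrowers time to top up before liquidations resume.
    function unfreezeWithGrace(address asset, uint256 graceSeconds) external onlyRole(EMERGENCY_PAUSER_ROLE) {
        require(graceSeconds <= maxGracePeriod, "grace too long");
        frozen[asset] = false;
        liquidationGraceUntil[asset] = block.timestamp + graceSeconds;
        emit AssetFrozen(asset, false);
        emit LiquidationGraceSet(asset, liquidationGraceUntil[asset]);
    }
    /// @dev The protocol-wide pause only works inside the pause window; afterwards the protocol is unstoppable
    /// and per-asset freezes are the only lever left. Unpausing is always allowed.
    function setProtocolPaused(bool paused) external onlyRole(EMERGENCY_PAUSER_ROLE) {
        require(!paused || block.timestamp < pauseWindowEnd, "pause window closed");
        protocolPaused = paused;
        emit ProtocolPaused(paused);
    }

    // ---- governance-only parameter, behind the timelock ----
    function setMaxGracePeriod(uint256 maxGraceSeconds) external onlyRole(GOVERNANCE_ROLE) {
        maxGracePeriod = maxGraceSeconds;
    }

    // ---- gates for the market to apply on each path ----
    modifier entryAllowed(address asset) {
        require(!protocolPaused, "protocol paused");
        require(!frozen[asset], "asset frozen");
        _;
    }
    modifier liquidationAllowed(address asset) {
        require(block.timestamp >= liquidationGraceUntil[asset], "liquidation grace active");
        _;
    }
}

/// @notice Minimal lending market stub showing which paths each lever touches; accounting is omitted.
contract LendingMarketStub is EmergencyModule {
    event Borrowed(address indexed user, address indexed asset, uint256 amount);
    event Repaid(address indexed user, address indexed asset, uint256 amount);
    event Liquidated(address indexed borrower, address indexed asset);
    constructor(address governance, address guardian)
        EmergencyModule(governance, guardian, 90 days, 1 days) {}
    function borrow(address asset, uint256 amount) external entryAllowed(asset) {
        emit Borrowed(msg.sender, asset, amount);
    }
    /// @dev Repay (and redeem) are never gated: users can always reduce exposure or exit.
    function repay(address asset, uint256 amount) external {
        emit Repaid(msg.sender, asset, amount);
    }
    function liquidate(address borrower, address asset) external liquidationAllowed(asset) {
        emit Liquidated(borrower, asset);
    }
}
```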
Testing and drills: what to prove before mainnet
- Unit/invariant tests: verify that pause and freeze never block user withdrawals or repayments, and that settlement routines follow the expected rules.
- Fork simulations: run your exploit playbooks on a fork and measure how quickly monitoring detects the problem and triggers a pause.
- Governance fire drills: once a quarter, stage mock incidents with your signers across all chains and check that you hit your MTTD/MTTR targets.
- Oracle and L2 tests: simulate stale feeds and sequencer downtime, and confirm that the soft breaker and grace period logic behave as intended.
KPIs your board will understand
- Time to Contain (TTC): time from a high-confidence alert to a successful freeze or pause of everything that needs it.
- User Exit Friction: percentage of users who can still redeem or repay during an emergency.
- False Pause Rate: number of automated pauses not followed by governance confirmation. Keep it low by using precise feeds such as Forta’s Attack Detector. (forta.org)
- Post-Incident Transparency SLA: time from an emergency action to a public transparency report, especially when working with a Security Council. (docs.arbitrum.foundation)
Pitfalls we still see in 2025-2026 audits
- A heavy-handed “pause everything” strategy that hurts user experience and composability when a targeted per-asset freeze would have done the job.
- Missing L2 sequencer checks, which lead to unfair liquidations when the sequencer comes back.
- Emergency keys that can also upgrade code or move funds; emergency access should be tightly scoped and easily reversible.
- No automation: alerts only go to email or Slack. If your multisig needs 4 to 9 human signatures at 3 a.m., you are already losing time when it matters most.
Brief, in‑depth case walkthrough: Balancer’s evolving emergency stack
- 2023: A “critical vulnerability” led Balancer to activate an emergency subDAO. Users received guidance on how to exit the affected pools safely, with the non-custodial pause enabled so exits stayed simple. (blockworks.co)
- Pattern hardening: Balancer added safeguards such as emergency subDAO authorization, a recovery mode, and a time-limited pause window, all documented in its docs and pool factories. (docs.balancer.fi)
- 2025: Balancer began rolling out automated Safe modules (Hypernative) across chains that pause specific v6 pools when they detect anomalous activity. Older pools without active pause windows remain exposed, which underlines how important automation and time-limited permissions are. (forum.balancer.fi)
Takeaway: ship automation and make sure new deployments carry solid safeguards; older deployments may need a migration plan or a gradual phase-out.
What to ship next if you’re starting today
- Define emergency actor(s): create a Guardian multisig with a 5-of-9 configuration and document all signers. For an L2 or other critical deployment, add a Security Council. (aave.com)
- Set up per-asset freeze and liquidation grace: keep a protocol-wide pause available for emergencies, but make per-asset freezing the first lever. (governance-v2.aave.com)
- Add tiered circuit breakers: implement both soft and hard breakers, and consider ERC-7265-style outflow limits for treasuries and bridges.
- Wire monitoring to action: connect the Forta Attack Detector and OpenZeppelin Monitor to a secured EmergencyPauser module, and run fork tests to confirm you hit your SLA targets. (docs.forta.network)
- If you run on L2s: enforce Sequencer Uptime Feed checks with a grace period, and state the policy clearly in your documentation and UI. (docs.chain.link)
- Publish your incident response policy: when you may pause operations, how you will communicate, and how you will recover, plus a commitment to post-mortems.
How 7Block Labs can help
We design and implement emergency governance tailored to your protocol’s risk profile: Guardian configurations, Safe modules, circuit-breaker libraries, Forta/monitoring pipelines, and incident runbooks, all validated by fork-based red-teaming. If your board wants credible assurance of resilience without “rug-pull” admin powers, we help you put in place clear, effective controls your users can trust.
References for Deeper Dives:
- MakerDAO ESM: docs and CLI, plus the July 25, 2024 executive that raised the ESM threshold to 300k MKR.
- Compound Timelock & Pause Guardian: Compound’s governance updates, including how v2 and v3 handle unpausing (Medium).
- Aave Guardians: the FreezingSteward and the Liquidations Grace Sentinel on Aave’s governance forum.
- Curve Emergency DAO: the 2023 actions of Curve’s emergency DAO and the decision to stop rewards for hack-related pools (CoinTelegraph).
- Balancer Emergency Measures: Balancer’s emergency pause and subDAO, and the Hypernative module launching in 2025 (GitBook).
- ERC/EIP-7265 Circuit Breaker: the circuit breaker standard discussion and Synthetix’s circuit breaker SIPs (65 and 231) (Ethereum Magicians).
- Chainlink L2 Sequencer Uptime Feed: best practices for the L2 Sequencer Uptime Feed (docs.chain.link).
- Security-Council Safe Extensions: Optimism’s Safe extensions and the Arbitrum Security Council’s constitution.
If you need a tailored emergency governance design review, 7Block Labs will go through your contracts, markets, and threat model, then work with your team until the response is second nature through practice.