By AUJay
What to Do If Your Smart Contract Gets Hacked: An Emergency Guide
The specific headache you’ll face in the first 60 minutes
Your on-call notifications are lighting up: strange outflows, liquidity taking a nosedive, and users are losing it in Discord. To make things worse, your pause function doesn't cover the vault proxy, and the governance timelock is making you wait a whole day. Plus, the attacker is keeping a close eye on the public mempool. Every minute you delay just ramps up the damage, complicates the forensic work you have to do for regulators, and piles on the reconciliation tasks that will keep your finance team busy for weeks. On top of that, corporate counsel is reminding you that any sort of “negotiation” or bounty could run afoul of OFAC rules if the other party happens to be sanctioned--those civil penalties can hit hard. (docs.flashbots.net)
What makes this harder for Enterprises than DeFi‑native teams
- Your incident response playbook is all set with a SOC 2 audit, but it leans heavily towards Web2. It doesn’t touch on important aspects like “pause guardians,” private mempool operations, or cross-chain forensic checkpoints. These days, NIST SP 800-61r3 expects your incident response to sync up with CSF 2.0 across areas like Govern, Identify, Protect, Detect, Respond, and Recover. Be ready to demonstrate that alignment during post-mortems and when dealing with vendor due diligence. (csrc.nist.gov)
- If you’re managing hosted Web3 operations, the clock is ticking. OpenZeppelin has started winding down the hosted Defender service, with a full retirement planned for July 1, 2026. Now’s the time to figure out a self-hosted monitor/relayer or seek out a new provider--trust me, you don’t want to find out you’re unprepared when a crisis hits. (blog.openzeppelin.com)
- The threat landscape is looking pretty grim: in 2025, we saw around $3.35 billion lost in Web3, mainly due to supply chain breaches and wallet/key incidents. Executive teams (and their insurers) are going to expect you to have “blast-radius limits” integrated into your protocol design--not just relying on audits. (certik.com)
The risks of waiting or improvising
- Missed containment windows: When public mempool transactions get “paused,” they can easily be sandwiched or censored. An attacker might just swoop in and front-run your mitigation efforts, leaving you with drained queues or causing headaches during your upgrades. Using private order flow through Flashbots Protect is a must for any emergency admin calls. (docs.flashbots.net)
- Sanctions and payout exposure: If you're thinking about paying a “bounty” or even just talking on-chain with someone who’s been sanctioned, watch out! That could lead to reporting requirements, licensing issues, or even penalties. Your compliance team will definitely reference OFAC’s virtual currency guidance and their strict, no-nonsense approach. (ofac.treasury.gov)
- Reputational drag measured in quarters: Even when funds get mostly recovered (like with Euler) or returned (like with Munchables), the aftermath--think refund logistics, chain analysis, and governance fixes--can really slow you down. It’s like having an operational debt that eats up your roadmap, makes procurement trickier, and messes with your renewal cycles. (euler.finance)
- Auditor and insurer scrutiny: Get ready for more questions about how safe your upgrades are (especially concerning UUPS initialization risks), key separation, emergency roles, and whether you’ve got those all-important “circuit-breaker” controls in place to limit outflows. (security.snyk.io)
7Block’s technical-but-pragmatic methodology
Here’s the exact process our engineers follow. It combines on-chain controls (Solidity, governance, mempool strategy, and ZK attestations) with the Enterprise IR artifacts that your CISO, GC, and procurement teams need.
0-60 minutes: Contain, preserve, communicate
1) Freeze Outflows Without Alerting the Attacker
- Use private order flow to handle urgent admin tasks (like pausing, revoking roles, or clamping parameters) through Flashbots Protect RPC--this way, you can keep your intentions hidden from the public mempool. Make sure to set it to fast mode to efficiently multiplex builders within a block. (docs.flashbots.net)
- If you’ve got a circuit-breaker (ERC-7265) in place, you should set a hard limit on net outflows and queue up settlements. This is quickly becoming a standard in DeFi, helping to "cap" potential losses and give governance some breathing room. If you haven’t implemented it yet, we can set up a minimal gateway to route outflows through a breaker contract for those critical pools or vaults. (ethereum-magicians.org)
2) Lock Control Planes and Separate Keys
- Start by flipping the AccessManager/AccessManaged gates so that only a role we’ll call the “Security Council” can access those sensitive selectors. For non-emergency roles, set some temporary execution delays to keep things safe. If you’re using Safe, make sure to add the Zodiac Roles Modifier to really narrow down what emergency operators can do. (docs.openzeppelin.com)
- If you’re dealing with upgradeable proxies (like UUPS or Transparent), it’s super important to verify the initializer status on your implementation contracts. This helps prevent any sneaky hijacking that could occur through uninitialized logic. Remember to snapshot your storage layout and hold off on any upgrades until you’ve thoroughly reviewed the differences. (docs.openzeppelin.com)
3) Preserve Evidence and Start Triage with Law-Enforcement-Ready Trails
- First off, snapshot the node state, logs, and traces. Set up QuickNode Streams backfills (transactions, logs, receipts, and traces) into immutable storage so the chain of custody holds up.
- Next, start parallel graphing in Chainalysis Reactor to track funds across chains, DEXs, and bridges, so you’re lined up for subpoenas or exchange notifications if it comes to that.
4) Communicate with clarity
- Put out a focused incident notice; share confirmed addresses instead of guesses. If you're thinking about a public bounty, make sure to do OFAC checks and get some legal advice first. Don’t forget to direct users to the approval-revocation guidance (Permit2 or ERC-20 allowances). (ofac.treasury.gov)
5) Call in the right rescuers
- Reach out to SEAL 911 for some solid white-hat coordination. If you can, leverage Flashbots Whitehat to group those "rescue" transactions, getting ahead of any sweeper bots. These resources have a proven track record of recovering funds and offer a standardized way to escalate your situation. (securityalliance.org)
Where 7Block Comes In
We set up the war room, take care of private order flow, refresh access policies on-chain, and work closely with Chainalysis/TRM and our legal team. This all helps ensure your incident response stance stays SOC 2-defensible.
Day 1-3: Stabilize and verify
- Forensic Baselining
- Start by running invariant checks on the contracts that are affected. Use traces to pinpoint any unusual internal call paths or delegatecall patterns that event-only monitors might miss. The good news is that QuickNode Streams now supports debug_trace backfills for this, making your job a lot easier! (quicknode.com)
- Next up, you’ll want to compare the deployed bytecode with your repository releases. This helps ensure there are no sneaky shadow upgrades, slot collisions, or unexpected storage layout drift (these are pretty common hiccups with UUPS). (docs.openzeppelin.com)
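As an added illustration of the trace triage above (not QuickNode’s or OpenZeppelin’s code), the helper below walks a Geth callTracer-style frame tree and flags a known proxy delegating to anything but its expected implementation, delegatecalls issued by contracts that are not registered proxies, and selfdestructs. The addresses and the trace are constructed.

```python
"""Triage helper for debug_trace output: walk a Geth callTracer-style frame tree
and flag delegatecall / selfdestruct frames that event-only monitors never see.
Added example, not QuickNode's or OpenZeppelin's code; addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    path: str        # position in the tree, e.g. "root/0/2" = third child of the first child
    kind: str        # what was unusual about the frame
    frame_from: str  # context address that made the call
    frame_to: str    # target of the call


def find_suspicious_frames(trace: dict, expected_impls: dict[str, str]) -> list[Finding]:
    """expected_impls maps proxy address -> the implementation it should delegate to.
    Reported: a known proxy delegating anywhere else, a delegatecall issued by a
    contract that is not a registered proxy, and any SELFDESTRUCT frame."""
    proxies = {p.lower(): impl.lower() for p, impl in expected_impls.items()}
    findings: list[Finding] = []

    def walk(frame: dict, path: str) -> None:
        kind = frame.get("type", "").upper()
        src = frame.get("from", "").lower()
        dst = frame.get("to", "").lower()
        if kind == "DELEGATECALL":
            if src in proxies and dst != proxies[src]:
                findings.append(Finding(path, "proxy delegated to unexpected implementation", src, dst))
            elif src not in proxies:
                findings.append(Finding(path, "delegatecall from non-proxy contract", src, dst))
        elif kind == "SELFDESTRUCT":
            findings.append(Finding(path, "selfdestruct during call", src, dst))
        for i, child in enumerate(frame.get("calls", [])):   # depth-first, in execution order
            walk(child, f"{path}/{i}")

    walk(trace, "root")
    return findings


# Constructed sample: an EOA calls the proxy; the implementation calls a helper
# contract, which delegatecalls to a rogue address; then the proxy itself is made
# to delegate to that rogue address (the shape of an implementation hijack).
PROXY, IMPL = "0x" + "a1" * 20, "0x" + "b2" * 20
HELPER, ROGUE = "0x" + "c3" * 20, "0x" + "d4" * 20
SAMPLE_TRACE = {
    "type": "CALL", "from": "0x" + "e5" * 20, "to": PROXY, "input": "0x8456cb59",  # pause()
    "calls": [
        {"type": "DELEGATECALL", "from": PROXY, "to": IMPL, "calls": [
            {"type": "CALL", "from": PROXY, "to": HELPER, "calls": [
                {"type": "DELEGATECALL", "from": HELPER, "to": ROGUE, "calls": []},
            ]},
        ]},
        {"type": "DELEGATECALL", "from": PROXY, "to": ROGUE, "calls": []},
    ],
}

if __name__ == "__main__":
    for f in find_suspicious_frames(SAMPLE_TRACE, {PROXY: IMPL}):
        print(f"{f.path}: {f.kind} ({f.frame_from} -> {f.frame_to})")
```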
- Hardening the Control Plane
- Set up AccessManager rules that have execution delays for non-emergency admin calls. Don’t forget to label your guardians and migrate those Ownable endpoints through the manager so we can stick to our policies across the board. (docs.openzeppelin.com)
- Over on Safe, let’s add Zodiac Roles to limit which function selectors and parameters emergency operators can access. This way, we can avoid having those “all-powerful” keys during those high-stress situations. (github.com)
- Runtime monitoring with actionability
- Set up Tenderly Alerts to kick off Web3 Actions that can do things like clamp down on parameters or trigger a pause when certain thresholds are crossed. It goes beyond just notifying people--this makes sure you’re ready to act! (docs.tenderly.co)
- Communications and compliance
- Keep everything in one place. Legal updates should include OFAC FAQ 646, which gives guidance on reporting blocked property, especially if there are any frozen funds involved with SDN exposure. (ofac.treasury.gov)
Day 4-30: Recovery, refunds, rebuild
- User Refunds Without Custody Creep
- If you’ve managed to recover funds or get balances back on track, go ahead and handle claim distributions using Merkle proofs. When it comes to jurisdiction or investor status, make sure to gate claims using zk‑KYC attestations--this way, you're keeping things private while still meeting compliance needs. No need to collect personal info directly!
- For wallets that might be in trouble due to lingering approvals, offer revoke/approve paths that are aware of Permit2. It’s also a good idea to educate users about time‑bounded signatures and batch revocations to keep everything safe.
- Let’s retro-fit the protocols to “limit blast radius” next time
- Test out those ERC‑7265 circuit breakers on vault/AMM outflows, using some conservative bands for each asset. Research shows that daily net outflows over 25-40% can be pretty unusual for a lot of pools. Make sure to tune, simulate, and get everything lined up with governance. (dailycoin.com)
- Shift over to OpenZeppelin Contracts v5.x and AccessManager; swap out the old ad-hoc onlyOwner setup for something more role-based, and consider using delayed execution where it makes sense. Don’t forget to validate your upgrades with the OZ Upgrades Plugins and get all UUPS implementations initialized. (openzeppelin.com)
- Ditch those plain “alerts” and switch to auto-actions (Tenderly Web3 Actions). Plus, self-host your monitoring/relaying to align with the Defender sunset timeline, making sure your SOC 2 controls don’t run into any vendor-EOL issues. (openzeppelin.com)
- Legal, insurance, and GTM cleanup
- Make sure your post-incident review lines up with the NIST SP 800-61r3 lifecycle. Don't forget to update your vendor questionnaires, RPO/RTO, and tabletop exercise logs to capture those on-chain controls and private order flow procedures. (csrc.nist.gov)
- Private pause transaction (ops outline)
- First up, build the calldata for pause(), setGuard(), and setTargetClosed().
- Next, route it through the Flashbots Protect fast endpoint with no-revert inclusion, after simulating it on an isolated fork. The end result? Your admin intent stays under wraps, out of the public mempool, which minimizes the chances of any griefing.
- “Breaker gateway” without a complete overhaul
- Implement vault transfers via a simple circuit‑breaker pass‑through contract for assets A/B; establish thresholds, queue mode, and a 24-hour cool‑down. Deploy this on a per-pool basis instead of across the whole system to minimize integration risks. (ethereum-magicians.org)
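A runnable model of that pass-through breaker, written for this page in Python (not the ERC-7265 reference implementation and not 7Block’s code): it nets deposits against withdrawals over a rolling window, trips when net outflow exceeds the configured band of window-start liquidity, queues rather than reverts once tripped, and refuses to re-arm before the cool-down. The 24-hour window, the basis-point threshold and the user/amount figures are assumptions.

```python
"""Model of a per-asset circuit-breaker gateway in the spirit of ERC-7265 (added
illustration, not the ERC's reference code): net outflow over a rolling window is
capped at a band; above it the breaker trips, later withdrawals are queued rather
than executed, and only after a cool-down can governance re-arm and release them."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field

WINDOW = 24 * 3600      # rolling accounting window in seconds (assumption: 24h)
COOLDOWN = 24 * 3600    # the 24-hour cool-down from the outline above


@dataclass
class AssetBreaker:
    liquidity: int                      # pool balance of this asset
    threshold_bps: int                  # 3000 = trip when net outflow > 30% of window-start liquidity
    tripped_at: int | None = None
    queued: list[tuple[str, int]] = field(default_factory=list)
    flows: deque = field(default_factory=deque)   # (timestamp, signed amount), newest last

    def _window_outflow(self, now: int) -> int:
        """Net outflow inside the window; inflows offset outflows."""
        while self.flows and self.flows[0][0] <= now - WINDOW:
            self.flows.popleft()
        return -sum(amount for _, amount in self.flows)

    def deposit(self, amount: int, now: int) -> None:
        self.liquidity += amount
        self.flows.append((now, amount))

    def withdraw(self, user: str, amount: int, now: int) -> str:
        """Returns 'executed' or 'queued'; a tripped breaker never reverts the request."""
        if amount > self.liquidity:
            raise ValueError("insufficient liquidity")
        if self.tripped_at is not None:            # already tripped: queue everything
            self.queued.append((user, amount))
            return "queued"
        net_out = self._window_outflow(now)
        start_liquidity = self.liquidity + net_out  # balance at the start of the window
        if start_liquidity > 0 and (net_out + amount) * 10_000 > start_liquidity * self.threshold_bps:
            self.tripped_at = now
            self.queued.append((user, amount))
            return "queued"
        self.liquidity -= amount
        self.flows.append((now, -amount))
        return "executed"

    def rearm_and_release(self, now: int) -> list[tuple[str, int]]:
        """Governance action: only after the cool-down; settles the whole queue (a real
        gateway would let governance reject individual items before release)."""
        if self.tripped_at is None or now < self.tripped_at + COOLDOWN:
            raise PermissionError("cool-down has not elapsed")
        self.tripped_at = None
        released, self.queued = self.queued, []
        for _, amount in released:
            self.liquidity -= amount
            self.flows.append((now, -amount))
        return released
```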
- Access hardening in one sprint
- Introduce the AccessManager, restrict access on sensitive selectors, and assign a Security Council role using a 7‑of‑11 multisig setup via Safe + Zodiac Roles. This will cover important functions like pause(), setFee(), setGuardian(), and upgradeTo(). Plus, let's add in some execution delays of 2-6 hours for any changes initiated by governance. (docs.openzeppelin.com)
- Refunds with compliance stoppers
- Share a Merkle root of the balances that qualify, and ask for zk‑KYC proof to make a claim when your legal folks need to set jurisdiction filters (like only letting Reg D participants in). No raw PII goes through your contracts; an on-chain verifier just checks a proof bit. (zk.me)
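A stand-alone model of that claim flow, added here as an example (not 7Block’s or zk.me’s code): eligible balances go into a Merkle tree with sorted-pair hashing, every claim must carry a valid proof plus a compliance attestation bit, and each address can claim once. It assumes sha256 in place of keccak256 so it runs without an EVM library, and the balances are constructed.

```python
"""Merkle-gated refund claims with a compliance attestation bit and replay protection.
Added example, not 7Block's or zk.me's code. Assumption: sha256 stands in for
keccak256 so this runs stand-alone; the sorted-pair scheme matches on-chain verifiers."""
from __future__ import annotations
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(address: str, amount: int) -> bytes:
    # double-hash leaves so an internal node can never be presented as a leaf
    return h(h(bytes.fromhex(address[2:]) + amount.to_bytes(32, "big")))

def _pair(a: bytes, b: bytes) -> bytes:
    return h(a + b) if a < b else h(b + a)  # sorted pair: proofs need no position bits

def build_tree(leaves: list[bytes]) -> list[list[bytes]]:
    """levels[0] are the leaves, levels[-1] is [root]; an odd last node is carried up."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_pair(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def proof_for(levels: list[list[bytes]], index: int) -> list[bytes]:
    proof = []
    for level in levels[:-1]:
        if index ^ 1 < len(level):          # no sibling means the node was carried up
            proof.append(level[index ^ 1])
        index //= 2
    return proof

def verify(root: bytes, leaf_hash: bytes, proof: list[bytes]) -> bool:
    node = leaf_hash
    for sibling in proof:
        node = _pair(node, sibling)
    return node == root

class RefundClaims:
    """Models the claim contract: Merkle eligibility, attestation bit, one claim per address."""
    def __init__(self, root: bytes, attested: set[str]):
        self.root, self.claimed = root, set()
        self.attested = {a.lower() for a in attested}  # stands in for the zk-KYC verifier's proof bit

    def claim(self, address: str, amount: int, proof: list[bytes]) -> bool:
        addr = address.lower()
        if addr in self.claimed or addr not in self.attested:
            return False                                 # replay, or no valid attestation
        if not verify(self.root, leaf(addr, amount), proof):
            return False                                 # not in the published balances
        self.claimed.add(addr)
        return True

# Constructed eligible balances (address, amount); only the first two are attested below.
BALANCES = [("0x" + "a1" * 20, 1_000), ("0x" + "b2" * 20, 2_500), ("0x" + "c3" * 20, 40)]
LEVELS = build_tree([leaf(a, n) for a, n in BALANCES])
ROOT = LEVELS[-1][0]
```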
- Forensics that can stand up to scrutiny
- Get QuickNode Streams up and running for backfilling blocks, logs, receipts, and traces into S3 with those handy object locks. Plus, use Chainalysis Reactor across 27+ chains to give exchanges a heads-up and shorten those cash-out windows. (quicknode.com)
Prove: what “good” looks like in the market and the KPIs we drive
- Measurable containment: Teams that are using private orderflow for admin calls have managed to cut down on failed or frontrun mitigation attempts to almost nothing when things get tough. Flashbots Protect was built to keep transactions out of sight from frontrunners, and it only includes non-reverting calls.
- Funds actually come back when the war room is competent:
- Euler’s ~$200M exploit: A big chunk of it was returned thanks to some smart negotiations and well-coordinated on-chain operations; they re-opened redemptions a few weeks later.
- Munchables: They snagged back around ~$62M once they secured the keys and swept the funds into a multisig; it really highlights the importance of key hygiene and quick teamwork.
- White-hat rescues: There are documented stories of recoveries using MEV bundles and counter-exploits that show why having pre-approved responders and playbooks is crucial.
- Governance and ops maturity: These days, NIST 800-61r3 alignment, melding with CSF 2.0, is what CISOs, boards, and auditors want for incident response. We’re translating on-chain controls to fit that framework.
- Ecosystem-standard tooling:
- Circuit-breaker (ERC-7265): More teams are adopting this as a way to keep outflows in check during anomalies--it's a sensible defensive move, but it’s not a magic solution.
- Defender sunset: We’re moving our monitors and relayers to self-hosted OSS before July 1, 2026, to steer clear of any operational cliffs that auditors and insurers might flag.
What 7Block Labs delivers, end‑to‑end
- 24/7 Incident Response and Remediation War Room: This is all about keeping things moving smoothly with private orderflow ops, breaker gating, access reconfiguration, forensic backfill, and coordination with Chainalysis.
- Post-Incident Hardening and Audits: After we've tackled an incident, we focus on strengthening our defenses. This includes threat modeling, ensuring safe upgrades, designing governance, defining emergency roles, and piloting ERC-7265.
- Procurement-Ready Documentation: We make sure everything is ready to go with SOC 2-aligned runbooks, thoughtful vendor risk responses, tabletop exercises, RPO/RTO mapping, and post-mortem artifacts that your stakeholders will be happy to sign off on.
Let’s dive into how we handle and check these controls across different areas:
Smart Contract Upgrades, Governance, and Runbooks
We focus on solid smart contract development and offer top-notch security audit services to ensure everything runs smoothly.
Incident-Ready Protocol Engineering and Integrations
Our team specializes in custom blockchain development services and seamless blockchain integration to keep things on track, especially when unexpected issues arise.
Cross-Chain Risk Controls and Bridge Design
We create reliable cross‑chain solutions and design effective blockchain bridges to manage risks and enhance connectivity across different networks.
End-User Claims and dApp UX for Refunds/Recalls
We’re all about improving user experiences, and that’s why we offer comprehensive dApp development and solid asset management platform development to handle claims and refunds efficiently.
Actionable Checklist for Your Runbook
- Use private order flow for any emergency transaction.
- Cap outflows by design. Consider implementing the ERC‑7265 pilot on high‑TVL components.
- Centralize access with delays. Use AccessManager and set up scoped emergency roles with Zodiac Roles.
- Backfill traces and receipts right away. Make sure to store them immutably for audits.
- Coordinate with Chainalysis/SEAL 911 early. It's crucial to log every step for SOC 2 evidence.
Book a 90-Day Pilot Strategy Call
Ready to kick things off? Let's set up a 90-Day Pilot Strategy Call! It's a great opportunity to dive deep into your goals and map out a plan that gets you moving in the right direction.
Looking forward to chatting soon!
Get a free security quick-scan of your smart contracts
Submit your contracts and our engineer will review them for vulnerabilities, gas issues and architecture risks.