# Channel Manager Incident Runbook
Short runbook for PaymentChannelManager and GenericStateChannelManager: pause, unpause, and replace admin.
## When to pause
- Suspected bug or exploit in open/fund or state handling.
- Upgrade or migration (pause new activity while in-flight channels settle).
- Security incident: stop new channel opens and funding; existing channels can still close.
## How to pause
- **Who**: Current `admin` (or multisig that is admin).
- **Call**: `pause()` on the contract (PaymentChannelManager or GenericStateChannelManager).
- **Effect**: `openChannel` and `fundChannel` revert with "paused". `closeChannelCooperative`, `submitClose`, `challengeClose`, and `finalizeClose` remain callable so in-flight channels can settle.
## How to unpause
- **Who**: Current `admin`.
- **Call**: `unpause()`.
- **Effect**: New channels can be opened and funded again.
## How to replace admin
- **Who**: Current `admin`.
- **Call**: `setAdmin(newAdmin)` with the new address (e.g. new multisig).
- **Recommendation**: Use a multisig as `newAdmin`; avoid an EOA in production.
## Contracts and addresses
- Document deployed addresses in [PAYMENT_CHANNELS_DEPLOYMENT.md](../deployment/PAYMENT_CHANNELS_DEPLOYMENT.md).
- Ensure only the intended multisig/EOA has admin before and after replacement.
## Monitoring
- Monitor `Paused`, `Unpaused`, and `AdminChanged` events.
- Alert on unexpected pause or admin change.
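
One way to implement the alerting described under Monitoring, as an added example that is not part of this runbook or the project's code. It assumes the logs are already decoded into records with `name`, `contract`, `newAdmin` and `time` fields (the runbook does not list the event parameters); the addresses, times and change window are constructed placeholders.

```javascript
// Added example. Assumed record shape (not from the runbook):
// { name, contract, newAdmin, time }, newAdmin present only on AdminChanged.
// All addresses, times and windows are constructed placeholders.
const POLICY = {
  contracts: ["0xMANAGER_PLACEHOLDER"],             // watched manager contracts
  approvedAdmins: ["0xMULTISIG_A", "0xMULTISIG_B"], // intended admins
  changeWindows: [{ from: 1000, to: 2000 }],        // approved maintenance (unix s)
};
const SAMPLE = [
  { name: "Paused", contract: "0xMANAGER_PLACEHOLDER", time: 1500 },
  { name: "AdminChanged", contract: "0xMANAGER_PLACEHOLDER", newAdmin: "0xmultisig_b", time: 1600 },
  { name: "Unpaused", contract: "0xMANAGER_PLACEHOLDER", time: 1700 },
  { name: "Paused", contract: "0xMANAGER_PLACEHOLDER", time: 5000 },
  { name: "AdminChanged", contract: "0xMANAGER_PLACEHOLDER", newAdmin: "0xUNKNOWN", time: 6000 },
  { name: "Unpaused", contract: "0xMANAGER_PLACEHOLDER", time: 6100 },
  { name: "Paused", contract: "0xOTHER_CONTRACT", time: 6200 },
];
const norm = (a) => String(a || "").toLowerCase();

function triage(events, policy) {
  const admins = new Set(policy.approvedAdmins.map(norm));
  const watched = new Set(policy.contracts.map(norm));
  const untrusted = new Set(); // contracts whose admin left the approved list
  const alerts = [];
  const sorted = [...events].sort((a, b) => a.time - b.time);
  for (const ev of sorted) {
    const c = norm(ev.contract);
    if (!watched.has(c)) continue; // not one of our managers
    const planned = policy.changeWindows.some((w) => ev.time >= w.from && ev.time <= w.to);
    if (ev.name === "AdminChanged") {
      if (admins.has(norm(ev.newAdmin))) untrusted.delete(c);
      else untrusted.add(c);
      if (untrusted.has(c)) alerts.push({ severity: "critical", ev, reason: "admin set to an address outside the approved list" });
      else if (!planned) alerts.push({ severity: "high", ev, reason: "admin change outside an approved change window" });
    } else if (ev.name === "Paused" || ev.name === "Unpaused") {
      // Any pause-state change made while the admin is unapproved is treated as hostile.
      if (untrusted.has(c)) alerts.push({ severity: "critical", ev, reason: `${ev.name} while admin is an unapproved address` });
      else if (!planned) alerts.push({ severity: "high", ev, reason: `${ev.name} outside an approved change window` });
    }
  }
  return alerts;
}

for (const a of triage(SAMPLE, POLICY)) console.log(a.severity, a.ev.name, a.ev.time, a.reason);
```

A pause during a real incident still raises a `high` alert here, so the on-call responder can confirm it matches an incident they opened.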