Runbook: Key Compromise
Security Specialist | Operations & Strategy | DevOps
This is an example runbook. Review and customize for your protocol before use. Fill in your key types, what each controls, and your specific rotation procedures.
Quick Reference
| Field | Value |
|---|---|
| Typical Severity | P1 |
| Primary Responder | Security SME |
| Last Updated | [Date] |
| Owner | [Name] |
Identification
Symptoms
- Unauthorized transactions from controlled addresses
- Unexpected multisig proposals
- Key holder reports compromise
- Suspicious signing activity
- Social engineering attempt succeeded
Key Types
| Key Type | Risk Level | Controlled Assets |
|---|---|---|
| Deployer | [High/Med] | [What it controls] |
| Admin/Owner | [High/Med] | [What it controls] |
| Multisig signer | [High/Med] | [What it controls] |
| Hot wallet | [High/Med] | [What it controls] |
Immediate Actions
Step 1: Confirm Compromise
Why: Avoid false positives, but err on the side of caution
- Verify with key holder directly (not via potentially compromised channels)
- Check for unauthorized transactions
- Review recent signing activity
Step 2: Assess Blast Radius
Why: Understand what the attacker can do
- What can this key sign?
- Are there timelocks?
- What other systems use this key?
Step 3: Revoke/Rotate
Why: Remove attacker access
For multisig signers:
- Remove compromised signer
- Add replacement signer
For admin keys:
- Transfer ownership to new address
- Or revoke permissions if possible
For hot wallets:
- Move remaining funds to secure address
Step 4: Check for Damage
Why: Determine whether the attacker acted
- Review all transactions from compromised key
- Check pending proposals/timelocks
- Audit any systems the key had access to
Investigation
Key Questions
- How was the key compromised? (phishing, malware, insider, leaked)
- When was it compromised?
- What did the attacker do (if anything)?
- Are other keys at risk?
Evidence to Collect
| Data | Source |
|---|---|
| Transaction history | Block explorer |
| Login/access logs | Infrastructure providers |
| Signing requests | Multisig interface |
| Communications | If social engineering |
Mitigation by Key Type
Multisig Signer
- Propose removal of compromised signer
- Collect required signatures
- Execute removal
- Add new signer
- Verify new threshold is appropriate
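The checks behind "Collect required signatures" and "Verify new threshold is appropriate" can be made explicit. The following is an added example, not part of the original runbook: it models a generic M-of-N multisig, reports how many more signatures the attacker needs and whether the uncompromised signers can still execute the removal on their own, then validates the signer set after rotation. The `Multisig` model, the signer names, and the "no spare signer" policy are assumptions made for illustration; adapt them to your multisig implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Multisig:
    signers: frozenset  # signer identifiers (constructed placeholders below)
    threshold: int      # signatures required to execute a transaction

def assess(ms, compromised):
    """Blast radius of the compromised signer(s) on an M-of-N multisig."""
    bad = ms.signers & frozenset(compromised)
    clean = ms.signers - bad
    return {
        # 0 means the attacker alone can already execute transactions
        "attacker_still_needs": max(ms.threshold - len(bad), 0),
        # the removal must be signed by uncompromised holders only
        "clean_signers_reach_threshold": len(clean) >= ms.threshold,
    }

def verify_rotation(before, after, compromised):
    """Return a list of problems with the post-rotation signer set."""
    problems = []
    if after.signers & frozenset(compromised):
        problems.append("compromised signer still present")
    if not 1 <= after.threshold <= len(after.signers):
        problems.append("threshold outside 1..N")
    if after.threshold < before.threshold:
        problems.append("threshold lowered during rotation")
    # Assumed policy: keep at least one spare signer for availability.
    if after.threshold == len(after.signers) and len(after.signers) > 1:
        problems.append("no spare signer: one lost key locks the multisig")
    return problems

if __name__ == "__main__":
    # Constructed sample: a 2-of-3 multisig where signer-C is compromised.
    before = Multisig(frozenset({"signer-A", "signer-B", "signer-C"}), 2)
    print(assess(before, {"signer-C"}))
    # Removal executed but replacement not yet added: 2-of-2.
    interim = Multisig(frozenset({"signer-A", "signer-B"}), 2)
    print(verify_rotation(before, interim, {"signer-C"}))
    # Replacement added: back to 2-of-3 with a clean signer set.
    after = Multisig(frozenset({"signer-A", "signer-B", "signer-D"}), 2)
    print(verify_rotation(before, after, {"signer-C"}))
```

An `attacker_still_needs` of 0, or `clean_signers_reach_threshold` being false, means the normal removal path cannot be relied on and the incident should be escalated immediately.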
Contract Admin Key
- Prepare ownership transfer transaction
- Execute transfer to secure address
- Verify new owner
- Update documentation
Hot Wallet
- Prepare transaction to move all funds
- Move to cold storage or new hot wallet
- Update any systems using old address
- Retire compromised address
Escalation
- Decision Makers - immediately for any confirmed compromise
- Security Partners - for investigation support
- Legal - if funds were stolen
Prevention Checklist
After resolving, review:
- Key storage practices
- Phishing awareness training
- Hardware wallet usage
- Multisig thresholds
- Access logging
- Key rotation schedule