smom-dbis-138/docs/operations/CHANNEL_INCIDENT_RUNBOOK.md

Channel Manager Incident Runbook

Short runbook for PaymentChannelManager and GenericStateChannelManager: pause, unpause, and replace admin.

When to pause

• Suspected bug or exploit in open/fund or state handling.
• Upgrade or migration (pause new activity while in-flight channels settle).
• Security incident: stop new channel opens and funds; existing channels can still close.

How to pause

• Who: Current admin (or multisig that is admin).
• Call: pause() on the contract (PaymentChannelManager or GenericStateChannelManager).
• Effect: openChannel and fundChannel revert with "paused". closeChannelCooperative, submitClose, challengeClose, and finalizeClose remain callable so in-flight channels can settle.

How to unpause

• Who: Current admin.
• Call: unpause().
• Effect: New channels can be opened and funded again.

How to replace admin

• Who: Current admin.
• Call: setAdmin(newAdmin) with the new address (e.g. new multisig).
• Recommendation: Use a multisig as newAdmin; avoid EOA for production.

Contracts and addresses

• Document deployed addresses in PAYMENT_CHANNELS_DEPLOYMENT.md.
• Ensure only the intended multisig/EOA has admin before and after replacement.

Monitoring

• Monitor Paused, Unpaused, and AdminChanged events.
• Alert on unexpected pause or admin change.