Web3 Incident Response Plan: What to Do in the First 24 Hours After an Exploit
When an exploit hits your protocol, every minute counts. This hour-by-hour incident response playbook covers detection, containment, communication, fund recovery, and post-incident rebuilding based on real case studies from 2024-2026.
On March 13, 2025, Euler Finance lost $197 million in a flash loan attack. Within 47 minutes of detection, their war room was active. Within 4 hours, they had coordinated with Chainalysis, contacted the attacker on-chain, and published their first community update. Three weeks later, the attacker returned $175 million — one of the largest fund recoveries in DeFi history. The difference between Euler and protocols that never recovered was not luck. It was preparation.
In 2024-2025 alone, over $3.8 billion was stolen from Web3 protocols according to Chainalysis and Immunefi data. Yet fewer than 15% of affected projects had a documented incident response plan before the attack. This playbook provides the hour-by-hour framework every Web3 team needs — before the alarm sounds.
Why Web3 Incident Response Is Different
Traditional cybersecurity incident response (NIST SP 800-61) assumes you can isolate systems, revoke access, and restore from backups. Blockchain exploits break all three assumptions:
•Immutability: You cannot roll back transactions on a public blockchain (except in extraordinary circumstances like the DAO hack of 2016)
•Transparency: Every transaction is public — the attacker, white hats, MEV bots, and your community all watch in real time
•Composability: Your protocol is interconnected with dozens of others; an exploit in your contract can cascade across DeFi
•Pseudonymity: The attacker may be pseudonymous, but on-chain forensics can often trace fund flows to centralized exchanges
These constraints demand a specialized response framework built for the unique dynamics of blockchain.
Phase 1: Detection and Containment (0-1 Hour)
The first 60 minutes determine whether you lose millions or tens of millions. Speed is everything.
Minute 0-15: Detect and Confirm
Automated monitoring is non-negotiable. The protocols that survive exploits are those that detect them before Twitter does. Essential monitoring infrastructure includes:
•Forta Network: real-time smart contract monitoring (alert speed: <30 seconds)
•OpenZeppelin Defender: automated pause triggers (alert speed: <1 minute)
•Tenderly Alerts: transaction simulation and anomaly detection (alert speed: <1 minute)
•Hypernative: predictive threat detection, pre-exploit (alert speed: minutes before the attack)
•Custom subgraphs: protocol-specific invariant monitoring (alert speed: real-time)
Your detection checklist:
•Confirm the anomaly is an actual exploit, not a legitimate large transaction or oracle update
•Identify the attack vector — is it a smart contract vulnerability, oracle manipulation, governance attack, or private key compromise?
•Determine if the attack is ongoing or completed
•Estimate initial loss from on-chain data
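As an added illustration of the checklist above (this is example code, not from the original article), here is a Python invariant monitor of the kind a custom subgraph or Forta bot would feed: it reads constructed block-by-block snapshots of a hypothetical lending pool, separates an accounting-invariant break from a large legitimate withdrawal or an oracle jump, reports whether the outflow is still ongoing, and estimates the loss. The snapshot fields, thresholds and sample histories are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PoolSnapshot:
    block: int
    cash: int            # asset units the pool contract actually holds
    total_borrows: int   # asset units borrowers owe the pool
    total_deposits: int  # asset units the pool owes depositors
    oracle_price: float  # USD per unit as reported by the pool's oracle


@dataclass(frozen=True)
class Alert:
    severity: str             # "critical" or "high"
    reason: str
    ongoing: bool             # did assets still leave the pool in the newest block?
    estimated_loss_usd: float
    action: str               # first containment step for the war room


# Hypothetical thresholds; tune per protocol and per asset.
WINDOW_BLOCKS = 5       # rolling window for rate-of-change checks
MAX_TVL_DROP = 0.10     # more than 10% of TVL leaving within the window
MAX_ORACLE_MOVE = 0.20  # more than 20% price move within the window


def tvl(s: PoolSnapshot) -> int:
    return s.cash + s.total_borrows


def solvency_gap(s: PoolSnapshot) -> int:
    """Units by which depositor claims exceed pool assets; 0 when healthy."""
    return max(0, s.total_deposits - (s.cash + s.total_borrows))


def evaluate(history: List[PoolSnapshot]) -> Optional[Alert]:
    """Check the newest snapshot against the rolling window; None means healthy."""
    if len(history) < 2:
        return None
    window = history[-WINDOW_BLOCKS:]
    first, latest, previous = window[0], history[-1], history[-2]
    ongoing = tvl(latest) < tvl(previous)
    # Value the loss at the price seen at the start of the window so a
    # manipulated oracle cannot inflate or hide the number we publish.
    loss_usd = max(0, tvl(first) - tvl(latest)) * first.oracle_price

    gap = solvency_gap(latest)
    if gap > 0:
        # Assets left without a matching borrow record: the drain signature.
        return Alert("critical", f"accounting invariant broken by {gap} units",
                     ongoing, loss_usd, "pause contracts now; open the war room")

    drop = (1 - tvl(latest) / tvl(first)) if tvl(first) else 0.0
    if drop > MAX_TVL_DROP:
        # Could still be a legitimate large withdrawal: confirm before pausing.
        return Alert("high", f"{drop:.0%} of TVL left within {len(window)} blocks",
                     ongoing, loss_usd, "confirm exploit vs. large withdrawal; stage pause tx")

    move = abs(latest.oracle_price / first.oracle_price - 1) if first.oracle_price else 0.0
    if move > MAX_ORACLE_MOVE:
        return Alert("high", f"oracle price moved {move:.0%} within {len(window)} blocks",
                     ongoing, loss_usd, "switch to backup feed; pause borrowing")
    return None


# Constructed sample histories (hypothetical stablecoin pool, price 1.0 USD).
NORMAL = [PoolSnapshot(100 + i, 1_000_000 - 5_000 * i, 400_000,
                       1_400_000 - 5_000 * i, 1.0) for i in range(6)]
DRAIN = [
    PoolSnapshot(200, 1_000_000, 400_000, 1_400_000, 1.0),
    PoolSnapshot(201, 1_000_000, 400_000, 1_400_000, 1.0),
    PoolSnapshot(202, 400_000, 400_000, 1_400_000, 1.0),  # 600k leaves, no borrow booked
    PoolSnapshot(203, 100_000, 400_000, 1_400_000, 1.0),  # drain continues
]
COMPLETED = DRAIN + [PoolSnapshot(204, 100_000, 400_000, 1_400_000, 1.0)]
ORACLE = [PoolSnapshot(300, 1_000_000, 400_000, 1_400_000, 1.0),
          PoolSnapshot(301, 1_000_000, 400_000, 1_400_000, 1.6)]

if __name__ == "__main__":
    for name, hist in [("normal", NORMAL), ("drain", DRAIN),
                       ("completed", COMPLETED), ("oracle", ORACLE)]:
        print(name, evaluate(hist))
```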
Minute 15-30: Activate the War Room
Do not wait for confirmation to assemble the team. False alarms cost hours of lost sleep; missed exploits cost millions.
War room composition (7 roles minimum):
•Incident Commander: Single decision-maker, typically CTO or Head of Security. Owns the timeline and authorizes all actions
Communication channels:
•Primary: Signal group (encrypted, no message history for attackers to exploit)
•Document: Shared Google Doc or Notion page as the single source of truth for the timeline
Minute 30-60: Contain the Damage
Emergency pause contracts immediately. If your protocol has pausable contracts (and it should), trigger the pause the moment an exploit is confirmed. Every minute of delay means more funds drained.
Containment actions by attack vector:
Smart Contract Exploit:
•Pause all affected contracts via multisig or guardian role
•If using upgradeable proxies: prepare emergency upgrade to patch the vulnerability
•Contact bridge operators (Wormhole, LayerZero, Axelar) to freeze cross-chain transfers
•Alert DEX aggregators (1inch, Paraswap) to delist affected tokens temporarily
Oracle Manipulation:
•Switch to backup oracle feeds
•Pause lending/borrowing if price feeds are compromised
•Contact Chainlink/Pyth for emergency oracle investigation
Private Key Compromise:
•Rotate ALL keys and access credentials immediately
•Revoke compromised signer from multisig
•Transfer remaining treasury funds to a new secure wallet
•Audit all recent transactions from the compromised key
Governance Attack:
•Activate timelock guardian to veto malicious proposals
•If timelock has passed: coordinate emergency governance vote
•Contact delegates and major token holders directly
Phase 2: Assessment and Communication (1-4 Hours)
With containment underway, shift focus to understanding the full scope and communicating transparently.
Hour 1-2: Full Damage Assessment
Quantify losses precisely. The community and media will amplify any number you publish — make sure it is accurate.
•Map all affected addresses: Trace every transaction related to the exploit
•Calculate total value extracted: In both native tokens and USD at time of exploit
•Identify affected users: How many wallets lost funds? What was the distribution?
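An added example (not from the original article) of the assessment above in Python: given a constructed list of token transfers, hypothetical protocol and attacker addresses, exploit-time prices and depositor shares, it traces the attacker's downstream addresses, nets the drained amount per token, values it in USD at the exploit block, and buckets the pro-rata user losses. Every address, amount and price here is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    tx: str
    token: str
    sender: str
    receiver: str
    amount: float


def trace_addresses(transfers: List[Transfer], seeds: Iterable[str],
                    exclude: Set[str], max_hops: int = 3) -> Set[str]:
    """Follow outgoing transfers from the seed addresses hop by hop and return
    every downstream recipient. Protocol contracts are excluded so a partial
    return to the pool does not mark the pool itself as attacker-controlled."""
    known, frontier = set(seeds), set(seeds)
    for _ in range(max_hops):
        nxt = {t.receiver for t in transfers
               if t.sender in frontier and t.receiver not in (exclude | known)}
        if not nxt:
            break
        known |= nxt
        frontier = nxt
    return known


def extracted_by_token(transfers: List[Transfer], protocol: Set[str],
                       controlled: Set[str]) -> Dict[str, float]:
    """Net units drained per token: protocol -> attacker, minus any returns."""
    net: Dict[str, float] = defaultdict(float)
    for t in transfers:
        if t.sender in protocol and t.receiver in controlled:
            net[t.token] += t.amount
        elif t.sender in controlled and t.receiver in protocol:
            net[t.token] -= t.amount
    return {tok: units for tok, units in net.items() if units}


def to_usd(per_token: Dict[str, float], prices: Dict[str, float]) -> float:
    """Value at exploit-time prices; refuse to publish a number with gaps."""
    missing = set(per_token) - set(prices)
    if missing:
        raise ValueError(f"no exploit-time price for {sorted(missing)}")
    return sum(units * prices[tok] for tok, units in per_token.items())


def bucket(loss: float, edges: Tuple[int, ...]) -> str:
    lo = 0
    for hi in edges:
        if loss < hi:
            return f"{lo:,}-{hi:,}"
        lo = hi
    return f">={lo:,}"


def loss_distribution(total_usd: float, shares: Dict[str, float],
                      edges: Tuple[int, ...] = (100_000, 500_000)):
    """Pro-rata USD loss per depositor plus a histogram over USD buckets."""
    losses = {addr: total_usd * share for addr, share in shares.items() if share > 0}
    hist: Dict[str, int] = defaultdict(int)
    for loss in losses.values():
        hist[bucket(loss, edges)] += 1
    return losses, dict(hist)


def assess(transfers, protocol, seeds, prices, shares) -> dict:
    controlled = trace_addresses(transfers, seeds, exclude=protocol)
    per_token = extracted_by_token(transfers, protocol, controlled)
    total = to_usd(per_token, prices)
    losses, hist = loss_distribution(total, shares)
    return {"attacker_addresses": sorted(controlled), "extracted": per_token,
            "total_usd": total, "affected_wallets": len(losses),
            "distribution": hist}


# Constructed sample: hypothetical addresses, amounts and prices.
POOL, ATTACKER = "0xPOOL", "0xATTACKER1"
PRICES_AT_EXPLOIT = {"USDC": 1.0, "WETH": 2000.0}
TRANSFERS = [
    Transfer("0xtx1", "USDC", POOL, ATTACKER, 900_000),
    Transfer("0xtx1", "WETH", POOL, ATTACKER, 150),
    Transfer("0xtx2", "WETH", ATTACKER, "0xHOP1", 100),         # moved onward
    Transfer("0xtx3", "WETH", "0xHOP1", "0xCEX_DEPOSIT", 100),  # lands at an exchange
    Transfer("0xtx4", "USDC", "0xALICE", POOL, 10_000),         # unrelated deposit
    Transfer("0xtx5", "WETH", ATTACKER, POOL, 20),              # partial return
]
DEPOSITOR_SHARES = {"0xALICE": 0.50, "0xBOB": 0.30, "0xCAROL": 0.15, "0xDAVE": 0.05}

if __name__ == "__main__":
    print(assess(TRANSFERS, {POOL}, {ATTACKER}, PRICES_AT_EXPLOIT, DEPOSITOR_SHARES))
```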
Hour 2-3: First Public Communication
Silence is the worst possible strategy. With every minute that passes without an official statement, speculation fills the void. Your first communication should go out within 2-3 hours at most.
Communication template (adapt to your situation):
Publish simultaneously across all channels: Twitter/X, Discord, Telegram, your blog, and directly to major crypto media outlets.
Hour 3-4: Engage External Resources
•Security firms: Engage Chainalysis Incident Response, TRM Labs, or Halborn for professional forensics
•Law enforcement: File reports with FBI IC3 (US), Europol EC3 (EU), or relevant national cybercrime units
•Exchanges: Contact compliance teams at Binance, Coinbase, Kraken, OKX with addresses to freeze — centralized exchanges have frozen over $200 million in stolen crypto since 2023
Phase 3: Recovery and Remediation (4-24 Hours)
Fund Recovery Strategies
The data is encouraging: approximately 20-25% of stolen DeFi funds are eventually recovered, according to Immunefi's 2025 annual report. But recovery requires immediate, parallel action on multiple fronts.
Strategy 1: White Hat Negotiation (Highest Success Rate)
On-chain messages to the attacker have become a standard playbook. The typical offer structure:
•10% bounty (of stolen funds) for full return within 48-72 hours
•No legal action guarantee (controversial but effective)
•Public recognition as a white hat security researcher
Successful case studies:
•Euler Finance (2023): $197M stolen, $175M returned after on-chain negotiation. Attacker kept ~$22M as bounty
•Poly Network (2021): $611M stolen, 100% returned. Attacker cited "doing it for fun" and was offered Chief Security Advisor role
•Transit Finance (2022): $21M stolen, $18.9M returned within 24 hours after combined pressure from SlowMist, PeckShield, and exchange freezes
Strategy 2: Exchange Freezes and Chain Analysis
Modern chain analysis tools can trace funds through mixers, bridges, and complex transaction chains with increasing effectiveness:
•Tag all attacker addresses in Chainalysis, TRM Labs, and Arkham
•Contact every centralized exchange where funds may land
•Monitor bridge contracts for cross-chain transfers
•Track mixer deposits — Tornado Cash and similar protocols leave on-chain patterns that forensics firms can analyze
Strategy 3: Law Enforcement and Legal Action
While slow, law enforcement action has resulted in significant recoveries:
•Mango Markets (2022): Avraham Eisenberg arrested and charged with market manipulation after exploiting $116M. Most funds recovered
•Platypus Finance (2023): French police arrested the attacker within days using IP traces from contract deployment transactions
Insurance Claims
If your protocol or users held DeFi insurance coverage, initiate claims immediately:
•Nexus Mutual: Covers smart contract exploits for covered protocols. Claims require proof of loss and are voted on by assessors
•InsurAce: Multi-chain coverage with faster claims processing
•Neptune Mutual: Parametric insurance that pays out based on on-chain incident confirmation, avoiding lengthy claims processes
Key consideration: Most DeFi insurance policies require claims within 14-30 days of the incident. Do not delay.
Technical Remediation (Hour 8-24)
•Root cause analysis: Produce a detailed technical write-up of the vulnerability
Post-Incident Rebuilding (24 Hours+)
The Post-Mortem Report
Publish a comprehensive post-mortem within 7-14 days. The best post-mortems in Web3 history (Wormhole, Euler, Ronin) share common elements:
•Exact timeline with block numbers and transaction hashes
•Technical root cause explained for both technical and non-technical audiences
•Specific remediation steps with verifiable on-chain evidence
•Compensation plan for affected users
•Structural changes to prevent similar incidents (new security roles, additional audits, bug bounty expansion)
User Compensation Frameworks
Several models have been used successfully:
•Full reimbursement from treasury (example: Wormhole, $320M via Jump Crypto). Pro: maximum trust restoration. Con: requires deep pockets
•Debt token issuance (example: Euler, EUL debt tokens). Pro: allows gradual repayment. Con: complex, uncertain timeline
•Protocol revenue sharing (example: some smaller protocols). Pro: sustainable, aligned. Con: slow, may take years
•Insurance fund activation (example: Nexus Mutual claims). Pro: purpose-built. Con: limited coverage amounts
Rebuilding Trust
The protocols that successfully recovered from exploits share a pattern:
•Radical transparency: Euler published daily updates during their recovery period
•Over-investment in security: Post-exploit, increase your security budget by 3-5x. Multiple concurrent audits, a permanent security team, and expanded bug bounties signal commitment
•Community-first compensation: Prioritize making users whole before team recovery
•Structural governance changes: Add security councils, emergency multisigs, and timelock guardians if they were missing
Building Your Incident Response Plan Today
Do not wait for the exploit to start planning. Every Web3 protocol should have these elements in place:
1. Pre-configured war room: Contact lists, encrypted communication channels, role assignments — all documented and tested quarterly
2. Emergency playbooks: Step-by-step runbooks for each attack vector (smart contract, oracle, key compromise, governance)
3. Monitoring infrastructure: At minimum Forta + Tenderly alerts on all deployed contracts, with PagerDuty integration for after-hours notification
4. Pausable contracts: Every non-trivial contract should have a guardian-controlled pause mechanism with a well-defined authorization chain
5. Pre-negotiated retainers: Have incident response firms (Chainalysis, Halborn, Seal 911) on retainer before you need them — onboarding takes days you will not have during a crisis
6. Tabletop exercises: Run simulated exploit scenarios quarterly. Time your team's response. Identify bottlenecks before they cost millions
Key Takeaways
•The first 60 minutes determine recovery outcomes — automated monitoring and pre-configured war rooms cut response time by 80% compared to ad-hoc coordination
•Transparent communication within 2-3 hours is non-negotiable
•White hat negotiation recovers more funds than any other strategy — approximately 20-25% of all stolen DeFi funds are eventually returned, primarily through bounty offers
•Post-incident rebuilding requires radical transparency and over-investment in security — the protocols that survived major exploits (Euler, Wormhole, Poly Network) all increased security spending by 3-5x
•Build your incident response plan before you need it — quarterly tabletop exercises and pre-negotiated security retainers are the cheapest insurance in Web3
How quickly should a Web3 protocol respond to an exploit?
Detection should occur within minutes through automated monitoring tools like Forta Network or Tenderly Alerts. Contract pausing should happen within 15-30 minutes of confirmed exploit. The first public communication should be published within 2-3 hours. Protocols with pre-configured war rooms and documented playbooks consistently outperform those responding ad-hoc by recovering more funds and retaining more user trust.
What percentage of stolen DeFi funds are typically recovered?
According to Immunefi and Chainalysis data, approximately 20-25% of stolen DeFi funds are eventually recovered through a combination of white hat negotiation, exchange freezes, and law enforcement action. The recovery rate improves significantly when protocols respond within the first hour — attacker wallets that interact with centralized exchanges within the first 24 hours have a much higher chance of being frozen. Notable full or near-full recoveries include Euler Finance ($175M of $197M) and Poly Network ($611M of $611M).
Should protocols offer bounties to exploit attackers?
The 10% bounty model — offering the attacker 10% of stolen funds for returning the remaining 90% within a deadline — has proven effective in multiple cases. While legally and ethically complex (some argue it rewards criminal behavior), the pragmatic reality is that it produces better outcomes for affected users than prolonged legal battles. Protocols should have legal counsel pre-approve a bounty framework as part of their incident response plan, and any offer should be structured carefully to avoid creating legal liability.
What DeFi insurance options are available for exploit coverage?
Major DeFi insurance protocols include Nexus Mutual (discretionary mutual coverage voted by assessors), InsurAce (multi-chain parametric and discretionary), and Neptune Mutual (parametric, pays on confirmed incident). Coverage is typically 1-3% annually on the insured amount. Limitations include coverage caps, exclusion of certain attack types (e.g., governance attacks or rug pulls), and claims processing times of 14-60 days. Protocols should also explore traditional cyber insurance policies that increasingly cover blockchain-specific risks.