Incident Postmortem

The foundation of an effective postmortem is a blameless culture that focuses on systemic failures, not individual error. The document begins by constructing a detailed timeline of the incident, using timestamps from block explorers, node logs, and monitoring tools to establish an objective sequence of events from detection to resolution.

This is the core diagnostic phase, moving beyond symptoms to identify the fundamental technical or procedural failure. Common RCAs in blockchain include:

• Smart contract vulnerability (e.g., reentrancy, logic error)
• Consensus failure (e.g., validator slashing, network partition)
• Oracle malfunction (e.g., price feed manipulation or downtime)
• Economic design flaw (e.g, insufficient incentives for liquidation)

A quantitative and qualitative measurement of the incident's consequences. This section details:

• Financial Impact: Total value lost, exploited, or temporarily frozen (e.g., "$X in user funds were at risk").
• Network Impact: Downtime duration, missed blocks, forked chain height.
• User Impact: Number of affected addresses, failed transactions, and protocol functionality loss.

The actionable outcome of the postmortem. It lists specific, trackable tasks to fix the immediate issue and prevent similar ones. Actions are often categorized as:

• Short-term fixes: Hotfixes, emergency multisig transactions, pausing contracts.
• Long-term improvements: Code audits, protocol upgrade proposals, enhanced monitoring (e.g., Forta bots, Tenderly alerts), and governance process changes.

For decentralized protocols, publishing the postmortem is a core transparency requirement. It rebuilds trust with users, token holders, and developers. Communication typically follows a staged process: immediate incident alert, status updates during mitigation, and final detailed report. Examples include posts on the project's forum, governance portal, and mirror.xyz.

A Root Cause Analysis (RCA) is the diagnostic process used within a postmortem. The postmortem is the comprehensive document that includes the RCA along with the timeline, impact, actions, and lessons learned. Think of RCA as the "why" and the postmortem as the full story of "what happened, why, and what we're doing about it."

A concise, high-level overview of the incident, designed for leadership and stakeholders. It includes the incident timeline, total financial impact, and the primary root cause. This section answers the 'what happened' and 'how bad was it' questions in under two minutes of reading.

The technical core of the postmortem, detailing the proximate cause (e.g., a logic bug in a smart contract) and the underlying systemic causes (e.g., inadequate audit scope, missing invariant tests). It uses methodologies like 5 Whys or fault tree analysis to move beyond symptoms to fundamental failures in process or design.

A quantified breakdown of the incident's consequences. This is not limited to direct financial loss but includes:

• Financial Impact: Total value lost, exploited, or frozen.
• Protocol Impact: Downtime, forked blocks, halted operations.
• Reputational Impact: Erosion of user trust, social sentiment, governance fallout.
• Ecosystem Impact: Effects on integrated dApps, oracles, and liquidity partners.

A minute-by-minute or block-by-block chronological log of the incident, from detection through mitigation to resolution. Key elements include:

• Detection Time: When anomalous activity was first noticed.
• Exploit Window: The period during which funds were actively drained.
• Response Actions: Specific steps taken (e.g., pausing contracts, governance alerts).
• Resolution Time: When the protocol was fully secured and operational.

A concrete, actionable plan to fix the immediate vulnerability and improve long-term resilience. Items are often categorized as:

• Short-term (Fix): Patch the specific bug, recover funds if possible.
• Medium-term (Improve): Enhance monitoring, upgrade incident response playbooks.
• Long-term (Prevent): Implement formal verification, revise governance procedures, or adopt more secure design patterns.

This section translates the technical analysis into actionable knowledge for the broader web3 community. It discusses what the team would do differently and is often published openly to help other protocols avoid similar pitfalls. Transparency here is a key tenet of security culture in decentralized ecosystems.

A key performance metric measuring the average time taken to restore service after an incident is detected. In DeFi or blockchain networks, this includes the time to diagnose, develop a fix (e.g., a patch or governance proposal), and deploy it. A low MTTR is critical for maintaining user trust and minimizing financial loss during outages or exploits.

A predefined, step-by-step operational playbook for responding to specific types of incidents. For node operators or protocol teams, a runbook provides clear instructions for scenarios like chain halts, consensus failures, or oracle malfunctions. It standardizes the response, reduces decision latency, and ensures critical steps (e.g., pausing contracts, coordinating validators) are not missed under pressure.

Security measures implemented after an incident to mitigate risk while a permanent fix is developed. Following a hack or bug, a protocol might deploy temporary controls such as:

• Transaction throttling or pausing vulnerable contracts
• Increasing multisig thresholds for sensitive operations
• Enhancing monitoring for specific attack patterns These are interim solutions documented in the postmortem.

An organizational principle where the focus of an incident review is on systemic failures and process improvements, not individual blame. This is essential in decentralized ecosystems where failures are often complex and multi-faceted. A blameless culture encourages transparent reporting, honest analysis, and shared learning, which is vital for the security of open-source, collaborative projects like blockchains.