Emergency subDAO
Concept
The Emergency DAO is an idea pioneered by Curve that empowers a small group to "kill" pools and gauges in the event of malicious activity and/or potential loss of funds. The subDAO is further authorized to pause pools when needed. The Balancer emergency subDAO was established after the following vote.
Relationship to Balancer Onchain Limited
As of BIP-882, the Emergency subDAO operates alongside the Balancer Onchain Limited structure. In emergency situations:
- The Emergency subDAO retains its bounded authority to kill gauges, pause pools, and protect the protocol
- The Treasury Council maintains override capability on critical infrastructure
- The Balancer Onchain Ltd Safe can intervene in emergency situations or swap out the operator if needed
- The self-insurance fund remains available for unforeseen complications
Members
The Balancer Emergency subDAO is a 3-of-7 multisig with the following members as appointed by this vote:
| Person | Address |
|---|---|
| Mike B | 0xF01Cc7154e255D20489E091a5aEA10Bc136696a8 |
| Zen Dragon | 0x7c2eA10D3e5922ba3bBBafa39Dc0677353D2AF17 |
| Juani | 0xDA07B188daE2ee63B2eC61Ee4cdB9673C03d2293 |
| Hypernative | 0x202B1AA0d702898CA474aB6ED31d53BA309308D9 |
| Franz | 0x89c7D6ABA9Cd18D8A93571E583EEAc58Da75acE6 |
| Daniel | 0x606681E47afC7869482660eCD61bd45B53523D83 |
| Xeonus | 0x7019Be4E4eB74cA5F61224FeAf687d2b43998516 |
Multisigs
The Balancer Emergency subDAO operates through the following multisigs, which are authorized to perform emergency actions.
Specifications
As per this vote:
| Call | Contract(s) | Purpose |
|---|---|---|
| killGauge | Gauge contracts | To stop all distribution of BAL to a gauge. |
| denylistToken | ProtocolFeeWithdrawer | Instructs the ProtocolFeeWithdrawer to blacklist fee collection of a specific token. |
As per BIP-139, the Emergency DAO multisigs are authorized to make the following calls to protocol contracts:
| Call | Contract(s) | Purpose |
|---|---|---|
| enableRecoveryMode | Pool contracts | Provides a simple way to exit pools proportionally, at the cost of disabling protocol fees (swaps, joins, etc. still work). |
| disable | Pool factory contracts | Shuts down pool factories. This prevents further pools from being created; existing pools remain unaffected. |
As per BIP-353, the Emergency DAO multisigs are authorized to make the following calls to protocol contracts:
| Call | Contract(s) | Purpose |
|---|---|---|
| disableRecoveryMode | Pool contracts | Remove a pool from recovery mode, restoring normal operations. |
As per BIP-794, the Emergency DAO multisig was further authorized to install Safe modules managed by Hypernative to pause Balancer v2 composable stable v6 pools in the event of an exploit:
| Call | Contract(s) | Purpose |
|---|---|---|
| pause | Pool contracts | Pauses a specific Balancer v2 pool based on the Composable v6 pool factory. |
As per BIP-883, following a comprehensive security review by the Security Council, two critical improvements were implemented: the signer threshold was reduced from 4/7 to 3/7 across all chains to enable faster response times, and the VaultAdmin.disableQueryPermanently() permission was revoked from all emergency safes on chains with Balancer v3 deployments as it was not required for legitimate emergency response scenarios.
| Change | Scope | Purpose |
|---|---|---|
| Threshold reduction (4/7 → 3/7) | All emergency safes | Enable faster response times during critical security incidents while maintaining multi-entity quorum. |
| Revoke disableQueryPermanently | Emergency safes on v3 chains | Remove unnecessary permission that could permanently impact protocol functionality if compromised. |
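
A drift check built on the member table and call tables above, as an added example that is not Balancer's own tooling: it compares a snapshot of an emergency Safe against the documented 3-of-7 signer set and call allowlist, and flags the permission revoked by BIP-883 if it is still present. The snapshot dict format, the `audit_safe` function and both sample snapshots are assumptions constructed for illustration.

```python
# Baseline transcribed from this page: members table, call tables, BIP-883.
DOCUMENTED_OWNERS = {
    "0xF01Cc7154e255D20489E091a5aEA10Bc136696a8": "Mike B",
    "0x7c2eA10D3e5922ba3bBBafa39Dc0677353D2AF17": "Zen Dragon",
    "0xDA07B188daE2ee63B2eC61Ee4cdB9673C03d2293": "Juani",
    "0x202B1AA0d702898CA474aB6ED31d53BA309308D9": "Hypernative",
    "0x89c7D6ABA9Cd18D8A93571E583EEAc58Da75acE6": "Franz",
    "0x606681E47afC7869482660eCD61bd45B53523D83": "Daniel",
    "0x7019Be4E4eB74cA5F61224FeAf687d2b43998516": "Xeonus",
}
DOCUMENTED_THRESHOLD = 3
ALLOWED_CALLS = {"killGauge", "denylistToken", "enableRecoveryMode",
                 "disable", "disableRecoveryMode", "pause"}
REVOKED_CALLS = {"disableQueryPermanently"}  # revoked by BIP-883


def audit_safe(snapshot):
    """Compare one Safe snapshot (hypothetical dict format) to the baseline."""
    expected = {addr.lower(): name for addr, name in DOCUMENTED_OWNERS.items()}
    observed = {addr.lower() for addr in snapshot["owners"]}
    findings = [f"UNKNOWN_OWNER {a}" for a in sorted(observed - set(expected))]
    findings += [f"MISSING_OWNER {expected[a]}"
                 for a in sorted(set(expected) - observed)]
    if snapshot["threshold"] != DOCUMENTED_THRESHOLD:
        findings.append(
            f"THRESHOLD {snapshot['threshold']} != {DOCUMENTED_THRESHOLD}")
    for call in sorted(set(snapshot["granted_calls"])):
        if call in REVOKED_CALLS:
            findings.append(f"REVOKED_CALL_PRESENT {call}")
        elif call not in ALLOWED_CALLS:
            findings.append(f"UNDOCUMENTED_CALL {call}")
    return findings


# Constructed snapshots; in practice these fields would be collected from the
# Safe contract and the protocol's permission records.
CLEAN = {"owners": list(DOCUMENTED_OWNERS), "threshold": 3,
         "granted_calls": ["killGauge", "enableRecoveryMode", "pause"]}
DRIFTED = {
    # Xeonus replaced by a constructed address, threshold lowered.
    "owners": list(DOCUMENTED_OWNERS)[:6]
              + ["0x00000000000000000000000000000000000000AA"],
    "threshold": 2,
    "granted_calls": ["killGauge", "pause", "disableQueryPermanently",
                      "exampleUndocumentedCall"],
}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("drifted", DRIFTED)):
        print(name, audit_safe(snap) or "matches documented baseline")
```

Addresses are compared case-insensitively, so a snapshot that reports lowercase addresses still matches the checksummed values in the members table.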