Emergency Controls
MultiSub gives Safe owners several levers to respond to incidents quickly. All emergency actions require a multisig transaction — sub-accounts cannot modify their own permissions.
Available Controls
| Function | Effect | Reversible? |
|---|---|---|
pause() | Freeze all module operations | Yes — unpause() |
revokeRole(account, role) | Remove all permissions from a sub-account | Yes — re-grant role |
unregisterSelector(selector) | Block a specific function selector globally | Yes — re-register |
setAllowedAddresses(subAccount, [addr], false) | Remove a protocol from a sub-account's allowlist | Yes — re-add |
Global Pause
Calling pause() from the Safe immediately halts every executeOnProtocol, executeOnProtocolWithValue, and transferToken call across all sub-accounts.
Use this when:
- A zero-day exploit is discovered in a supported protocol
- Unusual activity is detected that requires investigation
- A sub-account private key may have been compromised
Resume normal operation with unpause() once the situation is resolved.
Role Revocation
revokeRole(subAccount, DEFI_EXECUTE_ROLE) instantly prevents that sub-account from executing any further operations. The sub-account retains no residual permissions.
This is the fastest targeted response when a single operator is compromised without affecting other sub-accounts.
Selector Removal
unregisterSelector(selector) removes a function selector from the registry. Even if a sub-account has the correct role and an allowlisted protocol address, it cannot call an unregistered selector.
Use this to surgically disable a specific operation type (e.g., all Uniswap V3 swaps) without revoking access to other operations.
Protocol Allowlist Removal
setAllowedAddresses(subAccount, [protocolAddress], false) removes a specific protocol contract from one sub-account's allowlist. The sub-account can still operate on its other whitelisted protocols.
Recommended Response Playbook
| Scenario | Action |
|---|---|
| Single sub-account compromised | revokeRole(subAccount, role) |
| Protocol exploit (e.g. Aave hack) | unregisterSelector(selector) or setAllowedAddresses(false) |
| Widespread incident / unknown threat | pause() |
| Specific operation type suspicious | unregisterSelector(selector) |
Because all controls are on-chain and require multisig approval, they are auditable and cannot be triggered by any single compromised party.