Multisig treasury incident response: when a company or DAO moves money unexpectedly

Treasury incidents blend IT security, governance, and on-chain forensics. This post is a communication and triage outline—not legal or accounting advice. Related: DeFi risks, hardware wallet security.

Declare roles immediately

Assign a single incident commander, a separate comms owner, and a technical lead who can export chain data without “helpful” employees sweeping wallets ad hoc. Unauthorized transactions often compound when well-meaning signers panic-sign “recovery” transactions suggested in Slack by attackers.

Preserve internal artifacts

Snapshot governance forum posts, Snapshot votes, Safe{Wallet} or multisig UI histories, signer device inventories, and VPN logs where policy allows. If a signer laptop is suspect, isolate it for forensic imaging rather than reformatting. Internal timelines help correlate on-chain events with compromised sessions.
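One way to do the correlation this step describes, as an added example that is not the post's own code: match each signer's multisig confirmation timestamp against that signer's VPN session windows and flag confirmations with no covering session, or only sessions from an untrusted source. All data below is constructed; the `tx_a`/`tx_b` labels, signer names and source labels are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Confirmation:
    tx: str          # multisig transaction label (placeholder, not a real hash)
    signer: str
    at: datetime     # when this signer's confirmation was recorded (UTC)


@dataclass
class Session:
    signer: str
    start: datetime
    end: datetime
    source: str      # egress label from VPN logs, e.g. "office"


def correlate(confirmations, sessions, trusted_sources):
    """Return (tx, signer, reason) for each confirmation that does not line up
    with a trusted session of the same signer at signing time."""
    findings = []
    for c in confirmations:
        covering = [s for s in sessions
                    if s.signer == c.signer and s.start <= c.at <= s.end]
        if not covering:
            findings.append((c.tx, c.signer, "no_session"))
            continue
        untrusted = [s.source for s in covering if s.source not in trusted_sources]
        if len(untrusted) == len(covering):   # every covering session is untrusted
            findings.append((c.tx, c.signer, "untrusted_source:" + untrusted[0]))
    return findings


# Constructed sample data: two transactions, one signed during business hours
# from the office, one signed at night with one signer on an unfamiliar VPN exit.
CONFIRMATIONS = [
    Confirmation("tx_a", "alice", datetime(2024, 3, 1, 9, 5)),
    Confirmation("tx_a", "bob",   datetime(2024, 3, 1, 9, 12)),
    Confirmation("tx_b", "alice", datetime(2024, 3, 1, 2, 40)),
    Confirmation("tx_b", "carol", datetime(2024, 3, 1, 2, 44)),
]
SESSIONS = [
    Session("alice", datetime(2024, 3, 1, 8, 30), datetime(2024, 3, 1, 12, 0), "office"),
    Session("bob",   datetime(2024, 3, 1, 8, 45), datetime(2024, 3, 1, 11, 0), "office"),
    Session("carol", datetime(2024, 3, 1, 2, 30), datetime(2024, 3, 1, 2, 50), "unknown-vpn"),
]
TRUSTED = {"office"}

if __name__ == "__main__":
    for tx, signer, reason in correlate(CONFIRMATIONS, SESSIONS, TRUSTED):
        print(tx, signer, reason)
```

A `no_session` hit is a lead for the technical lead's triage queue, not proof of compromise: a signer who confirms from a hardware wallet while off the VPN produces the same gap.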

On-chain containment options

Depending on architecture, you may still have timelocks, guardian roles, or circuit breakers. Do not discuss sensitive remediation steps in public Discord channels where attackers listen. External consultants—including tracing firms—should be engaged through counsel when privilege is a concern.

Tracing for treasuries

Corporate losses often hop through DEX aggregators and bridges immediately. Rapid tracing identifies CEX endpoints and stablecoin freeze candidates while there is still time to act. Deliverables should integrate with your legal strategy; see subpoenas overview.

After-action

Rotate signer keys, review quorum thresholds, segment operational hot wallets from long-term reserves, and train executives on deepfake social engineering. Publish a transparent postmortem when legally appropriate—it helps the ecosystem and your SEO if done authentically.
