Skip to main content

Design Philosophy

The GuardianPausable contract solves a critical timing problem in DeFi: exploits happen in seconds but teams respond in minutes. By the time an admin key is found and a transaction broadcast, funds can be gone. ClawTrust’s solution: separate pause from unpause.
  • Pause — instant, single-party (Safe), no delay
  • Unpause — slow, goes through 48h Timelock, community can review

How It Works

All five ClawTrust contracts inherit GuardianPausable:

Emergency Response Playbook

1

Anomaly detected

Oracle detects abnormal fund movement or a researcher reports a critical bug.
2

Safe signers notified

Two of three Gnosis Safe signers are alerted via Telegram/Signal.
3

Pause transaction submitted

Either signer calls pause() from the Safe. Any 2-of-3 confirmation freezes all contracts immediately.
4

All operations halt

lockUSDC, release, refund, vote, and bond deposit all revert with EnforcedPause while paused.
5

Investigation begins

Team identifies root cause. If a patch is needed, it is queued in the Timelock.
6

Community review

Queued patch is visible on-chain for 48 hours. Auditors, users, and integrators can review.
7

Unpause (post-patch)

Safe proposes unpause via Timelock. After 48 hours, anyone executes. Contracts resume.

What Stays Accessible During Pause

Timeout-based refunds are intentionally left unpaused so users can always recover their funds without relying on the team.

Guardian Rotation

The guardian address (Gnosis Safe) can only be changed through the Timelock — preventing the guardian from replacing itself silently: