You wake up to a flood of messages. A protocol you use has been exploited. Millions drained. The front-end is down. Twitter is chaos. Your wallet has an active approval to the compromised contract. What do you do?
Most people freeze. The ones who don’t freeze lose the least. This is the playbook for the first hour.
Minute 0–10: Confirm the Exploit
Before you act, confirm the exploit is real. Check the protocol’s official Twitter/X account and Discord. Check on-chain data via Etherscan or the relevant block explorer. Look for large, unusual outflows from the protocol’s contracts. Do not trust DMs, random Telegram messages, or unofficial sources — phishing campaigns launch within minutes of every major exploit, impersonating the affected protocol.
Minute 10–20: Revoke Your Approvals
If you have an active approval to the compromised contract, revoke it immediately. This is the single most important action. An approval is a standing permission — even if the exploit has been “patched,” your approval may still grant access to a vulnerable code path. Use AllowanceGuard or any approval manager to find and revoke the relevant allowance. Do not wait for the protocol team to tell you it’s safe.
Minute 20–40: Move Vulnerable Assets
If the compromised contract has approval to tokens with significant value, and you cannot revoke quickly (network congestion, gas spikes), consider moving the tokens to a different wallet that has no approval to the compromised contract. This is a brute-force defence — if the tokens aren’t in the approved wallet, the approval is worthless.
Minute 40–60: Assess Your Exposure
Once the immediate threat is neutralised, audit the rest of your approvals. An exploit in one protocol may indicate a broader vulnerability — shared codebases, forked contracts, or common dependencies. Scan every chain you use. Look for approvals to contracts in the same ecosystem as the compromised one.
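Added here as a worked example (not code from the original post, and not AllowanceGuard’s code): an offline triage of the revoke, move and assess steps above. It takes a list of your ERC-20 approvals, keeps those still granting a non-zero allowance to the exploited contract or to same-ecosystem contracts you choose to treat as suspect, ranks them by what the spender can actually pull (bounded by both allowance and balance, which is why moving tokens works), and ABI-encodes the approve(spender, 0) call that revokes each one. All addresses and balances are constructed; the only real constant is the standard ERC-20 approve selector 0x095ea7b3.

```python
from dataclasses import dataclass
# keccak256("approve(address,uint256)")[:4]; hardcoded, the stdlib has no Keccak-256
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance many dapps request by default

@dataclass(frozen=True)
class Approval:
    chain: str
    token: str      # ERC-20 contract address
    spender: str    # contract permitted to transferFrom your tokens
    allowance: int  # remaining allowance, in token base units
    balance: int    # your wallet's current balance of the token, base units

def exposed_approvals(approvals, suspect_spenders):
    """Approvals that still grant a suspect spender a non-zero allowance.
    suspect_spenders: the exploited contract plus any same-ecosystem contracts
    (forks, shared dependencies) you treat as suspect in the assess step."""
    bad = {s.lower() for s in suspect_spenders}
    return [a for a in approvals if a.spender.lower() in bad and a.allowance > 0]

def value_at_risk(a: Approval) -> int:
    """What the spender can actually pull is bounded by allowance AND balance,
    which is why moving tokens out of the wallet neutralises an approval you
    cannot revoke in time: balance 0 means value at risk 0."""
    return min(a.allowance, a.balance)

def revoke_calldata(spender: str) -> bytes:
    """ABI-encode approve(spender, 0): the call you send to the *token* contract."""
    raw = bytes.fromhex(spender.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("spender must be a 20-byte address")
    return APPROVE_SELECTOR + raw.rjust(32, b"\x00") + (0).to_bytes(32, "big")

def triage(approvals, suspect_spenders):
    """Exposed approvals, highest value at risk first, each with its revoke calldata.
    Base units of different tokens are not comparable; convert to a common unit
    (e.g. USD) before ranking a real portfolio."""
    exposed = sorted(exposed_approvals(approvals, suspect_spenders),
                     key=value_at_risk, reverse=True)
    return [(a, revoke_calldata(a.spender)) for a in exposed]

# Constructed sample data (not real contracts): an exploited spender and a fork of it.
EXPLOITED, FORK = "0x" + "bad" + "0" * 34 + "bad", "0x" + "f0f" + "0" * 34 + "f0f"
SAFE = "0x" + "5afe" + "0" * 32 + "5afe"  # an unrelated protocol, left alone
SAMPLE = [
    Approval("ethereum", "0x" + "11" * 20, EXPLOITED, MAX_UINT256, 5_000 * 10**6),
    Approval("ethereum", "0x" + "22" * 20, EXPLOITED, 0, 10**18),            # already revoked
    Approval("arbitrum", "0x" + "33" * 20, FORK, 250 * 10**18, 4 * 10**18),  # allowance > balance
    Approval("ethereum", "0x" + "44" * 20, SAFE, MAX_UINT256, 10**18),
]
```

Each returned calldata goes in a transaction whose `to` is the token address of that approval; the same token may need several revokes if several suspect spenders hold allowances on it.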
After the First Hour
- Follow the post-mortem. Reputable protocols publish detailed post-mortems within 24–72 hours. Read them. They tell you what was vulnerable and whether your actions were sufficient.
- Check for compensation. Some protocols offer partial recovery through insurance funds, treasury reimbursement, or governance votes. Follow the official channels.
- Update your security routine. If this exploit caught you off guard, your monitoring wasn’t working. Set up continuous monitoring so the next alert comes before the Twitter thread.
The Rule
In the first hour after an exploit, the order of operations is: confirm, revoke, move, assess. Every minute you spend reading Twitter instead of revoking is a minute your approval is live and your tokens are at risk. Act first. Read later.