🛡️ Operations Playbooks

Purpose

These playbooks define the policies and responsibilities for securely operating the KAT Bridge. They are not step-by-step manuals, but high-level requirements that all operators and administrators must follow.


Key Ceremonies

Distributed Key Generation (DKG)

  • All FROST key shares must be generated via a secure DKG process.

  • No single operator may hold, or be able to reconstruct, the full private key. With DKG the group key is never assembled in one place, not even during the ceremony itself.

  • DKG transcripts must be archived, hashed, and published for transparency. A transcript contains only public material (participant identities and the polynomial commitments each participant broadcast), never secret shares, so anyone can recompute the aggregate public key from it without learning anything about the shares.
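The following is an added illustration of the three DKG requirements above, not the KAT Bridge's own code: a Feldman-style DKG in which every participant broadcasts commitments to its polynomial, every share is verified against those commitments before it is accepted, and the public transcript is hashed for archiving. The group order Q = 1019, the modulus P = 2Q + 1 and the generator G = 4 are a toy group chosen so the arithmetic is readable; a real FROST deployment uses a 256-bit elliptic-curve group and the Pedersen DKG from the FROST specification. The injectable `rng` parameter is an assumption of this example so that a ceremony can be replayed deterministically.

```python
import hashlib
import json
import secrets

# Toy group (constructed for illustration): the prime-order-Q subgroup of
# Z_P^*, with P = 2Q + 1. Real FROST uses a ~256-bit curve group instead.
Q = 1019
P = 2 * Q + 1          # 2039, also prime
G = 4                  # a quadratic residue, so it generates the order-Q subgroup


def eval_poly(coeffs, x):
    """Evaluate f(x) = c0 + c1*x + c2*x^2 + ... over Z_Q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def commit(coeffs):
    """Feldman commitment: publish G^c_k for every coefficient c_k."""
    return [pow(G, c, P) for c in coeffs]


def verify_share(share, x, commitments):
    """Check G^share == prod_k C_k^(x^k), which holds iff share == f(x) mod Q."""
    expected = 1
    for k, c_k in enumerate(commitments):
        expected = expected * pow(c_k, pow(x, k, Q), P) % P
    return pow(G, share, P) == expected


def run_dkg(n, t, rng=secrets.randbelow):
    """Feldman-style DKG among participants 1..n with signing threshold t.

    rng(Q) must return a uniform integer in [0, Q); it is injectable only so
    the ceremony can be replayed deterministically in a test.
    Returns (key_shares, group_pubkey, transcript).
    """
    ids = list(range(1, n + 1))
    # Round 1: each participant samples a private degree-(t-1) polynomial and
    # broadcasts commitments to its coefficients. The polynomial never leaves it.
    polys = {i: [rng(Q) for _ in range(t)] for i in ids}
    commitments = {i: commit(polys[i]) for i in ids}
    # Round 2: i sends f_i(j) to j over a private channel; j rejects the
    # ceremony if any share fails verification against i's public commitments.
    key_shares = {}
    for j in ids:
        received = {i: eval_poly(polys[i], j) for i in ids}
        for i, share in received.items():
            if not verify_share(share, j, commitments[i]):
                raise ValueError(f"participant {i} sent participant {j} an invalid share")
        key_shares[j] = sum(received.values()) % Q
    # The group secret is the sum of the constant terms; nobody ever computes
    # it, but its public key is the product of the constant-term commitments.
    group_pubkey = 1
    for i in ids:
        group_pubkey = group_pubkey * commitments[i][0] % P
    # The transcript holds public data only (ids and commitments), never shares.
    transcript = {
        "n": n,
        "t": t,
        "group_pubkey": group_pubkey,
        "commitments": {str(i): commitments[i] for i in ids},
    }
    return key_shares, group_pubkey, transcript


def transcript_hash(transcript):
    """Canonical SHA-256 of the transcript: the value to archive and publish."""
    canonical = json.dumps(transcript, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_transcript(transcript):
    """Anyone can recompute the aggregate public key from the published commitments."""
    pk = 1
    for coms in transcript["commitments"].values():
        pk = pk * coms[0] % P
    return pk == transcript["group_pubkey"]


def reconstruct(points):
    """Lagrange interpolation at x=0 over Z_Q: what an attacker holding shares would do."""
    secret = 0
    for xj, yj in points.items():
        num = den = 1
        for xm in points:
            if xm != xj:
                num = num * (-xm) % Q
                den = den * (xj - xm) % Q
        secret = (secret + yj * num * pow(den, -1, Q)) % Q
    return secret


if __name__ == "__main__":
    shares, pk, tr = run_dkg(n=5, t=3)
    print("transcript sha256:", transcript_hash(tr))
    three = {j: shares[j] for j in (1, 2, 3)}
    two = {j: shares[j] for j in (1, 2)}
    print("3 shares match the group key:", pow(G, reconstruct(three), P) == pk)
    print("2 shares match the group key:", pow(G, reconstruct(two), P) == pk)
```

Any t shares interpolate to the group secret, while fewer leave it statistically independent of what the holders know, which is the property behind "no single operator may hold or reconstruct the full private key". The hash of the transcript is what gets archived and published; a relayer that later disputes the ceremony can be checked against it, and the public key recomputed from the commitments must match the aggregate key that governance installs on L1.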

Attestor & Key Updates

  • Attestor addresses on L2 and the aggregate FROST key on L1 are both managed through governance.

  • Updates require on-chain approval, ensuring transparent and community-visible changes.

  • Rotation events must be logged publicly in the Transparency section of this GitBook.


Incident Response

Relayer Failure

  • If a relayer fails or becomes unresponsive:

    • Deposits (L1 → L2) stall until all 5 attestations are present.

    • Withdrawals (L2 → L1) can continue as long as the remaining relayers still reach the FROST signing threshold; missing relayers should be restored quickly, since each further loss moves the bridge closer to a withdrawal halt.

  • Operators must investigate within 24 hours of a failure notification.

Compromised Relayer

  • Immediate governance proposal to remove/replace the attestor or key share.

  • Public disclosure in the Transparency section, including impact analysis.

  • DKG re-run if a FROST share is compromised. Until the replacement aggregate key is approved and executed on-chain (see Attestor & Key Updates), the compromised share remains a valid signer: the honest relayers must not count it toward the quorum, and must halt signing if the threshold cannot be met without it.

Coordinator Failure

  • Withdrawals stall until the coordinator is restored.

  • Deposits are unaffected (each relayer submits its attestation independently of the coordinator).

  • Coordinators may be redeployed, but must not be given signing capability.


Monitoring & Reporting

  • Relayers and the coordinator must expose basic health metrics (uptime, event-processing progress, signature success rate).

  • A failed operation is retried automatically; two consecutive failures of the same component trigger an administrator notification.

  • All incidents must be recorded and published in the Transparency section.
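The model below is an added example, not the bridge's own monitoring or relayer code, that ties the Incident Response rules to the Monitoring rules above: a per-component failure counter that retries and notifies once after two consecutive failures, and a liveness decision that stalls deposits unless all 5 attestations are present while letting withdrawals proceed only with a responsive coordinator plus a signing quorum. The relayer names, the 3-of-5 withdrawal threshold and the "two consecutive failures means unresponsive" rule are assumptions of this example; the page fixes the attestor count at 5 and the notification rule, but not the FROST threshold.

```python
from dataclasses import dataclass

# Constructed names; the page says there are 5 attestors but does not name them.
ATTESTORS = ("relayer-1", "relayer-2", "relayer-3", "relayer-4", "relayer-5")
# Assumed FROST signing threshold (t-of-5); the page does not state t.
WITHDRAW_QUORUM = 3
# Consecutive failures before an administrator notification (from the page).
ALERT_AFTER = 2


@dataclass
class Health:
    """Per-component failure tracker driving the retry-vs-notify decision."""
    consecutive_failures: int = 0
    notified: bool = False

    def record(self, ok: bool) -> str:
        """Feed one probe result; returns the action the operator tooling takes."""
        if ok:
            self.consecutive_failures = 0
            self.notified = False
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures >= ALERT_AFTER and not self.notified:
            self.notified = True          # notify once, not on every further failure
            return "notify-admin"
        return "retry"

    @property
    def responsive(self) -> bool:
        # Assumption: a component is treated as unresponsive once it has
        # crossed the notification threshold.
        return self.consecutive_failures < ALERT_AFTER


class BridgeLiveness:
    """Decides what can progress given current relayer and coordinator health."""

    def __init__(self):
        self.relayers = {name: Health() for name in ATTESTORS}
        self.coordinator = Health()

    def probe(self, component: str, ok: bool) -> str:
        target = self.coordinator if component == "coordinator" else self.relayers[component]
        return target.record(ok)

    def live_relayers(self):
        return sorted(name for name, h in self.relayers.items() if h.responsive)

    def deposit_status(self, attestations):
        """L1 -> L2: safety before liveness, all 5 attestations or nothing."""
        have = set(attestations)
        unknown = sorted(have - set(ATTESTORS))
        if unknown:
            # An attestation from outside the governed attestor set is never
            # counted; it is a signal to investigate, not a reason to finalize.
            return False, f"rejected: attestation from unknown signer {unknown}"
        missing = sorted(set(ATTESTORS) - have)
        if missing:
            return False, f"stalled: waiting on {missing}"
        return True, "finalized"

    def withdrawal_status(self):
        """L2 -> L1: needs the coordinator plus a signing quorum of live relayers."""
        if not self.coordinator.responsive:
            return False, "stalled: coordinator unresponsive"
        live = self.live_relayers()
        if len(live) < WITHDRAW_QUORUM:
            return False, f"stalled: {len(live)}/{WITHDRAW_QUORUM} signers live"
        return True, f"signable with {live}"


if __name__ == "__main__":
    bridge = BridgeLiveness()
    for _ in range(2):
        print("relayer-3 probe:", bridge.probe("relayer-3", False))
    print("deposit:", bridge.deposit_status(["relayer-1", "relayer-2", "relayer-4", "relayer-5"]))
    print("withdrawal:", bridge.withdrawal_status())
    for _ in range(2):
        print("coordinator probe:", bridge.probe("coordinator", False))
    print("withdrawal:", bridge.withdrawal_status())
    print("deposit:", bridge.deposit_status(ATTESTORS))
```

Note the asymmetry this makes visible: one relayer down stalls every deposit but leaves withdrawals signable, whereas the coordinator going down stalls every withdrawal and no deposit, which is exactly why the Relayer Failure and Coordinator Failure playbooks differ. The coordinator also never appears as a signer here; it only gates aggregation, matching the "must not be given signing capability" rule.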


Governance & Transparency

  • All critical parameters (attestor set, FROST key, contract versions) are governed via on-chain voting.

  • Governance changes are final only once executed on-chain.

  • Operators and the Foundation must maintain a public changelog documenting:

    • Governance proposals and results.

    • Key/attestor rotations.

    • Known issues and incident reports.


Principles

  1. Safety before liveness: Funds must never move unless all security conditions are satisfied, even if this causes delays.

  2. Transparency: All key ceremonies, incidents, and governance changes must be publicly documented.

  3. Least Authority: Relayers may only sign/attest; coordinator may only aggregate; no component has unilateral power.

  4. Community Accountability: Governance decisions are visible and binding on-chain.