Skip to content
Oris Docs
Sign in Get API Key

Incident response

Every layer has a documented failure mode and a documented response. The principle: fail closed. No payment moves without a valid signed verdict.

Sanctions feed outage

Trigger: one of the six feeds returns stale data or 5xx for more than ten minutes.

Response:

  1. Veris hot path continues with remaining sources.
  2. WARN alert fires on the affected feed.
  3. If two feeds go down, all risk_tier decisions tighten one level (Medium becomes High, etc.) until restoration.
  4. If three or more feeds go down, the engine fails closed: all attestations return Blocked.

L3 Veris service down

Trigger: gRPC ping fails for more than thirty seconds.

Response:

  1. Pre-fail switch the engine to read-only mode (no new attestations).
  2. Pending payments queue with the verifier for retry.
  3. Operators run the Veris service restart playbook.
  4. Cached attestations within 60-second TTL continue to satisfy in-flight bundles.

L6 verifier downtime

Trigger: /verify/health returns 5xx for more than fifteen seconds.

Response:

  1. Networks switch to cached verifier pubkey + offline verification (see offline verification).
  2. The Solidity reference verifier on Base remains available.
  3. Operators restart the HTTP service.

Mass revocation event

Trigger: more than 100 Tier 1 revocations in a single flush cycle.

Response:

  1. Continue normal flush cadence (do not skip).
  2. CRIT alert fires.
  3. Operations reviews the trigger source (OFAC update, fraud incident, internal action).
  4. Communicate to subscribed networks via webhook.

Signing key compromise

Trigger: any signal that an MPC share has leaked.

Response:

  1. Immediate rotation per key rotation procedure.
  2. The old key continues to verify already-signed bundles within the one-hour overlap window.
  3. CRIT alert + post-mortem mandatory.
  4. Audit log entries marked for regulator notification.

On-chain anchor lag

Trigger: more than ninety minutes since the last anchor commit.

Response:

  1. WARN alert.
  2. Operators verify Base node connectivity.
  3. If the commit transaction failed, re-submit with higher gas.
  4. The audit chain itself is unaffected; only the on-chain confirmation lags.

Where to go next