Emergency Freeze and Unwind Logic

Surf is designed with the assumption that extreme situations will occur.

Markets break. Protocols fail. Oracles desync. Liquidity disappears. Smart contracts get attacked. Black swans happen.

The system must be able to stop and safely exit without relying on human reaction time.

This is the role of the Emergency Freeze and Unwind Logic.


Purpose

The goal is simple:

When something goes wrong, capital must stop moving immediately, risk must stop increasing, and positions must be exited in a controlled, verifiable way.

Not after a committee call. Not after governance voting. Not after social media notices.

By architecture.


Freeze Triggers

A global or vault-specific freeze can be triggered when any of the following occur:

Market and Liquidity Events

  • Sudden liquidity collapse

  • Slippage beyond bounded thresholds

  • Abnormal utilisation spikes

  • Failed atomic execution paths

Protocol Health Events

  • Oracle deviation beyond safety bounds

  • Price feed outages or stale updates

  • Smart contract exploit disclosures

  • Emergency pause or shutdown by underlying protocol

System Integrity Events

• Guardian rule violations

• Unexpected state transitions

• Simulation divergence from on-chain outcomes

• MPC signer anomalies or quorum loss

Anomaly Detection

• Behavioural patterns outside historical distributions

• Correlated failures across venues

• Sudden volatility regime shifts

When any trigger fires, execution is halted.

No new allocations. No rebalances. No leverage increases. No routing.


Freeze Scope

Freezes can operate at three levels:

Vault Level

Isolates a single user vault or strategy instance.

Strategy Level

Halts all execution for a given strategy class across all vaults.

System Level

Global halt across the entire Surf execution layer.

This ensures containment without overreacting.


Unwind Logic

Once frozen, the system enters controlled unwind mode.

This is not a panic sell. It is a deterministic, stepwise exit process.

Key principles:

Order of Operations

• Highest risk exposures reduced first

• Illiquid positions unwound before liquid ones degrade

• Leverage closed before principal is reallocated

Execution Safety

• Only allowlisted exit paths

• Slippage bounds enforced

• Partial fills allowed with state checkpoints

• Atomic batch execution where possible

Capital Preservation

• Prioritise solvency over yield

• Accept lower execution quality to guarantee exit

• Avoid forced liquidations unless unavoidable


Guardian Layer Enforcement

Freeze and unwind are enforced by the Guardian Layer, not by operators.

Once triggered:

  • AI cannot override

  • Human operators cannot bypass

  • Smart contracts reject unsafe state transitions

  • Signing policies restrict all non-exit flows

The system moves from optimisation mode to protection mode.
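
An added example, not Surf's code, of how the freeze scopes and the Guardian rule above can be enforced at a single authorization point: a trigger freezes a scope, and every action covered by that scope is rejected unless it is an exit flow. The class, action names and thresholds are assumptions; the page specifies none.

```python
from dataclasses import dataclass, field

# Assumed values for illustration only; the page gives no thresholds or action names.
MAX_ORACLE_DEVIATION = 0.02   # assumed bound: 2% between primary and reference price
MAX_FEED_AGE_S = 120          # assumed staleness bound, in seconds
EXIT_ACTIONS = {"close_leverage", "withdraw_to_vault"}  # assumed allowlisted exit flows

@dataclass(frozen=True)
class Action:
    kind: str      # e.g. "rebalance", "allocate", "close_leverage"
    vault: str
    strategy: str

@dataclass
class Guardian:
    # Maps a frozen scope to the reason recorded for audit.
    frozen: dict = field(default_factory=dict)

    def freeze(self, scope, reason):
        """scope is ("vault", id), ("strategy", id) or ("system", None)."""
        self.frozen.setdefault(scope, reason)  # first reason is kept; no unfreeze path

    def check_oracle(self, scope, primary, reference, age_s):
        """Freeze the scope on a stale, invalid or deviating price feed."""
        if age_s > MAX_FEED_AGE_S:
            self.freeze(scope, f"stale feed: {age_s}s")
        elif reference <= 0:
            self.freeze(scope, "invalid reference price")
        elif abs(primary - reference) / reference > MAX_ORACLE_DEVIATION:
            self.freeze(scope, "oracle deviation beyond bound")

    def freeze_reason(self, action):
        """Reason of the widest freeze covering this action, or None."""
        for scope in (("system", None), ("strategy", action.strategy),
                      ("vault", action.vault)):
            if scope in self.frozen:
                return self.frozen[scope]
        return None

    def authorize(self, action):
        """Under a freeze only exit flows pass; there is no override argument."""
        reason = self.freeze_reason(action)
        if reason is None:
            return True, "ok"
        if action.kind in EXIT_ACTIONS:
            return True, f"exit permitted during freeze ({reason})"
        return False, f"rejected: {reason}"
```
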


Observability and Auditability

Every freeze and unwind event produces:

  • On-chain state markers

  • Execution logs

  • Rule violation reasons

  • Oracle snapshots

  • Slippage and liquidity telemetry

This allows:

  • Post-incident analysis

  • External audit review

  • Transparency to users and institutions

  • Continuous improvement of safety rules


Why This Matters

Most DeFi systems assume:

“Markets are liquid and contracts are fine.”

Surf assumes:

“Something will break, and when it does, the system must survive it.”

Emergency Freeze and Unwind Logic ensures:

  • Capital cannot spiral into cascading loss

  • Automation cannot amplify failure

  • Black swans are contained, not multiplied

  • Users remain in control even during chaos

This is how autonomous execution becomes resilient.

Not by hoping things go well. By designing for when they do not.
