Breakglass

Agentic incident response for Safe treasuries: monitor, investigate, and contain risk.


Open Agents

Project Description

BreakGlass is a 24/7 agentic incident-response system for Safe multisig treasuries. It monitors any Safe address across 22 chains every 30 seconds, and when a suspicious pending transaction appears, it does something no alert tool does: it investigates.

A multi-turn AI investigation agent gathers on-chain evidence before forming a verdict — Safe wallet configuration, counterparty address type, token metadata, recent Safe activity. For unrecognized transactions, it goes further: it decodes raw calldata against the 4byte.directory signature database, unpacks Safe MultiSend batches to expose hidden sub-calls (a known attack vector), and scans for proxy upgrade patterns, Permit2 abuse, and flash loan callbacks. It then returns a structured verdict — HALT, INVESTIGATE, or APPROVE — with specific findings and an operator recommendation.

Known high-confidence incidents (suspicious approvals, ownership changes, threshold reductions, module enablements, large transfers) compile into deterministic runbooks with dependency-ordered containment steps. Novel transactions route to the open-ended investigation path, where the agent forms its own threat hypothesis from first principles.
Independent peer reviewer nodes on Gensyn AXL assess each containment plan before execution. KeeperHub simulates every runbook step. Incident receipts are anchored on-chain via 0G. One click from the dashboard submits a rejection transaction directly to the Safe queue.

The design principle: AI agents investigate and review. Deterministic policy constrains execution. Treasury response should be agent-assisted, not agent-unbounded.

How it's Made

BreakGlass is a Node.js monorepo with four apps (orchestrator, dashboard, agent-reviewer, agent-router) and six packages (policies, runbooks, agent-mesh, ai, integrations, storage-0g).
The investigation agent in packages/ai/src/investigator.js uses native multi-turn tool calling with Gemini (function declarations) and Anthropic (tool_use blocks). The agent decides which tools to call and in what order — it is not pre-scripted. For known incidents, it follows a structured evidence-gathering path. For novel transactions it receives a different system prompt that instructs it to form an independent threat hypothesis. Three new tools extend the existing four: decode_calldata resolves function selectors against the 4byte.directory API and flags known attack signatures; decode_multisend parses Safe MultiSend binary encoding to expose every sub-call, its operation type, and any matching attack pattern; scan_attack_patterns locally matches calldata against proxy upgrade, Permit2, flash loan, and delegatecall signatures. The provider cascade is Gemini → Anthropic → Nvidia → Mistral → OpenRouter with automatic fallback.

Peer review runs over Gensyn AXL via MCP. Each reviewer node receives the incident and compiled runbook, independently verifies that the first containment step matches the correct deterministic rule for that incident class, and optionally calls an LLM for additional reasoning. Quorum gates execution.

KeeperHub receives every runbook step via webhook for simulation. Safe SDK handles rejection transaction preparation and execution. 0G stores signed incident receipts on-chain (txHash + rootHash). The dashboard renders investigation verdicts, key findings, tool call evidence, and the full containment runbook — all server-side rendered with no framework dependencies.

The novel threat demo loads a MultiSend transaction containing a hidden upgradeToAndCall proxy upgrade sub-call that bypasses all five deterministic detectors. The investigation agent decodes the batch, identifies the sub-call selector as a proxy upgrade pattern, and returns HALT.
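The decode_multisend and scan_attack_patterns steps described above, and the hidden-upgrade demo, as an added example that is not BreakGlass's own code: it decodes Safe multiSend(bytes) calldata into its packed sub-calls and flags proxy-upgrade selectors or DELEGATECALL operations. The addresses, amounts and the two-call batch are constructed sample data; the multiSend and upgrade selectors are the public ones.

```javascript
// Added example, not BreakGlass's own code: decode Safe multiSend(bytes) calldata into its
// sub-calls and flag proxy-upgrade selectors or DELEGATECALL operations. Node.js Buffer only.
const MULTISEND_SELECTOR = '8d80ff0a'; // multiSend(bytes)
const ATTACK_SELECTORS = {             // public ERC1967/UUPS proxy upgrade selectors
  '4f1ef286': 'upgradeToAndCall(address,bytes)',
  '3659cfe6': 'upgradeTo(address)',
};
const hexToBuf = (hex) => Buffer.from(hex.replace(/^0x/, ''), 'hex');
const word = (n) => n.toString(16).padStart(64, '0'); // 32-byte big-endian hex word
const readUint = (buf, start, end) => Number(BigInt('0x' + buf.subarray(start, end).toString('hex')));
// Packed sub-call layout: operation (1) | to (20) | value (32) | dataLength (32) | data.
function decodeMultiSend(calldataHex) {
  const buf = hexToBuf(calldataHex);
  if (buf.subarray(0, 4).toString('hex') !== MULTISEND_SELECTOR) throw new Error('not multiSend(bytes)');
  const offset = readUint(buf, 4, 36);                // ABI head: offset of the bytes argument,
  const len = readUint(buf, 4 + offset, 36 + offset); // then its length word, then the packed data
  const packed = buf.subarray(36 + offset, 36 + offset + len);
  const calls = [];
  for (let i = 0; i < packed.length; ) {
    if (i + 85 > packed.length) throw new Error('truncated MultiSend header');
    const dataLen = readUint(packed, i + 53, i + 85);
    const data = packed.subarray(i + 85, i + 85 + dataLen);
    if (data.length !== dataLen) throw new Error('truncated MultiSend data');
    calls.push({ operation: packed[i], to: '0x' + packed.subarray(i + 1, i + 21).toString('hex'), // 0 = CALL, 1 = DELEGATECALL
      value: BigInt('0x' + packed.subarray(i + 21, i + 53).toString('hex')), selector: data.subarray(0, 4).toString('hex') });
    i += 85 + dataLen;
  }
  return calls;
}
// Detection rules over the decoded batch; any finding is grounds for a HALT verdict.
function scanAttackPatterns(calls) {
  return calls.flatMap((c, i) => [
    ...(ATTACK_SELECTORS[c.selector] ? [`sub-call ${i}: proxy upgrade ${ATTACK_SELECTORS[c.selector]} on ${c.to}`] : []),
    ...(c.operation === 1 ? [`sub-call ${i}: DELEGATECALL to ${c.to}`] : []),
  ]);
}
// Encoder used only to build the constructed sample (inverse of decodeMultiSend, ABI-wrapped).
function encodeMultiSend(txs) {
  const packed = Buffer.concat(txs.map((t) => Buffer.concat([
    Buffer.from([t.operation]), hexToBuf(t.to), hexToBuf(word(t.value)),
    hexToBuf(word(hexToBuf(t.data).length)), hexToBuf(t.data),
  ])));
  const padded = packed.toString('hex').padEnd(Math.ceil(packed.length / 32) * 64, '0');
  return '0x' + MULTISEND_SELECTOR + word(32) + word(packed.length) + padded;
}
// Constructed sample: a benign-looking ERC20 transfer batched with a hidden upgradeToAndCall.
const SAMPLE = encodeMultiSend([
  { operation: 0, to: '0x' + '11'.repeat(20), value: 0n, data: '0xa9059cbb' + word(BigInt('0x' + '22'.repeat(20))) + word(10n ** 18n) },
  { operation: 0, to: '0x' + '33'.repeat(20), value: 0n, data: '0x4f1ef286' + word(BigInt('0x' + '44'.repeat(20))) + word(64) + word(0) },
]);
```

Running `scanAttackPatterns(decodeMultiSend(SAMPLE))` yields one finding for sub-call 1, the upgradeToAndCall on the proxy, while the transfer in sub-call 0 produces none.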


Breakglass | ETHGlobal