An emergency recovery mechanism for the governance contract is included as a fallback in case something goes wrong with the governance contracts and they are no longer usable (e.g, if they are bricked because of a smart contract bug or incorrect parameterization change).

The emergency recovery mechanism is composed of a backup multisig combined with an optimistic approval mechanism and various safeguards as implemented in EmergencyRecovery.

The emergency recovery mechanism has the following properties:

• Multisig signers are assigned by governance and can be changed at any time

• The multisig can initiate an upgrade to the governance contract subject to a timelock

• (Optimistic approval) during the timelock, governance can vote to override the upgrade

• Emergency recovery has a sunset built in, which can optionally be extended by governance