From eece937010939fb91d7f38ccdb3af0b2d055e552 Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 16:30:44 -0400
Subject: [PATCH 1/9] chore(mainnet): add incident multisig signer task

Set up a mainnet safe-management task for adding and removing multiple Incident Multisig signers with placeholder owner diffs.

Co-authored-by: Codex <noreply@openai.com>
---
 .../2026-05-13-incident-multisig-signers/.env |  14 ++
 .../FACILITATOR.md                            |  22 +++
 .../Makefile                                  |  30 ++++
 .../OwnerDiff.json                            |  12 ++
 .../README.md                                 |  54 ++++++++
 .../foundry.toml                              |  23 +++
 .../script/UpdateSigners.s.sol                | 131 ++++++++++++++++++
 7 files changed, 286 insertions(+)
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/.env
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/Makefile
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/README.md
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/foundry.toml
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol

diff --git a/mainnet/2026-05-13-incident-multisig-signers/.env b/mainnet/2026-05-13-incident-multisig-signers/.env
new file mode 100644
index 00000000..224e6986
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/.env
@@ -0,0 +1,14 @@
+# Required: Git commit hash for https://github.com/base/contracts
+BASE_CONTRACTS_COMMIT=be7c7a642e430fa64b04b63203839f8c81f48466
+
+# Network-specific addresses are automatically loaded from {network}/.env via include ../.env
+
+# Required: Address of the Gnosis Safe whose signers will be updated
+OWNER_SAFE=0x14536667Cd30e52C0b458BaACcB9faDA7046E056
+
+# Required: Address of a signer on OWNER_SAFE (used for simulation)
+# Must also match the sender defined in validations/base-signer.json
+SENDER=TODO
+
+# Enable state diff recording for validation
+RECORD_STATE_DIFF=true
diff --git a/mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md b/mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md
new file mode 100644
index 00000000..f3a0b84b
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md
@@ -0,0 +1,22 @@
+# Facilitator Guide
+
+Guide for facilitators managing this task.
+
+## Task Origin Signing
+
+After setting up the task, generate cryptographic attestations (sigstore bundles) to prove who created and facilitated the task. These signatures are stored in `<network>/signatures/<task-name>/`.
+
+### Task creator (run after task setup):
+```bash
+make sign-as-task-creator
+```
+
+### Base facilitator:
+```bash
+make sign-as-base-facilitator
+```
+
+### Security Council facilitator:
+```bash
+make sign-as-sc-facilitator
+```
diff --git a/mainnet/2026-05-13-incident-multisig-signers/Makefile b/mainnet/2026-05-13-incident-multisig-signers/Makefile
new file mode 100644
index 00000000..2b74b434
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/Makefile
@@ -0,0 +1,30 @@
+include ../../Makefile
+include ../../Multisig.mk
+include ../.env
+include .env
+
+RPC_URL = $(L1_RPC_URL)
+SCRIPT_NAME = UpdateSigners
+
+# Validate required configuration before execution
+.PHONY: validate-config
+validate-config:
+	@test -n "$(BASE_CONTRACTS_COMMIT)" -a "$(BASE_CONTRACTS_COMMIT)" != "TODO" || (echo "BASE_CONTRACTS_COMMIT required" && exit 1)
+	@test -n "$(OWNER_SAFE)" -a "$(OWNER_SAFE)" != "TODO" || (echo "OWNER_SAFE required" && exit 1)
+	@test -n "$(SENDER)" -a "$(SENDER)" != "TODO" || (echo "SENDER required" && exit 1)
+	@echo "Configuration validated successfully"
+
+.PHONY: deps
+deps: new-forge-deps
+
+.PHONY: new-forge-deps
+new-forge-deps:
+	forge install --no-git safe-global/safe-smart-account@186a21a74b327f17fc41217a927dea7064f74604
+
+.PHONY: gen-validation
+gen-validation: validate-config deps-signer-tool
+	$(call GEN_VALIDATION,$(SCRIPT_NAME),,$(SENDER),base-signer.json,)
+
+.PHONY: execute
+execute: validate-config
+	$(call MULTISIG_EXECUTE,$(SIGNATURES))
diff --git a/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
new file mode 100644
index 00000000..6ad463ec
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
@@ -0,0 +1,12 @@
+{
+  "OwnersToAdd": [
+    "0x1111111111111111111111111111111111111111",
+    "0x2222222222222222222222222222222222222222",
+    "0x3333333333333333333333333333333333333333"
+  ],
+  "OwnersToRemove": [
+    "0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+    "0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
+    "0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
+  ]
+}
diff --git a/mainnet/2026-05-13-incident-multisig-signers/README.md b/mainnet/2026-05-13-incident-multisig-signers/README.md
new file mode 100644
index 00000000..5af716e4
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/README.md
@@ -0,0 +1,54 @@
+# Update Mainnet Incident Multisig Signers
+
+Status: TODO
+
+## Description
+
+We wish to update the owners of our [Incident Multisig](https://etherscan.io/address/0x14536667Cd30e52C0b458BaACcB9faDA7046E056) on Mainnet to be consistent with the current state of our Base Chain Eng team. This involves removing signers that are no longer closely involved with the team, and adding new team members as signers. The exact signer changes are outlined in the [OwnerDiff.json](./OwnerDiff.json) file.
+
+Before generating validations, replace the placeholder addresses in [OwnerDiff.json](./OwnerDiff.json) and set `SENDER` in [.env](./.env) to a current signer of the Incident Multisig.
+
+## Install dependencies
+
+### 1. Update foundry
+
+```bash
+foundryup
+```
+
+### 2. Install Node.js if needed
+
+First, check if you have node installed
+
+```bash
+node --version
+```
+
+If you see a version output from the above command, you can move on. Otherwise, install node
+
+```bash
+brew install node
+```
+
+## Approving Signers Update
+
+### 1. Update repo:
+
+```bash
+cd contract-deployments
+git pull
+```
+
+### 2. Run the signing tool (NOTE: do not enter the task directory. Run this command from the project's root).
+
+```bash
+make sign-task
+```
+
+### 3. Open the UI at [http://localhost:3000](http://localhost:3000)
+
+Be sure to select the correct task from the list of available tasks to sign.
+
+### 4. Send signature to facilitator
+
+You may now kill the Signer Tool process in your terminal window by running `Ctrl + C`.
diff --git a/mainnet/2026-05-13-incident-multisig-signers/foundry.toml b/mainnet/2026-05-13-incident-multisig-signers/foundry.toml
new file mode 100644
index 00000000..5b8fe4ae
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/foundry.toml
@@ -0,0 +1,23 @@
+[profile.default]
+src = 'src'
+out = 'out'
+libs = ['lib']
+broadcast = 'records'
+fs_permissions = [{ access = "read-write", path = "./" }]
+optimizer = true
+optimizer_runs = 999999
+solc_version = "0.8.15"
+via-ir = false
+remappings = [
+    '@eth-optimism-bedrock/=lib/optimism/packages/contracts-bedrock/',
+    '@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts',
+    '@openzeppelin/contracts-upgradeable/=lib/openzeppelin-contracts-upgradeable/contracts',
+    '@rari-capital/solmate/=lib/solmate/',
+    '@base-contracts/=lib/contracts',
+    '@solady/=lib/solady/src/',
+]
+
+[lint]
+lint_on_build = false
+
+# See more config options https://github.com/foundry-rs/foundry/tree/master/config
diff --git a/mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol b/mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol
new file mode 100644
index 00000000..958b42a3
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol
@@ -0,0 +1,131 @@
+// SPDX-License-Identifier: MIT
+pragma solidity 0.8.15;
+
+import {Vm} from "forge-std/Vm.sol";
+import {stdJson} from "forge-std/StdJson.sol";
+import {Simulation} from "@base-contracts/script/universal/Simulation.sol";
+
+import {MultisigScript} from "@base-contracts/script/universal/MultisigScript.sol";
+import {GnosisSafe} from "safe-smart-account/GnosisSafe.sol";
+import {OwnerManager} from "safe-smart-account/base/OwnerManager.sol";
+import {Enum} from "@base-contracts/script/universal/IGnosisSafe.sol";
+
+contract UpdateSigners is MultisigScript {
+    using stdJson for string;
+
+    address public constant SENTINEL_OWNERS = address(0x1);
+
+    address public immutable OWNER_SAFE;
+    uint256 public immutable THRESHOLD;
+    address[] public EXISTING_OWNERS;
+
+    address[] public OWNERS_TO_ADD;
+    address[] public OWNERS_TO_REMOVE;
+
+    mapping(address => address) public ownerToPrevOwner;
+    mapping(address => address) public ownerToNextOwner;
+    mapping(address => bool) public expectedOwner;
+
+    constructor() {
+        OWNER_SAFE = vm.envAddress("OWNER_SAFE");
+
+        GnosisSafe ownerSafe = GnosisSafe(payable(OWNER_SAFE));
+        THRESHOLD = ownerSafe.getThreshold();
+        EXISTING_OWNERS = ownerSafe.getOwners();
+
+        string memory rootPath = vm.projectRoot();
+        string memory path = string.concat(rootPath, "/OwnerDiff.json");
+        string memory jsonData = vm.readFile(path);
+
+        OWNERS_TO_ADD = abi.decode(jsonData.parseRaw(".OwnersToAdd"), (address[]));
+        OWNERS_TO_REMOVE = abi.decode(jsonData.parseRaw(".OwnersToRemove"), (address[]));
+    }
+
+    function setUp() external {
+        require(OWNERS_TO_ADD.length > 0, "Precheck 00");
+        require(OWNERS_TO_REMOVE.length > 0, "Precheck 01");
+
+        GnosisSafe ownerSafe = GnosisSafe(payable(OWNER_SAFE));
+        address prevOwner = SENTINEL_OWNERS;
+
+        for (uint256 i = OWNERS_TO_ADD.length; i > 0; i--) {
+            uint256 index = i - 1;
+            // Make sure owners to add are not already owners
+            require(!ownerSafe.isOwner(OWNERS_TO_ADD[index]), "Precheck 03");
+            // Prevent duplicates
+            require(!expectedOwner[OWNERS_TO_ADD[index]], "Precheck 04");
+
+            ownerToPrevOwner[OWNERS_TO_ADD[index]] = prevOwner;
+            ownerToNextOwner[prevOwner] = OWNERS_TO_ADD[index];
+            prevOwner = OWNERS_TO_ADD[index];
+            expectedOwner[OWNERS_TO_ADD[index]] = true;
+        }
+
+        for (uint256 i; i < EXISTING_OWNERS.length; i++) {
+            ownerToPrevOwner[EXISTING_OWNERS[i]] = prevOwner;
+            ownerToNextOwner[prevOwner] = EXISTING_OWNERS[i];
+            prevOwner = EXISTING_OWNERS[i];
+            expectedOwner[EXISTING_OWNERS[i]] = true;
+        }
+
+        for (uint256 i; i < OWNERS_TO_REMOVE.length; i++) {
+            // Make sure owners to remove are owners
+            require(ownerSafe.isOwner(OWNERS_TO_REMOVE[i]), "Precheck 05");
+            // Prevent duplicates
+            require(expectedOwner[OWNERS_TO_REMOVE[i]], "Precheck 06");
+            expectedOwner[OWNERS_TO_REMOVE[i]] = false;
+
+            // Remove from linked list to keep ownerToPrevOwner up to date
+            // Note: This works as long as the order of OWNERS_TO_REMOVE does not change during `_buildCalls()`
+            address nextOwner = ownerToNextOwner[OWNERS_TO_REMOVE[i]];
+            address prevPtr = ownerToPrevOwner[OWNERS_TO_REMOVE[i]];
+            ownerToPrevOwner[nextOwner] = prevPtr;
+            ownerToNextOwner[prevPtr] = nextOwner;
+        }
+    }
+
+    function _postCheck(Vm.AccountAccess[] memory, Simulation.Payload memory) internal view override {
+        GnosisSafe ownerSafe = GnosisSafe(payable(OWNER_SAFE));
+        address[] memory postCheckOwners = ownerSafe.getOwners();
+        uint256 postCheckThreshold = ownerSafe.getThreshold();
+
+        uint256 expectedLength = EXISTING_OWNERS.length + OWNERS_TO_ADD.length - OWNERS_TO_REMOVE.length;
+
+        require(postCheckThreshold == THRESHOLD, "Postcheck 00");
+        require(postCheckOwners.length == expectedLength, "Postcheck 01");
+
+        for (uint256 i; i < postCheckOwners.length; i++) {
+            require(expectedOwner[postCheckOwners[i]], "Postcheck 02");
+        }
+    }
+
+    function _buildCalls() internal view override returns (Call[] memory) {
+        Call[] memory calls = new Call[](OWNERS_TO_ADD.length + OWNERS_TO_REMOVE.length);
+
+        for (uint256 i; i < OWNERS_TO_ADD.length; i++) {
+            calls[i] = Call({
+                operation: Enum.Operation.Call,
+                target: OWNER_SAFE,
+                data: abi.encodeCall(OwnerManager.addOwnerWithThreshold, (OWNERS_TO_ADD[i], THRESHOLD)),
+                value: 0
+            });
+        }
+
+        for (uint256 i; i < OWNERS_TO_REMOVE.length; i++) {
+            calls[OWNERS_TO_ADD.length + i] = Call({
+                operation: Enum.Operation.Call,
+                target: OWNER_SAFE,
+                data: abi.encodeCall(
+                    OwnerManager.removeOwner, (ownerToPrevOwner[OWNERS_TO_REMOVE[i]], OWNERS_TO_REMOVE[i], THRESHOLD)
+                ),
+                value: 0
+            });
+        }
+
+        return calls;
+    }
+
+    function _ownerSafe() internal view override returns (address) {
+        return OWNER_SAFE;
+    }
+}

From 3bd3007dfe60eac32a2a6ea43e0d74b57c91bd63 Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 16:40:06 -0400
Subject: [PATCH 2/9] chore(mainnet): update incident task contracts commit

Use the latest base/contracts commit and trim explicit Foundry remappings to the remaining base-contracts alias. Update imports for the latest base/contracts scripts directory layout.

Co-authored-by: Codex <noreply@openai.com>
---
 mainnet/2026-05-13-incident-multisig-signers/.env          | 2 +-
 mainnet/2026-05-13-incident-multisig-signers/foundry.toml  | 7 +------
 .../script/UpdateSigners.s.sol                             | 6 +++---
 3 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/mainnet/2026-05-13-incident-multisig-signers/.env b/mainnet/2026-05-13-incident-multisig-signers/.env
index 224e6986..46e3b63c 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/.env
+++ b/mainnet/2026-05-13-incident-multisig-signers/.env
@@ -1,5 +1,5 @@
 # Required: Git commit hash for https://github.com/base/contracts
-BASE_CONTRACTS_COMMIT=be7c7a642e430fa64b04b63203839f8c81f48466
+BASE_CONTRACTS_COMMIT=8b5baf316c8dd1011b8b0dcfa9f6eac5a0f216e5
 
 # Network-specific addresses are automatically loaded from {network}/.env via include ../.env
 
diff --git a/mainnet/2026-05-13-incident-multisig-signers/foundry.toml b/mainnet/2026-05-13-incident-multisig-signers/foundry.toml
index 5b8fe4ae..66c234aa 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/foundry.toml
+++ b/mainnet/2026-05-13-incident-multisig-signers/foundry.toml
@@ -9,12 +9,7 @@ optimizer_runs = 999999
 solc_version = "0.8.15"
 via-ir = false
 remappings = [
-    '@eth-optimism-bedrock/=lib/optimism/packages/contracts-bedrock/',
-    '@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts',
-    '@openzeppelin/contracts-upgradeable/=lib/openzeppelin-contracts-upgradeable/contracts',
-    '@rari-capital/solmate/=lib/solmate/',
-    '@base-contracts/=lib/contracts',
-    '@solady/=lib/solady/src/',
+    '@base-contracts/=lib/contracts/',
 ]
 
 [lint]
diff --git a/mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol b/mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol
index 958b42a3..65b7fbb1 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol
+++ b/mainnet/2026-05-13-incident-multisig-signers/script/UpdateSigners.s.sol
@@ -3,12 +3,12 @@ pragma solidity 0.8.15;
 
 import {Vm} from "forge-std/Vm.sol";
 import {stdJson} from "forge-std/StdJson.sol";
-import {Simulation} from "@base-contracts/script/universal/Simulation.sol";
+import {Simulation} from "@base-contracts/scripts/universal/Simulation.sol";
 
-import {MultisigScript} from "@base-contracts/script/universal/MultisigScript.sol";
+import {MultisigScript} from "@base-contracts/scripts/universal/MultisigScript.sol";
 import {GnosisSafe} from "safe-smart-account/GnosisSafe.sol";
 import {OwnerManager} from "safe-smart-account/base/OwnerManager.sol";
-import {Enum} from "@base-contracts/script/universal/IGnosisSafe.sol";
+import {Enum} from "@base-contracts/scripts/universal/IGnosisSafe.sol";
 
 contract UpdateSigners is MultisigScript {
     using stdJson for string;

From 55271f8139f38b0a4c5f6a06fdc0879a2b3fc26e Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 16:48:39 -0400
Subject: [PATCH 3/9] chore(mainnet): fill incident multisig signer diff

Replace placeholder mainnet Incident Multisig owner add and remove entries with the requested signer addresses.

Co-authored-by: Codex <noreply@openai.com>
---
 .../OwnerDiff.json                                  | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
index 6ad463ec..45555690 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
+++ b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
@@ -1,12 +1,13 @@
 {
   "OwnersToAdd": [
-    "0x1111111111111111111111111111111111111111",
-    "0x2222222222222222222222222222222222222222",
-    "0x3333333333333333333333333333333333333333"
+    "0x082Cc00d1031a57d53496aBf6dAD8A6247159452",
+    "0x0c1Ea3aCA9fc2cFa3640fec98a3214A849715b43",
+    "0x8fab0b6b31a0b50a2c3d1ffbe6c0e1125699ae9d"
   ],
   "OwnersToRemove": [
-    "0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
-    "0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
-    "0xCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
+    "0x4427683AA1f0ff25ccDC4a5Db83010c1DE9b5fF4",
+    "0xA31E1c38d5c37D8ECd0e94C80C0F7FD624d009A3",
+    "0x24c3AE1AeDB8142D32BB6d3B988f5910F272D53b",
+    "0x5468985B560D966dEDEa2DAF493f5756101137DC"
   ]
 }

From 3a6d37be7f75992ef108c065bd14ad73647e25a3 Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 16:56:43 -0400
Subject: [PATCH 4/9] chore(mainnet): set incident task sender

Set the mainnet Incident Multisig task sender to a current owner that is not removed by the task.

Co-authored-by: Codex <noreply@openai.com>
---
 mainnet/2026-05-13-incident-multisig-signers/.env | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mainnet/2026-05-13-incident-multisig-signers/.env b/mainnet/2026-05-13-incident-multisig-signers/.env
index 46e3b63c..1503ac51 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/.env
+++ b/mainnet/2026-05-13-incident-multisig-signers/.env
@@ -8,7 +8,7 @@ OWNER_SAFE=0x14536667Cd30e52C0b458BaACcB9faDA7046E056
 
 # Required: Address of a signer on OWNER_SAFE (used for simulation)
 # Must also match the sender defined in validations/base-signer.json
-SENDER=TODO
+SENDER=0x1841CB3C2ce6870D0417844C817849da64E6e937
 
 # Enable state diff recording for validation
 RECORD_STATE_DIFF=true

From 6db629a8bc8c0bdca17d113bc2294dae837e1c82 Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 17:09:35 -0400
Subject: [PATCH 5/9] chore(mainnet): ready incident signer task docs

Set the task docs to ready-to-sign and include facilitator validation and execution guidance.

Co-authored-by: Codex <noreply@openai.com>
---
 .../FACILITATOR.md                            | 42 ++++++++++++++++++-
 .../OwnerDiff.json                            |  2 +-
 .../README.md                                 |  6 ++-
 3 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md b/mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md
index f3a0b84b..7a1d00f7 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md
+++ b/mainnet/2026-05-13-incident-multisig-signers/FACILITATOR.md
@@ -1,10 +1,10 @@
 # Facilitator Guide
 
-Guide for facilitators managing this task.
+Guide for facilitators managing the mainnet Incident Multisig signer update.
 
 ## Task Origin Signing
 
-After setting up the task, generate cryptographic attestations (sigstore bundles) to prove who created and facilitated the task. These signatures are stored in `<network>/signatures/<task-name>/`.
+After setting up the task, generate cryptographic attestations (sigstore bundles) to prove who created and facilitated the task. These signatures are stored in `mainnet/signatures/2026-05-13-incident-multisig-signers/`.
 
 ### Task creator (run after task setup):
 ```bash
@@ -20,3 +20,41 @@ make sign-as-base-facilitator
 ```bash
 make sign-as-sc-facilitator
 ```
+
+## Generate Validation File
+
+Run this after any change to [OwnerDiff.json](./OwnerDiff.json), [.env](./.env), or [script/UpdateSigners.s.sol](./script/UpdateSigners.s.sol).
+
+```bash
+cd contract-deployments
+git pull
+cd mainnet/2026-05-13-incident-multisig-signers
+make deps
+make gen-validation
+```
+
+This produces `validations/base-signer.json`. Check that the `cmd` field uses:
+
+```text
+--sender 0x1841CB3C2ce6870D0417844C817849da64E6e937
+```
+
+## Collect Signatures
+
+Ask signers to follow [README.md](./README.md). They should run `make sign-task` from the repo root and select `mainnet/2026-05-13-incident-multisig-signers` in the signing UI.
+
+## Execute
+
+After collecting enough signatures:
+
+```bash
+cd contract-deployments
+git pull
+cd mainnet/2026-05-13-incident-multisig-signers
+make deps
+SIGNATURES=AAABBBCCC make execute
+```
+
+Replace `AAABBBCCC` with the concatenated signatures collected from signers.
+
+After execution, update [README.md](./README.md) status to `EXECUTED` with the transaction link and check in any generated execution records.
diff --git a/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
index 45555690..6d3eaf13 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
+++ b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
@@ -2,7 +2,7 @@
   "OwnersToAdd": [
     "0x082Cc00d1031a57d53496aBf6dAD8A6247159452",
     "0x0c1Ea3aCA9fc2cFa3640fec98a3214A849715b43",
-    "0x8fab0b6b31a0b50a2c3d1ffbe6c0e1125699ae9d"
+    "0x8faB0B6b31A0b50A2c3d1FFBE6C0e1125699aE9d"
   ],
   "OwnersToRemove": [
     "0x4427683AA1f0ff25ccDC4a5Db83010c1DE9b5fF4",
diff --git a/mainnet/2026-05-13-incident-multisig-signers/README.md b/mainnet/2026-05-13-incident-multisig-signers/README.md
index 5af716e4..46d4a2f2 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/README.md
+++ b/mainnet/2026-05-13-incident-multisig-signers/README.md
@@ -1,12 +1,12 @@
 # Update Mainnet Incident Multisig Signers
 
-Status: TODO
+Status: READY TO SIGN
 
 ## Description
 
 We wish to update the owners of our [Incident Multisig](https://etherscan.io/address/0x14536667Cd30e52C0b458BaACcB9faDA7046E056) on Mainnet to be consistent with the current state of our Base Chain Eng team. This involves removing signers that are no longer closely involved with the team, and adding new team members as signers. The exact signer changes are outlined in the [OwnerDiff.json](./OwnerDiff.json) file.
 
-Before generating validations, replace the placeholder addresses in [OwnerDiff.json](./OwnerDiff.json) and set `SENDER` in [.env](./.env) to a current signer of the Incident Multisig.
+The signer changes are configured in [OwnerDiff.json](./OwnerDiff.json), and the simulation sender is configured in [.env](./.env).
 
 ## Install dependencies
 
@@ -49,6 +49,8 @@ make sign-task
 
 Be sure to select the correct task from the list of available tasks to sign.
 
+Task name: `mainnet/2026-05-13-incident-multisig-signers`
+
 ### 4. Send signature to facilitator
 
 You may now kill the Signer Tool process in your terminal window by running `Ctrl + C`.

From 7c589de2351e52f6fc808a61fe790788dd3c6683 Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 17:24:44 -0400
Subject: [PATCH 6/9] Add mainnet incident multisig owner

Co-authored-by: Codex <noreply@openai.com>
---
 mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
index 6d3eaf13..321fe604 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
+++ b/mainnet/2026-05-13-incident-multisig-signers/OwnerDiff.json
@@ -2,7 +2,8 @@
   "OwnersToAdd": [
     "0x082Cc00d1031a57d53496aBf6dAD8A6247159452",
     "0x0c1Ea3aCA9fc2cFa3640fec98a3214A849715b43",
-    "0x8faB0B6b31A0b50A2c3d1FFBE6C0e1125699aE9d"
+    "0x8faB0B6b31A0b50A2c3d1FFBE6C0e1125699aE9d",
+    "0xD56C6462DC3A943596c7a54d6B0Dba404490E206"
   ],
   "OwnersToRemove": [
     "0x4427683AA1f0ff25ccDC4a5Db83010c1DE9b5fF4",

From c9010be47955d40c23059c6b37c2f9d5bb1744b4 Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 17:26:59 -0400
Subject: [PATCH 7/9] Remove mainnet task config validation

Co-authored-by: Codex <noreply@openai.com>
---
 .../2026-05-13-incident-multisig-signers/Makefile    | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/mainnet/2026-05-13-incident-multisig-signers/Makefile b/mainnet/2026-05-13-incident-multisig-signers/Makefile
index 2b74b434..3b45ac37 100644
--- a/mainnet/2026-05-13-incident-multisig-signers/Makefile
+++ b/mainnet/2026-05-13-incident-multisig-signers/Makefile
@@ -6,14 +6,6 @@ include .env
 RPC_URL = $(L1_RPC_URL)
 SCRIPT_NAME = UpdateSigners
 
-# Validate required configuration before execution
-.PHONY: validate-config
-validate-config:
-	@test -n "$(BASE_CONTRACTS_COMMIT)" -a "$(BASE_CONTRACTS_COMMIT)" != "TODO" || (echo "BASE_CONTRACTS_COMMIT required" && exit 1)
-	@test -n "$(OWNER_SAFE)" -a "$(OWNER_SAFE)" != "TODO" || (echo "OWNER_SAFE required" && exit 1)
-	@test -n "$(SENDER)" -a "$(SENDER)" != "TODO" || (echo "SENDER required" && exit 1)
-	@echo "Configuration validated successfully"
-
 .PHONY: deps
 deps: new-forge-deps
 
@@ -22,9 +14,9 @@ new-forge-deps:
 	forge install --no-git safe-global/safe-smart-account@186a21a74b327f17fc41217a927dea7064f74604
 
 .PHONY: gen-validation
-gen-validation: validate-config deps-signer-tool
+gen-validation: deps-signer-tool
 	$(call GEN_VALIDATION,$(SCRIPT_NAME),,$(SENDER),base-signer.json,)
 
 .PHONY: execute
-execute: validate-config
+execute:
 	$(call MULTISIG_EXECUTE,$(SIGNATURES))

From 18344baaaa1bc17f7dcd5810b6536236770104ad Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 17:27:57 -0400
Subject: [PATCH 8/9] Update mainnet signer tool pin

Co-authored-by: Codex <noreply@openai.com>
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 038b78c6..b58a7449 100644
--- a/Makefile
+++ b/Makefile
@@ -143,7 +143,7 @@ checkout-base-contracts-commit:
 ##
 # Task Signer Tool
 ##
-SIGNER_TOOL_COMMIT=db50e4234a5475a3f109e61a83fd047924916b41
+SIGNER_TOOL_COMMIT=43c55040fee45ec90a33400b10215f1756687ad7
 SIGNER_TOOL_PATH=signer-tool
 
 .PHONY: checkout-signer-tool

From d7e26deb75acdd7f0a808d0f972d81d17320755b Mon Sep 17 00:00:00 2001
From: Jack Chuma <jack.chuma@coinbase.com>
Date: Wed, 13 May 2026 19:01:26 -0400
Subject: [PATCH 9/9] Add mainnet incident signer validation

Co-authored-by: Codex <noreply@openai.com>
---
 .../validations/base-signer.json              | 138 ++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 mainnet/2026-05-13-incident-multisig-signers/validations/base-signer.json

diff --git a/mainnet/2026-05-13-incident-multisig-signers/validations/base-signer.json b/mainnet/2026-05-13-incident-multisig-signers/validations/base-signer.json
new file mode 100644
index 00000000..2ba2569b
--- /dev/null
+++ b/mainnet/2026-05-13-incident-multisig-signers/validations/base-signer.json
@@ -0,0 +1,138 @@
+{
+  "cmd": "forge script --rpc-url https://eth-mainnet.public.blastapi.io UpdateSigners --sig sign(address[]) [] --sender 0x1841CB3C2ce6870D0417844C817849da64E6e937",
+  "ledgerId": 0,
+  "rpcUrl": "https://eth-mainnet.public.blastapi.io",
+  "expectedDomainAndMessageHashes": {
+    "address": "0x14536667Cd30e52C0b458BaACcB9faDA7046E056",
+    "domainHash": "0xf3474c66ee08325b410c3f442c878d01ec97dd55a415a307e9d7d2ea24336289",
+    "messageHash": "0x753699c81ccbc257e50879009fa831002a29f7c1f51adbec42e1c24633233c77"
+  },
+  "stateOverrides": [
+    {
+      "name": "Incident Safe - Mainnet",
+      "address": "0x14536667Cd30e52C0b458BaACcB9faDA7046E056",
+      "overrides": [
+        {
+          "key": "0x0000000000000000000000000000000000000000000000000000000000000004",
+          "value": "0x0000000000000000000000000000000000000000000000000000000000000001",
+          "description": "Override the threshold to 1 so the transaction simulation can occur.",
+          "allowDifference": false
+        },
+        {
+          "key": "0x599c9e965dd1777a11bbf5f82e91ae3c228e9b1380c82f34e9428c742e419947",
+          "value": "0x0000000000000000000000000000000000000000000000000000000000000001",
+          "description": "Simulates an approval from msg.sender in order for the task simulation to succeed.",
+          "allowDifference": false
+        }
+      ]
+    }
+  ],
+  "stateChanges": [
+    {
+      "name": "Incident Safe - Mainnet",
+      "address": "0x14536667Cd30e52C0b458BaACcB9faDA7046E056",
+      "changes": [
+        {
+          "key": "0x0000000000000000000000000000000000000000000000000000000000000004",
+          "before": "0x0000000000000000000000000000000000000000000000000000000000000001",
+          "after": "0x0000000000000000000000000000000000000000000000000000000000000003",
+          "description": "Restores the execution threshold from the simulation override value 1 to the expected value 3.",
+          "allowDifference": false
+        },
+        {
+          "key": "0x0000000000000000000000000000000000000000000000000000000000000005",
+          "before": "0x0000000000000000000000000000000000000000000000000000000000000069",
+          "after": "0x000000000000000000000000000000000000000000000000000000000000006a",
+          "description": "Increments the Safe nonce from 105 to 106.",
+          "allowDifference": false
+        },
+        {
+          "key": "0x35f8ca6c240a9b89272a80f341f4a22b46f2a01c8311b54080373c9b91208c98",
+          "before": "0x00000000000000000000000026c72586fb396325f58718152fefa94e93cf177b",
+          "after": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "description": "Owners linked list: Removes signer 0x5468985b560d966dedea2daf493f5756101137dc by clearing its pointer to 0x26c72586fb396325f58718152fefa94e93cf177b.",
+          "allowDifference": false
+        },
+        {
+          "key": "0x56a2719ad2beef0c19441f84d407dd2c9784ca8c8f85fb6f5c8696628c63fd10",
+          "before": "0x0000000000000000000000004427683aa1f0ff25ccdc4a5db83010c1de9b5ff4",
+          "after": "0x000000000000000000000000b37b2d42cb0c10ebf96279cceca2cbfc47c6f236",
+          "description": "Owners linked list: Relinks signer 0x541a833e4303eb56a45be7e8e4a908db97568d1e to point to 0xb37b2d42cb0c10ebf96279cceca2cbfc47c6f236 after removing 0x4427683aa1f0ff25ccdc4a5db83010c1de9b5ff4 and 0xa31e1c38d5c37d8ecd0e94c80c0f7fd624d009a3.",
+          "allowDifference": false
+        },
+        {
+          "key": "0x738e743b0e4f327810ae0f138c7c5012854e2f43043547bef588cf84df24f166",
+          "before": "0x00000000000000000000000024c3ae1aedb8142d32bb6d3b988f5910f272d53b",
+          "after": "0x000000000000000000000000644e3dedb0e4f83bfcf8f9992964d240224b74dc",
+          "description": "Owners linked list: Relinks signer 0xb37b2d42cb0c10ebf96279cceca2cbfc47c6f236 to point to 0x644e3dedb0e4f83bfcf8f9992964d240224b74dc after removing 0x24c3ae1aedb8142d32bb6d3b988f5910f272d53b.",
+          "allowDifference": false
+        },
+        {
+          "key": "0x87fac1b7a53c40e489763073338f9f3a8d07a2058ee5f00a64dd1eeae74550a4",
+          "before": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "after": "0x000000000000000000000000082cc00d1031a57d53496abf6dad8a6247159452",
+          "description": "Owners linked list: Adds signer 0x0c1ea3aca9fc2cfa3640fec98a3214a849715b43 pointing to next owner 0x082cc00d1031a57d53496abf6dad8a6247159452.",
+          "allowDifference": false
+        },
+        {
+          "key": "0x95d1aa1bb172c2bf1f8f9d26147578664d9c87a13833e5ec836b94816dd5e63c",
+          "before": "0x0000000000000000000000005468985b560d966dedea2daf493f5756101137dc",
+          "after": "0x00000000000000000000000026c72586fb396325f58718152fefa94e93cf177b",
+          "description": "Owners linked list: Relinks signer 0x7ad8e6b7b1f6d66f49559f20053cef8a7b6c488e to point to 0x26c72586fb396325f58718152fefa94e93cf177b after removing 0x5468985b560d966dedea2daf493f5756101137dc.",
+          "allowDifference": false
+        },
+        {
+          "key": "0xaae1b570ab817af80d8c0d204fb15e028c217d77afad5a3c8113d93575274af8",
+          "before": "0x000000000000000000000000a31e1c38d5c37d8ecd0e94c80c0f7fd624d009a3",
+          "after": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "description": "Owners linked list: Removes signer 0x4427683aa1f0ff25ccdc4a5db83010c1de9b5ff4 by clearing its pointer to 0xa31e1c38d5c37d8ecd0e94c80c0f7fd624d009a3.",
+          "allowDifference": false
+        },
+        {
+          "key": "0xb15fe2848d40596069252cc647bd74a278cd49bf36cb5c08459942bd90414084",
+          "before": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "after": "0x0000000000000000000000000c1ea3aca9fc2cfa3640fec98a3214a849715b43",
+          "description": "Owners linked list: Adds signer 0x8fab0b6b31a0b50a2c3d1ffbe6c0e1125699ae9d pointing to next owner 0x0c1ea3aca9fc2cfa3640fec98a3214a849715b43.",
+          "allowDifference": false
+        },
+        {
+          "key": "0xb66edc9a114e89f02d0b7982582a48a539d388af46cfade8e93f01cba0973729",
+          "before": "0x000000000000000000000000b37b2d42cb0c10ebf96279cceca2cbfc47c6f236",
+          "after": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "description": "Owners linked list: Removes signer 0xa31e1c38d5c37d8ecd0e94c80c0f7fd624d009a3 by clearing its pointer to 0xb37b2d42cb0c10ebf96279cceca2cbfc47c6f236.",
+          "allowDifference": false
+        },
+        {
+          "key": "0xbb0ca364a5d59aeb597ecc0746c7932123c2f20efece9f164f8af2f2e5ee7618",
+          "before": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "after": "0x0000000000000000000000008fab0b6b31a0b50a2c3d1ffbe6c0e1125699ae9d",
+          "description": "Owners linked list: Adds signer 0xd56c6462dc3a943596c7a54d6b0dba404490e206 pointing to next owner 0x8fab0b6b31a0b50a2c3d1ffbe6c0e1125699ae9d.",
+          "allowDifference": false
+        },
+        {
+          "key": "0xd8206f987b26f969100b1584f87a78b15e14b9d64fcad9bdc2466f6cb7becb87",
+          "before": "0x000000000000000000000000644e3dedb0e4f83bfcf8f9992964d240224b74dc",
+          "after": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "description": "Owners linked list: Removes signer 0x24c3ae1aedb8142d32bb6d3b988f5910f272d53b by clearing its pointer to 0x644e3dedb0e4f83bfcf8f9992964d240224b74dc.",
+          "allowDifference": false
+        },
+        {
+          "key": "0xe2e7e1f18e3e0546efbef39088f820c7d9c78019eec558886d8826ad49444d6b",
+          "before": "0x0000000000000000000000000000000000000000000000000000000000000000",
+          "after": "0x0000000000000000000000001841cb3c2ce6870d0417844c817849da64e6e937",
+          "description": "Owners linked list: Adds signer 0x082cc00d1031a57d53496abf6dad8a6247159452 pointing to next owner 0x1841cb3c2ce6870d0417844c817849da64e6e937.",
+          "allowDifference": false
+        },
+        {
+          "key": "0xe90b7bceb6e7df5418fb78d8ee546e97c83a08bbccc01a0644d599ccd2a7c2e0",
+          "before": "0x0000000000000000000000001841cb3c2ce6870d0417844c817849da64e6e937",
+          "after": "0x000000000000000000000000d56c6462dc3a943596c7a54d6b0dba404490e206",
+          "description": "Owners linked list: Updates SENTINEL to point to new head 0xd56c6462dc3a943596c7a54d6b0dba404490e206.",
+          "allowDifference": false
+        }
+      ]
+    }
+  ],
+  "balanceChanges": [],
+  "skipTaskOriginValidation": true
+}