The Whitehat Safe Harbor initiative is a framework in which protocols can offer legal protection to whitehats who help recover assets during an active exploit. Let’s dive deeper into why it was created and how it works.
Why? Imagine a whitehat finds a vulnerability in a DeFi protocol, and they can not contact the team to report the bug because they are in a different timezone, for example. If they wait, the bug could be exploited by a blackhat, and the funds could be stolen. But if they make a whitehat rescue (exploiting the vulnerability to secure the funds and return them to the protocol after the bug is fixed), they could also have legal issues, depending on many things, such as in what jurisdiction they or the protocol are located.
We also have cases where a protocol is exploited, and then the team needs to start negotiations with the exploiter regarding the return of funds and how much the exploiter will keep (if anything). These negotiations can take a lot of time, which will hurt the users even more. Even when some bounty is agreed between the team and the exploiter, and let’s say 90% of funds are returned, the exploiter could still face legal issues in the future for keeping that 10%.
So, how does it work?
The Safe Harbor initiative is a preemptive security measure for protocols, similar to a bug bounty. It is a framework specifically for active exploits, i.e., situations where a vulnerability has begun to be exploited by a malicious actor.
If a protocol has adopted Safe Harbor before such an incident occurs, whitehats will have clarity on how to act in a potential rescue and will be more likely to help intervene.
So, how can protocols adopt it?
They must first review the agreement and agree to some of its terms:
- Which assets are in the scope of the agreement
- What reward will be given to successful whitehat rescues
- Where should rescued funds be returned
You can check the Safe Harbor Agreement in this PDF.
Once the specifics are agreed upon, the protocol should create a governance proposal, which its members should vote on. For transparency, all relevant documents should be uploaded to IPFS. If the protocol doesn’t have an on-chain voting system, some alternatives can be explored. If the decision to adopt Safe Harbor becomes official, there are three final steps for adoption:
- An “Agreement Fact Page” must be created by the protocol.
- The “User Adoption Procedures” must be inserted into the protocol website’s terms of service.
- A governance address must send an on-chain transaction to the Safe Harbor registry contract.
The Safe Harbor Registry can be accessed in this Github.
What about whitehats?
If a whitehat agrees to the framework, they may later be eligible to participate in a whitehat rescue. These rescues should only be taken in very specific circumstances, and it is important to understand the following:
- The framework only applies to active exploits, and it is a violation of the agreement if the whitehat initiates an exploit themselves.
- The protocol is not responsible for ensuring the whitehat follows the law, and the whitehat can not be protected from criminal charges outside the agreement’s scope.
- There are nuances that can affect the agreement’s enforceability, and whitehats will assume many legal risks by becoming involved.
- If the whitehat proceeds with a whitehat rescue, they must follow the process: transferring rescued funds to the protocol’s “Asset Recovery Address” and promptly notifying the protocol of the fund recovery. The whitehat may keep (or later receive) a reward based on the terms.
This agreement was created after a RFC (request for comments) period of one month, during which many community calls were hosted so that everyone could ask questions or input ideas and changes. The discussions section in GitHub can be accessed here: Safe Harbor discussions.
SEAL founder Samczsun explaining the initiative
Check out this short video where Samczsun himself explains why Safe Harbor was created and how it can help security professionals:
Transcription of the video: Remember back in 2022, when the Nomad hack happened? Well, the hundreds of people who either accidentally or intentionally drained the bridge certainly do. Personally, I remember sitting in the war room, watching the entire thing go down, wondering whether it was legally safe for me to get involved or not. As it turns out, I wasn’t the only one. That’s where the safe harbor initiative comes in. Instead of forcing protocols to make the call on the spot, the Safe Harbor agreement allows protocols to tell whitehats ahead of time, “Hey, if we’re getting hacked, and only f we are getting hacked, we want your help, and we’ll even pay for it”. This is much less legally dubious than giving “whitehats” a “10% bounty”. To make this work, we sat down with some of the best crypto lawyers out there, and we put together a 45-page document that covers as many bases as possible. The next time you are having trouble falling asleep, give it a read, or if you’d rather not, simply take a look at our human-readable summary instead.
And now, one more short video by Samczsun on how Safe Harbor can help Protocols:
The transcript of this second video reads: So, you’ve done everything you can to secure your protocol. You wrote the tests, did the audits, and set up the bug bounty program. Now you are wondering: What else can I do to protect my users? To answer that question, the security alliance first introduced Seal 911: a way to contact trusted security researchers around the world at any time. Now, we are introducing the Safe Harbor, an additional security measure that we’re encouraging protocols like yours to adopt. The goal of the Safe Harbor initiative is to provide a legal framework where whitehats are allowed to frontrun or otherwise intercept an ongoing attack on your protocol. We hope that this will result in fewer successful attacks in the future, which means a less stressful experience for you and your users and a safer ecosystem for everyone.
Want to learn more about this initiative? All information has been consolidated in the Security Alliance Github
Frequented asked questions
You may have some questions like:
- What is the Safe Harbor Initiative?
- Who created the Safe Harbor Initiative?
- What are the components?
- How does this differ from a bug bounty program?
- What are the requirements for a whitehat to participate?
- Can a protocol impose KYC requirements on rescue payouts?
You can find the answers to all these questions in this web-site.
How to join Safe Harbor agreement
If you are a protocol interested in Safe Harbor and would like to get in touch, please use this signup form here.
Want to learn more about the Security Alliance? You can follow official X account: @_SEAL_Org or the official website.