Authors: Edo, skylock.xyz
Introduction
This proposal outlines Inverse Finance’s adoption of the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”). By adopting Safe Harbor, Inverse improves the security of its on-chain assets by allowing whitehats to intervene during active exploits to save protocol funds.
What is the Safe Harbor Agreement?
The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to intervene during active exploits when traditional responsible disclosure procedures are not feasible.
Key aspects of the agreement include:
- Encouraging Whitehats to Protect the Protocol: By adopting Safe Harbor, Inverse incentivizes whitehats to step in and protect the protocol during active exploits by limiting their legal exposure.
- Intervention Only During Active Exploits: Whitehats are authorized to act only when there is an active exploit that threatens the protocol. This agreement applies only to critical situations where responsible disclosure procedures would not save funds due to the urgency of the exploit, and it is not intended for routine security testing or vulnerability reporting.
- Mandatory Return of Rescued Funds: Under the terms of the Safe Harbor, whitehats are required to return all rescued assets to a pre-designated recovery address controlled by the protocol within 72 hours of recovery.
- Clear Guidelines and Legal Protection: The agreement establishes strict rules for how whitehats must operate during an exploit, ensuring recovery efforts are conducted professionally and safely, and minimizing the risk of mistakes or further damage to the protocol.
- Incentivized Rescue Efforts: To motivate whitehats to act during critical situations, the agreement offers a bounty system similar to a bug bounty. Whitehats are rewarded with a percentage of the recovered assets, up to a predefined cap, for their successful interventions.
For more information, check out the Safe Harbor Agreement here.
Rationale
The Safe Harbor Agreement empowers whitehats to act immediately during an exploit, offering a swift and structured asset recovery process. Benefits of adopting the Safe Harbor Agreement include:
- Agile Defense Against Exploits: Whitehats are authorized to intervene as soon as an active exploit is detected, enabling them to respond faster than traditional methods. Immediate action minimizes the window for malicious actors, reduces damages, and accelerates the recovery of assets during critical moments.
- Clarified Rescue Process: The agreement ensures that every step, from intervention to fund recovery, is predetermined and streamlined. Whitehats know exactly where to send recovered funds, preventing chaotic negotiations or rushed decisions during an exploit. This clarity ensures efficient, decisive action when it matters most.
- Clear Financial Boundaries: The predefined bounty system, with a cap matching Inverse’s existing bug bounty, ensures that whitehats are incentivized fairly without creating conflicting priorities between exploit intervention and standard vulnerability disclosure. By setting expectations upfront, Safe Harbor eliminates post-exploit negotiations, ensuring funds are returned promptly without attempted negotiations.
- Aligning with Industry Best Practices: By adopting the Safe Harbor Agreement, Inverse aligns itself with leading security practices across the industry, reinforcing its commitment to staying at the forefront of protocol security.
Adoption of the agreement complements audits and bug bounties by providing an additional layer of security, ensuring that the protocol is better prepared to respond to active threats.
Adoption Details
Inverse Finance will adopt the agreement with the following parameters. For a full description of these adoption details, review the Safe Harbor for Protocols document.
- Asset Recovery Address:
| Chain | Address |
|---|---|
| Ethereum | 0x926df14a23be491164dcf93f4c468a50ef659d5b |
| OP | 0xa283139017a2f5BAdE8d8e25412C600055D318F8 |
| Base | 0x586CF50c2874f3e3997660c0FD0996B090FB9764 |
| Arbitrum | 0x23dEDab98D7828AFBD2B7Ab8C71089f2C517774a |
| BNB Chain | 0xF7Da4bC9B7A6bB3653221aE333a9d2a2C2d5BdA7 |
- Scope: The assets under scope will include all assets in scope on Inverse Finance’s immune bug bounty page as of 2025-01-29: https://immunefi.com/bug-bounty/inversefinance/scope
- Contact Details:
- Edo - edo@inverse.finance
- Karm - karm@inverse.finance
- Harry - cryptoharry@inverse.finance
- Nour - nour@inverse.finance
- Bounty Terms:
- Bounty Percentage: 10%
- Bounty Cap (USD): $100,000
- Retainable: true
- After rescuing funds during an exploit, whitehats may deduct their bounty from the total recovered amount before transferring the remainder to the protocol’s designated asset recovery address.
- Identity Verification: Anonymous
- Whitehats are allowed to remain anonymous and are not required to provide their legal name or undergo identity verification.
- Diligence Requirements: None
Implementation Plan
- Register Agreement On-Chain:
- The agreement will be registered on Ethereum in the Safe Harbor Registry at address 0x8f72fcf695523a6fc7dd97eafdd7a083c386b7b6, including all adoptionDetails. This ensures transparency and immutability.
- Update ToS:
- Exhibit D: User Adoption Procedures will be added to Inverse Finance’s Terms of Services. References to Safe Harbor will also be added to Inverse Finance’s technical documentation.
- Communicate Adoption:
- An official announcement will be made across all Inverse Finance’s official communication channels, explaining the adoption and its significance to the community.
- Future Updates to Scope:
- New smart contracts deployed by Inverse Finance will be reviewed and added to the Safe Harbor Agreement scope via governance vote, ensuring continued protection.
Conclusion
Adopting the SEAL Whitehat Safe Harbor Agreement equips Inverse Finance with a rapid response mechanism for active exploits, enabling whitehats to step in effectively when needed most. The agreement provides clear guidelines for action, increasing the protection of user funds and demonstrating Inverse Finance’s commitment to proactive security.
References
- SEAL Whitehat Safe Harbor Agreement: GitHub Repository
- SEAL Whitehat Safe Harbor Agreement Overview: Notion
- Inverse Finance Bug Bounty: Immunefi
Please share your thoughts and feedback in the discussion below before the proposal moves to a formal vote.