[eIP-66] Adopt The SEAL Safe Harbor Agreement

Category: Request for Comment
Authors: erik@euler.xyz, lucas@spearbit.com


Introduction

This proposal outlines Euler Finance’s adoption of the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”). By adopting the Safe Harbor Agreement, Euler Finance improves the security of its on-chain assets by allowing whitehats to intervene during active exploits to save protocol funds.

What is the Safe Harbor Agreement?

The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to intervene during active exploits when the urgency of an attack makes traditional processes too slow to save funds.

The Safe Harbor Agreement was created by SEAL, a nonprofit founded by samczsun, to secure the future of crypto. In addition to the Safe Harbor Agreement, SEAL runs multiple initiatives including SEAL 911 (emergency response hotline for exploits), SEAL Intel (crypto-native threat intelligence sharing), SEAL Frameworks (open source security best practices and playbooks), SEAL Wargames (incident response training), and more in development.

Key aspects of the agreement include:

  • Encouraging Whitehats to Protect the Protocol: By adopting the Safe Harbor Agreement, Euler Finance incentivizes whitehats to step in and protect the protocol during active exploits by limiting their legal exposure.
  • Intervention Only During Active Exploits: Whitehats are authorized to act only when there is an immediate or ongoing exploit that threatens the protocol. This agreement is not intended for routine security testing or bug bounty reporting. It applies only to critical situations where the urgency of the exploit supersedes traditional procedures for responsible disclosure in order to save funds.
  • Mandatory Return of Rescued Funds: Under the terms of the Safe Harbor, whitehats are required to return all rescued assets to a pre-designated recovery address controlled by the protocol within 72 hours of recovery to ensure these funds are quickly secured, preventing delay or potential loss.
  • Clear Guidelines and Legal Protection: The agreement establishes strict rules for how whitehats must operate during an exploit, ensuring recovery efforts are conducted professionally and safely, minimizing the risk of mistakes or further damage to the protocol. By adhering to these guidelines, whitehats can limit their potential legal exposure, allowing them to act in good faith without fear of liability.
  • Incentivized Rescue Efforts: To motivate whitehats to act during critical situations, the agreement offers a bounty system that rewards rescuers with a percentage of the recovered assets, up to a predefined cap, for successful interventions.

Safe Harbor has already been adopted by leading protocols such as Uniswap, ZKsync, Pendle, PancakeSwap, and Balancer, establishing it as a trusted industry standard for empowering whitehats during active exploits.


Rationale

Euler Finance is committed to enhancing its security and protecting user funds during critical moments. While security audits and other preventive measures are crucial, the unpredictable nature of active exploits requires a swift, decisive response mechanism to minimize potential damage.

Benefits of adopting the Safe Harbor Agreement include:

  • Agile Defense Against Exploits: Whitehats are authorized to intervene as soon as an active exploit is detected, enabling them to respond faster than traditional methods. Immediate action minimizes the window for malicious actors, reduces damages, and accelerates the recovery of assets during critical moments.
  • Clarified Rescue Process: The agreement ensures that every step, from intervention to fund recovery, is predetermined and streamlined. Whitehats know exactly where to send recovered funds, preventing chaotic negotiations or rushed decisions during an exploit. This clarity ensures efficient, decisive action when it matters most.
  • Clear Financial Boundaries: The predefined bounty system, with a cap matching Euler Finance’s existing bug bounty, ensures that whitehats are incentivized fairly without creating conflicting priorities between exploit intervention and standard vulnerability disclosure. By setting expectations upfront, it eliminates post-exploit negotiations, ensuring funds are returned promptly without attempts to change the reward amount, keeping the process fair and transparent.
  • Aligning with Industry Best Practices: By adopting the Safe Harbor Agreement, Euler Finance aligns itself with leading security practices across the industry, reinforcing its commitment to staying at the forefront of protocol security.

Adoption of the agreement complements audits by providing an additional layer of security, ensuring that the protocol is better prepared to respond to active threats.


Adoption Details

Protocol Details

Protocol Name: Euler Finance

Bounty Terms

Predetermined rewards for whitehats who successfully recover protocol funds. For more information, review the Safe Harbor Scope document.

  • Percentage: 10.0%
  • Cap (USD): $2.5M
  • Retainable: False
    • When retainable is True, whitehats are allowed to retain their bounty from the recovered funds directly. This streamlines the payout process for whitehats and protocols.
    • When retainable is False, whitehats are required to return all recovered funds to the protocol, which will then pay out the bounty after verification by the protocol.
  • Identity: Named
    • When identity is Anonymous, whitehats are allowed to remain anonymous and are not required to provide any information about themselves to the protocol.
    • When identity is Pseudonymous, whitehats must identify themselves to the protocol, but are not required to provide their real name or any identification.
    • When identity is Named, whitehats must identify themselves to the protocol with their full legal name.
  • Diligence Requirements: All participants in this program must complete KYC with Cantina in order to be eligible for the funds.

Contact Details

Designated security contacts for the protocol, whom whitehats will contact following a Safe Harbor recovery.

Name Contact
Euler Security security@euler.xyz

Chains & Asset Recovery Addresses

Protocol-controlled addresses to which whitehats will return recovered protocol funds.

Chain Asset Recovery Address
eip155:1 0xcAD001c30E96765aC90307669d578219D4fb1DCe
eip155:56 0xa5a4AA0749Aa84ee67bd8CAf22338c1A5cA7313A
eip155:130 0xf6d781B96b65495f8b0429f3023Df2194AfCF06F
eip155:143 0xdA3da5c8f93c0B7630412B8cd7dE571011Df8963
eip155:146 0x399764B234078E64506f84b89F81336399dC7fDa
eip155:239 0xDd8fb4177B35083EEC8Be7c0F2D0f9388b6dD540
eip155:1923 0x8c2EceEe32359af9eec2326f841d187FaA8A5Ce2
eip155:8453 0x1e13B0847808045854Ddd908F2d770Dc902Dcfb8
eip155:9745 0xfD30738fcB5eb5Ba418a84e672007912F991E539
eip155:42161 0xe55798d71193bAA789031415b668A992F2e566EE
eip155:43114 0x9506a63e5f1C595f58Ef1e1D9788Eb5A47722ee8
eip155:59144 0x89Ad331C4B69d7b251C9937DD9A9CEA6E357997a
eip155:60808 0x84423e1B4a5EB2B81947d9284fE098E56017aB35
eip155:80094 0x396686C3aA2B14EDF15bF8603463110b2B8fE1D9

Accounts

List of all on-chain assets owned by the protocol that are protected under Safe Harbor.

The Scope includes the following repositories:

ChildContractScope

  • When None, only the address listed above will be considered in scope
  • When ExistingOnly, only the address and child contracts of that address deployed before the adoption of safe harbor will be considered in scope.
  • When FutureOnly, only the address and child contracts of that address deployed after the adoption of safe harbor will be considered in scope.
  • When All, the address and all of its child contracts will be considered in scope.

Core

Contracts making up the core Euler V2 protocol. These addresses are unlikely to change.

Chain Name Address Child Contract Scope
eip155:1 eVaultFactory 0x29a56a1b8214D9Cf7c5561811750D5cBDb45CC8e All
eip155:1 eulerEarnFactory 0x59709B029B140C853FE28d277f83C3a65e308aF4 All
eip155:56 eVaultFactory 0x7F53E2755eB3c43824E162F7F6F087832B9C9Df6 All
eip155:56 eulerEarnFactory 0xc456d04E3F43597CC7E5a2AF284fF4C4AdDA0cb1 All
eip155:130 eVaultFactory 0xbAd8b5BDFB2bcbcd78Cc9f1573D3Aad6E865e752 All
eip155:130 eulerEarnFactory 0xD785adD5F081F56616898E45b90dE307e3DC7d3E All
eip155:143 eVaultFactory 0xba4Dd672062dE8FeeDb665DD4410658864483f1E All
eip155:143 eulerEarnFactory 0xF463d4Acb650cc6C4E1D6cD4D0d1b0cb224094cF All
eip155:146 eVaultFactory 0xF075cC8660B51D0b8a4474e3f47eDAC5fA034cFB All
eip155:146 eulerEarnFactory 0x3397ec7d28cF645A017869Fe4B41c75f5B0b75a8 All
eip155:239 eVaultFactory 0x2b21621b8Ef1406699a99071ce04ec14cCd50677 All
eip155:239 eulerEarnFactory 0x7670572aa76E6140400A948e7AAFAB0210a86d9f All
eip155:1923 eVaultFactory 0x238bF86bb451ec3CA69BB855f91BDA001aB118b9 All
eip155:1923 eulerEarnFactory 0x3073e1B42f8Cc933f2d678DdA10acDE51F4E49a3 All
eip155:8453 eVaultFactory 0x7F321498A801A191a93C840750ed637149dDf8D0 All
eip155:8453 eulerEarnFactory 0x75F49a2621b6DeC6a5baB22ce961bF3e676EFAE6 All
eip155:9745 eVaultFactory 0x42388213C6F56D7E1477632b58Ae6Bba9adeEeA3 All
eip155:9745 eulerEarnFactory 0xA3843A73e6a9F81309B931237Ca4759B3B02ff0E All
eip155:42161 eVaultFactory 0x78Df1CF5bf06a7f27f2ACc580B934238C1b80D50 All
eip155:42161 eulerEarnFactory 0xB9B5d62B9fE9E1B505466e75817aB178A1D2ec9d All
eip155:43114 eVaultFactory 0xaf4B4c18B17F6a2B32F6c398a3910bdCD7f26181 All
eip155:43114 eulerEarnFactory 0x574B00f5a0C56D370F19fa887a5545d74F52fAC2 All
eip155:59144 eVaultFactory 0x84711986Fd3BF0bFe4a8e6d7f4E22E67f7f27F04 All
eip155:59144 eulerEarnFactory 0x377879A039343FEc7564e54616e519328951DA6D All
eip155:60808 eVaultFactory 0x046a9837A61d6b6263f54F4E27EE072bA4bdC7e4 All
eip155:60808 eulerEarnFactory 0x8F01c6640A1c0a6085C79843F861fF0F89b9fED6 All
eip155:80094 eVaultFactory 0x5C13fb43ae9BAe8470f646ea647784534E9543AF All
eip155:80094 eulerEarnFactory 0x9cbc3030e6d133D1AAa148D598FD82D70263495c All

Implementation Plan

  1. Register Agreement On-Chain:
    • The agreement will be registered on Ethereum Mainnet in the Safe Harbor Registry at address 0x1eaCD100B0546E433fbf4d773109cAD482c34686, including all adoptionDetails. This ensures transparency and immutability.
  2. Communicate Adoption:
    • An official announcement will be made across all Euler Finance communication channels, explaining the adoption and its significance to the community.
  3. Future Updates to Scope:
    • New versions of Euler Finance will be reviewed and added to the Safe Harbor Agreement scope via Euler Finance Governance vote, ensuring continued protection for all new contracts and functionalities.

Conclusion

Adopting the SEAL Whitehat Safe Harbor Agreement equips Euler Finance with a rapid response mechanism for active exploits, enabling whitehats to step in effectively when needed most. The agreement provides clear guidelines for action, increasing the protection of user funds and demonstrating Euler Finance’s commitment to proactive security.

Note: This proposal does not request any funds from the DAO treasury and does not involve any budget allocation. It solely seeks governance approval for Euler Finance to adopt the SEAL Whitehat Safe Harbor Agreement.


Voting & Community Feedback

Under Euler’s optimistic governance framework, this proposal does not require formal on- or off-chain voting to be executed. However, community feedback is strongly encouraged to ensure alignment with the broader goals of Euler DAO.

Please share your thoughts and feedback in the discussion below before the proposal moves to a formal vote.