[TEMP CHECK] Adopt The SEAL Safe Harbor Agreement

Title: [TEMP CHECK] Adopt The SEAL Safe Harbor Agreement

Authors: @samczsun, Skylock.xyz, bgdlabs.eth
Date: 2025-05-20


Disclaimer: I am submitting this proposal solely in my personal capacity.


Summary

This proposal outlines Aave Governance’s adoption of the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”). By adopting Safe Harbor, Aave improves the security of its on-chain assets by allowing whitehats to intervene during active exploits to save protocol funds. Safe Harbor provides legal protection and capped incentives for rapid, structured rescue of assets.

Motivation

The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to step in when traditional responsible-disclosure procedures are too slow to prevent fund loss. Aave is committed to enhancing its security and protecting user funds during critical moments. While audits and preventive measures are vital, active exploits demand a swift, decisive response mechanism.

Benefits of adopting Safe Harbor:

  • Agile Defense Against Exploits: Whitehats may intervene as soon as an active exploit is detected, providing a rapid response mechanism that complements Aave’s ability to pause pools. In cases where pausing is not fast enough to prevent fund loss, whitehat intervention can reduce damage and accelerate asset recovery.

  • Clarified Rescue Process: A predetermined recovery workflow ensures whitehats know exactly where to send rescued funds, preventing chaotic negotiations and enabling efficient, decisive action.

  • Clear Financial Boundaries: A capped bounty (matching Aave’s existing bug-bounty maximum) aligns incentives, eliminates post-exploit reward disputes, and keeps intervention focused on fund recovery rather than negotiating payouts.

  • Industry-Standard Alignment: Adoption of Safe Harbor aligns Aave with leading protocol-security practices, reinforcing its proactive stance on asset protection.

Specification

Upon passing this TEMP CHECK, Aave Governance will proceed to the ARFC stage, where the following parameters will be fully defined and finalized for inclusion in the AIP and on-chain registration:

  • Agreement Registration: The Safe Harbor Agreement will be registered on-chain by calling the Safe Harbor Registry at 0x8f72fcf695523a6fc7dd97eafdd7a083c386b7b6 on Ethereum with the appropriate adoptionDetails payload.

  • Parameters to be Defined During ARFC:

    • Asset Recovery Addresses: Specific Aave-controlled addresses for recovered-fund deposits.

    • Scope: The full list of smart contracts to be covered under Safe Harbor (covering major systems such as Aave v2, Aave v3, GHO, etc.).

    • Security Contact: Designated contact details for coordination during incidents.

    • Bounty Terms:

      • Percentage of recovered funds

      • USD-denominated cap

      • Whether bounties are retainable from recovered funds

    • Identity Requirements: Whitehat anonymity and KYC provisions

    • Diligence Requirements: Any additional conditions for eligibility or compliance

These elements will be specified in detail during the ARFC stage and proposed as part of the corresponding AIP.

Implementation Plan

  1. On-chain Registration: The finalized registerSafeHarbor(...) transaction will be executed via the AIP.

  2. Community Communication: Official announcement across Aave communication channels to educate users.

  3. Future Scope Updates: Additional systems or contract versions will be added via subsequent governance votes.

Disclaimer

The authors are not presenting this TEMP CHECK on behalf of any third party and are not compensated for creating it.

Next Steps

  1. Engage with the community and core security team to refine the detailed proposal.

  2. Escalate to a TEMP CHECK Snapshot after community discussion.

  3. If the Snapshot outcome is YAE, advance to the ARFC stage with detailed contract lists and adoption parameters.

Copyright

Copyright and related rights waived via CC0.

7 Likes

Hey everyone - I’m Dickson, one of the leads of Safe Harbor & Co-founder of Skylock!

Feel free to comment and let us know if you have any questions! Always happy to talk about Safe Harbor!

1 Like

Hey, thanks for putting this proposal together.

Would you be open to sharing some of SEAL’s most notable achievements? For example, any major recoveries from hacks or involvement in high-profile incidents?

I think a lot of community members weren’t too familiar with SEAL before this temp check went live, so a bit more context could really help everyone better understand the initiative.

Also, just to clarify: is SEAL the same as SEAL 911, or are they separate efforts?

1 Like

Having collaborated on the TEMP CHECK, we can confirm we support this initiative.

We think a properly structured framework like the SEAL Safe Harbor Agreement is very aligned with both the security standards of the Aave protocol and with its DAO structure, by being able to signal subscription to the agreement in a decentralised manner, via an Aave governance proposal.

As commented on the TEMP CHECK, if passing, we are glad to refine the contracts covered and any special conditions for the Aave ecosystem at the ARFC stage.

2 Likes

Very happy to support this proposal. I was in touch with SEAL this year due to a friend getting hacked. The speed and support were really great. Having SEAL support for Aave is just securing the protocol and its users even better. There is no drawdown for us implementing this.

1 Like

Hey Tor_GAINS!

SEAL is the Security Alliance started by Samczsun! Yes actually, SEAL911 is a part of SEAL! SEAL has a lot of different initiatives like SEAL911, SEAL Intel, Wargames, Frameworks, and Safe Harbor.

For Safe Harbor we’re beginning to gain adoption. For example, we recently adopted protocols like Uniswap, Zksync, & Balancer. We’d love for Aave to be next!

In terms of SEAL in general, we’ve done a lot of awesome things! SEAL911 has helped out in countless major incidents in the past. Wargames has run wargames for many protocols like Yearn, Base, and Optimism. Actually, there’s a good Cointelegraph article here.

Let me know if you have any more questions! Happy to answer them!