February 14, 2024 - Crypto ❤️ Security Researchers - Cover art by yue


Safe Harbor

Security researchers and whitehat hackers are often the first to notice or be alerted to an exploit. This was the case in early August 2022, when Spreek discovered what turned out to be one of the largest crypto hacks to date: an attack on the Nomad bridge, executed by more than 300 unique addresses and draining more than $186M in funds. You can read the postmortem on the hack here.

Early members of the Security Alliance (SEAL) – including samczsun, the Head of Security at Paradigm, and the security team at a16z crypto – were involved in identifying the root cause of the hack and helping the Nomad project recover $38.8M in funds from several whitehats who had intentionally drained the bridge to protect funds from the attackers.

However, many more technically sophisticated and well-intentioned developers and security researchers were unable to assist, whether because they were prohibited by their employers or simply because they felt uncomfortable, due to the legal ambiguity surrounding whitehat rescues. Members of the security community lamented that had there been a legal framework in place that enabled whitehats to crystallize good faith with action, more people could have helped. So, we decided to build one.

The open nature of crypto, through an expectation of open source by default and lack of gatekeepers, makes crypto protocols more vulnerable to hackers than traditional software companies. Furthermore, nation states such as North Korea have no limitations when it comes to which protocols they choose to attack and when they choose to do it. As a result, we need to empower security researchers by removing barriers that might prevent them from protecting our protocols in real time, so they can serve as our last line of defense if all else fails.

The Nomad hack is just one such example of why creating the Whitehat Safe Harbor Agreement was so important to us from the very beginning. Now, after over a year of hard work, we are publishing our final draft of the Agreement today on GitHub, and we want to hear your feedback. We are soliciting comments from the community for 1 month, beginning today and ending March 14, 2024 (Pi Day!).

Unlocking a New Superpower

Many of us have extensive experience working in security and a sharp intuition for which changes would have the highest impact, and have wished for a “magic wand” that could clear obstacles, gather resources, align stakeholders, and make those changes a reality. Through SEAL, we want to provide the security community with the superpower to do exactly that: to execute the creative visions that have been percolating in their imaginations throughout their time working in the crypto industry.

Not all solutions are easily commercialized, some are not profitable ventures at all, and yet they are still worth doing. SEAL is the method through which we can make that happen. We operate as a neutral platform on top of which even those who may be competitors can still come together and collaborate with each other. We are not controlled by commercial interests, and we always put the best interests of the ecosystem first.

Our earliest members fought in the trenches of crypto security alongside samczsun, where they demonstrated experience, talent, and a shared interest in securing the future of crypto. Since then, we have found new friends and allies much in the same way - by identifying shared interests and potential collaborative opportunities.

This approach brought together a unique collective of top-tier experts from many different corners of crypto. Collectively, we form a network with access across the entire ecosystem to find the very best talent in any area of expertise that can help us execute our initiatives. We count among our members bug bounty programs, audit firms, independent researchers, foundations, developers, and so many more.

Our Initiatives

In addition to the Safe Harbor Agreement, SEAL has been working on many other initiatives over the past year, and has launched two of them in public.

SEAL 911: Emergency Hotline

When faced with an emergency situation, it might be hard to know who to turn to. Users, developers, and other security researchers who need urgent security advice, help with disclosing a critical vulnerability, or simply a way to sync on progress with other researchers can use our dedicated Telegram bot to connect with our team of carefully vetted expert volunteers. The SEAL 911 Team will triage the request and assist directly, or route it to the right point of contact.

Over the past 6 months, SEAL 911 has helped disrupt, intercept, and remediate several hacks, as well as assisted numerous people with other security problems.

SEAL Wargames: Red Team Exercises

Many developers have never experienced the high-intensity environment of a security incident before, making it hard to stay focused and productive during a time when every second could mean millions of additional dollars lost to attackers. Through the SEAL Chaos Team, we provide projects with the resources and training they need in order to be prepared for the doomsday scenario. Each wargame consists of two phases: