SEAL’s Whitehat Safe Harbor agreement is a legal and technical framework that protocols and crypto communities can adopt to grant advance permission to whitehats and MEV bots to frontrun exploits, so long as:
- Funds are returned to a designated Asset Recovery Address determined by the protocol.
- Action is only taken in the event of an Active Exploit.
By adopting Safe Harbor, protocols and whitehats can work together to increase their chances of recovering funds in the event of an attack.
If you’re reading this to respond to an active exploit, STOP. If you have time to read this, you have time to responsibly disclose. Contact SEAL-911 now.
Hacking protocols when there is not an active exploit is not covered under Safe Harbor, and by doing so you may be held liable.
TLDR
Pre-Hack
- Safe Harbor is a commitment made by protocols that offers you certain protections.
- When adopting Safe Harbor, protocols may modify a few aspects of their agreement (adoption details):
  - Bounty amounts.
  - Whitehat KYC Requirements.
  - Defining Asset and Asset Recovery Addresses.
  - Emergency Contact Information.
- Protocols may not change their adoption details retroactively.
- You can find a public database of all protocols that have adopted Safe Harbor in Skylock’s Database or through bounty.vision. Immunefi also lists whether a protocol has adopted Safe Harbor on its bounty pages.
During Hack
- Safe Harbor only applies during active exploits. If you as a human have enough time to look at and understand the hack, it’s probably not active. If there’s enough time to build your own attack, there’s enough time to contact SEAL-911.
- In order to receive these protections, you must follow the rules outlined in Safe Harbor:
  - Safe Harbor only applies during active exploits.
  - You can only protect assets defined by protocols within their Safe Harbor registry.
  - You must return the assets to the protocol’s designated Asset Recovery Address.
  - You must abide by any KYC requirements requested by the protocol.
- If you follow the above rules, protocols waive their right to prosecute you for white-hat hacking their smart contracts and commit to paying you the defined bounty upon a successful whitehat.
Post Hack
- After securing at-risk assets, you must contact the protocol within 6 hours through their posted emergency contact information.
- SLRDF has partnered with SEAL to provide a Whitehat Defence Fund for whitehats operating under Safe Harbor. If a protocol, despite its adoption of Safe Harbor, decides to litigate, SLRDF can help the whitehat.