[TEMP CHECK] Adopt The SEAL Safe Harbor Agreement

[TEMP CHECK] Adopt The SEAL Safe Harbor Agreement

Authors: @samczsun, Skylock, bgdlabs.eth Date: 2025-05-20

Summary

This proposal outlines Aave Governance’s adoption of the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”). By adopting Safe Harbor, Aave improves the security of its on-chain assets by allowing whitehats to intervene during active exploits to save protocol funds. Safe Harbor provides legal protection and capped incentives for rapid, structured rescue of assets.

Motivation

The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to step in when traditional responsible-disclosure procedures are too slow to prevent fund loss. Aave is committed to enhancing its security and protecting user funds during critical moments. While audits and preventive measures are vital, active exploits demand a swift, decisive response mechanism.

Benefits of adopting Safe Harbor:

• Agile Defense Against Exploits: Whitehats may intervene as soon as an active exploit is detected, providing a rapid response mechanism that complements Aave’s ability to pause pools. In cases where pausing is not fast enough to prevent fund loss, whitehat intervention can reduce damage and accelerate asset recovery.

• Clarified Rescue Process: A predetermined recovery workflow ensures whitehats know exactly where to send rescued funds, preventing chaotic negotiations and enabling efficient, decisive action.

• Clear Financial Boundaries: A capped bounty (matching Aave’s existing bug-bounty maximum) aligns incentives, eliminates post-exploit reward disputes, and keeps intervention focused on fund recovery rather than negotiating payouts.

• Industry-Standard Alignment: Adoption of Safe Harbor aligns Aave with leading protocol-security practices, reinforcing its proactive stance on asset protection.

Specification

Upon passing this TEMP CHECK, Aave Governance will proceed to the ARFC stage, where the following parameters will be fully defined and finalized for inclusion in the AIP and on-chain registration:

• Agreement Registration: The Safe Harbor Agreement will be registered on-chain by calling the Safe Harbor Registry at 0x8f72fcf695523a6fc7dd97eafdd7a083c386b7b6 on Ethereum with the appropriate adoptionDetails payload.

• Parameters to be Defined During ARFC:

  • Asset Recovery Addresses: Specific Aave-controlled addresses for recovered-fund deposits.

  • Scope: The full list of smart contracts to be covered under Safe Harbor (covering major systems such as Aave v2, Aave v3, GHO, etc).

  • Security Contact: Designated contact details for coordination during incidents.

  • Bounty Terms:

    • Percentage of recovered funds

    • USD-denominated cap

    • Whether bounties are retainable from recovered funds

  • Identity Requirements: Whitehat anonymity and KYC provisions

  • Diligence Requirements: Any additional conditions for eligibility or compliance

These elements will be specified in detail during the ARFC stage and proposed as part of the corresponding AIP.

Implementation Plan

1. On-chain Registration: The finalized registerSafeHarbor(...) transaction will be executed via the AIP.

2. Community Communication: Official announcement across Aave communication channels to educate users.

3. Future Scope Updates: Additional systems or contract versions will be added via subsequent governance votes.

Disclaimer

The authors are not presenting this TEMP CHECK on behalf of any third party and are not compensated for creating it.

Next Steps

1. Engage with the community and core security team to refine the detailed proposal.

2. Escalate to a TEMP CHECK Snapshot after community discussion.

3. If the Snapshot outcome is YAE, advance to the ARFC stage with detailed contract lists and adoption parameters.

Copyright

Copyright and related rights waived via CC0.