[AIP-118] - Adopt The SEAL Safe Harbor Agreement

Authors: Skylock.xyz

---

Introduction

This proposal outlines Alchemix Governance’s adoption of the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”). By adopting Safe Harbor, Alchemix improves the security of its on-chain assets by allowing whitehats to intervene during active exploits to save protocol funds.

What is the Safe Harbor Agreement?

The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to intervene during active exploits when traditional responsible disclosure procedures are not feasible.

Key aspects of the agreement include:

• Authorized Whitehat Intervention During Active Exploits: Safe Harbor allows whitehats to intervene only during live, critical exploits where standard disclosure wouldn't prevent fund loss. They're required to follow strict operational guidelines and return all recovered funds to a designated protocol address within 72 hours. This ensures rapid fund recovery and minimizes risk to the protocol.

• Legal Protection and Incentives for Whitehats: By limiting legal liability and offering capped bounties for successful rescues, Safe Harbor encourages whitehats to act swiftly and responsibly during emergencies, protecting the protocol while operating within a secure legal framework.

---

Rationale

Alchemix is committed to enhancing its security and protecting user funds during critical moments. While security audits and other preventive measures are crucial, the unpredictable nature of exploits requires a swift, decisive response mechanism to minimize potential damage.

The Safe Harbor Agreement empowers whitehats to act immediately during an active exploit, providing a proactive and structured recovery process. By enabling whitehats to step in and recover assets during a crisis, Alchemix strengthens its defenses against emerging threats.

Benefits of adopting the Safe Harbor Agreement include:

• Rapid, Structured Exploit Response: Safe Harbor enables whitehats to act immediately during active exploits with a clear, predefined process for fund recovery. This minimizes damage, eliminates confusion during crises, and accelerates asset protection.

• Fair Incentives and Industry Alignment: A capped bounty system ensures transparent, conflict-free rewards for whitehats, separating exploit intervention from routine disclosures. By adopting this framework, Alchemix reinforces its commitment to industry-standard security practices.

Adoption of the agreement complements audits by providing an additional layer of security, ensuring that the protocol is better prepared to respond to active threats.

---

Adoption Details

Alchemix will adopt the agreement with the following parameters. For a full description of these adoption details, review the Safe Harbor for Protocols document.

1. Asset Recovery Address: Addresses controlled by Alchemix, which recovered funds will be returned to in the event of a hack.

Chain	Address
Ethereum	0x9e2b6378ee8ad2a4a95fe481d63caba8fb0ebbf9
Arbitrum	0x7e108711771dfdb10743f016d46d75a9379ca043
Base	0x24e9cbb9ddda1247ae4b4eeee3c569a2190ac401
Optimism	0xc224bf25dcc99236f00843c7d8c4194abe8aa94a
Metis	0x0f5c3a8b62ff7639895bb9737c5befb711c4f7f4
Linea	0x16a63fcd874f7f9e267a1f274c46677d5f3fcc65
Fraxtal	0x41ab74824b4d1b196eeb62569b907ef9a313df18

2. Scope: List of all on-chain assets protected under Safe Harbor.

Chain	Name	Address	Type (None, Existing Only, All)
Ethereum	alETH Alchemist	0x062Bf725dC4cDF947aa79Ca2aaCCD4F385b13b5c	Existing Only
Ethereum	alUSD Alchemist	0x5C6374a2ac4EBC38DeA0Fc1F8716e5Ea1AdD94dd	Existing Only
Ethereum	ETH Transmuter	0x03323143a5f0D0679026C2a9fB6b0391e4D64811	Existing Only
Ethereum	ETH Buffer	0xbc2FB245594a68c927C930FBE2d00680A8C90B9e	Existing Only
Ethereum	DAI Transmuter	0xA840C73a004026710471F727252a9a2800a5197F	Existing Only
Ethereum	Transmuter Buffer	0x1EEd2DbeB9fc23Ab483F447F38F289cA15f79Bac	Existing Only
Ethereum	USDC Transmuter	0x49930AD9eBbbc0EB120CCF1a318c3aE5Bb24Df55	Existing Only
Ethereum	USDT Transmuter	0xfC30820ba6d045b95D13a5B8dF4fB0E6B5bdF5b9	Existing Only
Ethereum	FRAX Transmuter	0xE107Fa35D775C77924926C0292a9ec1FC14262b2	Existing Only
Ethereum	alETH AMO	0x9fb54d1F6F506Feb4c65B721bE931e59BB538c63	Existing Only
Ethereum	alUSD AMO	0x06378717d86B8cd2DBa58c87383dA1EDA92d3495	Existing Only
Arbitrum	alETH Alchemist	0x654e16a0b161b150F5d1C8a5ba6E7A7B7760703A	Existing Only
Arbitrum	alUSD Alchemist	0xb46eE2E4165F629b4aBCE04B7Eb4237f951AC66F	Existing Only
Arbitrum	alETH Transmuter	0x1EB7D78d7f6D73e5de67Fa62Fd8b55c54Aa9c0D4	Existing Only
Arbitrum	alUSD Transmuter	0xe7ec71B894583E9C1b07873fA86A7e81f3940eA8	Existing Only
Arbitrum	alETH Buffer	0xECAd08EE07f1AA87f3E080997eBa6d02d28bb9D2	Existing Only
Arbitrum	alUSD Buffer	0x00E33722ba54545667E76a18CE9D544130eEAbcC	Existing Only
Optimism	alETH Alchemist	0xe04Bb5B4de60FA2fBa69a93adE13A8B3B569d5B4	Existing Only
Optimism	alUSD Alchemist	0x10294d57A419C8eb78C648372c5bAA27fD1484af	Existing Only
Optimism	alETH Transmuter	0xb7C4250f83289ff3Ea9f21f01AAd0b02fb19491a	Existing Only
Optimism	USDC Transmuter	0xA7ea9ef9E2b5e15971040230F5d6b75C68Aab723	Existing Only
Optimism	USDT Transmuter	0x4e7d2115E4FeEcD802c96E77B8e03D98104415fa	Existing Only
Optimism	DAI Transmuter	0xFCD619923456E20EAe298B35E3606277b391BBB4	Existing Only
Optimism	alETH Buffer	0x7f50923EE8E2BC3596a63998495baf2948a28f68	Existing Only
Optimism	alUSD Buffer	0xe99a9A717c60F9639B235ede422c27d60FBEB3b9	Existing Only

“Existing Only”: The Safe Harbor Agreement will only cover the subcontracts currently deployed under this contract.

3. Contact Details: Designated security contact for Alchemix

   • Name: Ov3rkoalafied

   • Contact Information: Telegram: @Ov3rkoalafied

4. Bounty Terms: Predetermined rewards for successful whitehats that protect protocol funds

   • Bounty Percentage: 10% of recovered funds.

   • Bounty Cap (USD): $300k

   • Retainable: True

     1. This means that whitehats are allowed to retain their bounty directly from the recovered assets. After rescuing funds during an exploit, whitehats may deduct their bounty from the total recovered amount before transferring the remainder to the protocol’s designated asset recovery address. This streamlines the payout process, ensuring whitehats are rewarded promptly while still adhering to predefined bounty terms.

   • Identity Verification: Anonymous

     1. Whitehats are allowed to remain anonymous and are not required to provide their legal name or undergo identity verification. This ensures privacy for whitehats while still enabling them to participate in the bounty program and assist during exploits without revealing personal information.

   • Diligence Requirements: None

---

Implementation Plan

1. Register Agreement On-Chain:

   • The agreement will be registered on Ethereum in the Safe Harbor Registry at address 0x8f72fcf695523a6fc7dd97eafdd7a083c386b7b6, including all adoptionDetails. This ensures transparency and immutability.

2. Communicate Adoption:

   • An official announcement will be made across all Alchemix communication channels, explaining the adoption and its significance to the community.

3. Future Updates to Scope:

   • New versions of Alchemix will be reviewed and added to the Safe Harbor Agreement scope via Alchemix Governance vote, ensuring continued protection for all new contracts and functionalities.

---

Conclusion

Adopting the SEAL Whitehat Safe Harbor Agreement equips Alchemix with a rapid response mechanism for active exploits, enabling whitehats to step in effectively when needed most. The agreement provides clear guidelines for action, increasing the protection of user funds and demonstrating Alchemix’s commitment to proactive security.

---

References

• SEAL Whitehat Safe Harbor Agreement: GitHub Repository

• Alchemix Bug Bounty: Alchemix’s Bug Bounty

---