Uniswapby

Dickson | Skylock & SEAL

[Temp Check] - Adopt The SEAL Safe Harbor Agreement

Voting ended about 1 year agoSucceeded

[Temp Check] - Adopt The SEAL Safe Harbor Agreement

Category: Temperature Check Authors: Skylock.xyz, @eek637

Introduction

This proposal outlines Uniswap Governance’s adoption of the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”). By adopting Safe Harbor, Uniswap improves the security of its on-chain assets by allowing whitehats to intervene during active exploits to save protocol funds.

What is the Safe Harbor Agreement?

The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to intervene during active exploits when traditional responsible disclosure procedures are not feasible.

Key aspects of the agreement include:

Encouraging Whitehats to Protect the Protocol: By adopting Safe Harbor, Uniswap incentivizes whitehats to step in and protect the protocol during active exploits by limiting their legal exposure.
Intervention Only During Active Exploits: Whitehats are authorized to act only when there is an immediate or ongoing exploit that threatens the protocol. This agreement applies only to critical situations where responsible disclosure procedures would not save funds due to the urgency of the exploit, and it is not intended for routine security testing or vulnerability reporting.
Mandatory Return of Rescued Funds: Under the terms of the Safe Harbor, whitehats are required to return all rescued assets to a pre-designated recovery address controlled by the protocol within 72 hours of recovering them. This ensures that recovered funds are quickly secured, preventing delay or potential loss.
Clear Guidelines and Legal Protection: The agreement establishes strict rules for how whitehats must operate during an exploit, ensuring recovery efforts are conducted professionally and safely, minimizing the risk of mistakes or further damage to the protocol. By adhering to these guidelines, whitehats can limit their potential legal exposure, allowing them to act in good faith without fear of liability.
Incentivized Rescue Efforts: To motivate whitehats to act during critical situations, the agreement offers a bounty system similar to a bug bounty. Whitehats are rewarded with a percentage of the recovered assets, up to a predefined cap, for their successful interventions.

For more information, check out the Safe Harbor Agreement here.

Rationale

Uniswap, by design, does not include a pause function, meaning the protocol cannot be halted in the event of an exploit. This makes it essential to have a mechanism that allows rapid response and asset recovery during emergencies.

The Safe Harbor Agreement provides this necessary solution, empowering whitehats to act immediately during an exploit, offering a swift and structured recovery process without needing to pause the protocol.

Benefits of adopting the Safe Harbor Agreement include:

Agile Defense Against Exploits: Whitehats are authorized to intervene as soon as an active exploit is detected, enabling them to respond faster than traditional methods. This ensures that Uniswap is protected against threats even without the ability to halt the protocol. Immediate action minimizes the window for malicious actors, reduces damages, and accelerates the recovery of assets during critical moments.
Clarified Rescue Process: The agreement ensures that every step, from intervention to fund recovery, is predetermined and streamlined. Whitehats know exactly where to send recovered funds, preventing chaotic negotiations or rushed decisions during an exploit. This clarity ensures efficient, decisive action when it matters most.
Clear Financial Boundaries: The predefined bounty system, with a cap matching Uniswap Labs’ existing bug bounty for V3, ensures that whitehats are incentivized fairly without creating conflicting priorities between exploit intervention and standard vulnerability disclosure. By setting expectations upfront, it eliminates post-exploit negotiations, ensuring funds are returned promptly without attempts to change the reward amount, keeping the process fair and transparent.
Aligning with Industry Best Practices: By adopting the Safe Harbor Agreement, Uniswap aligns itself with leading security practices across the industry, reinforcing its commitment to staying at the forefront of protocol security.

Adoption of the agreement complements audits by providing an additional layer of security, ensuring that the protocol is better prepared to respond to active threats.

Adoption Details

Uniswap will adopt the agreement with the following parameters. For a full description of these adoption details, review the Safe Harbor for Protocols document.

Asset Recovery Address: Addresses controlled by Uniswap, which recovered funds will be returned to in the event of a hack. Source

Chain	Address
Ethereum	0x1a9C8182C09F50C8318d769245beA52c32BE35BC
Arbitrum	0x2BAD8182C09F50c8318d769245beA52C32Be46CD
Avalanche	0xeb0BCF27D1Fb4b25e708fBB815c421Aeb51eA9fc
Base	0x31FAfd4889FA1269F7a13A66eE0fB458f27D72A9
Blast	0x2339C0d23b60739B3E5ABF201F05903D24A26C77
Boba	0x53163235746CeB81Da32293bb0932e1A599256B4
BSC	0x341c1511141022cf8eE20824Ae0fFA3491F1302b
Celo	0x0Eb863541278308c3A64F8E908BC646e27BFD071
Filecoin EVM	0xFf3b2DA1379cc67cc2755194604713f10b820b0E
Gnosis	0xfFA5599136fBaB9af7799A6703b57BB33E5390Cf
Linea	0x581F86Da293A1D5Cd087a10E7227a75d2d2201A8
Manta Pacific	0x683553d74D9779955a15d57D208234C956B6Eae6
Mantle	0x9b7aC6735b23578E81260acD34E3668D0cc6000A
Moonbeam	0xB2af16D6c7074228fC487F17929De830303E6531
Optimism	0xa1dD330d602c32622AA270Ea73d078B803Cb3518
Polygon	0x8a1B966aC46F42275860f905dbC75EfBfDC12374
Polygon zkEVM	0x1808cc3ffb04e8bB67BfEB5510D44e62cF380717
Redstone	0x2d00e94d78Fc307FC5E6195BBe2fB6aFC2FC07d4
Rootstock	0x38aE7De6f9c51e17f49cF5730DD5F2d29fa20758
Scroll	0xEfc9D1096fb65c832207E5e7F13C2D1102244dbe
Sei	0xe75358526ef4441db03ccaeb9a87f180fae80eb9
Taiko	0xf6b53E8dA8bc7dbddB8E7B39635d17D7CCdCD6E5
WorldChain	0xcb2436774C3e191c85056d248EF4260ce5f27A9D
ZkSync	0x2BAD8182C09F50c8318d769245beA52C32Be46CD
Zora	0x36eEC182D0B24Df3DC23115D64DB521A93D5154f

Scope: List of all on-chain assets protected under Safe Harbor.

For brevity, the scope details have been removed from this post. Please refer to the forum discussion post for scope details here

“All”: The Safe Harbor Agreement will cover both the subcontracts currently deployed under this contract and any future subcontracts deployed through it. This ensures that all present and future subcontracts are protected.

Contact Details: Designated security contact for Uniswap
- Name: Erin Koen
- Contact Information: erin@uniswapfoundation.org
  - Every 4 months. The person of contact will create a post to state their availability and whether or not they can continue being the person of contact.
Bounty Terms: Predetermined rewards for successful whitehats that protect protocol funds
- Bounty Percentage: 10% of recovered funds.
- Bounty Cap (USD): $2.25m
  - For clarification, the bounty is per whitehat per hack event. Please see the legal document for additional clarification.
- Retainable: True
  - This means that whitehats are allowed to retain their bounty directly from the recovered assets. After rescuing funds during an exploit, whitehats may deduct their bounty from the total recovered amount before transferring the remainder to the protocol’s designated asset recovery address. This streamlines the payout process, ensuring whitehats are rewarded promptly while still adhering to predefined bounty terms.
- Identity Verification: Anonymous
  - Whitehats are allowed to remain anonymous and are not required to provide their legal name or undergo identity verification. This ensures privacy for whitehats while still enabling them to participate in the bounty program and assist during exploits without revealing personal information.
- Diligence Requirements: None

Implementation Plan

Register Agreement On-Chain:
- The agreement will be registered on Ethereum in the Safe Harbor Registry at address 0x8f72fcf695523a6fc7dd97eafdd7a083c386b7b6, including all adoptionDetails. This ensures transparency and immutability.
Communicate Adoption:
- An official announcement will be made across all Uniswap communication channels, explaining the adoption and its significance to the community.
Future Updates to Scope:
- New versions of Uniswap (e.g., V4) will be reviewed and added to the Safe Harbor Agreement scope via Uniswap Governance vote, ensuring continued protection for all new contracts and functionalities.

Conclusion

Adopting the SEAL Whitehat Safe Harbor Agreement equips Uniswap with a rapid response mechanism for active exploits, enabling whitehats to step in effectively when needed most. The agreement provides clear guidelines for action, increasing the protection of user funds and demonstrating Uniswap's commitment to proactive security.

References

SEAL Whitehat Safe Harbor Agreement: GitHub Repository
SEAL Whitehat Safe Harbor Agreement Overview: Notion
Uniswap Bug Bounty: Uniswap Labs Bug Bounty Update

Off-Chain Vote

For

34.78M UNI93.3%

Against

31.11 UNI0%

Abstain

2.49M UNI6.7%

Quorum:373%

Download mobile app to vote

Discussion

[Temp Check] - Adopt The SEAL Safe Harbor Agreement

Timeline

Dec 16, 2024Proposal created

Dec 16, 2024Proposal vote started

Dec 21, 2024Proposal vote ended

Apr 10, 2025Proposal updated

[Temp Check] - Adopt The SEAL Safe Harbor Agreement

Category: Temperature Check Authors: Skylock.xyz, @eek637

Introduction

What is the Safe Harbor Agreement?

The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to intervene during active exploits when traditional responsible disclosure procedures are not feasible.

Key aspects of the agreement include:

Encouraging Whitehats to Protect the Protocol: By adopting Safe Harbor, Uniswap incentivizes whitehats to step in and protect the protocol during active exploits by limiting their legal exposure.
Intervention Only During Active Exploits: Whitehats are authorized to act only when there is an immediate or ongoing exploit that threatens the protocol. This agreement applies only to critical situations where responsible disclosure procedures would not save funds due to the urgency of the exploit, and it is not intended for routine security testing or vulnerability reporting.
Mandatory Return of Rescued Funds: Under the terms of the Safe Harbor, whitehats are required to return all rescued assets to a pre-designated recovery address controlled by the protocol within 72 hours of recovering them. This ensures that recovered funds are quickly secured, preventing delay or potential loss.
Clear Guidelines and Legal Protection: The agreement establishes strict rules for how whitehats must operate during an exploit, ensuring recovery efforts are conducted professionally and safely, minimizing the risk of mistakes or further damage to the protocol. By adhering to these guidelines, whitehats can limit their potential legal exposure, allowing them to act in good faith without fear of liability.
Incentivized Rescue Efforts: To motivate whitehats to act during critical situations, the agreement offers a bounty system similar to a bug bounty. Whitehats are rewarded with a percentage of the recovered assets, up to a predefined cap, for their successful interventions.

For more information, check out the Safe Harbor Agreement here.

Rationale

Benefits of adopting the Safe Harbor Agreement include:

Agile Defense Against Exploits: Whitehats are authorized to intervene as soon as an active exploit is detected, enabling them to respond faster than traditional methods. This ensures that Uniswap is protected against threats even without the ability to halt the protocol. Immediate action minimizes the window for malicious actors, reduces damages, and accelerates the recovery of assets during critical moments.
Clarified Rescue Process: The agreement ensures that every step, from intervention to fund recovery, is predetermined and streamlined. Whitehats know exactly where to send recovered funds, preventing chaotic negotiations or rushed decisions during an exploit. This clarity ensures efficient, decisive action when it matters most.
Clear Financial Boundaries: The predefined bounty system, with a cap matching Uniswap Labs’ existing bug bounty for V3, ensures that whitehats are incentivized fairly without creating conflicting priorities between exploit intervention and standard vulnerability disclosure. By setting expectations upfront, it eliminates post-exploit negotiations, ensuring funds are returned promptly without attempts to change the reward amount, keeping the process fair and transparent.
Aligning with Industry Best Practices: By adopting the Safe Harbor Agreement, Uniswap aligns itself with leading security practices across the industry, reinforcing its commitment to staying at the forefront of protocol security.

Adoption of the agreement complements audits by providing an additional layer of security, ensuring that the protocol is better prepared to respond to active threats.

Adoption Details

Uniswap will adopt the agreement with the following parameters. For a full description of these adoption details, review the Safe Harbor for Protocols document.

Asset Recovery Address: Addresses controlled by Uniswap, which recovered funds will be returned to in the event of a hack. Source

Chain	Address
Ethereum	0x1a9C8182C09F50C8318d769245beA52c32BE35BC
Arbitrum	0x2BAD8182C09F50c8318d769245beA52C32Be46CD
Avalanche	0xeb0BCF27D1Fb4b25e708fBB815c421Aeb51eA9fc
Base	0x31FAfd4889FA1269F7a13A66eE0fB458f27D72A9
Blast	0x2339C0d23b60739B3E5ABF201F05903D24A26C77
Boba	0x53163235746CeB81Da32293bb0932e1A599256B4
BSC	0x341c1511141022cf8eE20824Ae0fFA3491F1302b
Celo	0x0Eb863541278308c3A64F8E908BC646e27BFD071
Filecoin EVM	0xFf3b2DA1379cc67cc2755194604713f10b820b0E
Gnosis	0xfFA5599136fBaB9af7799A6703b57BB33E5390Cf
Linea	0x581F86Da293A1D5Cd087a10E7227a75d2d2201A8
Manta Pacific	0x683553d74D9779955a15d57D208234C956B6Eae6
Mantle	0x9b7aC6735b23578E81260acD34E3668D0cc6000A
Moonbeam	0xB2af16D6c7074228fC487F17929De830303E6531
Optimism	0xa1dD330d602c32622AA270Ea73d078B803Cb3518
Polygon	0x8a1B966aC46F42275860f905dbC75EfBfDC12374
Polygon zkEVM	0x1808cc3ffb04e8bB67BfEB5510D44e62cF380717
Redstone	0x2d00e94d78Fc307FC5E6195BBe2fB6aFC2FC07d4
Rootstock	0x38aE7De6f9c51e17f49cF5730DD5F2d29fa20758
Scroll	0xEfc9D1096fb65c832207E5e7F13C2D1102244dbe
Sei	0xe75358526ef4441db03ccaeb9a87f180fae80eb9
Taiko	0xf6b53E8dA8bc7dbddB8E7B39635d17D7CCdCD6E5
WorldChain	0xcb2436774C3e191c85056d248EF4260ce5f27A9D
ZkSync	0x2BAD8182C09F50c8318d769245beA52C32Be46CD
Zora	0x36eEC182D0B24Df3DC23115D64DB521A93D5154f

Scope: List of all on-chain assets protected under Safe Harbor.

For brevity, the scope details have been removed from this post. Please refer to the forum discussion post for scope details here

“All”: The Safe Harbor Agreement will cover both the subcontracts currently deployed under this contract and any future subcontracts deployed through it. This ensures that all present and future subcontracts are protected.

Contact Details: Designated security contact for Uniswap
- Name: Erin Koen
- Contact Information: erin@uniswapfoundation.org
  - Every 4 months. The person of contact will create a post to state their availability and whether or not they can continue being the person of contact.
Bounty Terms: Predetermined rewards for successful whitehats that protect protocol funds
- Bounty Percentage: 10% of recovered funds.
- Bounty Cap (USD): $2.25m
  - For clarification, the bounty is per whitehat per hack event. Please see the legal document for additional clarification.
- Retainable: True
  - This means that whitehats are allowed to retain their bounty directly from the recovered assets. After rescuing funds during an exploit, whitehats may deduct their bounty from the total recovered amount before transferring the remainder to the protocol’s designated asset recovery address. This streamlines the payout process, ensuring whitehats are rewarded promptly while still adhering to predefined bounty terms.
- Identity Verification: Anonymous
  - Whitehats are allowed to remain anonymous and are not required to provide their legal name or undergo identity verification. This ensures privacy for whitehats while still enabling them to participate in the bounty program and assist during exploits without revealing personal information.
- Diligence Requirements: None

Implementation Plan

Register Agreement On-Chain:
- The agreement will be registered on Ethereum in the Safe Harbor Registry at address 0x8f72fcf695523a6fc7dd97eafdd7a083c386b7b6, including all adoptionDetails. This ensures transparency and immutability.
Communicate Adoption:
- An official announcement will be made across all Uniswap communication channels, explaining the adoption and its significance to the community.
Future Updates to Scope:
- New versions of Uniswap (e.g., V4) will be reviewed and added to the Safe Harbor Agreement scope via Uniswap Governance vote, ensuring continued protection for all new contracts and functionalities.

Conclusion

References

SEAL Whitehat Safe Harbor Agreement: GitHub Repository
SEAL Whitehat Safe Harbor Agreement Overview: Notion
Uniswap Bug Bounty: Uniswap Labs Bug Bounty Update