It started with the chaotic $190 million Nomad hack in August 2022. An exploit, or flaw in the code, was found for the bridge, and a colossal crowd of criminals rushed in to loot the funds.
In its analysis of the exploit, Immunifi said one problem was: “Staying true to DeFi Principles, this hack was permissionless — anyone could join in.”
Plenty of white hat hackers wanted to help but were forced to watch from the sidelines due to the legal risks of pitching in.
Looking back in February, famed white hat hacker Samczsun said the security community had wondered afterward, “How did we get to a point where random people felt comfortable stealing money from the bridge, but white hats felt it was too risky to intervene.”
Something needed to be done. Samczsun, who is also Paradigm’s head of security, decided that for future hacks, the SEAL911 bat signal could be shone into the metaphorical night so white hats could help combat hacks. But first, the legal issues needed to be sorted out.
SEAL: Security Alliance of white hat hackers
The idea for the Security Alliance (SEAL) emerged with the project officially launching February 14. SEAL 911 is a hot desk on the Telegram messaging service where a crack team of around 40 white hat hackers can pick up reports of hacks in progress and assist in real time.
Samczsun calls it a “firefighting helicopter” that will “show the world that crypto as an industry is taking security seriously.”
“The idea is that if someone finds a critical bug but doesn’t know who to talk to in the project team […] that’s one of the things SEAL911 can help with. Then we can also help respond to the hack, obviously.”
But the huge number of hacks happening every day is a massive job for a few dozen hackers, no matter how good.
“It’s super ambitious, part of it is that, for now, the volume is manageable. We want to serve all of crypto. We may split into teams, but for now, the teams are small because we are dealing with very sensitive information.”
Apart from white hats, there are auditors, bug bounty program coordinators and investigative sleuths. Ethereum creator Vitalik Buterin was the first donor, donating 250 ETH to kick things off, and various Web2 and Web3 companies, along with VCs, have also chipped in funding.
The emergency hotline is just one of three distinct initiatives from SEAL to try and help the crypto industry with these ongoing issues. It also conducts Wargames to develop strategies to deal with simulated attacks and came up with a Safe Harbor Legal Agreement for white hats, designed to protect the good guys from liability if things get hairy when trying to help patch an imminent or ongoing criminal hack. Until now, getting into legal trouble despite trying to help has been a constant concern
“If I mess up, which I will eventually, I’m only human — am I on the hook for it? For the 7, 8, 9 figures of TVL that I just accidently lost?”
Protocols sign up, let the white hats know which address to redirect the stolen funds to, and what kind of bounty they’ll receive.
The prototype for SEAL began in 2022 with a few volunteers and its first reported rescue happened in September 2023, as affiliated white hats volunteered to stop a thief mid-hack of a vulnerable smart contract at dice9win and saved $200,000. Now the organization’s remit has grown.
Read also
Who is white hat hacker Samczsun?
Samczsun is the poster boy for crypto in many ways. He is a firm believer in decentralization and is pseudo-anonymous. When he assists the FBI or other law enforcement agencies, it is always behind his anime avatar using a voice modifier. When I ask to record our interview, we have to pause for him to set up the voice modifier.
A very well-known personality in crypto, he chose to parlay his influencer status into creating SEAL.
“Objectively, SEAL is built on my reputation as a successful white hat,” he says.
Which begs the question: As a sh*t hot hacker, why not just steal the money yourself?
“I do get that a lot. The easiest way to put it is I’ve seen what it looks like for someone to be victimized by a hack. I’ve seen people fall victim to spy contract hacks, I’ve seen people fall victim to individual hacks. It sucks, it’s devastating to hear them talk about how they lost their life savings or the little amount of money they saved up trying to build a better future for their kids. I can’t do that. I can’t cause that much suffering to so many people.”
He seems pretty genuine. When we speak, the first thing he says is: “By the way, you know you have an impersonator on Twitter (X)?”
I have since discovered it’s quite hard to remove an impersonator on X.
Support pours in for white hat hacker SEAL team
Support pouring in from the crypto community and more than 75 collaborating organizations has helped give SEAL credibility and clout.
Buterin’s 250 ETH donation was followed by funds from the Ethereum Foundation, a16z crypto, Framework, Dragonfly, Electric Capital and Paradigm. There was also support from independent crypto participants who have benefited from more secure protocols and DApps.
SEAL is a legally registered 501c3 in the U.S. and has a leadership team and an independent board of directors. The idea is to build an organization that can continue on without Samczsun if necessary.
The Safe Harbor Agreement
For SEAL to succeed, Samczsun explaines it needed to solve the problem of legal liability for rescues gone wrong.
“I’ve intentionally over the last three, four years — in every live hack — explicitly said I’m not going to be the one that hits the button to send the transaction to rescue or patch the bug, because I don’t know what it means for me as far as liability goes.”
So, SEAL came up with the crypto equivalent of Good Samaritan laws — the laws that provide legal protection so that people who give the Heimlich maneuver to a choking person don’t get sued if they accidentally break some ribs.
The open and transparent nature of blockchain means that it’s usually pretty obvious when a hack is occurring, meaning that white hats can front-run the hack and return the funds to their rightful owners.
“If white hats can find out about these hacks as they are being executed, why are we not giving them the ability to jump in and do something about it?”
In mid-February, SEAL released the Safe Harbor Agreement (SHA) for comment. It aims to protect white hat hackers from unfair persecution and provide legal clarity around their actions should they intervene in a hack. The agreement is between the protocol being hacked and the white hat rescue and gives them a safe harbor to jump in and attempt to re-direct funds to a safe recovery address instead of the attacker’s wallet address.
Read also
Crypto-native lawyers helped draft Safe Harbor Agreement
“The LexPunk army” — an activist group of crypto native lawyers — played a critical role in drafting the agreement. LexPunk contributor “Charm,” who managed SHA to completion, says it was important to come up with a crypto-specific agreement because “legal systems don’t handle novelty well.”
Many computer protection laws in the U.S. hark back to the Reagan administration and hacking cases from the 1980s. The agreement “relies on a very broad concept of permissions that can be granted by all involved parties. But defining that access for funds and smart contract code was really difficult.”
For white hats, the sticking point in negotiating the agreement was: should there be a discrete categorical list of actions that white hats should be allowed to take?
In the end, the Safe Harbor Agreement effectively became “an open-ended list,” Charm tells Magazine.
The agreement contemplates endless scenarios and offers ways for white hat hackers to access funds using a discreet list of actions they can take. There’s a whole section of separate terms of engagement for bots that can front-run hacks.
It was a comprehensive attempt to close off every single legal issue, shepherded through multiple rounds of review.
Charm acknowledges the criticisms of SEAL’s ability to scale up to handle the sheer number of hacks but says the Safe Harbor Agreement is a toolkit and best practice guide for every white hat on the internet, in or outside of SEAL.
Miles Jennings, general counsel at a16z crypto, says the genius of the document is that it could actually work. “It’s noteworthy in trying to solve an incredibly complex problem. And one where if you don’t solve the problem, you make it worse.”
“Specifically, we couldn’t empower black hats. For example you can’t consent to criminality, such as a single user can’t consent to market manipulation. So the agreement had to deal with these issues.”
The need for SEAL crystallized for Jennings during the Nomad hack when he blocked a16z’s security team from stepping in.
“I basically had to be the bad guy by saying ‘no, we can’t take on that risk,’ you weren’t legally authorized to engage in that activity, so potential criminal liability comes with it. Maybe there were funds we could’ve recovered, but I wouldn’t allow us to take on that risk.”
He says SHA is clear on “what types of hacks and white hat activity to allow versus not allow” and includes a list in especially clear and understandable language for white hats.
But he admits it ultimately comes down to whether parties adopt it and use it in good faith.
“It’s all fairly complex, layers on top of a risk, success is by no means guaranteed, but it’s still the most significant move in terms of white hats providing defense for the whole increasingly complex ecosystem.”
The hacks are getting more complicated, but SEAL can win
The protocols are getting bigger, the equations are getting longer, and the hacks are evolving in step. Precise hacks like the Kyber hack of November 2023 are based on specific math that only occurs in very specific conditions, explains Samczsun.
“The hacks have definitely gotten more complicated. When I first started, the code was simple. It was sort of like, you were in elementary school doing addition, subtraction, multiplication and division. The hacks were like a teacher giving you a simple question. For us, trying to find a bug was like: what is three plus four? Then we moved on to algebra and calculus, quadratics. And now we’re doing square roots and exponentials.”
Yet Samczsun is optimistic SEAL can win. “It’s now the equivalent of taking a college-level course on quadratic equations. So things are getting harder, but it’s a good sign we are forcing the hackers to solve more and more complicated problems; one day, we will come up with a problem they can’t solve. It’s a matter of time.”
Subscribe
The most engaging reads in blockchain. Delivered once a
week.
Max Parasol
Max Parasol has worked as a crypto and AI researcher at the RMIT Blockchain Innovation Hub, as a lawyer, in private equity and was part of an early-stage crypto start up that was overly ambitious.