[GAP-2] Adopt The SEAL Safe Harbor Agreement

[Draft-GAP] Adopt The SEAL Safe Harbor Agreement

Disclaimer: I am submitting this proposal solely in my personal capacity
Title: Adopt The SEAL Safe Harbor Agreement
Proposal Type: GAP
One Sentence Summary: This proposal advocates for the ZKsync Token Assembly’s adoption of the SEAL Whitehat Safe Harbor Agreement to enhance the security of its code base and on-chain assets by establishing a rapid response mechanism that enables whitehats to effectively intervene during active exploits, safeguarding user funds and reinforcing ZKsync’s proactive security measures.
Proposal Author: Skylock.xyz, samczsun
Proposal Sponsor: TBC
Date Created: 2024-12-03
Version: Version 1
Summary of Action: Register Agreement On-Chain; Security Team Adoption; Update Terms of Service; Communicate Adoption
Link to contracts: GitHub - security-alliance/safe-harbor

Abstract

This proposal outlines the adoption by the ZKsync Token Assembly of the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”). For more information, check out the Safe Harbor Agreement here.

Adopting the SEAL Whitehat Safe Harbor Agreement equips ZKsync with a rapid response mechanism for active exploits, enabling whitehats to step in effectively when needed most. The agreement provides clear guidelines for action, increasing the protection of user funds and demonstrating ZKsync’s commitment to proactive security.

Motivation

The Safe Harbor Agreement addresses a critical need in crypto: enabling whitehats to intervene during active exploits when traditional responsible disclosure procedures are not feasible.

Key aspects of the Safe Harbor Agreement include:

  • Encouraging Whitehats to Protect the Protocol: By adopting Safe Harbor, ZKsync incentivizes whitehats to step in and protect the protocol during active exploits by limiting their legal exposure.
  • Intervention Only During Active Exploits: Whitehats are authorized to act only when there is an immediate or ongoing exploit that threatens the protocol. This agreement applies only to critical situations where responsible disclosure procedures would not save funds due to the urgency of the exploit, and it is not intended for routine security testing or vulnerability reporting.
  • Mandatory Return of Rescued Funds: Under the terms of the Safe Harbor, whitehats are required to return all rescued assets to a pre-designated recovery address controlled by the protocol within 72 hours of recovering them. This ensures that recovered funds are quickly secured, preventing delay or potential loss.
  • Clear Guidelines and Legal Protection: The agreement establishes strict rules for how whitehats must operate during an exploit, ensuring recovery efforts are conducted professionally and safely, minimizing the risk of mistakes or further damage to the protocol. By adhering to these guidelines, whitehats can limit their potential legal exposure, allowing them to act in good faith without fear of liability.
  • Incentivized Rescue Efforts: To motivate whitehats to act during critical situations, the agreement offers a bounty system similar to a bug bounty. Whitehats are rewarded with a percentage of the recovered assets, up to a predefined cap, for their successful interventions.

Rationale

ZKsync is committed to enhancing its security and protecting user funds during critical moments. While security audits and other preventive measures are crucial, the unpredictable nature of exploits requires a swift, decisive response mechanism to minimize potential damage.

The Safe Harbor Agreement empowers whitehats to act immediately during an active exploit, providing a proactive and structured recovery process. By enabling whitehats to step in and recover assets during a crisis, ZKsync strengthens its defenses against emerging threats.

Benefits of adopting the Safe Harbor Agreement include:

  • Agile Defense Against Exploits: Whitehats are authorized to intervene as soon as an active exploit is detected, enabling rapid response and minimizing the window for malicious actors to exploit vulnerabilities. Immediate action helps reduce damages and speeds up asset recovery during critical moments.
  • Clarified Rescue Process: The agreement ensures that every step, from intervention to fund recovery, is predetermined and streamlined. Whitehats know exactly where to send recovered funds, preventing chaotic negotiations or rushed decisions during an exploit. This clarity ensures efficient, decisive action when it matters most.
  • Clear Financial Boundaries: The predefined bounty system, with a cap of $1m USD paid out from ZKsync’s existing bug bounty, ensures that whitehats are incentivized fairly without creating conflicting priorities between exploit intervention and standard vulnerability disclosure. This keeps the security process balanced and transparent.
  • Aligning with Industry Best Practices: By adopting the Safe Harbor Agreement, ZKsync aligns itself with leading security practices across the industry, reinforcing its commitment to staying at the forefront of protocol security.

Adoption of the agreement complements audits by providing an additional layer of security, ensuring that the protocol is better prepared to respond to active threats.

Specification

Adoption Details

The ZKsync Token Assembly will adopt, or will ensure that an adjacent entity in the ZKsync ecosystem adopts, the agreement with the following parameters. For a full description of these adoption details, review the Safe Harbor for Protocols document.

  1. Asset Recovery Address: Addresses controlled by ZKsync, which recovered funds will be returned to in the event of a hack

    Chain Address Notes
    Ethereum 0xb13dF19C56a75f9087CC03b10D482B4a775daB47 Multisig controlled by the ZKsync Security Council
    ZKsync Era 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A Multisig controlled by the ZKsync Security Council
  2. Scope: List of all onchain assets protected under Safe Harbor

Chain(s) Name Address Type (Direct / Parent)
Ethereum Protocol Upgrade Handler 0x8f7a9912416e8AdC4D9c21FAe1415D3318A11897 Direct
Ethereum Security Council 0xBDFfCC71FE84020238F2990a6D2954e87355De0D Direct
Ethereum Guardians 0xD677e09324F8Bb3cC64F009973693f751c33A888 Direct
Ethereum Emergency Protocol Upgrade 0xdEFd1eDEE3E8c5965216bd59C866f7f5307C9b29 Direct
Ethereum ZKsync Era DiamondProxy 0x32400084c286cf3e17e7b677ea9583e60a000324 Direct
Ethereum ZKsync Era Chain Admin 0x2cf3bD6a9056b39999F3883955E183F655345063 Direct
Ethereum BridgeHub 0x303a465B659cBB0ab36eE643eA362c509EEb5213 Direct
Ethereum L1 SharedBridge 0xD7f9f54194C633F36CCD5F3da84ad4a1c38cB2cB Direct
Ethereum L1 ERC20 Legacy Bridge 0x57891966931Eb4Bb6FB81430E6cE0A03AAbDe063 Direct
Ethereum State Transition Manager 0xc2eE6b6af7d616f6e27ce7F4A451Aedc2b0F5f5C Direct
Ethereum Validator Timelock 0x5D8ba173Dc6C3c90C8f7C04C9288BeF5FDbAd06E Direct
ZKsync ZK Protocol Governor 0x76705327e682F2d96943280D99464Ab61219e34f Direct
ZKsync ZK Token Governor 0x10560f8B7eE37571AD7E3702EEb12Bc422036E89 Direct
ZKsync ZK GovOps Governor 0x496869a7575A1f907D1C5B1eca28e4e9E382afAb Direct
ZKsync ZK Token 0x5A7d6b2F92C77FAD6CCaBd7EE0624E64907Eaf3E Direct
ZKsync L2 SharedBridge 0x11f943b2c77b743AB90f4A0Ae7d5A4e7FCA3E102 Direct
ZKsync L2 Beacon Proxy 0x1Eb710030273e529A6aD7E1e14D4e601765Ba3c6 Direct
ZKsync L2 Wrapped Ether 0x57891966931Eb4Bb6FB81430E6cE0A03AAbDe063 Direct
  3. Contact Details: Designated security contact for ZKsync
    • Name: Vlad Bochok
    • Contact Information: x.com
  4. Bounty Terms:
    • Bounty Percentage: 10% of recovered funds

    • Bounty Cap (USD): $1,000,000 USD

    • Retainable: No

      This means that whitehats cannot retain their bounty directly from the recovered assets. Instead, all rescued funds must be returned to the protocol’s designated asset recovery address, and the bounty will be paid out separately afterwards.

    • Identity Verification: Named

      Whitehats must provide their full legal name. This requirement ensures compliance with legal obligations and is similar to the identity verification standards seen in traditional bug bounty programs.

    • Diligence Requirements: KYC & Global Sanction Verification

      ZKsync requires all eligible whitehats to undergo Know Your Customer (KYC) verification and be screened against global sanctions lists, including OFAC, UK, and EU regulations. This process ensures that all bounty recipients are compliant with legal and regulatory standards before qualifying for payment.

Implementation Plan

  1. Register Agreement On-Chain:
    • The agreement will be registered on ZKsync Era in the Safe Harbor Registry at address 0x5f5eEc1a37F42883Df9DacdAb11985467F813877, including all adoptionDetails. This ensures transparency and immutability.
  2. Security Team Adoption:
    • The ZKsync Security Team will complete the procedures outlined in “Exhibit C: Security Team Adoption Procedures” of the Safe Harbor Agreement. Upon completion, the signed adoption document will be uploaded to IPFS, ensuring public accessibility and transparency.
  3. Update Terms of Service:
    • The ZKsync front-end Terms of Service will be updated in accordance with “Exhibit D: User Adoption Procedures” of the Safe Harbor Agreement. These updates will reflect the protocol’s adoption of Safe Harbor, ensuring that users are informed and provide their consent accordingly.
  4. Communicate Adoption:
    • An official announcement will be made across all ZKsync communication channels, explaining the adoption and its significance to the community.

Conclusion

Adopting the SEAL Whitehat Safe Harbor Agreement equips ZKsync with a rapid response mechanism for active exploits, enabling whitehats to step in effectively when needed most. The agreement provides clear guidelines for action, increasing the protection of user funds and demonstrating ZKsync’s commitment to proactive security.

References

15 Likes
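A pre-registration sanity check for the adoption details above, added here as an example (it is not code from the proposal or from the security-alliance/safe-harbor repository): it parses a few of the flattened scope rows, flags malformed or reused addresses, and applies the stated bounty terms (10%, $1M cap, not retainable). The row format and the function names are assumptions; the sample rows are copied from the proposal's own scope table.

```python
# Added example (not the proposal's or security-alliance/safe-harbor code):
# sanity-check Safe Harbor adoption details before registering them on-chain.
import re
from collections import defaultdict

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample: four rows copied from the proposal's scope table.
SCOPE_TEXT = """\
Ethereum Protocol Upgrade Handler 0x8f7a9912416e8AdC4D9c21FAe1415D3318A11897 Direct
Ethereum L1 ERC20 Legacy Bridge 0x57891966931Eb4Bb6FB81430E6cE0A03AAbDe063 Direct
ZKsync ZK Token 0x5A7d6b2F92C77FAD6CCaBd7EE0624E64907Eaf3E Direct
ZKsync L2 Wrapped Ether 0x57891966931Eb4Bb6FB81430E6cE0A03AAbDe063 Direct
"""

BOUNTY_PERCENT = 10          # proposal: 10% of recovered funds
BOUNTY_CAP_USD = 1_000_000   # proposal: $1,000,000 USD cap
RETAINABLE = False           # proposal: bounty paid separately, not kept from rescued assets


def parse_scope(text):
    """Split 'Chain Name... Address Type' rows; the address is the only 0x token,
    so the asset name is every token between the chain and the address."""
    rows = []
    for line in text.strip().splitlines():
        chain, *name, address, kind = line.split()
        rows.append((chain, " ".join(name), address, kind))
    return rows


def check_scope(rows):
    """Return human-readable findings (an empty list means the scope looks clean)."""
    findings, seen = [], defaultdict(list)
    for chain, name, address, kind in rows:
        if not ADDR_RE.match(address):
            findings.append(f"malformed address for {name}: {address}")
        if kind not in ("Direct", "Parent"):
            findings.append(f"unknown type {kind!r} for {name}")
        seen[address.lower()].append(f"{chain}/{name}")
    for address, owners in seen.items():
        if len(owners) > 1:  # may be legitimate across chains, or a copy-paste slip: confirm it
            findings.append(f"address {address} listed for: {', '.join(owners)}")
    return findings


def settle(recovered_usd):
    """Amount returned to the recovery address within 72h, and the bounty owed separately."""
    bounty = min(recovered_usd * BOUNTY_PERCENT / 100, BOUNTY_CAP_USD)
    returned = recovered_usd - bounty if RETAINABLE else recovered_usd
    return returned, bounty
```

Run against the sample, the check reports one finding: the proposal's table gives the same address for the L1 ERC20 Legacy Bridge on Ethereum and the L2 Wrapped Ether on ZKsync, which is worth confirming with the security contact before the registry entry is submitted.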

Hey everyone - I’m Dickson one of the leads of Safe Harbor & Co-founder of Skylock!

Feel free to comment and let us know if you have any questions! Always happy to talk about Safe Harbor!

2 Likes

I believe this would be an important measure to adopt. I’ve been following your work and previously proposed its adoption for a different protocol. I look forward to the voting process and implementation if/once approved.

1 Like

I’m supportive of this initiative to adopt the SEAL Safe Harbor Agreement for the ZKsync Protocol.

As a contributor to the Security Alliance, I’ve been providing feedback on the development of Safe Harbor since its early inception. It’s come a long way in maturity and is now being adopted by security platforms such as Immunefi. It’s been recently adopted by major protocols including Origin and Compound Finance, the latter of which I was specifically involved in sponsoring as Compound’s Protocol Security Advisor. You can read more about my reasoning and the Immunefi proposal that led to its adoption on Compound here.

My only caveat is that I do believe that the circumstances of when whitehats can perform an exploit within Safe Harbor should be carefully considered and limited to very specific circumstances such as front-running a malicious exploit transaction that has been submitted to the mempool with no other option left to stop the attack. In any other scenario, whitehats should report exploits to the ZKsync Bug Bounty program on Immunefi so that issue mitigation can be managed by the Matter Labs team and/or Security Council.

3 Likes

Want to echo @michael-lewellen’s points here.

Also, curious on how the bounty payout numbers were chosen? Seeing a very similar proposal here on Uniswap, but with substantially different numbers: [RFC] - Adopt The SEAL Safe Harbor Agreement - Requests for Comment - Uniswap Governance

1 Like

100% agree with Michael! Safe Harbor only applies to active exploits. Anything else should be responsibly disclosed through the bug bounty and to the team. Safe Harbor only covers scenarios where responsible disclosure couldn’t save funds (like the mempool example Michael brought up)

1 Like

Thanks for reviewing the proposal! We worked with each team and let them decide on the bounty to put forth in the DAO proposal. We also have a baseline recommendation (10% of recovered funds up to $1M cap), and we decided to go with that in this draft.

If you think the number(s) should be different let us know and we’ll take it into consideration!

1 Like

I am in favor, IIRC this was part of samczsun’s chopping block podcast episode, right?

Still one question: Since you said

We worked with each team and let them decide on the bounty to put forth in the DAO proposal.

This means the zksync team (especially the mentioned Vlad Bochok) is onboard and supportive?

1 Like

I don’t have much experience with security measures and best practices for handling situations like this, but it seems like a no-brainer whether to implement this or not. I see no downside and huge potential upside, so I’m fully in support of this.

It would be kinda cool if this extended to cover the entire elastic chain, not just Era, but I guess all in good time.

1 Like

Matter Labs currently manages the Immunefi Bug Bounty for ZKsync. We were happy to work with Skylock to select parameters for the Safe Harbor Agreement that reflect the existing bounty tiers for ZKsync.

3 Likes

@samczsun can you please update the L1 and L2 recovery addresses to the following:

  • L1 recovery address: 0xb13dF19C56a75f9087CC03b10D482B4a775daB47
  • L2 recovery address: 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A

Both of these addresses are multisigs controlled by the ZKsync Security Council, and require a 75% signing threshold (9/12) to be met in order for any actions to be executed.

Also the most up-to-date list of onchain assets:

Chain(s) Name Address Type (Direct / Parent)
Ethereum Protocol Upgrade Handler 0x8f7a9912416e8AdC4D9c21FAe1415D3318A11897 Direct
Ethereum Security Council 0xBDFfCC71FE84020238F2990a6D2954e87355De0D Direct
Ethereum Guardians 0xD677e09324F8Bb3cC64F009973693f751c33A888 Direct
Ethereum Emergency Protocol Upgrade 0xdEFd1eDEE3E8c5965216bd59C866f7f5307C9b29 Direct
Ethereum ZKsync Era DiamondProxy 0x32400084c286cf3e17e7b677ea9583e60a000324 Direct
Ethereum ZKsync Era Chain Admin 0x2cf3bD6a9056b39999F3883955E183F655345063 Direct
Ethereum BridgeHub 0x303a465B659cBB0ab36eE643eA362c509EEb5213 Direct
Ethereum L1 SharedBridge 0xD7f9f54194C633F36CCD5F3da84ad4a1c38cB2cB Direct
Ethereum L1 ERC20 Legacy Bridge 0x57891966931Eb4Bb6FB81430E6cE0A03AAbDe063 Direct
Ethereum State Transition Manager 0xc2eE6b6af7d616f6e27ce7F4A451Aedc2b0F5f5C Direct
Ethereum Validator Timelock 0x5D8ba173Dc6C3c90C8f7C04C9288BeF5FDbAd06E Direct
ZKsync ZK Protocol Governor 0x76705327e682F2d96943280D99464Ab61219e34f Direct
ZKsync ZK Token Governor 0x10560f8B7eE37571AD7E3702EEb12Bc422036E89 Direct
ZKsync ZK GovOps Governor 0x496869a7575A1f907D1C5B1eca28e4e9E382afAb Direct
ZKsync ZK Token 0x5A7d6b2F92C77FAD6CCaBd7EE0624E64907Eaf3E Direct
ZKsync L2 SharedBridge 0x11f943b2c77b743AB90f4A0Ae7d5A4e7FCA3E102 Direct
ZKsync L2 Beacon Proxy 0x1Eb710030273e529A6aD7E1e14D4e601765Ba3c6 Direct
ZKsync L2 Wrapped Ether 0x57891966931Eb4Bb6FB81430E6cE0A03AAbDe063 Direct
2 Likes

Security is a top priority for every protocol, and the ZKsync community takes security very seriously.
I support the ZKsync protocol adopting the SEAL Safe Harbor Agreement.

Bounty Cap (USD): $1,000,000 USD. Reflects ZKsync’s existing bounty tiers on Immunefi. Reasonable.

1 Like

High priority given to the security of the protocol is necessary. The proposal process is very clear. I support and look forward to the vote.

One question:
Whitehats who step in and protect the ZKsync protocol during active exploits get a bounty.
Will they still collect the ZKsync Immunefi Bug Bounty?

1 Like

Hi Lisanc! For your question: the Safe Harbor Agreement covers only active exploits, which, I believe, would be considered out of scope of ZKsync’s Bug Bounty. So whitehats would only be paid once, through Safe Harbor.

1 Like

Hey all! Sam updated the proposal and we’re ready to go!

I support this proposal, let’s get it moving forward :+1:

1 Like

I think this proposal is a great idea, and would definitely support it myself!