‘SEAL 911’ team of white hats formed to fight crypto hacks in real time
If you have a problem, if no one else can help and if you can find them. Maybe you can hire, the SEAL team of white hat hackers.
It started with the chaotic $190 million Nomad hack in August 2022. An exploit, or flaw in the code, was found for the bridge, and a colossal crowd of criminals rushed in to loot the funds.
In its analysis of the exploit, Immunifi said one problem was: “Staying true to DeFi Principles, this hack was permissionless — anyone could join in.”
Plenty of white hat hackers wanted to help but were forced to watch from the sidelines due to the legal risks of pitching in.
Looking back in February, famed white hat hacker Samczsun said the security community had wondered afterward, “How did we get to a point where random people felt comfortable stealing money from the bridge, but white hats felt it was too risky to intervene.”
Something needed to be done. Samczsun, who is also Paradigm’s head of security, decided that for future hacks, the SEAL911 bat signal could be shone into the metaphorical night so white hats could help combat hacks. But first, the legal issues needed to be sorted out.
SEAL: Security Alliance of white hat hackers
The idea for the Security Alliance (SEAL) emerged with the project officially launching February 14. SEAL 911 is a hot desk on the Telegram messaging service where a crack team of around 40 white hat hackers can pick up reports of hacks in progress and assist in real time.
Samczsun calls it a “firefighting helicopter” that will “show the world that crypto as an industry is taking security seriously.”
“The idea is that if someone finds a critical bug but doesn’t know who to talk to in the project team […] that’s one of the things SEAL911 can help with. Then we can also help respond to the hack, obviously.”
“It’s super ambitious, part of it is that, for now, the volume is manageable. We want to serve all of crypto. We may split into teams, but for now, the teams are small because we are dealing with very sensitive information.”
Apart from white hats, there are auditors, bug bounty program coordinators and investigative sleuths. Ethereum creator Vitalik Buterin was the first donor, donating 250 ETH to kick things off, and various Web2 and Web3 companies, along with VCs, have also chipped in funding.
If I mess up, which I will eventually, I’m only human — am I on the hook for it? For the 7, 8, 9 figures of TVL that I just accidently lost?”
The prototype for SEAL began in 2022 with a few volunteers and its first reported rescue happened in September 2023, as affiliated white hats volunteered to stop a thief mid-hack of a vulnerable smart contract at dice9win and saved $200,000. Now the organization’s remit has grown.
pto, he chose to parlay his influencer status into creating SEAL.
“Objectively, SEAL is built on my reputation as a successful white hat,” he says.
Which begs the question: As a sh*t hot hacker, why not just steal the money yourself?
I can’t do that. I can’t cause that much suffering to so many people
“I do get that a lot.
The easiest way to put it is I’ve seen what it looks like for someone to be victimized by a hack. I’ve seen people fall victim to spy contract hacks, I’ve seen people fall victim to individual hacks. It sucks, it’s devastating to hear them talk about how they lost their life savings or the little amount of money they saved up trying to build a better future for their.”
I have since discovered it’s quite hard to remove an impersonator on X.
Buterin’s 250 ETH donation was followed by funds from the Ethereum Foundation, a16z crypto, Framework, Dragonfly, Filecoin Foundation, Electric Capital and Paradigm. There was also support from independent crypto participants who have benefited from more secure protocols and DApps.
SEAL is a legally registered 501c3 in the U.S. and has a leadership team and an independent board of directors. The idea is to build an organization that can continue on without Samczsun if necessary.
The Safe Harbor Agreement
For SEAL to succeed, Samczsun explains it needed to solve the problem of legal liability for rescues gone wrong.
I’ve intentionally over the last three, four years — in every live hack — explicitly said I’m not going to be the one that hits the button to send the transaction to rescue or patch the bug, because I don’t know what it means for me as far as liability goes.”
The open and transparent nature of blockchain means that it’s usually pretty obvious when a hack is occurring, meaning that white hats can front-run the hack and return the funds to their rightful owners.
“If white hats can find out about these hacks as they are being executed, why are we not giving them the ability to jump in and do something about it?”
For white hats, the sticking point in negotiating the agreement was: should there be a discrete categorical list of actions that white hats should be allowed to take?
In the end, the Safe Harbor Agreement effectively became “an open-ended list,” Charm tells Magazine.
The agreement contemplates endless scenarios and offers ways for white hat hackers to access funds using a discreet list of actions they can take. There’s a whole section of separate terms of engagement for bots that can front-run hacks.
It was a comprehensive attempt to close off every single legal issue, shepherded through multiple rounds of review.
Charm acknowledges the criticisms of SEAL’s ability to scale up to handle the sheer number of hacks but says the SHA is a toolkit and best practice guide for every white hat on the internet, in or outside of SEAL.
Miles Jennings, general counsel at a16z crypto, says the genius of the document is that it could actually work. “It’s noteworthy in trying to solve an incredibly complex problem. And one where if you don’t solve the problem, you make it worse.”
Specifically, we couldn’t empower black hats. For example you can’t consent to criminality, such as a single user can’t consent to market manipulation. So the agreement had to deal with these issues.”
The need for SEAL crystallized for Jennings during the Nomad hack when he blocked a16z’s security team from stepping in.
“I basically had to be the bad guy by saying ‘no, we can’t take on that risk,’ you weren’t legally authorized to engage in that activity, so potential criminal liability comes with it. Maybe there were funds we could’ve recovered, but I wouldn’t allow us to take on that risk.”
But he admits it ultimately comes down to whether parties adopt it and use it in good faith.
“It’s all fairly complex, layers on top of a risk, success is by no means guaranteed, but it’s still the most significant move in terms of white hats providing defense for the whole increasingly complex ecosystem.”
The hacks are getting more complicated, but SEAL can win
The hacks have definitely gotten more complicated.
"When I first started, the code was simple. It was sort of like, you were in elementary school doing addition, subtraction, multiplication and division. The hacks were like a teacher giving you a simple question. For us, trying to find a bug was like: what is three plus four? Then we moved on to algebra and calculus, quadratics. And now we’re doing square roots and exponentials.”
Yet Samczsun is optimistic SEAL can win. “It’s now the equivalent of taking a college-level course on quadratic equations. So things are getting harder, but it’s a good sign we are forcing the hackers to solve more and more complicated problems; one day, we will come up with a problem they can’t solve. It’s a matter of time.”
No comments:
Post a Comment