Original Author: Frank, Foresight News
On the evening of February 14th, Paradigm's security director, samczsun, officially announced the launch of the "Security Alliance" white-hat hacker safe harbor plan, which quickly caused a stir in the crypto world. Leading protocols such as Uniswap, security organizations like SlowMist Technology and OpenZeppelin, and well-known figures like Ryan Selkis, co-founder and CEO of Messari, all engaged with the announcement and voiced their support.
samczsun is the most prestigious white-hat hacker in the Web3 security field. What exactly is his so-called "Security Alliance" safe harbor plan, what specific actions will be taken, and what potential impact will it have on the crypto industry and the Web3 security field?
What is "Security Alliance"?
First, as the name suggests, Security Alliance is a public-interest alliance dedicated to network security:
Security Alliance has assembled a team of top experts in the field of network security, and through initiatives such as SEAL911 and Wargames, aims to help ensure the security of DeFi.
According to information disclosed by samczsun, as early as August 2022, when the cross-chain interoperability protocol Nomad was attacked (Foresight News note: the Nomad incident resulted in a loss of $190 million), he collaborated with the security team of a16z crypto to help identify and analyze the hackers.
During this process, they worked together to help the Nomad project recover up to $38.8 million from several white-hat hackers, who had intentionally taken the funds in advance to keep them out of the attackers' reach. This also laid the foundation and operational concept for the early form of the Security Alliance organization.
White-hat hackers are often the first to notice or receive vulnerability alerts; this is the everyday content of the tweets from security researchers and institutions we are familiar with, such as samczsun, SlowMist, and PeckShield.
The problem, however, is that because the legal status of white-hat rescues is ambiguous, many experienced developers and security researchers with white-hat intentions are unable to provide assistance:
Either their employment does not allow it, or they have other concerns. In this context, a legal framework that allows white-hats to demonstrate their goodwill through action would let more people participate, and the Nomad incident is a typical example.
As a result, samczsun decided to establish an organization that can give security personnel a worry-free environment and enable a faster and better response to security incidents. After more than a year of effort, the Security Alliance was born: "eliminating barriers that may prevent white-hat hackers from protecting our protocols in real time, empowering security researchers, so that if all other efforts fail, white-hat hackers can serve as the last line of defense."
In short, Security Alliance aims to provide a legal protection framework for white-hat hackers, to promptly notify owners of vulnerable systems, and to provide attack and defense exercise environments and support. Currently, Security Alliance has released a draft agreement on GitHub and opened it for community feedback for a period of 1 month, until March 14, 2024.
The official website shows that Security Alliance has more than 50 donors and partners, including Paradigm, Ethereum Foundation, a16z crypto, Vitalik Buterin, Filecoin Foundation, Coinbase, Dragonfly, Framework, Electric Capital, and others, making it a top-notch lineup.
Three main products/services
Currently, the main products/services listed by Security Alliance are: Whitehat Safe Harbor Agreement, SEAL 911, and SEAL Wargames.
Among them, crypto researcher @lex_node and Delphi Labs helped formulate the safe harbor agreement, and additional supporting measures are planned to be released later this year.
Whitehat Safe Harbor Agreement: White-hat operation norms
As mentioned above, Security Alliance, as a neutral public platform, has gathered many top experts from various sectors of the crypto field, forming a network that reaches across the entire crypto ecosystem and can find the best talent in any professional field to help execute the plan.
Based on this, the Whitehat Safe Harbor Agreement is a comprehensive framework specifically for active attack incidents, which can be understood as "white-hat operation norms." In this framework, the agreement can provide legal protection for white-hat hackers who help recover assets during active attack incidents.
In other words, it is similar to a bug bounty. If a protocol adopts the safe harbor agreement before an active attack incident occurs, white-hat hackers will clearly understand how they can take action in potential rescue efforts, such as:
Which assets are within the scope of the agreement (e.g., any ERC20 tokens at specific addresses)?
What rewards will successful white-hat rescues receive (e.g., 10% of the rescued funds, or a maximum of $1 million)?
Where should the rescued funds be returned to (e.g., a specific multi-signature address)?
This means that white-hat hackers can clearly understand their operational boundaries, code of conduct, and reward criteria, and receive legal protection. Of course, if a white-hat decides to conduct a white-hat rescue, they must follow the procedures specified in the agreement.
SEAL 911: 24/7 emergency hotline
SEAL 911 takes the form of a Telegram bot, which can be seen as a direct emergency hotline between project teams and the community. Anyone can use it to contact a project team in an emergency, and any messages sent to it will be automatically forwarded to the corresponding project team.
Imagine that one day you are the first to discover signs of an on-chain attack against a protocol. In such an emergency, time is money, but you may not know whom to turn to for help, or how to disclose the issue and alert the project's official personnel in time.
SEAL 911 provides a channel for users, developers, and other individuals who need to obtain emergency security advice, help disclose critical vulnerabilities, or simply synchronize progress with other researchers. They can use this Telegram bot to contact a team of carefully reviewed expert volunteers.
Subsequently, the SEAL 911 team will categorize the requests and provide direct assistance, or route them to the correct contact point. According to samczsun, in the past 6 months, SEAL 911 has helped interrupt, intercept, and rectify several hacker attacks, and has helped many others with other security issues.
SEAL Wargames: Providing red team/blue team attack and defense environment
"SEAL Wargames," officially positioned as "red team exercises," can be understood as providing a red team/blue team attack and defense environment.
Many developers may never have experienced a high-intensity security event before, which makes it difficult for them to stay focused and efficient when every second could mean millions of dollars lost to attackers.
SEAL Wargames can provide the resources and training that projects need to prepare for extreme scenarios, and includes two phases:
Tabletop exercises, where the SEAL Chaos team and project developers jointly formulate hypothetical attack scenarios and record potential weaknesses;
Simulated attacks, where the SEAL Chaos team uses vulnerabilities on the test network to challenge project developers, categorize different types of vulnerabilities, and make repairs.
Therefore, if a project is in need of emergency response due to a hack, or needs to conduct red team exercises in advance to prepare for extreme situations, this tool can be used.
Who is samczsun?
As a research partner and security director at Paradigm, samczsun focuses on Paradigm's portfolio companies and on research into security and related topics.
In the past two years, samczsun has been the first to issue warnings and has been active in various Web3 security events, making him the most well-known white-hat hacker in the crypto industry:
According to incomplete statistics, over the past few years, samczsun has helped at least dozens of projects, including SushiSwap, ENS, and others, discover related vulnerabilities in advance, avoiding losses of hundreds of millions of dollars.
If we were to organize it by timeline, we would find that samczsun's open-source contributions to Web3 security have been consistent:
In September 2022, samczsun developed and launched the Ethereum Tags Database, a website for tagging and searching Ethereum addresses, which can be contributed to by anyone, and allows searching by address and tag (using wildcards);
In August 2023, he launched the Telegram bot "SEAL 911" mentioned earlier.
Conclusion
We often say, "The Web3 world is a paradise for technical talent and hackers." Especially since the DeFi boom in 2020, security risks in the Web3 world have resembled an asymmetric, one-way hunt: a never-ending ATM for hackers, and for project teams and ordinary users, a "sword of Damocles" that could fall at any time.
Through this combination of services, Security Alliance gives crypto users affected by security events access to a 24/7 emergency hotline, provides legal protection for white-hat hackers rescuing stolen funds, and offers Web3 developers free practice in simulating adversarial network attacks against organizational systems to identify vulnerabilities and prepare effective responses.
At least for the current crypto field, this is already a set of the most comprehensive Web3 security solutions, and whether it can make the journey through the crypto dark forest a little less cruel remains to be seen.