Introduction
The Lido Labs Security Operations team proposes Lido DAO adopt the SEAL (Security Alliance) Whitehat Safe Harbor Agreement (“Safe Harbor Agreement”) for the Lido on Ethereum protocol. By adopting the Safe Harbor Agreement, Lido DAO enhances the security of Lido protocol user funds and Lido DAO treasury assets by allowing Whitehats to intervene during active exploits to save affected funds. Lido Labs Foundation (“Lido Labs”), as a service provider to Lido DAO, will operate the Safe Harbor program on an ongoing basis (including running the designated security contact and assisting with incident handling and bounty processing).
What is the Safe Harbor Agreement?
The Safe Harbor Agreement addresses a critical need in crypto: enabling Whitehats to intervene during active exploits when the urgency of an attack makes traditional processes too slow to save funds. It was created by SEAL, a nonprofit founded by samczsun, to secure the future of crypto.
Key aspects of the agreement include:
- Encouraging Whitehats to Protect the Protocol: By adopting the Safe Harbor Agreement, Lido DAO incentivizes Whitehats to step in and protect the protocol during active exploits by limiting their legal exposure.
- Intervention Only During Active Exploits: Whitehats are authorized to act only when there is an immediate or ongoing exploit that threatens the protocol. This agreement is not intended for routine security testing or bug bounty reporting. It applies only to critical situations where the urgency of the exploit supersedes traditional procedures for responsible disclosure in order to save funds.
- Mandatory Return of Rescued Funds: Under the terms of the Safe Harbor, Whitehats are required to return all rescued assets to a pre-designated recovery address controlled by the protocol within 72 hours of recovery to ensure these funds are quickly secured, preventing delay or potential loss.
- Clear Guidelines and Legal Protection: The agreement establishes strict rules for how Whitehats must operate during an exploit, ensuring recovery efforts are conducted professionally and safely, minimizing the risk of mistakes or further damage to the protocol. By adhering to these guidelines, Whitehats can limit their potential legal exposure, allowing them to act in good faith without fear of liability.
- Incentivized Rescue Efforts: To motivate Whitehats to act during critical situations, the agreement offers a bounty system that rewards rescuers with a percentage of the recovered assets, up to a predefined cap, for successful interventions.
Safe Harbor has already been adopted by leading protocols such as Uniswap, zkSync, and Aave (see the full list of protocols participating in Safe Harbor), establishing it as a trusted industry standard for empowering Whitehats during active exploits.
Terms
Safe Harbor Agreement — an agreement that sets forth the terms and conditions of the Safe Harbor Program.
Agreement Details Contract (or just Agreement Contract) — a smart contract specifying Agreement Details on-chain.
Agreement Details — configurable parameters of the Safe Harbor Agreement, such as bounty percentage and bounty cap, which will be solidified in the Agreement Details Contract on-chain.
Safe Harbor Registry — a smart contract used to signal adoption of the Safe Harbor Program by a protocol.
Rationale
Lido DAO is committed to enhancing its security and protecting user funds during critical moments. While security audits and other preventive measures are crucial, the unpredictable nature of active exploits requires a swift, decisive response mechanism to minimize potential damage.
Benefits of adopting the Safe Harbor Agreement include:
- Agile Defense Against Exploits: Whitehats are authorized to intervene as soon as an active exploit is detected, enabling them to respond faster than traditional methods. Immediate action minimizes the window for malicious actors, reduces damages, and accelerates the recovery of assets during critical moments.
- Clarified Rescue Process: The agreement ensures that every step, from intervention to fund recovery, is predetermined and streamlined. Whitehats know exactly where to send recovered funds, preventing chaotic negotiations or rushed decisions during an exploit. This clarity ensures efficient, decisive action when it matters most.
- Clear Financial Boundaries: The predefined bounty system, with a cap matching Lido DAO's existing bug bounty, ensures that Whitehats are incentivized fairly without creating conflicting priorities between exploit intervention and standard vulnerability disclosure. By setting expectations upfront, it eliminates post-exploit negotiations, ensuring funds are returned promptly without attempts to change the reward amount, keeping the process fair and transparent.
- Aligning with Industry Best Practices: By adopting the Safe Harbor Agreement, Lido DAO aligns with leading security practices across the industry, reinforcing its commitment to staying at the forefront of protocol security.
- Mitigating Increased Attack Frequency: In light of recent exploits affecting even well-established protocols like Balancer V2 and Yearn yETH, adoption of the Safe Harbor Agreement is being prioritized in anticipation of the Lido V3 release to harden Lido on Ethereum security. The community is encouraged to proceed with this initiative to ensure the protocol’s continued resilience.
Adoption of the agreement complements audits by providing an additional layer of security, ensuring that the protocol is better prepared to respond to active threats.
Adoption Details
Protocol Details
Protocol Name: Lido on Ethereum
Bounty Terms
Predetermined rewards for successful Whitehats that recover protocol funds. For more information, review the Safe Harbor Scope document.
- Percentage: 10.0% of the recovered amount
- Bounty Cap (USD): $2,000,000
  - The maximum bounty amount for a single Whitehat, in USD.
- Aggregate Cap (USD): $2,000,000
  - The maximum total bounty payout across all Whitehats for a single incident. Bounties will be distributed pro rata.
- Retainable: False
  - Whitehats are required to return all recovered funds to the protocol, which will then pay out the bounty after verification.
  - The compensation for Whitehats will be distributed via a dedicated Lido DAO governance vote, once the vulnerability is resolved and malicious actions are stopped.
- Identity: Anonymous
  - By default, Whitehats are allowed to remain anonymous and are not required to provide any information about themselves to the protocol, except in cases where we reasonably expect that a Whitehat might be in breach of the Diligence Requirements (see the Diligence Requirements section below).
- Diligence Requirements:
  As a condition to eligibility for any bounty under the Safe Harbor program, a Whitehat represents, warrants, and covenants that they:
  - are at least 18 or the age of majority in their jurisdiction (whichever is higher) and have full legal capacity;
  - are not (i) a citizen or resident of, located, incorporated, or otherwise established in any jurisdiction that is the subject of comprehensive sanctions or an embargo administered or enforced by the United States, United Kingdom, European Union, or United Nations, or (ii) a person that is, or that is owned or controlled by, or acting on behalf of, any person that is the subject of any sanctions administered or enforced by any of those authorities;
  - are not (and for the prior 12 months have not been) an employee, contractor, or service provider of any Lido Labs or Lido Ecosystem affiliate, nor an immediate family member of such a person, and are not acting on their behalf or receiving any advice from the said persons;
  - The Whitehat further acknowledges that Lido Labs, acting solely in its diligence-support capacity, may require additional information (including information relating to their identity and jurisdiction) and may provide Lido DAO with all information gathered as a result of this diligence check and an assessment of whether making such payment would violate, or would present an undue risk of violating, any applicable law or regulation (including sanctions, anti–money laundering, or anti–terrorist–financing laws). Lido Labs will not make any payment determinations, which remain exclusively within the authority of Lido DAO.
  - These representations, warranties, and acknowledgements are continuing and are conditions precedent to eligibility for any bounty.
Relationship with Lido’s Bug Bounty Program
Safe Harbor is distinct from Lido’s existing Bug Bounty program on Immunefi:
- Bug bounty: for responsible disclosure of vulnerabilities before an active exploit, following Immunefi rules.
- Safe Harbor: for live, active exploits where immediate intervention is needed and normal disclosure is too slow.
Safe Harbor and the Bug Bounty program are mutually exclusive from a rewards perspective. A Whitehat rewarded via the Bug Bounty program cannot receive a reward for the same exploit under Safe Harbor, even if Safe Harbor’s legal protections apply.
Contact Details
Designated security contact for the protocol, whom Whitehats will contact following a Safe Harbor recovery
Security Team, [email protected]
Chains & Asset Recovery Addresses
Addresses controlled by the protocol, to which Whitehats will return recovered protocol funds.
Aragon Voting, 0x2e59A20f205bB85a89C53f1936454680651E618e
Aragon Voting was selected because it provides a predictable, resilient, and timely decision-making framework for both routine operations and potential emergency scenarios. Its use enables Lido DAO to respond quickly, avoiding the extended governance delays that can arise under Dual Governance. By directing all recovered assets to the Aragon Voting contract, those assets remain fully under the control of the Lido DAO. Any subsequent action — such as redistribution, user compensation, or other follow-up steps — will therefore require explicit approval through Lido DAO governance. If a Whitehat needs to return ETH to the Recovery Address, the ETH must first be wrapped into wETH. As the initiative evolves, the implementation of a separate AssetRecoveryVault, similar to the InsuranceFund, may be considered.
Accounts
List of all on-chain assets owned by the protocol protected under Safe Harbor
Chain: eip155:1 (Ethereum Mainnet)
ChildContractScope: All (all contracts, whether created by Address before or after calling adoptSafeHarbor, are in scope for Eligible Funds Rescues and will automatically fall under Safe Harbor protections and will not require a separate vote)
All contract addresses can be verified via Lido Docs.
The address list will be updated with the pending Lido V3 eip155:1 (Ethereum Mainnet) addresses, expected on December 3.
Core protocol
| Name | Address |
|---|---|
| Lido Locator (proxy) | 0xC1d0b3DE6792Bf6b4b37EccdcC24e45978Cfd2Eb |
| Lido and stETH token (proxy) | 0xae7ab96520DE3A18E5e111B5EaAb095312D7fE84 |
| wstETH | 0x7f39c581f595b53c5cb19bd0b3f8da6c935e2ca0 |
| wstETH referral staker | 0xa88f0329C2c4ce51ba3fc619BBf44efE7120Dd0d |
| EIP-712 helper for stETH | 0x8F73e4C2A6D852bb4ab2A45E6a9CF5715b3228B7 |
| StakingRouter (proxy) | 0xFdDf38947aFB03C621C71b06C9C70bce73f12999 |
| Deposit Security Module | 0xffa96d84def2ea035c7ab153d8b991128e3d72fd |
| Execution Layer Rewards Vault | 0x388C818CA8B9251b393131C08a736A67ccB19297 |
| Withdrawal Queue ERC721 (proxy) | 0x889edC2eDab5f40e902b864aD4d7AdE8E412F9B1 |
| Withdrawal Vault (proxy) | 0xb9d7934878b5fb9610b3fe8a5e441e8fad7e293f |
| Burner | |
| MEV Boost Relay Allowed List | 0xf95f069f9ad107938f6ba802a3da87892298610e |
| Triggerable Withdrawals Gateway | 0xDC00116a0D3E064427dA2600449cfD2566B3037B |
| Validator Exit Delay Verifier | 0xbDb567672c867DB533119C2dcD4FB9d8b44EC82f |
Oracle Contracts
| Name | Address |
|---|---|
| AccountingOracle (proxy) | 0x852deD011285fe67063a08005c71a85690503Cee |
| Accounting Oracle / HashConsensus | 0xD624B08C83bAECF0807Dd2c6880C3154a5F0B288 |
| ValidatorsExitBusOracle (proxy) | 0x0De4Ea0184c2ad0BacA7183356Aea5B8d5Bf5c6e |
| Validators Exit Bus / HashConsensus | 0x7FaDB6358950c5fAA66Cb5EB8eE5147De3df355a |
| OracleReportSanityChecker | |
| OracleDaemonConfig | 0xbf05A929c3D7885a6aeAd833a992dA6E5ac23b09 |
Lido DAO Contracts
| Name | Address |
|---|---|
| Lido DAO (Kernel) (proxy) | 0xb8FFC3Cd6e7Cf5a098A1c92F48009765B24088Dc |
| LDO token | 0x5A98FcBEA516Cf06857215779Fd812CA3beF1B32 |
| Aragon Voting (proxy) | 0x2e59A20f205bB85a89C53f1936454680651E618e |
| Aragon Token Manager (proxy) | 0xf73a1260d222f447210581DDf212D915c09a3249 |
| Aragon Finance (proxy) | 0xB9E5CBB9CA5b0d659238807E84D0176930753d86 |
| Aragon Agent (proxy) | 0x3e40D73EB977Dc6a537aF587D48316feE66E9C8c |
| Aragon ACL (proxy) | 0x9895f0f17cc1d1891b6f18ee0b483b6f221b37bb |
| EVMScriptRegistry (proxy) | 0x853cc0D5917f49B57B8e9F89e491F5E18919093A |
| Aragon PM (proxy) | 0x0cb113890b04b49455dfe06554e2d784598a29c9 |
| Voting Repo (proxy) | 0x4ee3118e3858e8d7164a634825bfe0f73d99c792 |
| Lido App Repo (proxy) | 0xF5Dc67E54FC96F993CD06073f71ca732C1E654B1 |
| Node Operators Registry Repo | 0x0D97E876ad14DB2b183CFeEB8aa1A5C788eB1831 |
| Simple DVT Repo | 0x2325b0a607808dE42D918DB07F925FFcCfBb2968 |
| Insurance Fund | 0x8B3f33234ABD88493c0Cd28De33D583B70beDe35 |
| GateSeal Blueprint | 0xEe06EA501f7d9DC6F4200385A8D910182D155d3e |
| GateSeal Factory | 0x6c82877cac5a7a739f16ca0a89c0a328b8764a24 |
| GateSeal (VEB and TWG) | 0xA6BC802fAa064414AA62117B4a53D27fFfF741F1 |
| GateSeal (Withdrawal Queue) | 0x8A854C4E750CDf24f138f34A9061b2f556066912 |
Dual Governance Contracts
| Name | Address |
|---|---|
| Emergency Protected Timelock | 0xCE0425301C85c5Ea2A0873A2dEe44d78E02D2316 |
| Admin Executor | 0x23E0B465633FF5178808F4A75186E2F2F9537021 |
| Dual Governance | 0xC1db28B3301331277e307FDCfF8DE28242A4486E |
| Dual Governance Config Provider | 0xa1692Af6FDfdD1030E4E9c4Bc429986FA64CB5EF |
| Emergency Governance | 0x553337946F2FAb8911774b20025fa776B76a7CcE |
| Veto Signaling Escrow (proxy) | 0x165813A31446a98c84E20Dda8C101BB3C8228e1c |
| Reseal Manager | 0x7914b5a1539b97Bd0bbd155757F25FD79A522d24 |
| Tiebreaker Core Committee | 0xf65614d73952Be91ce0aE7Dd9cFf25Ba15bEE2f5 |
| Builders Sub Committee | 0x3D3ba54D54bbFF40F2Dfa2A8e27bD4dE3dab2951 |
| Node Operators Sub Committee | 0xDBfa0B8A15a503f25224fcA5F84a3853230A715C |
| Ethereum Ecosystem Sub Committee | 0xBF048f2111497B6Df5E062811f5fC422804D4baE |
| Time Constraints | 0x2a30F5aC03187674553024296bed35Aa49749DDa |
Staking Modules Contracts
| Name | Address |
|---|---|
| Curated SM / Node Operators Registry (proxy) | 0x55032650b14df07b85bF18A3a3eC8E0Af2e028d5 |
| Simple DVT SM / Node Operators Registry (proxy) | 0xaE7B191A31f627b4eB1d4DaC64eaB9976995b433 |
| Community SM / PermissionlessGate | 0xcF33a38111d0B1246A3F38a838fb41D626B454f0 |
| Community SM / VettedGate (proxy) | 0xB314D4A76C457c93150d308787939063F4Cc67E0 |
| Community SM / CSModule (proxy) | 0xdA7dE2ECdDfccC6c3AF10108Db212ACBBf9EA83F |
| Community SM / CSAccounting (proxy) | 0x4d72BFF1BeaC69925F8Bd12526a39BAAb069e5Da |
| Community SM / CSParametersRegistry (proxy) | 0x9D28ad303C90DF524BA960d7a2DAC56DcC31e428 |
| Community SM / CSFeeDistributor (proxy) | 0xD99CC66fEC647E68294C6477B40fC7E0F6F618D0 |
| Community SM / CSVerifier | 0xdC5FE1782B6943f318E05230d688713a560063DC |
| Community SM / CSGateSeal | 0xE1686C2E90eb41a48356c1cC7FaA17629af3ADB3 |
| Community SM / CSFeeOracle (proxy) | 0x4D4074628678Bd302921c20573EEa1ed38DdF7FB |
| Community SM / HashConsensus | 0x71093efF8D8599b5fA340D665Ad60fA7C80688e4 |
| Community SM / CSStrikes | 0xaa328816027F2D32B9F56d190BC9Fa4A5C07637f |
| Community SM / CSEjector | 0xc72b58aa02E0e98cF8A4a0E9Dce75e763800802C |
| Community SM / CSExitPenalties (proxy) | 0x06cd61045f958A209a0f8D746e103eCc625f4193 |
| Community SM / VettedGateFactory | 0xFdab48c4D627e500207e9AF29c98579d90Ea0ad4 |
Easy Track Contracts
| Name | Address |
|---|---|
| EasyTrack | 0xF0211b7660680B49De1A7E9f25C65660F0a13Fea |
| EVMScriptExecutor | 0xFE5986E06210aC1eCC1aDCafc0cc7f8D63B3F977 |
Lido V3 Contracts
| Name | Address |
|---|---|
| Accounting | |
| Vault Hub | |
| Predeposit Guarantee | |
| Operator Grid | |
| Staking Vault Factory | |
| Staking Vault Beacon | |
| Staking Vault Implementation | |
| Staking Vault Pinned Beacon Proxy | |
| Dashboard Implementation | |
| Validator Consolidation Requests | |
| Lazy Oracle | |
| GateSeal (Vault Hub & PDG) | |
Next Steps
To ensure protocol safety while the Safe Harbor smart contracts undergo a security audit, it is recommended to split the adoption process into two distinct phases. Phase 1 involves adopting the Safe Harbor initiative, along with the proposed Agreement Details, through a Snapshot vote. Subsequently, once the security audit of Safe Harbor is complete, Phase 2 will commence, transferring management of the Safe Harbor Agreement Contract directly to the Aragon Voting contract through an on-chain Aragon vote.
Phase 1
- Create a temporary Safe Harbor Management Committee to manage the Adoption Details Accounts scope until Phase 2. Proposed committee configuration:
  - Purpose: A short-lived, DAO-mandated working group established solely to manage the Agreement Details Contract during the audit and rollout, ensuring changes to the allowlist are aligned with DAO intent. This committee will maintain the list by making necessary additions and updates to the set of contracts in scope for Safe Harbor until ownership is handed over to Lido DAO governance. The committee will not manage or custody any funds.
  - Participants: TheDZhon, tamtamchik, n0guest, Nikita_K, George
  - Quorum: 4/5
  - Funding: No budget requested, except for transaction gas for on‑chain actions, to be requested from the Gas Supply Committee as needed.
  - Lifespan: The committee will be created before the Safe Harbor initiative goes live. The committee will be dissolved immediately once ownership is transferred to Aragon Voting or Safe Harbor is decommissioned.
- Deploy the Agreement Contract with the parameters specified in this proposal using a one-time wallet, with the Safe Harbor Management Committee set as a temporary owner.
- Conduct a Snapshot vote to get Lido DAO approval on this initiative.
- If the Snapshot vote passes:
  - Register the agreement on-chain with the Safe Harbor Management Committee as an owner on Ethereum Mainnet in the Safe Harbor Registry at address 0x1eaCD100B0546E433fbf4d773109cAD482c34686.
  - Communicate adoption across all Lido DAO communication channels, explaining the adoption and its significance to the community.
Phase 2
Phase 2 starts once a security audit of Safe Harbor is complete (provided that the Phase 1 Snapshot vote passed):
- Change Agreement Contract ownership to the Aragon Voting contract to ensure that all Agreement parameters are governed directly by Lido DAO via Aragon voting.
- Dissolve the Safe Harbor Management Committee by posting a message on the Research Forum. As this committee is no longer needed, all parameters of the Agreement Contract will be managed directly by Lido DAO from this moment.
- Register the Agreement on-chain on Ethereum Mainnet under Aragon Voting in the Safe Harbor Registry at address 0x1eaCD100B0546E433fbf4d773109cAD482c34686.
Future updates to scope
As the protocol evolves, new contracts will be reviewed and added to the Safe Harbor Agreement scope via Lido DAO governance votes, ensuring continued protection for all new contracts and functionalities.
Important Disclaimers
- The Safe Harbor Agreement is a legal framework published by the Security Alliance (SEAL). It is proposed that Lido DAO adopt the standard SEAL Agreement without modifying its core legal language and configure only protocol-specific parameters such as bounty terms, scope, and diligence requirements.
- Safe Harbor does not provide immunity from criminal liability, regulatory enforcement, or third-party claims. It is a civil contract that sets out the rights and obligations of the parties.
- The Agreement may not be enforceable in all jurisdictions, and Whitehats remain responsible for compliance with all applicable laws.
- Whitehats remain responsible for their own tax obligations and for ensuring that their use of Lido protocol and participation in Safe Harbor does not violate any obligations owed to employers or other third parties.
Conclusion
Adopting the SEAL Whitehat Safe Harbor Agreement equips Lido DAO with a rapid response mechanism for active exploits, enabling Whitehats to step in effectively when needed most. The Agreement provides clear guidelines for action, increasing the protection of user funds and demonstrating Lido DAO’s commitment to proactive security.
This proposal does not request any funds from Lido DAO and does not involve any budget allocation. It solely seeks governance approval for Lido DAO to adopt the SEAL Whitehat Safe Harbor Agreement.
Please share your thoughts and feedback in the discussion below before the proposal moves to a Lido DAO vote.