Simple Arrangement for Funding Upload (SAFU)
The Simple Arrangement for Funding Upload (the "SAFU") outlines the post-exploit policy for active vulnerabilities in the Evmos blockchain. The SAFU is intended for white hat hackers and outlines the process for returning funds and calculating rewards for vulnerabilities found in the network. In summary, the SAFU states the following:
- Hackers are not at risk of legal action if they act in accordance with the SAFU.
- Hackers have a Grace Period to return any exploited funds to a specified dropbox address and can claim a reward of a Bounty Percent of the total funds secured up to the Bounty Cap.
- The rewards are distributed during the next upgrade of the network.
- If the reward is valued above a specified threshold amount, white hat hackers should go through a Know Your Clients/Know Your Business (KYC/KYB) process.
- Exploiting vulnerabilities for malicious purposes will make a hacker ineligible for any rewards.
- White hat hackers are not entitled to any rewards from the team or network for funds from "Out of Scope Projects" (other projects that were exploited by hackers but do not have their own SAFU program).
For more information, visit the SAFU agreement.
Dropbox Address
The Dropbox Address is the address to which funds taken from the protocol should be deposited. In the event of a bounty distribution, the bounty for white hat hackers is paid out from the account balance of this address.
The dropbox address is not controlled by the team or any individual; it is controlled by the Evmos protocol.
The following dropbox address is available on the Evmos blockchain:
Dropbox Address in Bech32 Format:
evmos1c6jdy4gy86s69auueqwfjs86vse7kz3grxm9h2
Dropbox Address in Hex Format:
0xc6A4d255043ea1A2F79CC81c9940FA6433eb0A28
Address Derivation
The dropbox address provided above is derived cryptographically from the first 20 bytes of the SHA256 sum of the string "safu", using the following algorithm:
address = shaSum256([]byte("safu"))[:20]
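Before sending secured funds anywhere, a white hat should confirm that the dropbox address they are about to use really is the protocol-derived one and not a look-alike. The script below is an added example, not code from the Evmos documentation or code base: it reproduces the stated derivation (first 20 bytes of SHA256("safu")), renders the result in both formats the page lists, and checks the two published strings against each other. It assumes the standard Cosmos bech32 encoding (not bech32m) with the human-readable part "evmos", and it compares the hex form case-insensitively rather than implementing EIP-55 checksum casing. The bech32 routines follow the BIP-173 reference algorithm and carry no external dependencies.

```python
import hashlib

# Values copied from the page (the published Evmos SAFU dropbox address).
PUBLISHED_BECH32 = "evmos1c6jdy4gy86s69auueqwfjs86vse7kz3grxm9h2"
PUBLISHED_HEX = "0xc6A4d255043ea1A2F79CC81c9940FA6433eb0A28"

# Assumption: Evmos account addresses use the bech32 prefix "evmos".
HRP = "evmos"

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def derive_dropbox_address(seed: bytes = b"safu") -> bytes:
    """The page's rule: the first 20 bytes of SHA256(seed)."""
    return hashlib.sha256(seed).digest()[:20]


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= BECH32_GENERATOR[i]
    return chk


def _hrp_expand(hrp: str):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad=True):
    """Regroup a bit stream (8-bit bytes <-> 5-bit bech32 symbols)."""
    acc, bits, out = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding in bech32 data")
    return out


def bech32_encode(hrp: str, payload: bytes) -> str:
    data = _convertbits(payload, 8, 5)
    polymod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32_CHARSET[d] for d in data + checksum)


def bech32_decode(addr: str) -> tuple[str, bytes]:
    """Decode and verify the checksum; raises ValueError on any tampering."""
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr):
        raise ValueError("malformed bech32 string")
    hrp, rest = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in rest):
        raise ValueError("invalid character in bech32 data part")
    data = [BECH32_CHARSET.index(c) for c in rest]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bech32 checksum mismatch")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, pad=False))


def check_published_address() -> dict:
    """Re-derive the address and compare it with both published forms."""
    derived = derive_dropbox_address()
    published_hex = PUBLISHED_HEX[2:].lower()
    return {
        "derived_hex": "0x" + derived.hex(),
        "derived_bech32": bech32_encode(HRP, derived),
        "hex_matches": derived.hex() == published_hex,
        "bech32_matches": bech32_encode(HRP, derived) == PUBLISHED_BECH32,
        # Independent of the derivation: do the two published strings agree?
        "formats_consistent": bech32_decode(PUBLISHED_BECH32)[1].hex() == published_hex,
    }


if __name__ == "__main__":
    for key, value in check_published_address().items():
        print(f"{key}: {value}")
```

The `formats_consistent` flag is the check most worth running first: it only needs the two strings on this page and will fail if either was altered, since a single changed character breaks the bech32 checksum. Only once that passes does it make sense to trust `hex_matches` and `bech32_matches`, which tie the published address back to the derivation rule.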
How To Secure Vulnerable Funds
Within the Grace Period of a hack, white hats should secure the funds by transferring them to the dropbox address.
How To Claim The Reward
Rewards distribution will be done manually on the next chain upgrade. If the reward is valued above a certain threshold amount, white hat hackers should go through a Know Your Clients/Know Your Business (KYC/KYB) process.
Security recommendations for dApps
As previously stated, rewards for secured funds from hacked dApps are not included in the protocol's SAFU. For such a case, we encourage all dApps on Evmos to have their own SAFU implementation. We recommend taking the SAFU.sol contract implementation from Jump Crypto as a reference.