
Simple Arrangement for Funding Upload (SAFU)

The Simple Arrangement for Funding Upload (SAFU) defines LagomChain’s post-exploit policy for handling active security vulnerabilities. SAFU is designed to encourage white hat hackers to responsibly return exploited funds while offering a structured bounty system as a reward.

Key SAFU Guidelines

  • Legal Protection for White Hats

    • Hackers who follow SAFU guidelines will not face legal action.

  • Grace Period for Returning Funds

    • White hat hackers must return exploited funds to a designated dropbox address within a grace period to qualify for rewards.

  • Bounty Rewards for Secured Funds

    • A percentage of recovered funds (up to a predefined bounty cap) will be awarded.

    • Rewards are distributed during the next network upgrade.

  • KYC/KYB for High-Value Rewards

    • If a reward exceeds a certain threshold, the recipient must complete Know Your Client (KYC) / Know Your Business (KYB) verification.

  • Exclusion of Malicious Actors

    • Hackers who exploit vulnerabilities for malicious purposes are not eligible for rewards.

  • Scope of Eligible Funds

    • White hat hackers will not receive rewards for funds retrieved from "Out of Scope Projects" (i.e., projects without their own SAFU program).

For full details, visit the LagomChain SAFU Agreement.

SAFU Dropbox Address

The Dropbox Address is a secure, protocol-controlled wallet where white hat hackers should deposit recovered funds.

This address is not controlled by any individual or team—it is fully governed by the LagomChain protocol.

LagomChain SAFU Dropbox Address:

  • Bech32 Format: lagom1c6jdy4gy86s69auueqwfjs86vse7kz3grxm9h2

  • Hex Format: 0xc6A4d255043ea1A2F79CC81c9940FA6433eb0A28

Address Derivation

The Dropbox Address is derived from the first 20 bytes of the SHA-256 hash of the string "safu". Because the address is fixed by that derivation rather than by a key pair, no private key corresponds to it: it cannot be changed, and funds at it can only be moved by protocol logic.

```go
// sha256.Sum256 returns a [32]byte array; a function result is not
// addressable in Go, so it must be stored before it can be sliced.
hash := sha256.Sum256([]byte("safu"))
address := hash[:20]
```
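The following is an added example, not code from the LagomChain project, that recomputes the derivation above in Go and compares the result with the hex address this page publishes. `DeriveAddress`, `ToHex`, `MatchesDocumented` and the constant `DocumentedDropboxHex` are names chosen for this example; the hex value in the constant is copied from this page. A reader can run it to confirm that the published dropbox address really is the hash of a fixed label, which is the property that puts the funds under protocol control rather than under any signer.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// DocumentedDropboxHex is the hex form of the SAFU dropbox address as stated
// on this page (mixed case, so comparisons below are case-insensitive).
const DocumentedDropboxHex = "0xc6A4d255043ea1A2F79CC81c9940FA6433eb0A28"

// DeriveAddress returns the 20-byte address the page describes: the first
// 20 bytes of SHA-256(label). The [32]byte result of sha256.Sum256 is
// stored in a variable first because a function result cannot be sliced.
func DeriveAddress(label string) []byte {
	sum := sha256.Sum256([]byte(label))
	addr := make([]byte, 20)
	copy(addr, sum[:20])
	return addr
}

// ToHex renders an address as a lowercase, 0x-prefixed hex string.
func ToHex(addr []byte) string {
	return "0x" + hex.EncodeToString(addr)
}

// MatchesDocumented reports whether a derived address equals the address
// published on this page, ignoring the case of the hex digits.
func MatchesDocumented(addr []byte) bool {
	return strings.EqualFold(ToHex(addr), DocumentedDropboxHex)
}

func main() {
	addr := DeriveAddress("safu")
	fmt.Printf("derived address: %s (%d bytes)\n", ToHex(addr), len(addr))
	fmt.Printf("matches documented dropbox address: %v\n", MatchesDocumented(addr))
}
```

The derivation is case-sensitive in its label, so `DeriveAddress("SAFU")` yields an unrelated address; anyone verifying the dropbox before sending funds should recompute from the exact string "safu" and compare the bytes, not trust a pasted value. The bech32 form on the page encodes the same 20 bytes under the `lagom` prefix; this example does not re-encode bech32.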

How White Hats Can Secure Vulnerable Funds

  1. Identify the exploit and secure the compromised funds.

  2. Transfer the funds to the SAFU Dropbox Address within the Grace Period.

  3. Follow the SAFU guidelines to remain eligible for a bounty.

How to Claim a Bounty Reward

  • Rewards will be distributed during the next network upgrade.

  • For high-value rewards, KYC/KYB verification is required.

Security Recommendations for dApps on LagomChain

LagomChain’s SAFU program does not cover funds from individual dApps. Therefore, all dApps are encouraged to implement their own SAFU mechanisms to protect against security threats.

Recommended Implementation:

  • Use SAFU.sol from Jump Crypto as a reference for secure fund recovery.


Last updated 3 months ago