Operational security has emerged as Web3's biggest vulnerability. Among security incidents in 2024, damages from operational security issues such as privilege takeover were more than 3 times larger than those from smart contract vulnerabilities. Web2-level security problems including DNS hijacking, poor multi-sig management, and employee device hacking have become major causes of large-scale incidents.
SEAL Certificates is the first system to certify Web3 projects' operational security in a standardized manner. By evaluating multiple operational security domains including DNS/registry security, workspace security, multi-sig operations, fund management, and incident response planning, it verifies projects' actual operational safety that could not be assessed through smart contract audits alone.
SEAL certification has the potential to become critical infrastructure for institutional investor entry. As it becomes utilized for realizing Ethereum's Trillion Dollar Security (1TS) initiative, on-chain insurance premium calculations, and exchange listing requirements, a clear market premium is expected to form between certified and non-certified projects.
Source: @_SEAL_Org
Yesterday (November 19), SEAL, a Web3 security consortium, officially announced its Request for Comments (RFC) for the SEAL Certificates initiative, a certification system for operational security in Web3 projects. Through SEAL certification, each project is expected to demonstrate its protocol's Operational Security (OpSec) maturity in a standardized manner, beyond just smart contract audits.
SEAL Certifications is currently in its pilot phase, with over 15 protocols including a16z, Dragonfly, Ethena, Lido, ZKsync, Uniswap, and Pendle validating the framework. After receiving community feedback until December 31, 2025, formal certification is scheduled to begin in Q1 2026.
Source: SEAL
SEAL (Security Alliance) is a non-profit organization that contributes to web3 ecosystem security in various ways, founded by samczsun, one of the most well-known whitehat hacker in the web3 security industry and former Paradigm security advisor / current Tempo security lead.
The direct trigger for SEAL's founding was the Nomad bridge hack incident in August 2022, which caused $190 million in damages. This incident created chaos as hundreds of malicious actors freely exploited a publicly disclosed vulnerability in the bridge to steal funds. However, whitehats hesitated to intervene due to legal risks, leading samczsun to realize the necessity of introducing the Safe Harbor concept for ethical hacking in web3 and establishing an alliance to implement it.
Officially launched in February 2024, SEAL has grown into an alliance with participation from over 50 web3 and cybersecurity organizations. Currently, SEAL consists of security audit firms such as OtterSec, Hexagate, Hypernative, and OpenZeppelin, along with white hat hackers and security researchers from various ecosystem projects.
What criteria should we use when evaluating the safety of Web3 projects? Most investors and users merely check security audit reports at best, but this alone cannot assess a project's true safety.
In the early Web3 ecosystem, most damages were caused by source code-level incidents (both node and contract) due to the immaturity of the development ecosystem and security awareness. However, as of 2025, security for Web3 components has reached a much more mature trajectory compared to before, and operational security has emerged as the primary risk.
The particular problem is that the scale of damage from attacks caused by operational security issues is overwhelmingly large. According to ChainLight's 2024 Web3 Hacking Post-mortem Report, among the total 204 security incidents in 2024, 57 cases of privilege takeover attacks occurred due to Web2-level problems. While this is only half the number compared to attacks from contract vulnerabilities (120 cases), the total damage from privilege takeover attacks ($1.19B) was more than three times larger than that from contract vulnerabilities ($390M).
However, despite the significant potential risks of Web2 security elements, most projects either do not receive Web2 security certification or audits, or do not disclose such information. Web2 operational security status is currently the most asymmetrically provided information to users when measuring project security.
SEAL certification defines five core domains to ensure the safety of the actual operating environment of projects, going beyond simple smart contract code audits. SEAL explains that each domain was designed to defend against vulnerabilities that were major causes of large-scale hacking incidents in recent years. Since there are no specific examples provided, I will illustrate the necessity by citing security incident cases caused by each element.
DNS/BGP hijacking attacks were among the most frequent types of attacks against crypto projects in 2023-2024. Simply put, DNS can be thought of as website addresses. When attackers compromise domain registrar accounts through social engineering, they can redirect users attempting to access legitimate addresses to phishing sites. These attacks are difficult for victims to suspect until just before signing, as initial access attempts are made through legitimate addresses and the phishing sites displayed to users are implemented identically to the original.
Source: Curve Finance
Notable examples include DNS hijacking attacks on Curve Finance and Balancer in 2023, where victims were exposed to phishing sites installed with wallet drainers like Angel Drainer and had their assets stolen. In 2024, Compound Finance, Celer Network, and dYdX suffered from the same type of attacks.
These attacks are clearly problems arising from operational negligence regarding domain registrar accounts or dependence on third parties, and can be sufficiently prevented through continuous monitoring system establishment and operational security enhancement.
SEAL Certificates aims to fundamentally prevent domain hijacking by setting certification requirements such as strong access control for registrar accounts (hardware key-based 2FA, etc.), registrar lock settings, and privilege separation.
Workspace security means protecting team members' personal devices (laptops, mobile devices, etc.) and development/operational environments from external threats. With remote work being common in Web3 projects and team members distributed worldwide, there's a significant risk of multi-sig keys or admin privileges being leaked if just one device is compromised. Fatal privilege takeover problems can also occur when privileges for ex-employees are not properly revoked due to operational negligence.
Source: Ledger
A representative example is the 2023 supply chain attack where malicious code was inserted into Ledger's Connect Kit. The attack originated from compromising a former employee's GitHub account through social engineering, resulting in contamination of dozens of protocols' frontends including dYdX and ZKsync, leading to millions of dollars in wallet draining.
This type of problem, where an individual's device affects the company's entire infrastructure, can be easily found in recent attacks. The biggest incident was the Bybit hack. According to the post-mortem report, the cause was that a Safe{Wallet} developer's device was compromised through social engineering, allowing access to the AWS S3 bucket serving the frontend. This ultimately led to massive damage with approximately $1.5B in Ethereum being stolen by replacing Bybit's signatures with the attacker's.
Additionally, cases where the North Korean hacker group Lazarus installs remote control tools like AnyDesk on developers' laptops through phishing via LinkedIn and plants keyloggers to steal seed phrases are commonly reported across both Web2 and Web3.
Most of these attacks stem from inadequate endpoint security, lack of phishing training, or cloud synchronization. SEAL Certificates seeks to fundamentally block personal device-level infiltration by requiring certification criteria such as hardware-based MFA (YubiKey, etc.), mandatory EDR (Endpoint Detection and Response) solutions, regular device scanning, use of dedicated work devices, and phishing simulation training.
While multi-sig is core to asset management in Web3 projects, it often becomes a Single Point of Failure due to poor design or operational negligence. Key holder concentration, insufficient quorum settings, or vulnerabilities in key holders' own work environments are major causes.
Source: Rekt News
During the 2022 Ronin Network hack, the bridge had a multi-sig structure requiring 5 out of 9 keys for fund withdrawals. However, validators responsible for 4 signatures were compromised simultaneously due to security attacks, demonstrating fatal operational security negligence. This ultimately led to the entire bridge funds being stolen when the remaining key became unrestricted due to a Ronin Network gas fee reduction update.
In 2024, Milady co-founder Charlotte Fang's password manager account was compromised, resulting in numerous Milady NFTs worth a total of one million dollars from the Milady project treasury being dumped on the market. While the treasury wallet was managed with multi-sig, the problem was that the seed phrases for the signing wallets were stored in a single password manager.
SEAL certification requires minimum 5-of-8 key distribution, geographic/organizational separation of key holders, mandatory hardware wallet usage, regular key rotation and offline backups, signature session simulation and two-person review processes, aiming to prevent structures where "if one person is compromised, it's over."
Treasuries holding on-chain assets (DAO treasury, operational funds, etc.) are mostly managed with multi-sig, but poor signing processes and monitoring often lead to massive outflows.
In 2024, multiple centralized exchanges experienced incidents due to poor fund management security, with DMM Bitcoin and WazirX being representative victims. They either stored treasury keys in a single cloud HSM or lacked real-time anomaly detection monitoring systems, allowing attackers to freely drain funds for hours.
SEAL presents certification conditions including treasury-specific multi-sig design with time delays and multi-level approvals, use of on-chain transaction simulation tools like Fortress and Tenderly, real-time anomaly detection alerts, and regular internal treasury audits linked with external audits.
Lack of incident response capability exponentially increases initial damage. Most projects don't even have organized information on "who to contact when something happens." However, once a security incident occurs, projects face great confusion as there are many measures to handle both internally and legally.
Source: Security Alliance
SEAL has conducted many programs to help projects and security researchers respond effectively and quickly to security incidents, which can be briefly described as follows:
Safe Harbor Program: One of the biggest inefficiencies in Web3 security is that white hat hackers hesitate to report vulnerabilities due to legal risks (e.g., violation of CFAA in the US). SEAL enables projects to adopt standardized white hat indemnification clauses in advance, promising not to pursue legal liability even if white hat hackers immediately intervene and perform hacks before malicious hackers when vulnerabilities are discovered.
SEAL 911: SEAL operates SEAL 911, a Telegram hotline that publicly receives and responds to reports for rapid response when hacks occur. About 80 verified volunteer white hat hackers respond to reports, and they have made significant contributions to preventing and recovering stolen funds during exploits such as Dolomite, Morpho, and Ronin Bridge.
SEAL Wargame: A program that provides stress tests for projects to train their processes when actual security incidents occur.
SEAL Intelligence: SEAL is building datasets in collaboration with the intelligence platform OpenCTI to collect and share information about attackers in Web3.
SEAL Certifications requires pre-written IR Playbook possession, 24/7 standby operations, pre-registration of external expert contacts such as SEAL 911, regular tabletop/red team training, and on-chain emergency pause function testing for incident response planning. Projects will be able to recognize processes in advance and respond quickly when security incidents occur through SEAL's various programs mentioned above.
Source: Ethereum Foundation
In May 2025, the Ethereum Foundation announced the 'Trillion Dollar Security (1TS)' initiative. The goal of 1TS is to make Ethereum secure enough for billions of individuals to comfortably store at least $1,000 each on-chain, and for companies or governments to store over $1 trillion in value in a single contract or application. This also reflected that Web3's current security level does not meet institutional investors' expectations.
SEAL Certificate can be a key tool in realizing this 1TS vision. The Ethereum Foundation is strengthening security in various areas including wallet security, smart contract tools, infrastructure, and protocol security as part of 1TS. SEAL's operational security certification can provide operational-level safeguards that complement these technical security measures.
Currently, SEAL founder samczsun is one of the three leaders of the 1TS initiative, so SEAL Certificates is likely to play a crucial role in security standardization for the Ethereum ecosystem.
Institutional investors necessarily require externally verified security standards due to regulatory compliance and risk management policies. However, currently there's an absence of reliable indicators for operational security beyond smart contract audit reports, resulting in excessive costs and time during due diligence processes. SEAL Certificate will provide a means for institutional investors to assess projects' operational security maturity at very low cost, and I expect a clear market premium will form between certified and non-certified projects as a result.
While a few DeFi insurance protocols are currently in service, led by Nexus Mutual, their evaluation criteria are subjective and non-standardized, making insurance underwriting complex and premiums excessively high. I expect SEAL Certificates will enable various designs through direct integration with on-chain insurance protocols, such as structures where discounted premiums or higher coverage limits are automatically applied based on certification grades. In fact, Nexus Mutual is one of the 15 protocols currently participating in the SEAL Certificates pilot program.
Centralized exchanges (CEX) act as practical gatekeepers of the market, and their listing review criteria are powerful leverage determining resource allocation and security levels across the entire industry. I believe major exchanges are likely to adopt SEAL Certificates as a factor for reducing due diligence costs and practical reflection in the listing process for the following reasons:
Due Diligence Cost Reduction and Efficiency Enhancement: Exchanges must review hundreds of listing application projects annually, but operational security due diligence requires significant specialized personnel and time. SEAL Certificates can perform a primary filtering role by providing standardized checklists and audit results, allowing exchanges to focus on analyzing key factors such as business/circulation volume.
Legal and Reputational Risk Hedging: When hacking incidents occur after listing, exchanges are exposed to investor protection lawsuits. By specifying SEAL Certificates possession as a mandatory listing requirement or bonus factor, exchanges can secure objective evidence that they fulfilled their fiduciary duties.
The blockchain industry aspires to "trustless trust," but ironically, at the end-user and institutional investor level, "institutional-grade trust verification" beyond traditional finance is required. While anyone can verify code, there was no means to verify the processes and response capabilities of entities operating that code. SEAL Certificates, as the first standardized solution to fill this gap, will open the essential gateway for Web3 to truly leap forward as institutional financial infrastructure.
Dive into 'Narratives' that will be important in the next year
Solana
Bitcoin
Arch
Sui
Hyperliquid
Monad
Rialo
