SEAL Certification Framework
SEAL Certifications is a certification framework developed by SEAL to provide standardized guidelines and evaluation criteria for assessing the security of DeFi protocols. SEAL Certifications provides targeted modular certifications (e.g., Incident Response, Treasury Ops) that can independently validate specific aspects of a protocol's security posture.
Using SEAL Certifications helps ensure that protocols follow best practices for their security operations and provides a standard set of criteria for comparing the security of different protocols.
SEAL Certifications is fully open-source and freely available for any protocol to use.
How it Works
Unlike broad certifications such as SOC 2 or ISO 27001, SEAL Certifications target specific areas chosen for the highest-impact needs of protocols, based on what SEAL has observed throughout the industry and in interviews with pilot protocols. Each certification focuses on a specific area of security and includes controls relevant to that area. Protocols can use certifications independently to evaluate their security posture through self-assessment, or they can pursue formal certification through a third-party audit by a SEAL-partnered auditor. After completing a certification with a third-party auditor, protocols can publicly display their certification status and are issued an on-chain badge to demonstrate their completion of the certification.
Available Certifications
- DNS Security - Domain management, DNS configurations, registrar protection
- Incident Response - Detection, response procedures, team coordination, emergency operations
- Multisig Ops - Governance, signer security, transaction verification
- Treasury Ops - Treasury architecture, transaction security, DeFi risk management
- Workspace Security - Device security, account management, credential handling
FAQ
When will Certifications start being issued?
SEAL is currently working with several auditors and protocols to finalize the certification process. We expect to begin issuing certifications in Q1 2026.
In the meantime, protocols are welcome to begin using the SEAL Certifications framework for self-assessments and internal evaluations.
What's the difference between self-assessments and certified audits?
Self-assessments are completed by the protocol team themselves, using the SEAL Certifications framework as a guide. They are useful for protocols to internally evaluate their own security posture and identify areas for improvement. Self-assessments are not verified by a third party and do not result in a formal certification or an endorsed badge.
Certified audits are completed by a third-party vendor through SEAL's partner program. They involve a thorough and independent evaluation of the protocol's security controls against the SEAL Certifications framework. Upon successful completion of a certified audit, protocols receive a formal attestation on-chain.
What is an attestation?
Attestations are certificates issued on-chain through the Ethereum Attestation Service (EAS) by SEAL to protocols that successfully complete a certified audit. Attestations serve as verifiable proof that a protocol has met the requirements of a given SEAL Certifications certification.
Attestations do not indicate that a protocol is completely secure or free from issues. Blockchain security is always evolving and novel vulnerabilities arise regularly. Instead, attestations demonstrate that a protocol has implemented a set of standardized best practices to manage and mitigate security risks.
What if a protocol doesn't meet all the certification requirements?
Protocols going through a certified audit that don't meet all the certification requirements will receive a report from the auditor detailing the gaps in their security posture. If the protocol decides to address the gaps, they can work with the auditor to complete a re-assessment of the controls.
What kind of evidence is required?
Evidence requirements vary by certification and control. Generally, protocols need to provide documentation, screenshots, or other artifacts demonstrating the implementation of each control. This might mean a list of signer addresses for a multisig, incident response playbooks, or screenshots of DNS configurations.
Who can see our attestation?
Attestations are publicly accessible on-chain through the EAS. The detailed audit reports and evidence provided during the audit process are confidential between the protocol and the auditor.
Can we use the SEAL logo / badge?
Protocols that successfully complete a certified audit will receive a badge from SEAL. Protocols are welcome to display this badge on their website or documentation to demonstrate their certification.
Is there a list of certified protocols?
SEAL will maintain a list of protocols that have successfully completed certified audits after the certification program is fully launched.
How can auditors become certified?
SEAL works with a group of third-party auditing firms to provide certification audits. For more information on the process or how to become certified, see our Certified Auditors page.
Can a project lose their certification?
Yes, certifications can be revoked if a protocol is found to be non-compliant with the certification requirements for an extended period of time. Certifications are also time-limited and require periodic re-assessment to maintain.