What type of Safe approval account is exposed to more risk in a “multifactor approval account” perspective, the account that creates a Safe transaction or the account that signs the final onchain confirmation?

Projects like nestwallet.xyz have promoted secure and convenient use of Safe accounts using multi-factor authentication/two-factor authentication approaches with multiple approval accounts. For example, is there an advantage to having more secure hardware accounts, e.g. Ledger and Trezor, sign either the transaction creation or the final onchain confirmation transaction? This is compared to potentially less secure software approval accounts, e.g. MetaMask and Rainbow.

• The account that creates the Safe transaction seems that it is higher risk since it defines the values around an action.
  • The first account to create a transaction could have increased risk if it is compromised and creates a transaction that is different from what is shown in the UX.
• Whereas with the account that signs the final onchain confirmation, in a worst case scenario where the account is compromised, the account can only create a new transaction.
  • It can not alter the existing Safe transaction (Assuming the existing transaction was created legitimately).

Much appreciated!

Feedback on the above from a CTO of an app powered by Safe:

Aside from key compromise - If it is the same machine used throughout then the UX could be altered for all signing actions and the user would sign regardless of which wallet type. However, some wallets are better at displaying a human-readable decoded Safe tx.

So the best practice would be to use different machines for each action, and use the wallet that best decodes the transaction for every signing action, then whether the first|second|both keys being on hw is arbitrary.

Fleshing out a key compromise scenario based around the MFA use case you described where P1 account is regularly proposing transactions and P2 is regularly approving/executing transactions. Both P1 & P2 keys are controlled by the same individual. The individual’s computer has been compromised by malware or rouge browser extension.

The private key of P1 is known to the attacker; the attacker doesn’t want to cause alarm by prematurely triggering a transaction; when P1 goes to make a spend transaction the attacker employs a MITM on the Safe API; the attacker has the intended tx payload and can discard the signature of P1; the attacker crafts a similar spend transaction and signs it with the compromised P1 key; because the individual just signed the proposed transaction they are less cautious in approving/executing with P2.

This doesn’t require a malicious UX to succeed. A human readable decoded Safe tx may help alert the individual when signing with P2 but this isn’t foolproof. In this scenario you could consider that a hw wallet could be preferable first for P1, or both P1 & P2.

A takeaway from discussing Safe multi-factor authentication (MFA) is to use ≥ 2 devices to view and confirm Safe UX for approvals, e.g. Safe web app + Safe mobile app.

(This is in addition to using multiple types of approval accounts of course, e.g. Trezor, MetaMask, etc.)

A big opportunity to improve MFA with Safe is to “Connect external signer key” on Safe Android using software accounts like MetaMask.

Are there plans to expand this for Android (Currently iOS beta only)?

If not, this is a great feature for other Safe apps to improve MFA by connecting to software approval accounts, e.g. Approve on web with hardware account (Trezor) and on mobile with software account (MetaMask).

Currently, with the Safe Android app it is only possible to approve on mobile with a hardware account (Ledger or Keystore), without importing the private keys.

Why connecting an account improves security compared to “Importing existing owner key”

• Separates concerns between the Safe UX on web + mobile and the approval account private key
• Reduces exposure of approval account, e.g. MetaMask private key being shared across multiple apps

Is it technically possible to approve (“execute”) fully confirmed actions on Safe’s mobile app?

This is another opportunity to improve multi-factor authentication (MFA) security by enabling the full transaction confirmation process to occur on multiple device types.

I estimate because it is possible to confirm actions on Safe mobile it is also technically possible to implement the approve (“execute”) feature.

signal-2023-12-05-1143351536×2048 277 KB

Also, the “Import owner key” support view needs to be updated for “iOS only availability”

The support view Import owner key > Connect key using WalletConnect, section shows the ability to connect the Safe mobile app to any account using WalletConnect. However, this is not available in the Android app v3.90. The Safe support team has confirmed through chat on help.safe.global that is support view should be updated to communicate this is an iOS only feature.

Much appreciated!

I’m happy to learn that nestwallet.xyz, a part of the Safe grants program (SGP) wave 1, is building multi-factor authentication (MFA) for Safe accounts across web and mobile!

This means that you can view and verify your transaction details on a mobile device
Approve and make final confirmation of actions on mobile
These are important upgrades because mobile adds another layer of protection by having multiple devices to fully interact with Safe, rather than relying on 1 source of truth from the web.

I tested the latest Safe transaction tx verification tools this weekend which are a great addition to multi factor auth Safe account approvals

• It would be good to add to “use a software account SA like MetaMask to sign txs on a separate device than where you’re using the Safe app for more security” in How to perform basic transactions checks on Safe{Wallet}
• Same for How to verify Safe{Wallet} transactions on a hardware wallet when using the tx data decoder and the Safe tx hash util app
• It’s useful to include OpenZeppelin’s Safe Util app that is user friendly with a UI and uses the original code currently in the help post
• It looks like Tenderly can run the tx simulation, data decoding, and hash generation with a free account in their standalone app. This can also be run on a separate device than Safe for improved security.
• Lastly bookmarking contracts to quickly identify unexpected txs could be another item included in both Safe posts above

It’s great to see the security updates above that most people can do on their own included in Safe’s articles!

• How to perform basic transactions checks on Safe{Wallet}
• How to verify Safe{Wallet} transactions on a hardware wallet

I’m working to see if it’s possible to verify a Safe transaction tx on a separate device than where it was created with Tenderly

• I’ve created a Safe tx on 1 device and I’m attempting to enter the tx details on a 2nd device with Tenderly to simulate the tx outside of the Safe app
• I’m receiving an error because I’m not providing a Safe signature
• Is there a UI friendly way to create the signature?

I’ve shared the tx details on StackExchange

image1920×1221 139 KB

The best way for most users to multi factor verify MFV their Safe transactions txs on multiple devices outside of a device account DA (Keycard, Ethereum Phone, GridPlus, Hito, etc.) showing the full tx details, is to copy the Tenderly simulation link to a 2nd device than where the tx is created.

• I’m looking forward to full DA readability with Safes hopefully later this year.
• Candide Labs is also working on a Safe multi factor verification MFV tool across devices that is promising.
• Another option that could work for users with a medium level of technical knowledge is if Safe was to extend the generatePreValidatedSignature from the Protocol Kit to the command line interface CLI to quickly generate signatures and simulate transactions on multiple devices.

Including a reminder of the risk of sharing the Tenderly tx link using an encrypted app to pass the tx data adds potential vulnerability by relying the security of that app.

This is why a dedicated device account is a better long term solution.

I discovered a few weeks ago for Rainbow accounts on Android you cannot copy|paste transaction tx info. I submitted the details to support then. Hopefully the team reprioritizes this fix based on the Farcaster conversation with the team today.

MetaMask has copy|paste for Android. I will see if Rabby works as well for this.

Update 2025-05-08

Their support team informed me it’s a low priority fix so there’s no time estimate.

It might be best to migrate to MetaMask, Rabby, etc. accounts in the meantime as Safe signer accounts. Also, I’ll see if I can replicate the intermittent case where it does copy and paste successfully.

7ddeb7dc-36d1-4b7e-b32b-dc177d60a5f71080×2400 193 KB

Following up on the OpenZeppelin Safe Util’s side of multi factor verification MFV for Safe transactions txs.

Generating the tx hashes with Safe Utils on both the device|UI where the tx is created and on separate devices|UIs signing the tx is essential. This way the tx hashes created between devices|UIs can be compared.

Otherwise using Safe Utils with data from only 1 source would not detect if that source is showing bad info while displaying a correct tx hash.

E.g.

1. Create tx on 1st device with Safe UI
2. Create tx hashes with Safe Utils and Safe UI data
3. 3. Sign on 2nd device with software account, E.g. MetaMask
4. Create tx hashes with Safe Utils and MetaMask data
5. Compare tx hashes created from both Safe UI and MetaMask to make sure they’re the same