Initializing a transaction with a hardware wallet

I’ve been a Safe user for a long time, and I use a mix of hardware and software wallets when I interact with Safe.

One thing has bothered me for some time:

Initializing a transaction with a hardware wallet feels like a shot in the dark. The UI will show a safeTxHash, which I can verify against my hardware wallet, which is nice, but if the Safe UI is compromised (or my computer is compromised, and the UI shows what they want to show me) I’m sort of out of luck.

Decoding the calldata through a browser wallet like MetaMask is pretty straightforward, so that’s cool, but it seems odd that I would want to use my hardware wallet through my MetaMask to initialize Safe transactions.

I feel like the Radiant hack will probably keep happening if verifying the data keeps staying difficult.

For example, this article tells how to verify transactions on a hardware wallet.

Which is great, but initializing is like a shot in the dark.

2 Likes

Hey Patrick, really appreciate your thoughts on this topic, and we (the wallet team) also want to improve signing transparency. Directly after the Radiant incident, we started working on clear signing support (released here: Feat: natively support clear signing with Ledger by iamacook · Pull Request #4416 · safe-global/safe-wallet-monorepo · GitHub) but are waiting for full Ledger support on all devices from their team, which hopefully comes in February. But ofc the situation is a bit more complicated depending on who/what you want to trust but also what your technical capabilities are (decoding and understanding clear signing data is not straightforward for everyone out there). Especially when you do not trust your machine, the issue becomes much, much harder to solve. We would be happy to brainstorm with you on different solutions and setups. Some people in the ecosystem already developed tools to make this easier, like https://www.safehashpreview.com/, allowing you to externally verify once the transaction is in the queue. Multi-device, multi-signer and using the web and mobile app is definitely still the best practice to get securely from initialization to execution when you want to be very risk averse.

1 Like

I ended up adjusting the script pcaversaccio gave me so it would work with uninitialized transactions too!

And I figured out the issue with Ledger wallets (you can see my script, which converts the Safe TX hash to the weird Ledger Nano X format).

I’m happy with this solution, and will be recommending it as such. Thank you!