Self-Custody with Multi-Party Computation as a Safe signer

You can use a Fireblocks MPC wallet as a Safe signer today. I just tested it out and it works flawlessly. At the end of the day, the MPC wallet is just viewed by the blockchain as an EOA. Here are some notes I put together on it:

One of the key values of using an on-chain smart contract wallet multi-sig like Gnosis Safe is that approvals/signatures required can be reflected on-chain. This is helpful in scenarios where a Web3 project, such as a DAO, would like to give confidence to its users that they are engaging in security best practices, and that not a single person / owner has full control over the project's funds. [EOAs vs. Smart Contract Accounts](https://docs.gnosis-safe.io/introduction/the-programmable-account/eoas-vs.-contract-accounts)

It is a very simple process to integrate Fireblocks vaults as part of a Gnosis-Safe multi-sig where the flow would be: Fireblocks → Gnosis-Safe

Steps required:

  1. Connect your Fireblocks vault to the Gnosis-Safe dapp via WalletConnect
  2. Whitelist the Gnosis Safe proxy deployer smart contract address (current ones are listed here)
  3. Identify the m of n addresses within your Fireblocks workspace (or elsewhere) that should be a part of this multi-sig
  4. Deploy your Gnosis-Safe smart contract
  5. Within Fireblocks, whitelist the address of your Gnosis-Safe as an “external” address. NOTE: tagging it as a “contract” does not allow you to use the basic transfer capability within Fireblocks. Therefore, you would be unable to fund the Gnosis-Safe wallet unless you specify it as an “external” whitelisted address.

What does a Gnosis-Safe multi-sig transaction look like in Fireblocks?

  1. EIP-712 personal message (RAW) to approve spending
  2. First Signature (CONTRACT_CALL) to Gnosis-Safe smart contract
  3. Any additional required multi-sig CONTRACT_CALL transactions, identical to step #2 except initiated from their respective wallets. If both of these addresses are part of the same Fireblocks workspace, you will need to change your WalletConnect configuration to connect to vault #2 to provide approval initiation via the Gnosis-Safe dapp.
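An added example, not part of the original post: one way to confirm, before whitelisting and funding the deployed Safe, that the owners and threshold recorded on-chain match the intended m of n. It decodes the ABI-encoded return data of the Safe contract's `getOwners()` and `getThreshold()` view functions; the return data, the addresses and all helper names here are constructed for illustration, and in practice the two hex strings would come from `eth_call` requests to your Safe.

```python
# Added example: the eth_call return data and addresses below are constructed.
def _words(hexdata):
    """Split ABI-encoded hex into 32-byte words."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if not raw or len(raw) % 32:
        raise ValueError("ABI data must be a non-empty multiple of 32 bytes")
    return [raw[i:i + 32] for i in range(0, len(raw), 32)]

def decode_uint256(hexdata):
    words = _words(hexdata)
    if len(words) != 1:
        raise ValueError("expected exactly one 32-byte word")
    return int.from_bytes(words[0], "big")

def decode_address_array(hexdata):
    """Decode a lone `address[]` return value: offset, length, then elements."""
    words = _words(hexdata)
    if len(words) < 2 or int.from_bytes(words[0], "big") != 32:
        raise ValueError("unexpected offset for a single dynamic array")
    if int.from_bytes(words[1], "big") != len(words) - 2:
        raise ValueError("array length does not match payload size")
    if any(any(w[:12]) for w in words[2:]):
        raise ValueError("address word has non-zero padding")
    return ["0x" + w[12:].hex() for w in words[2:]]

def check_safe_policy(owners_ret, threshold_ret, expected_owners, expected_threshold):
    """Return a list of findings; an empty list means the Safe matches the plan."""
    owners = set(decode_address_array(owners_ret))
    threshold = decode_uint256(threshold_ret)
    expected = {a.lower() for a in expected_owners}
    findings = [f"unexpected owner {a}" for a in sorted(owners - expected)]
    findings += [f"missing owner {a}" for a in sorted(expected - owners)]
    if threshold != expected_threshold:
        findings.append(f"threshold is {threshold}, expected {expected_threshold}")
    if threshold < 2:
        findings.append("a single owner can execute transactions")
    return findings

# Constructed sample data (placeholder addresses, not real accounts).
A, B, C, D = ("0x" + d * 40 for d in "1234")
def sample_owners_ret(addrs):
    """Build the ABI encoding a node would return for getOwners()."""
    head = (32).to_bytes(32, "big").hex() + len(addrs).to_bytes(32, "big").hex()
    return "0x" + head + "".join(a[2:].rjust(64, "0") for a in addrs)
def sample_threshold_ret(m):
    return "0x" + m.to_bytes(32, "big").hex()

if __name__ == "__main__":
    print(check_safe_policy(sample_owners_ret([A, D]), sample_threshold_ret(1), [A, B, C], 2))
```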