[SEP 25] [OBRA] Palmera Module: Hierarchical Structure


The Palmera Module enables organizations, DAOs, and developers, using multiple Safes, to enhance their on-chain operations by facilitating the creation of customizable and flexible hierarchical structures. It democratizes access to on-chain decisions through a delegation structure, wherein upper Safes have configurable rights over subordinate Safes. This proposal is for funding an audit competition for Palmera Module smart contracts by Hats Finance based on their 100% payment by results mechanism.

Aligned strategy

Which pre-approved strategy is this initiative driving forward?

[Strategy 2] Foster module ecosystem

Funding request

What resources are being requested from SafeDAO in USDC?

Palmera asks for $30k funding to conduct an audit competition on Hats Finance protocol to ensure the safety and security of the Palmera on-chain module by using a crowd audit competition. We are allocating $5k to compensate two lead auditors, with each receiving $2.5k. Their task will be to meticulously review every line of our smart contract code to ensure its robustness and security. The remaining $25k will be used as the total bounty for the public audit competition, which might attract up to 800 independent security researchers.

Upfront funding

Indicate if upfront funding is needed. Refer to 'Payout’ under Get funding from SafeDAO for lump sum payment options.

Not applicable.

Relation to budget

State the requested funding as a percentage of the total initiative budget (e.g. if you ask for 50k for Strategy 1: 25%)

$30k constitutes 10% of the total initiative budget.

Metrics and KPIs

Which metrics and KPIs will the initiative be measured against?

  1. Increase the number of Super Safes created.
  2. Improve the management of multi-Safe smart accounts.
  3. Attract more organizations with complex treasury management systems to the Safe ecosystem.
  4. Increase module adoption.

Initiative description

What is the initiative about?

The Palmera Module has been developed as a common good, contributing to the Safe ecosystem. Palmera Module introduces customizable and flexible hierarchical structures for on-chain operations, enhancing governance and operational efficiency through delegated access and compartmentalized control. This delegation structure allows upper Safes configurable rights over subSafes, streamlining decision-making processes across managing multiple Safes smart wallets.

Traditional fund management often suffers from a flat account hierarchy leading to complex management systems that are not on-chain. The Palmera Module addresses this point by enabling an on-chain structured and layered approach to account management, which is key for a better organization that requires a clear delineation of authority and responsibilities of each Safe.

Current Safe Module

Safe Modules are smart contracts that introduce additional functionalities to Safe contracts, offering features like daily spending allowances and social recovery options. They operate by separating module logic from Safe’s core contracts, requiring owner confirmations for modifications.

Key Advantages for the Safe Ecosystem

  • Customizable Hierarchical Safes Structures: It facilitates the creation of customized governance models adapted to the organization’s needs, promoting efficiency and scalability.
  • Decentralized Decision-Making: Democratizes on-chain decisions by empowering subordinate Safes with specific delegated rights, enhancing operational flexibility.
  • Security Enhancements: Introduces a secure, compartmentalized approach to Safe management, reducing the risk of unauthorized transactions and enhancing overall ecosystem security.

Roles Within the Palmera Module

  • Root Safe: Acts as the top-level authority with comprehensive control over the entire hierarchy, capable of adding or removing any entity and modifying the structure as needed.
  • Super Safes and Subsafes: Define a parent-child relationship, where Super Safes have administrative rights over their direct Subsafes, allowing for layered access and control.
  • Optional Roles: Provide flexibility to assign specific capabilities such as transaction execution or owner management without granting full administrative rights, tailored to organizational requirements.

Contribution to the Growth of the Safe Ecosystem

  • Compatibility: Introduces new functionalities while maintaining compatibility with existing Safe standards, encouraging broader adoption.
  • Community Engagement: Offers new tools for developers and organizations; the Palmera Module stimulates community engagement and developer activity within the Safe ecosystem.
  • Market Competitiveness: Enhances the Safe ecosystem for existing and prospective users by providing advanced and flexible solutions for on-chain governance and operations.

Use Cases of the Palmera Module

  • DAO Management: A DAO can use the Palmera Module to establish a governance framework where each group or subgroup controls its own Safe. This allows for localized decision-making while aligning with the DAO’s governance and objectives. For instance, a marketing group can manage its funds and approve related expenditures within pre-defined limits. Additionally, the clawback functionality of the module allows for the retraction of funds from these subgroups if mismanagement happens or if strategic priorities shift, ensuring more control and flexibility.
  • On-chain organization Treasury Management: organizations can leverage the Palmera Module to create a hierarchical financial structure where the central treasury Safe oversees subsidiary Safes assigned to different departments or projects. This structure enables departments to operate independently but within the constraints set by the central treasury, optimizing budget allocations and financial oversight.
  • Startup Ecosystem Support: Startups within an incubator can be structured using the Palmera Module to allow each entity to manage its operations while the parent Safe, controlled by the incubator, retains oversight and the ability to claw back funds if necessary. This setup supports autonomous growth with safeguarded risk management.
  • Educational Grant Distributions: Educational institutions can use the Palmera Module to manage and distribute grant money to different research departments. Each department’s Safe can autonomously handle day-to-day expenses while the main administrative Safe retains the authority to review and manage overall spending, ensuring funds are used appropriately and efficiently.
  • CD Pipeline Integration: Developers can use the Palmera Module to facilitate smart contract deployments. This ensures that deployments and updates are managed through controlled, traceable, and secure workflows, enhancing operational efficiency and reliability in software development processes.

Interested Parties

For the Palmera Module, we have spoken with multiple projects, like Toku and alloc8, that have demonstrated interest. These projects were looking for:

  1. A way to encapsulate risk for contract management.
  2. Use transactions on behalf of a batch call to multiple Safes (i.e., you go through the multisig process on the root Safe that is a batch call that creates transactions for multiple child safes).
  3. The possibility of a delegation structure to partition treasury for small funds.

The purpose of the proposal is to acquire funding to be used as the bounty for the audit competition to be conducted on Hats Finance in order to make sure that the on-chain module will be free of bugs and vulnerabilities.

Additional resources:

A Brief Background for Hats Finance Audit Competitions:

Hats audit competitions are revolutionizing the world of Web3 security, offering a dynamic, cost-effective, and time-efficient solution for smart contract auditing. By transforming the traditional auditing approach, they ensure enhanced security through a community-driven process. With audit competitions, projects retain full control over your budget, attract top auditing talent, and gain valuable insights from the Web3 community, all while preparing your project for a robust and secure launch. Hats audit competitions work on a simple yet powerful model — rewarding results, not efforts. The project teams allocate budgets according to the severity level of potential vulnerabilities. The budget is retained if no flaws are found. It’s a model that ensures projects pay only for value added to your project, giving you confidence in your investment.

Current status

Does the offering (product/service) already exist or is the funding used to create it?

The Palmera Module has been developed and is ready for a security audit before its official release and deployment. The only part missing before a safe and secure launch is the code audit. The requested funding will create the on-chain audit competition vault on Hats protocol. As a decentralized, on-chain, transparent security protocol, Hats Finance requires the total audit competition bounty to be deposited to the relevant audit competition vault before the competition’s launch.


What risks does the initiative entail?

The only foreseeable risks for this initiative are the smart contract risks. However, Hats Finance, having gone through 6 audits + audit competitions and ongoing bug bounty, has been live for more than 2 years and used by more than 80 projects so far. Even SafeDAO has a bug bounty of $100k (externally up to $1m) on Hats Finance. Accordingly, we assume that Hats Finance has a robust, secure and battle-tested protocol.

Timeline and milestones

Provide a detailed timeline or roadmap, include key milestones

Milestone Description Duration
1. Setting up the audit competition vault and promoting it to the security researchers Palmera will set up the audit competition vault as described in the proposal and help Hats Finance promote it the security researcher for maximum participation 1 week
2. The competition process Palmera team will review, classify and label the submissions, and answer the questions of security researchers in the process 2 weeks
3. Preliminary winners announcement and dispute period The winners with valid submissions at the audit competition will be announced and the dispute period will start 2 weeks
4. Initiating the payout and receiving the audit report The winners list be prepared and a split contract will be created on Hats dapp 1 week

Initiative lead

Who is the accountable initiative lead? (individual or organization)

Palmera is the initiative lead. Palmera was founded in June 2022 by Andy and Jose, who have been active participants in the Safe ecosystem. Palmera is a comprehensive management platform tailored to the needs of organizations, DAOs, and individuals in Web3. It enables visualization and management of multiple Safes and treasury operations from a single platform.


How many individuals in total will be working on this initiative and what role do they have? Please provide a brief background of the team members, highlighting their relevant experience and expertise

Palmera Module was developed by four members of Palmera.

  • Andy, Founder of Palmera, has already established and sold a company specializing in solving repetitive operational tasks for Web3 companies.
  • Jose, Founder of Palmera, has constructed proprietary multisig wallets for one of the largest crypto banks in Switzerland : AMINA , responsible for over 1 billion in assets.
  • Alfredo, Senior Blockchain Specialist: With over 15 years of experience in software engineering and architecture, Alfredo excels in his specialized role as a Senior Blockchain Specialist, dedicating 5 years to the development of Ethereum-based smart contracts for various startups.
  • Cristian, Blockchain Developer: Cristian brings 2 years of experience in developing and testing smart contracts, complemented by a year as a front-end developer specializing in Web3 integrations.

The Audit will be provided by Hats Finance, consisting of ETH and security OGs.

Additional support/resources

Are there any resources (non-financial) requested from the Safe Ecosystem Foundation or the core contributors?


Implementation dependencies

Does the implementation of this initiative require any prior changes in the current governance processes, e.g., updates to the governance framework, or have any other dependency? If yes, please specify these. Note that the funding of the initiative will be dependent on the approval and (if needed) successful implementation of such necessary governance modifications or any other dependency.

No changes in the current governance structure and processes are required.

Link to stage 0 (discussion): [Discussion] [OBRA] Palmera Module: Hierarchical Structure


Audit competition

  • Bringing more options to users and organizations for easy account permissioning through supporting audits seems like a practical and good use of SafeDAO funds. Safe account permissioning is a large opportunity expand Safe accounts for managing assets and non-financial uses like identity, social, messaging, data, etc.
  • What are the advantages and disadvantages of the audit competition approach compared to hiring 1 well known Safe auditing firm?

Hierarchical Safes

  • An advantage of hierarchical Safes is this structure is easy for non-technical and technical Safe users to understand and set up.
  • Are there any strategies in-mind for privacy?
    • Privacy is a big opportunity for hierarchical Safes because if the root or super Safe is the most secure and holds the majority of assets users may not want that account to be linked to sub Safes used for other use cases like social accounts, identity, messaging, data, etc.

Hey @adamhurwitz.eth! Fav from Hats Finance, the most cost-efficient audit competition protocol in the space. These are awesome questions and tanks a lot for taking the time to reflect with such good questions.

The most obvious disadvantage of hiring 1 well known auditing firm is the fact that auditors of the well-known auditing firms are also humans and they miss some vulnerabilities more often than thought. This is the reason why all security minded projects go through multiple rounds of audits and not surprisingly new vulnerabilities are unearthed in each round. Secondly, it is getting harder and harder for projects to book well known auditing firms cost effectively because of favorable market conditions. The demand for good auditors has increased significantly and therefore the costs have increased.

Hats Finance presents a unique offering for both projects (100% payment by results model) and +800 independent security researchers in our ecosystem (first come first rewarded / no payment for duplicates). The projects are enabled to reach a pool of experienced and skillful security researchers and pay only for the vulnerabilities unearthed in the competition. On the other hand, seasoned security researchers, whose time is more expensive, are provided an opportunity to test their skills and earn significant rewards (since the reward for the unearthed vulnerability will not be deluted by the other submissions for the same issue).

Hats audit competitions have beeen so instrumental to unearth many vulnerabilities in the same codebase, previously audited by many well-known auditing firms. You can find some stats on the past audit competitions in the chart given below but bear in mind that the chart is not up to date and you can get more info about the recent audit competitions on our dapp (Web3 Audit Competitions and Bug Bounties | HatsFinance).

Feel free to let me know if you have any other questions :slight_smile:


In the future, we would love to develop a privacy-preserving module that ensures no information regarding safe interconnections is disclosed. However, the module must be secure, fully functional across all EVM-compatible chains, and rely only on well-established mechanisms with a proven track record (i.e., demonstrating a Lindy effect).

Although we have some preliminary ideas for maintaining privacy, there is nothing that we can share yet. We think that by releasing the current version of the module, we can collaborate more effectively with various groups to enhance its capabilities and plan future improvements.


It’s good to hear the team is thinking about future ways to build Subsafes. The multinetwork specifications you outline above is a great fit for the keystore contract strategy being used for building multinetwork Safes.

I agree on the plan to launch the current version and improving incrementally.


Hey Andy and team, I extend my support to this proposal as a delegate, modular permission management is much needed to scale Orgs, and we need to ensure that we have secure and reliable modules powering it.

safe now has a collection of modules, but as a user it’s a real headache for us to manage or integrate them, would be cool if it’s directly available on the safe apps.

@andyp is it possible for token-holders (a governer contract) to control the supersafe, like how pods.xyz used to do?


I am a Safe Guardian with sufficient voting power and I believe this proposal is ready to move to a vote.


Yup, this is a great idea!

You could certainly connect a governor contract to the root Safe or other useful modules from Zodiac.

We really appreciate the support @0xBaer !


I am a Safe Guardian with sufficient voting power and I believe this proposal is ready to move to a vote.


We really appreciate the support @adamhurwitz.eth :handshake:


We are extending our support to move this proposal to vote with the voting power we represent .


I am a Safe Guardian with sufficient voting power and I believe this proposal is ready to move to a vote.


Thank you for the support @0xBaer ! :bowing_man:


Thank you for the support, @BraveNewDeFi ! :bowing_man:


This proposal has reached sufficient signaling and has moved to Phase 2: Voting on Snapshot (Link to Snapshot) Voting starts tomorrow, May 1.


Hey, folks. Dara from Decent DAO here. We are the team behind Fractal, a DAO governance tool built on Safe. We love this idea. But it’s already built and available on Fractal today. You can create a subDAO hierarchy which sets up a Safe-child to the Safe-parent w/ hierarchical permissions, freeze, and clawback. No $30K investment needed from the DAO.

Bit more detail for those interested:
The subDAO can create its own governance and permissions once established. The parent account can set freeze parameters for the subDAO during setup. Adding a subDAO does not alter the original Safe treasury. The child has Fractal governance smart contract modules attached to its Safe to customize the Parent’s permissions.

Fractal is built on Safe and the Zodiac Protocol, originally created by Gnosis Guild. We are live on Ethereum mainnet, Base, Optimism, and Polygon and support DAOs like Shutter and Sarcophagus.

We wanted to let the community know because this functionality exists on Decent’s application and we’re mindful of the Safe community and initiative budget, of which $30K constitutes 10% of the total initiative budget according to the proposal.

To learn how to implement this feature for your DAO please let me (dara.khan@decentdao.org) or Thomas Stuart, our product and governance lead (thomas.stuart@decentdao.org) know. We’d love to help.

Github: GitHub - decentdao/fractal-contracts: Your Safe, Superpowered
Docs: Create | Fractal Documentation
Blog: How to easily add modular sub-teams and governance to a Safe Mul… — Fractal
Audit: https://app.fractalframework.xyz/docs/fractal_audit.pdf


Hello everyone, Spencer here from Hats Protocol (not to be confused with our friends at Hats Finance).

As context, we are currently working with SafeDAO to bring the SAFE Guardian role onchain with Hats Protocol, following the approval of our recent OBRA grant

As a follow up to the message above, I wanted to add two notes to give delegates the relevant information they need to make a decision about this proposal in the context of the landscape of connected smart accounts. To be clear, we support a diversity of open source projects and don’t necessarily intend to or suggest blocking this particular proposal.

First, one of the core properties of Hats Protocol is to create a tree-like structure where roles (“hats”) are nested under other hats. This structure enables a wide variety of hierarchies to be created, including roles to be filled by individuals as well as nested Safes. The key benefit is that all of these can be used at the same time, creating a rich multipurpose organizational graph that connects up an org’s many disparate roles, resources, tools, and permissions so those connections can be managed programmatically (eg based on election results, wallet holdings, allowlists, staking requirements, etc.).

One relevant example is Hats Signer Gate, a Zodiac module we built which grants Safe signing rights to addresses wearing a given hat. Safes with Hats Signer Gate can be composed together to create a hierarchy of accounts following the structure of the respective hats. Here are some current examples: RareDAO, Treasure, and Questbook.

Another example is the Fractal application that @SpookyActionBTC described above. Fractal is integrating Hats Protocol into their nested account platform so that their users can tap into that broader organizational graph.

I’d be happy to share more details if desired.


Hey everyone, thanks Dara and Spencer for your insights and for sharing the functionalities of your protocols. It’s encouraging to see diverse approaches to enhancing governance within the DAO ecosystems.

Here’s Jose from Palmera. Both your solutions offer valuable features, and we appreciate the opportunity to discuss how the Palmera Module complements these existing tools.

The Palmera Module is designed to be a common good module for the Safe ecosystem. The Palmera Module aims to streamline hierarchical management directly within Safe environments. Our approach with the Palmera Module incorporates predefined roles and permissions that simplify setup and reduce operational overhead. This built-in simplicity is crucial for any on-chain organizations, particularly those new to Web3 or those seeking to implement efficient administrative operation structures without the complexity of multiple transactional setups.

The Palmera Module also focuses on reducing the complexity inherent in deploying and managing difficult configurations, offering a more streamlined, user-friendly interface that can be simpler for non-technical users.


Thanks, @jozer_eth. Congrats on the proposal passing. Totally agree there should be options in the market.

Ultimately this isn’t really about Decent/Fractal, or even Palmera or other options available in the market. It’s about requesting funding to build and audit something that already exists as a public good and is audited. $30K/10% of the budget is a lot to build a feature that is not novel. We’re all stewards of these funds and how they’re used, so it’s critical to fund and build capabilities that push the ecosystem forward.

1 Like

As of May 13, 2024, this proposal has been ratified .