This post advocates for “verification diversity” > “client diversity”.
After the recent UI compromise, there are many proposals to run local Safe deployments to ensure that the correct transactions are signed.
I think there is a much simpler method for Safes with more than 1 signer (threshold >= 2):
- Let the first signer sign the transaction
- Verify the payload that has been signed via one or several externally hosted webpages. This payload cannot be faked or changed.
- Only after successful verification, make the additional signatures
Even if the Safe UI is completely compromised, this approach remains secure since an attacker cannot change what has been signed by the first owner in the UI - otherwise the signature would be invalid.
Checking what has been signed can be easily done with a static website. I quickly coded one here:
Code can be found here: GitHub - josojo/safeTxVerifier: Simple website to verify signed transactions
We could host such a website on an ENS address and only update it with governance votes. Then to compromise the system, both the ENS and Safe UI would need to be compromised.
I am fully aware that having full hardware wallet support to show the signed information would be much better, but I think this already works great! And the nice part is that the signed information can be simulated via Tenderly and other tools.
What do you think? Should we deploy something like this on ENS to make the signed transactions easy to check?