From Safe

We have carefully reviewed the unfortunate recent security incident mentioned in Radiant Capital’s post-mortem report and wish to clarify some key points regarding how the attack happened.The Safe{Wallet} front-end functioned as expected during the incident. The Safe{Wallet} interface remained uncompromised, and a valid transaction was created using the Transaction Builder. However, one or multiple of the devices outside of the Safe{Wallet} environment involved in the signing flow were compromised (i.e. a laptop or Chrome extension). During the signing process, a hacker intercepted the request on that compromised device and replaced the legitimate transaction data with a malicious payload. The signers signed the malicious transaction first without verifying payload on the signer device, followed by the legitimate one. With the necessary signatures collected outsidethe Safe{Wallet}interface, the hacker was able to execute the malicious transaction.This event underscores the importance of verifying transaction details during the signing process. Blind signing, where users approve transactions without fully viewing the details, is a widespread challenge, especially when using hardware wallets.Blind signing is a known industry-wide issue.Ideally, signer wallets should display the full message or even decode transaction data to offer additional context. Safe uses the EIP-712 standard to provide transaction data, but hardware wallets often hash or truncate this information due to screen limitations. This truncation forces users to approve transactions without fully understanding what they’re signing, which introduces risks, especially in complex smart contract setups like Safe’s.We recommend using multiple signing devices from different providers (e.g., a combination of Ledger and Trezor) to mitigate the risks of blind signing and improve transaction visibility, as well as connecting these devices through trusted interfaces like Ledger Live.This issue is not limited to transaction signing; it also affects message signing. Smart contracts commonly use EIP-1271 to enable message signing flows, adding another layer of complexity. As an ecosystem, we must enhance the handling of smart contract signatures to provide more transparent signing experiences. Conditional signatures, which we’ve explored with CowSwap, offer more context without sacrificing security. Learn more about these approaches here.We Need to Diversify Both Interface and Signing DevicesWe encourage all users to verify transactions to ensure that the transaction they’re signing on the device matches what’s displayed on the Safe{Wallet} interface.To enhance security, we emphasize the importance of diversifying both interface devices (laptops, mobiles) and signing devices (Ledger, Trezor, Keystone, MetaMask, mobile apps). This approach is more crucial than time locks, which can be complex and may not solve the issue if the transaction isn’t simulated before execution. Additionally, time locks require a challenge flow where key signers must respond in a timely manner. While time delays (e.g., T+1) can help, device diversification provides a more immediate and flexible layer of security.A call to action for the ecosystem to collaborate and defend against attacksIn response to this incident and the broader issue of blind signing, we’re exploring solutions to improve the user experience and help users to enhance their own security processes. One of the steps we’re considering is computing the Ledger hash directly within the Safe interface, allowing users to compare the hash shown on their hardware wallet with what’s presented in the interface. This would provide an additional verification step for users before approving any transaction.However, it’s important to acknowledge that the signing device ultimately controls what the user is signing, and that this approach is not without risks So it is important to protect transactions from the user's intent to on-chain execution. To achieve this, the hardware wallet must display all relevant information to the user, allowing them to give or withhold consent before signing a transaction.Ledger has launched its 'Clear Sign Everything' initiative to address this challenge. Safe is committed to collaborating with Ledger to drive widespread adoption of clear signing, ensuring enhanced protection for users across the ecosystem.The challenges presented by blind signing require a collaborative effort from all parties in the ecosystem. Safe is committed to working with hardware wallet providers like Ledger and Trezor, as well as the broader community, to address these concerns and improve transaction and message signing processes.Our focus remains on delivering a secure, reliable, and transparent platform for all Safe{Wallet} users. We will continue to engage with the community and provide updates on new developments as we work to help mitigate the risks associated with blind signing.