Skip to content

Add a Safe Guard that implements a timelock for the upgrade Safe #253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 85 commits into
base: master
Choose a base branch
from
Open

Add a Safe Guard that implements a timelock for the upgrade Safe #253

wants to merge 85 commits into from

Conversation

duncancmt
Copy link
Collaborator

No description provided.

@duncancmt duncancmt requested review from dekz and abandeali1 October 18, 2024 11:29
@duncancmt duncancmt self-assigned this Oct 18, 2024
@duncancmt duncancmt force-pushed the dcmt/upgrade-timelock branch from 36e9419 to 0751f8c Compare October 18, 2024 15:11
@duncancmt
Simplify guard design by storing only a single txHash and expiry in…
963b396 
…stead of mapping from the hash to the expiry
@duncancmt
Typo
58ef97b
@duncancmt
Comment
bb5288d
@duncancmt
Make initial delay a constructor argument
844a064
@duncancmt
Bug! Prevent smuggling calls to unlock through enqueue => multica…
b7f9224 
…ll => `unlock`
@duncancmt
Remove assumption about the relationship between `encodeTransactionDa…
df0160c 
…ta` and `getTransactionHash`
@duncancmt
Resolve TODO
9d9e021
@duncancmt
Comment
228571b
@duncancmt
Rework Safe guard so that it only requires 1 multisig transaction; th…
0769fa8 
…is improves the UX of using the guard

It still requires 2 transactions to be submitted. There's no way around that.
@duncancmt
Remove unused
d2e5027
@duncancmt
Add some extra safety checks; realistically they should never trigger…
68deecf 
…, but we want to wear tinfoil
@duncancmt
Attempt to guard against as many footguns and bizarre scenarios as po…
1fa4378 
…ssible
@duncancmt
Golf
76ae824
@duncancmt
Add some indexed fields to SafeTransactionEnqueued event
acf46bc
@duncancmt
Explain provenance of copied code
f726ab0
@duncancmt
Golf
99514b3
@duncancmt duncancmt force-pushed the dcmt/upgrade-timelock branch from ded1b4d to 1d921f9 Compare March 17, 2025 18:10
@duncancmt duncancmt requested a review from e1Ru1o July 9, 2025 15:19
e1Ru1o
e1Ru1o reviewed Aug 5, 2025
View reviewed changes
@ElliotFriedman
Copy link

This design works and is well put together. The main issue I see is a limitation on the number of calls you can do. If you try to do more than 1 action at a time, you are going to be signing a lot of different transactions. Say you have a gov proposal that needs to:

  1. sweep tokens from a holding address to the multisig
  2. approve the tokens for trade
  3. call swap, or initiate a TWAP order

All three of these calls are going to need separate multisig transactions and separate signatures from signers, which means you'll have to manage the nonces to make sure the signed tx's are all in the right order. A much better solution would allow delegate calls from the safe, but only after the timelock passes. If your multisig only needs to do a single call, this solution works, if not, it's going to be a rough experience for your signers.

The other thing I see, the contract doesn't store the calldata or target so you can't easily introspect onchain and see what the tx does, making it easier for malicious tx's to slip through.

@duncancmt
Copy link
Collaborator Author

allow delegate calls from the safe ... it's going to be a rough experience for your signers

As I alluded to in the comments in the contract, allowing DELEGATECALL from the Safe means that it's no longer possible to ensure "reasonable" behavior on the part of the Safe by enforcing postcondition checks. Of course this is a bit defense-in-depth. You could simply rely on simulation and the cancel/lockDown game to prevent transactions from unexpectedly modifying the state of the Safe.

Allowing DELEGATECALL would mean enforcing a rather deep inspection on the calls to be performed to ensure that you don't have nested DELEGATECALLs and that none of the calls modify the Safe's own state in unsafe ways. Perhaps this is a "skill issue" and the cost of complexity in this contract is worth the improvement in the number of signatures required on behalf of the signer.

I agree that this ultimately means that the UX of the Safe is significantly degraded. Safe{Wallet} 1.5.0 makes this substantially better by allowing Guards to hook Module-originated calls.

the contract doesn't store the calldata or target

This is emitted in the event when the transaction begins the timelock cooldown.

@immunefi-magnus Immunefi Magnus
Copy link

immunefi-magnus bot commented Sep 15, 2025
edited
Loading

🛡️ Immunefi PR Reviews

This pull request is not eligible for a PR Reviews review. Please contact Immunefi support.

Reason: This PR exceeds the maximum size supported by your current plan (250 lines). Please reduce the number of lines or contact your admin for plan options.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@e1Ru1o e1Ru1o e1Ru1o approved these changes

@dekz dekz Awaiting requested review from dekz dekz is a code owner

@abandeali1 abandeali1 Awaiting requested review from abandeali1

At least 1 approving review is required to merge this pull request.

Assignees

@duncancmt duncancmt

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@duncancmt @ElliotFriedman @e1Ru1o