Cosigners: Safety Nets for Self-Custody

Self-custody of digital assets on Ethereum offers unparalleled sovereignty, but it comes with significant responsibilities like safeguarding your private keys and verifying correctness of data that is being signed. While hardware wallets and multi-signature setups are foundational, the current landscape of self-custody often harbors subtle vulnerabilities. This is where the concept of "Cosigners" for smart accounts, particularly within the Safe ecosystem, emerges as a crucial safety net.

The Problem with Current Setups: Blind Spots and Lack of Diversity

Many users today rely on a common signer setup. It typically involves a single hardware wallet type (like Ledger or Trezor), combined with popular browser wallets (such as MetaMask or Rabby) for dapp interaction, and familiar web applications as their primary interface. Unfortunately this setup introduces subtle vulnerabilities.

This widespread homogeneity in tooling creates an attractive and efficient target for attackers. Instead of needing to develop diverse exploits, they can optimize their attacks for these widely adopted tools and interfaces. For instance, if an attacker discovers a vulnerability in a specific browser extension or a commonly used dapp's front-end, they can craft an exploit that potentially impacts a large segment of the user base who rely on that exact combination.

Beyond the technical setup, a deeper issue persists: blind signing. Users often approve transactions without fully understanding what they’re actually signing, since the transaction data and payload are rarely human-readable. This lack of "background checks" for transactions means malicious approvals can go unnoticed until it's too late. The current lack of signer diversity and the prevalence of unverified transaction execution leave users exposed.

The Limitations of Offchain Transaction Checks

Many wallets and dapps have begun to offer offchain checks and simulations to help users understand what they are signing. Services like Tenderly, Blowfish, and Blockaid provide valuable tools that analyze transactions before they are submitted to the blockchain. These services can simulate transaction outcomes, flag suspicious activities, and provide human-readable summaries of complex smart contract interactions.

However, a critical limitation of these offchain checks is that they are primarily UI-level safeguards. This means they operate within the user's interface and can potentially be circumvented by sophisticated malicious parties who can bypass or manipulate the UI. In the worst case, users might not even execute these checks or could unknowingly skip them, leaving them vulnerable to exploits that these services are designed to prevent. While helpful, these offchain solutions don't offer ironclad security, as they’re rarely combined with on-chain enforcement.

Enter Cosigners: Verified Checks for Every Transaction

Cosigners introduce an essential layer of verified checks to every transaction. Imagine an additional, independent signer whose approval is required before any transaction can be executed. This is the core principle of cosigners. The strongest guarantee of this enforcement comes when it's built directly onchain, for instance, via a Safe smart account guard (also called hooks by other smart accounts standards).

How it works:

The Safe smart account natively supports the use of Guards, which are powerful onchain components that can enforce custom logic on every transaction. As detailed in the Safe documentation on smart account guards, these guards are invoked for each transaction executed by the Safe, allowing for a range of checks to be performed before the transaction is ultimately processed.

In the context of cosigners:

• Cosigners typically run offchain checks and analysis on a proposed transaction. These checks can be simple, such as verifying the recipient address against a whitelist, or highly complex, involving detailed simulations or even offchain data.

• Once the cosigner's offchain checks are complete and the transaction is deemed secure, the cosigner provides their cryptographic signature.

• The Safe's onchain Guard then verifies this signature. In its simplest form, the Guard just checks for the presence and validity of the cosigner's signature. However, this mechanism can be extended. For instance, the Guard could verify more complex proofs provided by the cosigner, such as

  Zero-Knowledge Proofs that attest to the transaction's adherence to certain conditions without revealing the underlying sensitive data and allowing checks which would be too expensive to verify onchain.

• Crucially, without this cosigner's valid signature (or the required proof verified by the Guard), the transaction cannot be executed by the Safe smart account.

The cosigner acts as an intelligent filter, performing "background checks" on the transaction's intent and parameters, with the onchain Guard enforcing the confirmation of the cosigner on the pre-conditions for execution.

Centralized Cosigners: A Step Towards Enhanced Security

Recognizing the need for more robust transaction verification, some centralized parties have begun to offer cosigner services where they host the cosigner for the user. Examples include Failsafe, Blockaid's cosigner and Hypernative Guardian. In these setups, the centralized provider's cosigner provides a signature that can be verified onchain, adding an extra layer of security.

While these services offer a significant improvement over purely offchain checks, they come with a crucial trade-off: trust in their setup is required. Users must implicitly trust the centralized party to operate their cosigner honestly and correctly. Furthermore, most of the time, these centralized solutions provide little to no onchain guarantee of correctness regarding the checks they perform. This means that while their signature is verified onchain, the underlying logic and integrity of their verification process often remain opaque.

Therefore, while these services offer a convenient path to enhanced security, the ultimate goal for self-custody remains empowering users with greater control and transparency over their security mechanisms. This is why we want to show a way how you can get started setting up your own cosigner.

The Role of Safenet: Expanding Guarantees

The vision for cosigners extends beyond simple transaction approval. Initiatives like Safenet aim to leverage co-processors to provide stronger, more nuanced guarantees. These co-processors can implement "negative control" to utilize cross-chain guarantees, ensuring that a transaction adheres to specific conditions even across different blockchain environments.

Furthermore, Safenet explores challenge flows for guarantees, where the correctness of a co-processor's guarantee is economically incentivized by requiring the co-processor to front funds. This creates a powerful economic alignment for honest and accurate co-signing.

Steps Towards Safer Self-Custody

The journey towards truly safe self-custody with cosigners is a gradual one, starting with foundational steps and expanding capabilities:

1. Start with limited guarantees and economic backing:

   Begin by implementing cosigners with clear, concise checks and perhaps smaller economic incentives to build trust and demonstrate value.

2. "Self-trust" and "bring your own custody/cosigner":

   Empower users to set up and manage their own cosigners, fostering greater decentralization and personal control. A great starting point is the Safe Research GitHub repository for a cosigner implementation: https://github.com/safe-research/varangian.

3. Increase signer diversity:

   Beyond cosigners, users should actively diversify their primary signer methods. This includes using mobile apps, a variety of hardware wallets, and even emerging technologies like Passkeys. This multi-faceted approach significantly reduces the impact of a single point of failure.

Setting Up a Safe cosigner via GitHub

For those looking to get hands-on and implement a cosigner for their Safe themselves, a straightforward approach involves utilizing the provided GitHub template. This allows you to set up a "Varangian Guard" which will act as your cosigner.

Here's a step-by-step guide:

1. Create a Copy of the Repository:

   Start by creating a new repository from the Varangian Guard GitHub Template. You can choose to make this repository private if you wish to keep your cosigner's operational details confidential.

2. Configure Repository Secrets: Within your new GitHub repository, navigate to Settings > Secrets and variables > Actions and add the following repository secrets:

1. SAFE_ADDRESS: The address of the Safe smart account that this cosigner will monitor and protect. For example:

   0x779720809250AF7931935a192FCD007479C41299.

2. SERVICE_URL: The base URL of the Safe Transaction Service for the network your Safe is on. For instance,

   https://safe-transaction-gnosis-chain.safe.global/ for Gnosis Chain. (Check here for more networks.)

3. COSIGNER_MATERIAL: This is a crucial secret used to derive your cosigner's private key. It should be a long, random string. One way to create a random string is do use /dev/random (open a terminal and execute

   cat /dev/random | tr -cd A-Za-z0-9 | head -c 64) or generate a random password in a password manager of your choice.

3. Activate GitHub Actions: For the GitHub Actions workflows to begin operating, you need to trigger the initial run manually.

• Go to the Actions tab in your repository.

• In the left sidebar, click on Varangian Guard.

• On the right side, click Run workflow and confirm.

• To obtain the cosigner's address, open the CheckTx step within the fetch-check-relay action in the workflow run logs. The cosigner's address will be printed here.

4. Configure Your Safe: Finally, you need to link your newly set up cosigner to your Safe.

• Open your Safe in a web browser and add https://www.safe.dev/varangian as a Safe App.

• Within the Safe App interface, paste the cosigner address you obtained from the GitHub Actions logs.

• Click "Setup Varangian Guard" and execute the transaction to enable the Guard on your Safe.

After the guard has been setup, the Safe is protected by a cosigner. This means that only Safe transaction approved by the cosigner can be executed. Also the GitHub Action will relay the Safes transactions automatically once it has been approved by all signers and the cosigner. In case that the guard has to be removed without the consent of the cosigner, it can be removed after a time delay, to avoid that the guard can completely lock the account.

For more detailed instructions and troubleshooting, refer to the Varangian Guard template's README.

Where Do We Go From Here?

To fully realize the potential of Safe cosigners, several key areas require focus:

• Make usage of public cosigners easier:

  • Standardization of transaction checks:

    Defining common standards for what constitutes a "secure" transaction check will allow for greater interoperability and trust across different cosigner services.

  • Reputation for cosigners:

    Establishing transparent reputation systems for public cosigners will enable users to choose services they trust, based on their track record of accurate and reliable checks.

  • Managed set of cosigners:

    For users who prefer a more curated experience, a managed set of vetted cosigners could provide a higher level of assurance and ease of use.

• Increase the guarantees provided by cosigners:

  This involves exploring what happens if a cosigner goes rogue or fails. Mechanisms for recourse, dispute resolution, and potentially insurance-like features could further strengthen the security offered by cosigners.

By continuing to innovate in these areas, Safe cosigners can truly become the safety net for self-custody, empowering users with greater control, enhanced security, and peace of mind in the ever-evolving Ethereum ecosystem.

About Safe Research

Safe Research is the applied R&D arm of Safe, dedicated to advancing the self custody stack. Our work is grounded in the cypherpunk principles of security, censorship resistance, and privacy, and we focus on building trustless, user centric infrastructure for smart accounts and wallets.

• Discuss about cosigners in our forum

• Learn more about Safe Research

• Read our manifesto

Let’s make Ethereum’s original cypherpunk vision real, one commit at a time.