Gnosis Safe Analysis: Blockchain Investigation Guide

by Anika Shah - Technology
0 comments

Gnosis Safe Inquiry Guide: A Summary for Investigators

This document summarizes key details for blockchain investigators dealing with Gnosis Safes (also known as safe Smart Account), a multi-signature smart contract wallet. Here’s a breakdown of the important points:

I.What is a Gnosis Safe?

* Multi-signature: Requires multiple approvals (signers) to authorize transactions, enhancing security.
* Smart Contract wallet: Operates based on code deployed on the blockchain.
* Openness & Control: Offers a clear audit trail of transactions and signer activity.

II. Why are Gnosis Safes relevant to investigations?

* Used by Threat Actors: Increasingly employed to manage stolen funds, obscure ownership, and simulate legitimacy.
* Obfuscation: Multisig structure can complicate tracing, but also provides a detailed trail for investigators.

III. Identifying Gnosis Safes On-Chain:

* Contract Names: Look for GnosisSafeProxy.
* Creation Method: Created via the Safe Proxy Factory.
* Zero-Value Deployments: Often deployed with zero initial value.
* Tools: Utilize TRM Forensics and block explorers like Etherscan to identify patterns and signer interactions.

IV. Key Features & Investigative Considerations:

* Signers & Thresholds:

* signer addresses are stored on-chain (Etherscan, app.safe.global, TRM Forensics).
* Thresholds (number of signers needed) are visible on-chain.
* Focus on Active Signers: map control to the three most active wallets,as thresholds define required approvals.
* Modules:

* Optional additions that add custom logic (e.g., auto-splitting funds, automated transfers).
* Risk: Can be used to pre-program exits, bypassing normal multisig protections.
* Nested Safes:

* One Safe owning another, adding layers of indirection.
* Investigation: Trace the entire ownership chain to reveal operational intent and control.

V. Using app.safe.global for Intelligence:

* Detailed view: input a Safe address to view signer addresses, thresholds, and transaction metadata.
* Human-Readable Interface: Supplements blockchain explorer data.
* Discrepancy Detection: Identify inconsistencies between signer activity and expected behavior.

VI. Key Questions for Investigators:

* Who are the real operators behind the Safe?
* What is the Safe’s configuration, and has it changed?
* Are there signs of obfuscation (nested wallets, modules, signer overlap)?
* Can signer activity be linked to prior incidents or infrastructure?

VII. FAQs – Quick Reference:

* Signer List: Etherscan, app.safe.global, TRM Forensics.
* Nested Safe Risks: Masked ownership, delayed attribution.
* Module Risks: Stealth exits,rapid fund distribution,bypassing security.
* Threshold Impact: Helps focus on the most relevant signers.
* Legitimacy Simulation: Fraudulent actors may use Safes to appear legitimate.

In essence, investigating a Gnosis Safe requires analyzing not just the wallet itself, but the people, permissions, and activity surrounding it to effectively trace illicit flows and strengthen attribution.

Related Posts

Leave a Comment