Gnosis Safe Inquiry Guide: A Summary for Investigators
This document summarizes key details for blockchain investigators dealing with Gnosis Safes (also known as safe Smart Account), a multi-signature smart contract wallet. Here’s a breakdown of the important points:
I.What is a Gnosis Safe?
* Multi-signature: Requires multiple approvals (signers) to authorize transactions, enhancing security.
* Smart Contract wallet: Operates based on code deployed on the blockchain.
* Openness & Control: Offers a clear audit trail of transactions and signer activity.
II. Why are Gnosis Safes relevant to investigations?
* Used by Threat Actors: Increasingly employed to manage stolen funds, obscure ownership, and simulate legitimacy.
* Obfuscation: Multisig structure can complicate tracing, but also provides a detailed trail for investigators.
III. Identifying Gnosis Safes On-Chain:
* Contract Names: Look for GnosisSafeProxy.
* Creation Method: Created via the Safe Proxy Factory.
* Zero-Value Deployments: Often deployed with zero initial value.
* Tools: Utilize TRM Forensics and block explorers like Etherscan to identify patterns and signer interactions.
IV. Key Features & Investigative Considerations:
* Signers & Thresholds:
* signer addresses are stored on-chain (Etherscan, app.safe.global, TRM Forensics).
* Thresholds (number of signers needed) are visible on-chain.
* Focus on Active Signers: map control to the three most active wallets,as thresholds define required approvals.
* Modules:
* Optional additions that add custom logic (e.g., auto-splitting funds, automated transfers).
* Risk: Can be used to pre-program exits, bypassing normal multisig protections.
* Nested Safes:
* One Safe owning another, adding layers of indirection.
* Investigation: Trace the entire ownership chain to reveal operational intent and control.
V. Using app.safe.global for Intelligence:
* Detailed view: input a Safe address to view signer addresses, thresholds, and transaction metadata.
* Human-Readable Interface: Supplements blockchain explorer data.
* Discrepancy Detection: Identify inconsistencies between signer activity and expected behavior.
VI. Key Questions for Investigators:
* Who are the real operators behind the Safe?
* What is the Safe’s configuration, and has it changed?
* Are there signs of obfuscation (nested wallets, modules, signer overlap)?
* Can signer activity be linked to prior incidents or infrastructure?
VII. FAQs – Quick Reference:
* Signer List: Etherscan, app.safe.global, TRM Forensics.
* Nested Safe Risks: Masked ownership, delayed attribution.
* Module Risks: Stealth exits,rapid fund distribution,bypassing security.
* Threshold Impact: Helps focus on the most relevant signers.
* Legitimacy Simulation: Fraudulent actors may use Safes to appear legitimate.
In essence, investigating a Gnosis Safe requires analyzing not just the wallet itself, but the people, permissions, and activity surrounding it to effectively trace illicit flows and strengthen attribution.
Worth a look