Account Recovery with Safe Multisig RecoveryHub

How to implement decentralized recovery using account recovery modules and timelock delay contracts via Zodiac.

"One of the great challenges with making cryptocurrency and blockchain applications usable for average users is security: how do we prevent users' funds from being lost…"

— Vitalik, "Why we need wide adoption of social recovery wallets"

Safe Multisig RecoveryHub solves this challenge by letting users choose from various recovery options to regain access to their Safe Multisig if they lose access to one or more signer accounts.

Note: "Safe owner" and "Safe signer" refer to the same thing. You'll encounter both terms in this article and the Wallet UI.

How Users Lose Access to Safe Multisig Accounts

Access to a Safe Multisig Account is managed through signer accounts (owners), which can be either externally owned accounts (standard crypto wallets) or smart accounts (like Safe Multisig). If a user loses access to a signer wallet, they may lose access to the Account.

Why only a possibility? It depends on the signer configuration. If the Account threshold allows other signers to operate without the inaccessible signer, there's no issue—for example, if the threshold is 1/2 or 2/3. No recovery is needed, as remaining signers can remove the compromised signer. However, this isn't always possible.

If you lose access to your "regular" externally owned account—such as your computer breaking and your seed phrase being lost—there's no way to recover the funds. No central authority, no backup.

If you store funds in a Safe Multisig smart Account and lose access to your signer wallet, there's good news: you can recover your funds if you set up recovery beforehand.

Decentralized Custom Recovery

Custom (decentralized) recovery involves no trusted third party and provides significant flexibility: you can set up any blockchain account as a Recoverer. The only limitation of this trustless approach is its reliance on the Recoverer account(s) and the security of their private keys. No centralized authority can help if the Recoverer's key is lost.

As of December 2023, only the decentralized Custom solution is implemented, so this article focuses on that approach.

How Custom Recovery Works

Consider this scenario: A Safe Multisig Account has 2 signers with a threshold of 2/2, meaning the Account needs signatures from both signers to execute a transaction. Then something happens and the second signer account becomes inaccessible.

What Are Recoverers?

The signers (owners) of this Safe Multisig Account had the foresight to assign a Recoverer beforehand, which now proves invaluable. A Recoverer is also a blockchain account (an EOA or Smart Account) with two key differences from Safe Multisig Account signers:

  • Recoverers can replace all current signers with one or more new signers (including themselves) and change the threshold
  • Most importantly, transactions proposed by a Recoverer are delayed. During this period, signers can reject the recovery proposal if they meet the threshold

Signers can assign any account they trust as a Recoverer. This might be a friend, family member, trusted third-party, or even their own account they're confident they won't lose access to.

Recoverers can bypass any threshold and propose ownership changes—swapping, adding, or removing signers and modifying the threshold—enabling signers to regain access to a Safe Multisig Account if, for example, they lost a signer.

Why Is Delayed Execution Required?

As mentioned, signers have a delay period during which they can reject a transaction proposed by a Recoverer. We use the fully audited and battle-tested Zodiac Delay Modifier—a Safe Multisig Account module deployed during recovery setup.

The default delay is 28 days, but this timeframe can be longer or shorter—the interface offers options like 7, 14, or 56 days.

Why Would a Signer Reject a Recovery Proposal?

Two primary scenarios:

  1. Recovery is not needed. For example, the user managed to restore access to the second signer account (they found a lost seed phrase)
  2. Recovery attempt is malicious. The Recoverer was trusted during setup but has bad intentions and wants to take over the account

The delayed execution is a critical security measure given that a Recoverer can bypass a Safe Multisig Account's threshold.

Two-Step Recovery Execution

To execute a recovery proposal, a Recoverer must complete two transactions:

  1. Recovery proposal: Outlines the new signers and initiates the countdown
  2. Recovery execution: Available after the delay period expires

Both actions occur on-chain and require gas for execution.

Importantly, only a Recoverer can submit the proposal, while any account can execute it after the delay period passes.

Communication Challenges

It's important to acknowledge that all communication between old signers, new signers, and Recoverers takes place entirely outside the Safe Multisig interface. As of the initial release, no notifications are sent for recovery setup, proposal, or execution.

This means if your assigned Recoverer initiates recovery, Safe Multisig will not send any communication to you. The only way to discover someone is attempting to recover your Safe Multisig is to open the application and check the status.

Real-Life Use Cases for Recovery

Use Your Own Account

You can serve as Recoverer for your own or a shared Safe Multisig by setting up a dedicated Recoverer account. Ensure that account's private key is properly secured.

This could be a hardware wallet not used for any on-chain activity, with its seed phrase securely stored on paper or memorized.

Use Friends and Family Accounts

You can involve other people with crypto wallets as Recoverers. We recommend gathering a small group of 2-3 people with wallets and asking them to deploy a Safe Multisig Account with at least a 2/n threshold (2/2, 2/3, etc.). This Safe Multisig Account can then be assigned as your Recoverer—yes, a Safe Multisig Account can recover another Safe Multisig Account.

Why is this better than assigning a friend with a crypto wallet as Recoverer?

  • Less trust required: If 2+ people must agree to recover, there's less chance one person can take over your Account
  • Lower unavailability risk: If the Recoverer Safe Multisig setup is 2/3, one signer can lose access and the remaining 2 can still execute recovery for your Account

Note that both addresses and ENS domains are supported in the Safe Multisig UI. As a Safe Multisig Account signer, you can deploy a Recoverer Account yourself, add your friends' addresses or ENS names, and share access with them.

How to Set Up Account Recovery

Follow this step-by-step guide to configure recovery in the Safe Multisig interface.

Recovery can be set up either from the home page (see the widget in the bottom-right corner) or from Settings > Security & Login.

You'll be prompted to choose a recovery method. As of December 2023, only Custom recovery is available, so proceed with that option.

After the introductory screen explaining how recovery works, you'll reach the configuration page where you need to specify:

  • Trusted Recoverer address: Either a wallet or Safe Multisig Account
  • Recovery delay: The timeframe during which you can reject recovery (28 days by default)
  • Transaction expiry: The timeframe during which recovery can be executed after the delay expires (infinite by default)

For example, if the delay is 28 days and expiry is 1 day, a Recoverer must:

  1. Propose a recovery
  2. Wait 28 days
  3. After 28 days, they have 1 day to execute the recovery

If they fail to execute within 1 day, the recovery transaction expires and becomes unexecutable. The Recoverer must restart the process.
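As an added illustration (not code from Safe, Palmera or Zodiac), the following Python models the lifecycle described under "Two-Step Recovery Execution" together with the 28-day delay / 1-day expiry example above: only the Recoverer may propose, current signers who meet the threshold may cancel at any time while a proposal is pending, and anyone may execute only inside the window that opens after the delay. The class and method names are constructed for this model and do not mirror the Zodiac Delay Modifier's interface.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 60 * 60

@dataclass
class Proposal:
    """A pending recovery: the new signer set and threshold, and when it was proposed."""
    new_owners: list
    new_threshold: int
    created_at: int  # unix timestamp of the proposal transaction

@dataclass
class SafeWithRecovery:
    """Constructed model of a Safe with one Recoverer behind a delay; not the Zodiac contract."""
    owners: list
    threshold: int
    recoverer: str
    delay: int = 28 * DAY  # cooldown before the recovery may be executed
    expiry: int = 0        # execution window after the delay; 0 means never expires
    pending: Optional[Proposal] = None

    def propose(self, sender, new_owners, new_threshold, now):
        # Only the Recoverer may propose; it bypasses the threshold but only starts the clock.
        if sender != self.recoverer:
            raise PermissionError("only the Recoverer may propose a recovery")
        if not 1 <= new_threshold <= len(new_owners):
            raise ValueError("threshold must lie between 1 and the number of new signers")
        self.pending = Proposal(list(new_owners), new_threshold, now)

    def cancel(self, approvers):
        # Current signers reject the proposal when enough of them agree to meet the threshold;
        # this works during the delay and also after the execution window has lapsed.
        if len(set(approvers) & set(self.owners)) < self.threshold:
            raise PermissionError("cancellation needs the current signer threshold")
        self.pending = None

    def is_executable(self, now):
        p = self.pending
        if p is None or now < p.created_at + self.delay:
            return False  # nothing pending, or still inside the delay period
        return not self.expiry or now < p.created_at + self.delay + self.expiry

    def execute(self, now):
        # Anyone may execute once the delay has passed and the window has not expired.
        if not self.is_executable(now):
            raise RuntimeError("recovery is not executable at this time")
        p = self.pending
        self.owners, self.threshold, self.pending = p.new_owners, p.new_threshold, None
        return self.owners, self.threshold
```

Note that in the 2/2 scenario from the article the single remaining signer cannot cancel on their own, which is exactly why the Recoverer must be chosen carefully.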

After executing, the setup transaction appears in History as MultiSendCallOnly.

In Settings > Security & Login, you'll see your recovery setup, which can be edited or completely removed if you decide you no longer need recovery.

How to Initiate and Execute Account Recovery

When you connect a Recoverer account to a Safe Multisig Account, you'll immediately see a prompt to recover the Safe Multisig Account, which you can dismiss if you want to explore the Account first.

As mentioned, a recovery transaction will modify the current Safe Multisig Account signer setup and threshold.

Before execution, the Recoverer can see the delay period. Despite the recovery being a proposal, a Recoverer still pays gas and executes a transaction because they publish the proposal hash on the blockchain for enhanced security.

After the transaction executes, a Recoverer sees the confirmation screen.

The transaction remains in the Safe Multisig queue until it becomes executable.

If you connect a current signer wallet, a Cancel button becomes available. Cancellation is possible both during the delay and after it expires.

After the delay period ends, the Recoverer can execute the recovery transaction.

After execution, the recovery transaction appears in history as a standard ownership management transaction. In this case, since we swapped one owner (signer) for another, it displays as swapOwner.

At this point, the owner (signer) structure has been successfully changed and recovery is complete.

Palmera

Multisig infrastructure provider for EVM chains