You're a Safe Multisig user. You created your transaction via Safe Multisig. You're about to hit "sign" and confirm via MetaMask or Rabby.
This guide covers how to perform basic transaction checks in your wallet.
For a guide on verifying transaction data on your hardware wallet with a third-party tool, refer to the appropriate documentation.
If you can't verify it, don't sign it.
Security Best Practices
Use separate devices for enhanced security:
- Sign transactions using software accounts (MetaMask, Rainbow, Rabby) on a different device than where you're using Safe Multisig
- Create multi-factor authentication by combining software accounts with dedicated device accounts (Ethereum Phone, GridPlus, Hito)
- A dedicated verification device provides the strongest security
Tool Selection
Use multiple verification tools:
Transaction decoders:
- @rimeissner's decoder provides readable and detailed information
- Etherscan decoder, Dethcrypto tools
Simulators:
- Tenderly: Use "Contracts" and "Events" tabs for detailed transaction analysis
- Can run on a separate device from Safe Multisig for additional security
Hash verification:
- OpenZeppelin's Safe Utils: User-friendly UI using original code
- @pcaversaccio's safe-tx-hashes-util for command line verification
Contract Verification
Maintain a list of trusted contracts:
- Bookmark contracts you regularly interact with for quick verification
- Find official contracts on Etherscan directly from project teams
- Verify using multiple sources (team websites, CoinGecko, social channels)
- Check for social verification signals (mutual followers on X/Warpcast)
- Some apps (like CoWSwap) include contract information directly in their interface
Key principle: Always verify transaction data across multiple tools and devices before signing. If anything seems suspicious or cannot be verified, do not sign the transaction.
Step 1: Verify Transaction Data in Safe Multisig
Before hitting sign, gather the following from the Safe Multisig interface and verify it matches your expectations:
- To: Set to the recipient for Ether transfers, the ERC20 token contract for token transfers, or the smart contract for contract interactions
- Value: Usually 0 for contract interactions, greater than 0 for Ether transfers
- Data ("Raw data"): Requires technical understanding to check
- Operation: Usually you should see "call." You should only see "create" or "delegate_call" if you know what you're doing
- Nonce: Index of the next transaction you want to execute
Now hit "sign," which sends transaction data to your wallet (Rabby, MetaMask, WalletConnect, etc.).
Step 2: Verify Data in Your Wallet
Your wallet should display the following and prompt you to sign typed data. If your wallet doesn't display this data, we recommend switching to another wallet.
- To: Does this match Step 1? If not, verify whether this is a contract interaction or a straight transfer. For example, if the To field indicates a USDC transfer, the transaction interacts directly with the USDC contract address. Use https://etherscan.io/ to double-check.
- Value: Does this match Step 1? Is it 0 for contract interactions and the correct amount for Ether transfers?
- Data ("Raw data"): Does this match Step 1?
- Operation: Is this set to 0 (simple call)? A value of 1 means delegatecall, which is dangerous; consult a technical person.
- Nonce: Does this match Step 1? Is this the index of the next transaction you want to execute?
- safeTxGas, baseGas: Are both 0 for Safe Multisig wallets with version 1.3.0 or higher? Otherwise, these can be higher.
- baseGas, gasPrice: Are both 0?
- gasToken, refundReceiver: Are both 0x0000000000000000000000000000000000000000?
ONLY when ALL of the above checks out, confirm on your wallet.
If any details don't match, double-check the transaction and reach out to the support team.
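The Step 2 checklist as a script, added here as an illustration and not part of the original guide or of any Safe tooling: it compares the values noted in Step 1 with the fields the wallet displays, and decodes ERC-20 transfer calldata so the real recipient and amount are visible even though To is the token contract. The function names, dictionary layout and sample values are assumptions; the addresses are constructed placeholders.

```python
ZERO_ADDR = "0x" + "00" * 20
FIELDS = ("to", "value", "data", "operation", "nonce", "safeTxGas",
          "baseGas", "gasPrice", "gasToken", "refundReceiver")

def _num(v):
    # Wallets show numbers as ints, decimal strings or 0x-hex strings.
    s = str(v).strip().lower()
    return int(s, 16) if s.startswith("0x") else int(s)

def _hex(v):
    # Addresses and calldata compare case-insensitively, without the 0x prefix.
    s = str(v).strip().lower()
    return s[2:] if s.startswith("0x") else s

def decode_erc20_transfer(data):
    """Return (recipient, amount) for transfer(address,uint256) calldata, else None."""
    d = _hex(data)
    if len(d) != 136 or d[:8] != "a9059cbb" or d[8:32] != "0" * 24:
        return None
    return "0x" + d[32:72], int(d[72:], 16)

def check_safe_tx(expected, shown, safe_version=(1, 3, 0)):
    """Compare Step 1 values with the wallet's displayed fields; [] means all passed."""
    missing = [f for f in FIELDS if f not in shown]
    if missing:  # a wallet that hides a field cannot be verified
        return [f"{f}: not displayed" for f in missing]
    bad = [f"{f}: differs from Step 1" for f in ("to", "data")
           if _hex(expected[f]) != _hex(shown[f])]
    bad += [f"{f}: differs from Step 1" for f in ("value", "nonce")
            if _num(expected[f]) != _num(shown[f])]
    if _num(shown["operation"]) != 0:
        bad.append("operation: not 0 (1 means delegatecall)")
    # Assumption: safeTxGas is required to be 0 only from Safe 1.3.0 on.
    zero = ["baseGas", "gasPrice"] + (["safeTxGas"] if safe_version >= (1, 3, 0) else [])
    bad += [f"{f}: expected 0" for f in zero if _num(shown[f]) != 0]
    bad += [f"{f}: expected zero address" for f in ("gasToken", "refundReceiver")
            if _hex(shown[f]) != _hex(ZERO_ADDR)]
    return bad

# Constructed sample: a token transfer of 1,000,000 base units (placeholder addresses).
TOKEN, RECIPIENT = "0x" + "11" * 20, "0x" + "22" * 20
EXPECTED = {"to": TOKEN, "value": 0, "nonce": 7,
            "data": "0xa9059cbb" + "00" * 12 + "22" * 20 + f"{1_000_000:064x}"}
SHOWN = dict(EXPECTED, value="0", nonce="7", operation=0, safeTxGas="0", baseGas="0",
             gasPrice="0", gasToken=ZERO_ADDR, refundReceiver=ZERO_ADDR)

if __name__ == "__main__":
    print(decode_erc20_transfer(SHOWN["data"]))
    print(check_safe_tx(EXPECTED, SHOWN) or "all checks passed")
```

An empty list means every check passed; any entry is a reason not to confirm.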