This guide explains why cancellation transactions require confirmations and incur gas fees.
How Cancellation Works
Consider a Safe Multisig with 3 owners and a threshold of 2. You initiate a transaction and sign it, but immediately decide you want to cancel it. You click "cancel" and sign the cancellation.
You may notice the transaction still appears in the Safe Multisig interface, showing that you have both "confirmed" and "rejected" it. Other owners can still confirm or reject it.
Even if all actions were performed off-chain, the transaction remains visible.
Why Cancellation Requires On-Chain Action
Signatures cannot be revoked. Once a signature is published, you can request others to delete it, but you can never be completely certain it's gone.
This is similar to signing a physical document and mailing it to someone. You can ask them to destroy it, but you can never be 100% sure they actually did.
Safe Multisig supports off-chain confirmations stored on backend services. While a confirmation could theoretically be deleted from the backend to "take back" a signature, there's no way to verify this actually occurred.
The only way to guarantee your signature cannot be used by someone else is to "consume" the nonce of that transaction. Every Safe Multisig transaction has a nonce, which increments by 1 with each executed transaction. Each nonce value can only be used once.
Therefore, to ensure your signature for a transaction with nonce X cannot be exploited, you must sign and execute another transaction with the same nonce.