You may see an "unexpected delegate call" warning on transactions that could have harmful consequences when executed from your Safe Multisig.
Background
In a previous incident, attackers used phishing techniques to trick users into signing transactions that appeared legitimate but included malicious instructions. These instructions allowed attackers to swap the Safe Multisig implementation for a malicious address that later exploited the Safe Multisig.
While multiple factors contributed to the exploit, one key issue was that Safe Multisig members didn't recognize the harmful transaction.
Our Protection Mechanism
To mitigate this, we added a check in our interfaces that triggers when a transaction interacts with an unknown contract that could modify Safe Multisig properties such as implementation address, owner structure, or confirmation threshold.
A transaction that can modify a safe structure executes with a special permission level called a "delegate operation." In such transactions, the Safe Multisig calls a contract that delegates access to its internal properties to another contract receiving the transaction call.
Understanding False Positives
Not all contracts interacting via delegate call operations are malicious. The Safe Multisig interface isn't aware of all such contracts, so you may encounter false positive warnings even when a specific contract interaction is safe.
Recommended Action
If you're unsure, we recommend not immediately signing or executing a transaction with a delegate call warning. Instead:
- Review the transaction's technical details with a technical expert
- Verify the transaction doesn't have unintended consequences
- Simulate the transaction using tools like Tenderly