Back to Blog

BlockSec Launches Safe{Wallet} Security Monitoring Solution

Phalcon
March 6, 2025

The recent Bybit incident has garnered widespread attention. According to Bybit's report conducted by third parties, the incident occurred because the hacker breached a Safe developer's machine, altered the data Bybit signers intended to sign during transaction initiation, and ultimately executed a malicious upgrade transaction. The incident resulted in nearly $1.5 billion in asset losses. In fact, similar attacks occurred twice last year, including Radiant (loss of approximately $58 million) and the Indian exchange WazirX hack (loss exceeding $200 million), both caused by signing malicious transactions via Safe wallets.

The latest data (March 4) from Dune reveals that over 39.14 million Safe wallets have been deployed in total, managing assets valued at $54.9 billion. To meet user demand and strengthen risk control throughout the lifecycle of using Safe wallets, BlockSec has launched the Safe{Wallet} Monitor. This solution offers users comprehensive visibility into transaction details, risk assessments, and transaction simulations, helping to safeguard assets and prevent potential losses.

Safe TVL over time_Dune
Safe TVL over time_Dune

Risks of Safe{Wallet} Transaction Signing

  • Prime Attack Targets: Safe wallets typically manage large assets, making them prime targets for hackers. For instance, the Bybit incident was a meticulously planned attack, with the hacker deploying and testing malicious contracts two days in advance.
  • Extended Security Chain: The security chain involved in the entire operation is very long. Users need to trust Safe's smart contracts, the official website/app, the front and back end, their own computers, browsers, and finally the wallet used for signing. However, attackers can target either Safe or individual signers. A single compromised link—such as tricking a user into signing an upgrade transaction disguised as a normal transfer—can result in devastating consequences.
  • Hardware Wallet Limitations: Most hardware wallets cannot interpret Safe transactions. If users are misled by the Safe interface, they are unable to perform cross-verification while signing with a hardware wallet. Coupled with signers' inherent trust in prior approvals, this kind of "blind signing" can easily lead to serious oversights and security incidents.

Safe{Wallet} Monitor

BlockSec's Safe{Wallet} Monitor tracks the entire transaction signing process in real-time, displays transaction details, identifies risks, simulates outcomes, and offers the following features:

  • Alerts Risks Before Execution: Our system provides continuous monitoring across all stages of Safe wallet transactions, including initiation, signing, and execution. If a risky transaction is detected, users are alerted before the signing process is completed and prior to the transaction being broadcast.
  • Detailed Transaction Insights: Our system intercepts complex transactions and translates them into clear, human-readable explanations, enabling informed decision-making and eliminating blind signing risks.
  • Risk Analysis & Execution Simulation: Our system analyzes each transaction's related risks and simulates transaction outcomes before they're executed, to prevent signing unwanted transactions.
Security Risks_Safe{Wallet} Monitor
Security Risks_Safe{Wallet} Monitor
  • Multi-Channel Verification: Alerts can be sent to both signers and non-signers for additional verification, providing an extra pair of eyes and ensuring thorough cross-checking.
  • Whitelist Mechanism: Users can restrict interactions to specific contracts. The system instantly detects configuration changes and responds.
  • Automated Response: Automatically triggers a pre-set response mechanism to block attacks upon detecting harmful transactions.

Book a Demo

Any individual or institution using a Safe wallet, especially those managing large assets such as exchanges, protocols, L1/L2 chains, investment institutions, and investors, may face the risk of funds being stolen.

We invite you to book a demo to learn how the Safe{Wallet} Monitor can help you prevent potential risks and protect your assets.

BlockSec Phalcon: Threats Monitoring and Prevention

Safe{Wallet} Monitor is an essential module of Phalcon. Phalcon is a security monitoring and blocking platform launched by BlockSec, providing comprehensive post-launch security protection for protocols, helping liquidity providers, DAOs, fund managers, etc., safeguard their assets. In addition to Safe{Wallet} Monitor, Phalcon also covers:

  • Real-time monitoring of attack transactions
  • Real-time monitoring of operational, interaction, and financial risks
  • Flexible monitoring of token amounts/price, key variables, sensitive events, and function invocation
  • Custom monitoring solutions by security experts
  • Automated responses with multi-signature wallets
  • Emergency response SOP and War Room services
  • Root cause analysis
  • Audits of fixed smart contract codes
  • ...

Conclusion

In the crypto world, security is not optional—it is foundational. BlockSec's Safe{Wallet} Monitor builds multiple defense layers to ensure every Safe{Wallet} transaction withstands unforeseen risks, safeguarding your assets.

Sign up for the latest updates
The Decentralization Dilemma: Cascading Risk and Emergency Power in the KelpDAO Crisis
Security Insights

The Decentralization Dilemma: Cascading Risk and Emergency Power in the KelpDAO Crisis

This BlockSec deep-dive analyzes the KelpDAO $290M rsETH cross-chain bridge exploit (April 18, 2026), attributed to the Lazarus Group, tracing a causal chain across three layers: how a single-point DVN dependency enabled the attack, how DeFi composability cascaded the damage through Aave V3 lending markets to freeze WETH liquidity exceeding $6.7B across Ethereum, Arbitrum, Base, Mantle, and Linea, and how the crisis forced decentralized governance to exercise centralized emergency powers. The article examines three parameters that shaped the cascade's severity (LTV, pool depth, and cross-chain deployment count) and provides an exclusive technical breakdown of Arbitrum Security Council's forced state transition, an atomic contract upgrade that moved 30,766 ETH without the holder's signature.

Weekly Web3 Security Incident Roundup | Apr 13 – Apr 19, 2026
Security Insights

Weekly Web3 Security Incident Roundup | Apr 13 – Apr 19, 2026

This BlockSec weekly security report covers four attack incidents detected between April 13 and April 19, 2026, across multiple chains such as Ethereum, Unichain, Arbitrum, and NEAR, with total estimated losses of approximately $310M. The highlighted incident is the $290M KelpDAO rsETH bridge exploit, where an attacker poisoned the RPC infrastructure of the sole LayerZero DVN to fabricate a cross-chain message, triggering a cascading WETH freeze across five chains and an Arbitrum Security Council forced state transition that raises questions about the actual trust boundaries of decentralized systems. Other incidents include a $242K MMR proof forgery on Hyperbridge, a $1.5M signed integer abuse on Dango, and an $18.4M circular swap path exploit on Rhea Finance's Burrowland protocol.

Weekly Web3 Security Incident Roundup | Apr 6 – Apr 12, 2026
Security Insights

Weekly Web3 Security Incident Roundup | Apr 6 – Apr 12, 2026

This BlockSec weekly security report covers four DeFi attack incidents detected between April 6 and April 12, 2026, across Linea, BNB Chain, Arbitrum, Optimism, Avalanche, and Base, with total estimated losses of approximately $928.6K. Notable incidents include a $517K approval-related exploit where a user mistakenly approved a permissionless SquidMulticall contract enabling arbitrary external calls, a $193K business logic flaw in the HB token's reward-settlement logic that allowed direct AMM reserve manipulation, a $165.6K exploit in Denaria's perpetual DEX caused by a rounding asymmetry compounded with an unsafe cast, and a $53K access control issue in XBITVault caused by an initialization-dependent check that failed open. The report provides detailed vulnerability analysis and attack transaction breakdowns for each incident.