Back to Blog

BlockSec Launches Safe{Wallet} Security Monitoring Solution

Phalcon
March 6, 2025

The recent Bybit incident has garnered widespread attention. According to Bybit's report conducted by third parties, the incident occurred because the hacker breached a Safe developer's machine, altered the data Bybit signers intended to sign during transaction initiation, and ultimately executed a malicious upgrade transaction. The incident resulted in nearly $1.5 billion in asset losses. In fact, similar attacks occurred twice last year, including Radiant (loss of approximately $58 million) and the Indian exchange WazirX hack (loss exceeding $200 million), both caused by signing malicious transactions via Safe wallets.

The latest data (March 4) from Dune reveals that over 39.14 million Safe wallets have been deployed in total, managing assets valued at $54.9 billion. To meet user demand and strengthen risk control throughout the lifecycle of using Safe wallets, BlockSec has launched the Safe{Wallet} Monitor. This solution offers users comprehensive visibility into transaction details, risk assessments, and transaction simulations, helping to safeguard assets and prevent potential losses.

Safe TVL over time_Dune
Safe TVL over time_Dune

Risks of Safe{Wallet} Transaction Signing

  • Prime Attack Targets: Safe wallets typically manage large assets, making them prime targets for hackers. For instance, the Bybit incident was a meticulously planned attack, with the hacker deploying and testing malicious contracts two days in advance.
  • Extended Security Chain: The security chain involved in the entire operation is very long. Users need to trust Safe's smart contracts, the official website/app, the front and back end, their own computers, browsers, and finally the wallet used for signing. However, attackers can target either Safe or individual signers. A single compromised link—such as tricking a user into signing an upgrade transaction disguised as a normal transfer—can result in devastating consequences.
  • Hardware Wallet Limitations: Most hardware wallets cannot interpret Safe transactions. If users are misled by the Safe interface, they are unable to perform cross-verification while signing with a hardware wallet. Coupled with signers' inherent trust in prior approvals, this kind of "blind signing" can easily lead to serious oversights and security incidents.

Safe{Wallet} Monitor

BlockSec's Safe{Wallet} Monitor tracks the entire transaction signing process in real-time, displays transaction details, identifies risks, simulates outcomes, and offers the following features:

  • Alerts Risks Before Execution: Our system provides continuous monitoring across all stages of Safe wallet transactions, including initiation, signing, and execution. If a risky transaction is detected, users are alerted before the signing process is completed and prior to the transaction being broadcast.
  • Detailed Transaction Insights: Our system intercepts complex transactions and translates them into clear, human-readable explanations, enabling informed decision-making and eliminating blind signing risks.
  • Risk Analysis & Execution Simulation: Our system analyzes each transaction's related risks and simulates transaction outcomes before they're executed, to prevent signing unwanted transactions.
Security Risks_Safe{Wallet} Monitor
Security Risks_Safe{Wallet} Monitor
  • Multi-Channel Verification: Alerts can be sent to both signers and non-signers for additional verification, providing an extra pair of eyes and ensuring thorough cross-checking.
  • Whitelist Mechanism: Users can restrict interactions to specific contracts. The system instantly detects configuration changes and responds.
  • Automated Response: Automatically triggers a pre-set response mechanism to block attacks upon detecting harmful transactions.

Book a Demo

Any individual or institution using a Safe wallet, especially those managing large assets such as exchanges, protocols, L1/L2 chains, investment institutions, and investors, may face the risk of funds being stolen.

We invite you to book a demo to learn how the Safe{Wallet} Monitor can help you prevent potential risks and protect your assets.

BlockSec Phalcon: Threats Monitoring and Prevention

Safe{Wallet} Monitor is an essential module of Phalcon. Phalcon is a security monitoring and blocking platform launched by BlockSec, providing comprehensive post-launch security protection for protocols, helping liquidity providers, DAOs, fund managers, etc., safeguard their assets. In addition to Safe{Wallet} Monitor, Phalcon also covers:

  • Real-time monitoring of attack transactions
  • Real-time monitoring of operational, interaction, and financial risks
  • Flexible monitoring of token amounts/price, key variables, sensitive events, and function invocation
  • Custom monitoring solutions by security experts
  • Automated responses with multi-signature wallets
  • Emergency response SOP and War Room services
  • Root cause analysis
  • Audits of fixed smart contract codes
  • ...

Conclusion

In the crypto world, security is not optional—it is foundational. BlockSec's Safe{Wallet} Monitor builds multiple defense layers to ensure every Safe{Wallet} transaction withstands unforeseen risks, safeguarding your assets.

Sign up for the latest updates
~$15.9M Lost: Trusted Volumes & More | BlockSec Weekly
Security Insights

~$15.9M Lost: Trusted Volumes & More | BlockSec Weekly

This BlockSec bi-weekly security report covers 11 notable attack incidents identified between April 27 and May 10, 2026, across Sui, Ethereum, BNB Chain, Base, Blast, and Berachain, with total estimated losses of approximately $15.9M. Three incidents are analyzed in detail: the highlighted $1.14M Aftermath Finance exploit on Sui, where a signed/unsigned semantic mismatch in the builder-fee validation allowed an attacker to inject a negative fee that was converted into positive collateral during settlement; the $5.87M Trusted Volumes RFQ authorization mismatch on Ethereum; and the $5.7M Wasabi Protocol infrastructure-to-contract-control compromise across multiple EVM chains.

Newsletter - April 2026
Security Insights

Newsletter - April 2026

In April 2026, the DeFi ecosystem experienced three major security incidents. KelpDAO lost ~$290M due to an insecure 1-of-1 DVN bridge configuration exploited via RPC infrastructure compromise, Drift Protocol suffered ~$285M from a multisig governance takeover leveraging Solana's durable nonce mechanism, and Rhea Finance incurred ~$18.4M following a business logic flaw in its margin-trading module that allowed circular swap path manipulatio

~$7.04M Lost: GiddyDefi, Volo Vault & More | BlockSec Weekly
Security Insights

~$7.04M Lost: GiddyDefi, Volo Vault & More | BlockSec Weekly

This BlockSec weekly security report covers eight attack incidents detected between April 20 and April 26, 2026, across Ethereum, Avalanche, Sui, Base, HyperLiquid, and MegaETH, with total estimated losses of approximately $7.04M. The highlighted incident is the $1.3M GiddyDefi exploit, where the attacker did not break any cryptography or use a flash loan but simply replayed an existing on-chain EIP-712 signature with the unsigned `aggregator` and `fromToken` fields swapped out for a malicious contract, demonstrating how partial signature coverage turns any historical signature into a generic permit. Other incidents include a $3.5M Volo Vault operator key compromise on Sui, a $1.5M Purrlend privileged-role takeover, a $413K SingularityFinance oracle misconfiguration, a $142.7K Scallop cross-pool index injection, a $72.35K Kipseli Router decimal mismatch, a $50.7K REVLoans (Juicebox) accounting pollution, and a $64K Custom Rebalancer arbitrary-call exploit.