Add FailSafe App

[aamirethlas]

Entry type

• New addition

App info

URL: app.getfailsafe.com

Name: FailSafe

Description: FailSafe is designed to deal with game-over scenarios: where an attacker learns the victim wallet's private key or seed phrase, or gains an unlimited token allowance via phishing or smart contract compromise.

FailSafe works with Safe to add an extra layer of protection. It keeps an eye on all transactions that try to move money out of the wallet. If it sees something suspicious, it steps in quickly to move the money to a safe vault (FailSafe Recovery Vault).

Icon (PNG, 180x180):

Homepage: www.getfailsafe.com Twitter: https://twitter.com/protectmywallet GitHub: Private

App supports batching multiple transactions via Safe: no

Supported networks

- Ethereum Mainnet
- Binance Smart Chain
- Polygon

Revision checks

• [x] Used smart contracts were audited.
  • [x] You have implemented the app using the Safe Apps SDK
  • [x] Your Safe App includes a manifest.json file at the root with the required data – please paste the link to manifest.json here – apps without a manifset WILL NOT be accepted.
  • [x] The app can be loaded as a custom Safe App in the Apps section of https://app.safe.global.
  • [x] The app auto-connects to the Safe.
  • [x] You are able to trigger and execute one transaction with a Safe.
  • [x] RPC requests are optimized (not triggering many requests in a very short time period).

Audit document

Link to smart contracts audit.

Code for review

Private

Team information

Company: FailSafe

Official website: www.getfailsafe.com

Email: aamir@ethlas.com

Telegram: aamirorbit

Twitter: https://twitter.com/protectmywallet

[katspaugh]

The app doesn't seem to have a manifest.json

Nvm, figured out the right URL is https://app.getfailsafe.com

[katspaugh]

It's not autoconnecting to the Safe.

[aamirethlas]

@katspaugh Its do the auto connect with the safe, this "connect wallet" button is used to communicate with the owner wallet, so that they can authenticate within FailSafe on behalf of MultiSig Safe Wallet

[katspaugh]

It's not how we expect Safe Apps to work. If you need to verify a login signature, the app should request a EIP-1271 signature from the Safe itself.

[kirkkonen]

Approved from the product perspective.

[aamirethlas]

@katspaugh Initially, we implemented the login process as you suggested.

However, after getting feedback from our Enterprise customers, this approach faced many challenges. Based on their input, we transitioned to a single-owner signature verification method, to perform the actions within FailSafe.

But all the onChains transactions, go with Safe Standard, like approval or token transfer, which requires multiple owner verification.

[katspaugh]

Why does "protecting" DAI involve giving an unlimited approval to an EOA?

[arimed4000]

@katspaugh in order to front run the attacker (in case the attacker learned the user's seed phrase/priv key or other compromises) the user grants permission to a predicted address (via create2) - that is the address of a dedicated FailSafe wallet contract that will be deployed as part of the front run (if this is the first time its happening). You can see the implementation code here of the failsafe orchestrator on polygon is this case of how is happens: failsafe orch impl

The Failsafe wallet contract (code for the address that allowance is being granted to): can be seen here:FailSafe wallet impl the allowance enables the defend method to work (i.e., move the funds to the failsafe wallet contract where the user is afterward able to withdraw/recover funds.
The Failsafe interceptor product is part of the defense in depth arch for web3 that we published here:failSafe Paper

[katspaugh]

I see, thanks for the detailed response, it makes sense. I guess there's no way for Redefine to tell a create2 address from an EoA w/o knowing the input parameters.

We'll discuss the implications with the team and I'll get back to you.

[katspaugh]

After discussing with the team, we unfortunately decided not to include your app in the official list.

Reasons are:

• The wallet connection flow is not compliant with what we expect from Safe Apps.
• High risk warnings from Redefine. We informed Redefine that the EOA message is not entirely correct though.
• Overall, your asset protection scheme gives up a lot of security/self-custody by delegating it from a Safe account to your contracts.

Especially given the last point, we're not comfortable endorsing your app in our official UI at this time. You can still onboard Safe users via WalletConnect or as a custom app.

Thanks for taking the time to develop and submit the app, we appreciate your commitment to the ecosystem!