safe-wallet-web icon indicating copy to clipboard operation
safe-wallet-web copied to clipboard

Published 20 hours ago verified publisher icon safe-global

Validate safeTxHash against tx data

Open katspaugh opened this issue 3 months ago • 0 comments

@Uxio0 suggested a security enhancement:

  • When displaying a transaction's details from the backend, compare a generated safe tx hash from the transaction data with the safeTxHash returned from the backend.
  • If the hashes don't match, show a warning to the user and don't allow signing this transaction.
  • Track these cases to Sentry as critical (if it ever happens)

This would detect hacking attempts on the backend.

N.B. we currently never sign a raw safe tx hash from the backend and instead always generate a new hash from transaction data, so the user always signs what they actually see. However, this enhancement would be still useful to detect txs that could have been messed with.

katspaugh avatar Apr 08 '24 07:04 katspaugh