I’m interested in developing a social recovery guard + module for Gnosis Safe and was wondering if the community is interested and/or if something like I’m proposing already exists? Besides recovering ones own wallet this should also aid family members in inheriting digital assets from users who become incapacitated or somehow other are unable to access their assets.
- Safes can assign a list of recovery agents and their respective delays
- Recovery agents can only recover the safe after it has been inactive for the duration of their delay
- Each recovery agent can have a custom delay (allows expressing recovery priority preferences)
- Safe inactivity is tracked via the last authorized transaction
- Upon recovery the recovery agent will replace the owners of the safe
For each safe the recovery contract will keep track of the following data:
recoveryAgentRoot: Merkle tree of approved recovery addresses and their recovery delay
ping: timestamp when safe last executed an authorized transaction
recoveryAgent: Currently active recovery agent,
address(0) if none
Logic - Pinging
As a safe’s guard the recovery contract will update the safe’s ping when it’s triggered with either the
Logic - Recovery
To initiate recovery the calling account will pass the merkle proof along with a new set of owners to replace the old.
Having recovery agents keep track of and store the merkle proofs associated with a safe could be complex and not very user friendly. Instead it may be better to keep track of the recovery agents in an array directly in the contract, while this comes at a higher cost it could be worth it considering the low amount of addresses that are likely to be recovery agents for a given safe.
Thoughts & Feedback
I’ve really been looking to make my setup more secure and convenient with social recovery but haven’t really found a good solution so far. I’ve started using Safes a bit more and looking into them and I really like the existing UX and feature set (especially the mobile app) so I thought this would be a great extension considering the nice module + guard system Safes have.
Let me know what you think about the idea and design and to what extent it’d be useful for you.
This is a massive long-term opportunity for individuals and organizations/businesses. The core functionality provided above is a great v1/proof-of-concept.
- Other multisig products offer a form of social recovery.
- They are more centralized than Safe, less customizable, and often don’t allow the user to maintain complete ownership of the backup process through seed phrases if they wish in addition to the social recovery aspect.
Core functionality feedback
- Custom delays are great
- Defining the agent ownership threshold is important to maintain the same level of security as the original multisig Safe under the original ownership structure.
What do you mean by this? That recovery agents shouldn’t be able to initiate recovery on their own?
By defining the agent ownership threshold I mean that the original Safe owner should be able to decide the ownership quorum after a recovery has been completed.
- I’d like Bob or Alice to be able to recover my Safe with a delay of 56 weeks.
- Once a recovery has been completed all transactions require a 3 of 5 approval from Bob, Alice, Chip, Dale, and Ellina.
I’m already working on this as a pet project. You can read about the article that I wrote and motivation for this here: Safe recovery module - DEV Community 👩💻👨💻
You can test this module on Goerli testnet.
Make sure your Safe is deployed on Goerli, go to apps → add custom app.
First, you need to enable the module, and your Goerli Safe needs to have a small amount of ETH if you want to use ‘subscription mode’.
Smart contract is written in a way that safe ownership can’t be ‘stolen’ by me or anybody else, and can only be transferred to a user defined address after a certain time period.
This module has a time lock of 10 minutes, which means that if you initiate ‘Inactive for’ recovery in 2 minutes (120 seconds). The recovery will finish in ~12 minutes.
After 2 minutes a script it will initiate recovery, and after additional 10 minutes it will finalise it.
In the end the recovery address will have 1/1 Safe ownership.
This is just a test version, so please don’t get mad if you encounter
I’m interested in the community opinion.
In real scenario that recovery time lock would be longer. so that the owner can cancel the recovery upon receiving multiple email notifications. ‘Farewell’ email msg and email address would be encrypted, and the UX/UI would be better.
Do you have a link to the contracts?