Table of Contents
Picture this: You’re the treasurer of a major crypto exchange. Your phone buzzes with a notification – another routine transaction needs approval. You glance at your screen, see familiar addresses, and click “approve” without a second thought. Within minutes, millions of dollars vanish into thin air.
This isn’t fiction. This exact scenario played out when Bybit, one of the world’s largest cryptocurrency exchanges, fell victim to a sophisticated hack executed by North Korean cybercriminals. The culprit? A signer who didn’t fully verify a transaction, leading to a critical Safe UI vulnerability that drained millions from their multi-signature wallet.
The harsh reality is that even the most secure wallet setups can crumble with one careless click. But here’s the good news: these disasters are completely preventable when you know what to look for.
Don’t want to be the next victim?
Let’s walk through how to verify calldata, use multi-sig safely, and pick the right wallet for your level.
The Wallet Hierarchy: Choosing Your Guardian
Before diving into verification techniques, let’s address the elephant in the room: which wallet should you even use?
Total Beginner with Small Amounts: Start with custodial wallets or keep funds on reputable exchanges. Yes, “not your keys, not your crypto” is true, but losing $100 to exchange risk beats losing $100 to your own mistakes.
Beginner with Small Money: Browser wallets like MetaMask or Phantom work well. They’re user-friendly and perfect for learning the ropes with amounts you can afford to lose.
Intermediate Users with Medium Amounts: Hardware wallets like Ledger or Trezor become essential. They keep your private keys offline and away from internet threats.
Intermediate Users with Large Amounts: Combine multi-signature wallets with hardware wallets. This creates multiple checkpoints that hackers must breach simultaneously.
Advanced Users with Significant Holdings: Multi-signature wallets with social recovery, or custom solutions. At this level, you’re building Fort Knox for your digital assets.
For wallet comparisons and security audits, check out walletscrutiny.com – it’s like a Consumer Reports for crypto wallets.
Hot vs Cold Wallets
Hot wallets stay connected to the internet (MetaMask, Phantom, and mobile apps). They’re convenient for daily transactions but vulnerable to online attacks.
Cold wallets remain offline (Ledger, Trezor hardware devices). They’re like keeping cash in a physical safe, much harder to steal remotely.
Important:
Even a cold wallet becomes hot if you connect it to a Safe multi-sig UI!
Always be aware of when you’re online vs offline
Verifying Simple Transactions: Your First Line of Defense
When using MetaMask or similar wallets, you’ll sometimes see transaction details that look like gibberish. Don’t panic, here’s how to decode them:
Check These Three Things:
- Estimated changes – What’s actually moving in and out of your wallet
- The “to” address – Where your money is going
- Hash data – The first 4 bytes reveal the function being called
For example, if you see “0xa9059cbb” in your transaction data, you can decode it using Cast (a developer tool):
cast sig “transfer(address,uint256)”
This returns the function selector you can compare against your transaction. If they match, you’re calling a transfer function. If they don’t match, stop immediately.
To verify the specific parameters of a transfer:
cast calldata-decode “transfer(address,uint256)”
This shows exactly where your tokens are going and how many.
Multi-Sig Transactions: Where Things Get Complicated
Multi-signature wallets require multiple people to approve transactions before they execute. Think of it like a shared bank account where both you and your spouse need to sign checks for large purchases
Critical Point: A signature request is NOT the same as a transaction request. You’re not sending money yet, you’re just adding your approval to a pending transaction.
How to Verify a Multi-Sig Transaction
Step 1: Install the Right Tools Get Cyfrin’s Safe_hashes tool from GitHub
https://github.com/Cyfrin/safe-tx-hashes?tab=readme-ov-file#curl
This tool decodes Safe transactions into a human readable format.
Step 2: Run the Verification Command
safe_hashes –address –network –nonce
If no transaction appears, use –untrusted mode in above command
Step 3: Manual Verification (Advanced) For complete independence from APIs, use Cast:
cast calldata “approve(address,uint256)”
Then verify with Safe hashes:
safe_hashes –address –network –nonce 2 –data –offline –to
The Golden Rules That Could Save Millions
Never sign and execute simultaneously. Some wallets try to streamline this process, but convenience is the enemy of security.
Watch for operation codes. If you see “operation = 1” in your transaction, you’re looking at a DELEGATECALL – essentially giving another contract permission to act with your wallet’s full authority. This is extremely dangerous and should only be used in very specific circumstances.
Always verify these three elements before any signature:
- The destination address (where is this going?)
- The function selector (what action is being performed?)
- The value or amount (how much is involved?)
Why This Matters More Than Ever
The Bybit hack wasn’t an isolated incident. Similar attacks happen regularly because people skip verification steps. The difference between a secure transaction and a devastating hack often comes down to spending 30 seconds to verify what you’re actually signing.
Remember: in the world of cryptocurrency, there’s no “undo” button. Once a transaction is confirmed on the blockchain, it’s permanent. The few minutes you spend verifying could be the difference between protecting your assets and reading about your loss in tomorrow’s crypto news.
The tools and techniques outlined here aren’t just for crypto professionals – they’re for anyone who values their digital assets enough to protect them properly. Start with the basics, build good habits, and gradually level up your security practices as your holdings grow.
TL;DR
- Pick the right wallet for your level
- Always verify the transaction before signing, especially calldata
- Never trust the UI blindly
- Use Safe_hashes or Cast for decoding
- Multi-sig ≠ automatic safety
One wrong click can empty your wallet. Take 30 seconds and verify, your future self will thank you.
Leave a Reply