Safe{Wallet} Security Monitors
Detect and prevent attacks on your Safe multisig wallet. Get alerted on dangerous configuration changes and malicious pending transactions — before they execute.
The $1.4B Bybit Hack — February 2025
The largest cryptocurrency hack in history exploited a Safe multisig wallet
In February 2025, attackers stole $1.4 billion from Bybit's Safe multisig wallet in a single transaction. The attack didn't exploit a code vulnerability — it exploited the signing process itself.
How It Happened
- UI spoofing: Attackers compromised the signing interface used by Bybit's team. The UI displayed what looked like a routine transfer transaction.
- Hidden delegate call: The actual transaction payload was a
delegatecall(operation=1) to a malicious contract — but the UI disguised it as a normal transfer. - Proxy takeover: The malicious code modified the Safe's singleton address (the proxy implementation). The wallet was now controlled by the attacker's code.
- Complete drain: With the proxy compromised, the attacker drained all $1.4B in assets from the wallet.
Why Existing Tools Failed
Bybit had industry-standard security practices. But no tool was monitoring the pending transactions in their Safe's transaction queue.
Nobody verified that the operation field matched what the UI displayed.
Nobody flagged a delegatecall to an unverified contract.
Chainitor's Safe Prevention Monitor would have detected this attack at the pending transaction stage — before a single signature was collected — by flagging the delegatecall to an unverified contract.
Two Layers of Protection
Chainitor monitors your Safe wallet at two levels: detecting attacks that already happened on-chain, and preventing attacks before they execute.
Detection Monitors
On-chain event monitoring
Monitor your Safe's on-chain events in real-time. Get alerted the moment an owner is added, a module enabled, or a guard removed.
6 monitor types available
Prevention Monitors
Pre-execution scanning
Scan pending transactions before they execute. Detect dangerous delegate calls, configuration changes, and suspicious payloads while there's still time to act.
Prevents Bybit-style attacks
Detection Monitors
These monitors watch your Safe's on-chain events and alert you the moment a configuration change is executed. Essential for detecting unauthorized changes, even if an attacker bypasses the signing interface.
Owner Added / Removed
CRITICALDetect when an owner is added to or removed from your Safe. Unauthorized owner changes are the first step in a hostile takeover — an attacker adds themselves as an owner, then uses their new privileges to drain funds.
Events: AddedOwner(address) · RemovedOwner(address)
Threshold Changed
CRITICALAlert when the signing threshold changes. A threshold reduction from 3-of-5 to 1-of-5 means a single compromised key can move all funds. This is often the final step in a multisig attack.
Event: ChangedThreshold(uint256)
Guard Changed
HIGHDetect when a transaction guard is changed or removed. Guards validate transactions before execution — removing a guard disables all your custom security rules, leaving the Safe unprotected.
Event: ChangedGuard(address) · Alert when set to 0x0 (removal)
Module Enabled / Disabled
HIGHMonitor module changes on your Safe. Modules can execute transactions without owner signatures — a malicious module is essentially a backdoor that bypasses your entire multisig security model.
Events: EnabledModule(address) · DisabledModule(address)
Prevention Monitor
Pending Transaction Security Scanner
NEWThe most advanced Safe security monitor available. Scans transactions in the Safe Transaction Service queue before they are executed, giving you time to reject dangerous transactions.
What It Detects
- ! Delegate calls to unverified contracts — the exact attack vector used in the Bybit hack
- ! Pending threshold changes — e.g. reducing from 3-of-5 to 1-of-5
- ! Pending owner changes — adding unknown addresses as owners
- ! Pending guard removal — disabling security checks
- ! Pending module injection — enabling unauthorized modules
How Prevention Works
- 1. A transaction is proposed to your Safe's transaction queue
- 2. Chainitor scans the pending transaction in real-time
- 3. If the transaction contains a dangerous operation, you get an instant alert
- 4. You reject the transaction before enough signatures are collected
- 5. Attack prevented. No funds lost.
How Chainitor Would Have Stopped the Bybit Hack
Attacker proposes malicious transaction
The attacker submits a transaction to the Safe Transaction Service. The UI shows a "routine transfer" but the payload is a delegatecall to an unverified malicious contract.
Chainitor scans the pending transaction
Within seconds, Chainitor's Prevention Monitor detects: operation=1 (delegatecall) targeting an unverified contract. This is flagged as CRITICAL.
Your team gets an instant alert
Alert sent to Slack, Telegram, Discord, or webhook: "CRITICAL: Pending delegatecall to unverified contract 0x... detected on Safe 0x.... No signatures collected yet."
Team rejects the transaction
Your team reviews the alert, confirms the transaction is malicious, and rejects it before any signer approves. $1.4B saved.
Who Needs Safe Security Monitors?
DAOs & Treasuries
Protect multi-million dollar DAO treasuries managed through Safe. Detect unauthorized governance changes and prevent hostile takeovers.
Protocol Teams
Secure protocol admin wallets that control upgrades, fee collection, and emergency functions. Prevent proxy takeover attacks.
Institutional Custody
Add an extra security layer for institutional wallets. Meet compliance requirements with real-time monitoring and audit trails.
Security Teams
Get immediate visibility into Safe configuration changes across your organization. Investigate incidents with detailed event logs.
Supported Networks
- Ethereum
- Polygon
- Binance Smart Chain
- Arbitrum
- Optimism
- Base
- And more networks being added
Getting Started
- Sign up for a Chainitor account
- Enter your Safe wallet address
- Select which monitors to enable (detection, prevention, or both)
- Configure your alert thresholds and notification channels
- Start monitoring — alerts are active within seconds
Protect Your Safe Wallet Today
Don't wait for an attack to happen. Set up Safe security monitors and get alerted the moment something suspicious occurs.
Simple, Transparent Pricing
Start monitoring your blockchain infrastructure today
- 10 monitors
- 5-minute checks
- Email & Discord alerts
- 30-day data retention
- Community support
7-day free trial, cancel anytime before you're charged.
- 30 monitors
- 1-minute checks
- All alert channels (Slack, Telegram)
- 1-year data retention
- Priority support
- Advanced filtering
7-day free trial, cancel anytime before you're charged.
- Unlimited monitors
- Custom SLA
- Dedicated support
- API access & webhooks
- Custom monitor code (coming soon)
7-day free trial, cancel anytime before you're charged.
All prices exclude applicable taxes. By signing up, you agree to our Terms of Service and Privacy Policy.
What counts as a monitor?
One monitor equals one specific check you want to run.
Common Use Cases
DevOps Monitoring
Keep track of balances in your Deployer, Hot Wallet, and Treasury across Dev, Staging, and Prod environments.
Whale Watching
Get alerted when specific large wallets move funds or interact with protocols.
Protocol Health
Monitor critical contract events like `EmergencyShutdown` or large `Withdraw` calls.
User Activity
Track activity on your dApp's contracts to understand usage patterns in real-time.
How many wallets, contracts, or events do you need to watch?
Time spent writing scripts, debugging, or manually checking.
Estimated internal cost for developer time.
Estimated Monthly Cost (Self-Hosted)
$0
Chainitor Monthly Cost
$0
Your Monthly Savings
$0
*Plus the value of instant alerts and peace of mind.