
Introducing FailSafe Guard™: Smart Contract Defense

FailSafe unveils the mechanics behind FailSafe Guard™, its cutting-edge module designed to protect smart contracts and mitigate attempts at crypto theft in the early stages of a cyberattack.

How Does FailSafe Guard™ Work?

FailSafe’s composable, defence-in-depth architecture is designed to reinforce the security of blockchain users against impending, imminent, and ongoing cyberattacks. The FailSafe Interceptor™ deals with attacks that have reached an advanced stage. For instance, while monitoring the mempool, FailSafe may detect an attacker’s transaction attempting to transfer assets from the victim’s EOA. The Interceptor plays a primary role in intercepting the transaction by front running it, i.e., transferring assets out from the victim’s compromised wallet to a freshly created Recovery Vault.

By contrast, the Attestation Service™ plays a complementary role by targeting attacks in their early stages and covering areas that go beyond token protection. The Attestation Service is built on an enhanced version of the Gnosis Safe infrastructure, combining the best of Web2 and Web3 security techniques. This enables protocol-level security measures such as preventing the unauthorized use of privileged access to smart contract operations, or protecting blockchain-native currencies (e.g., ETH, USDT, BNB).

Protecting Privileged Smart Contract Methods

Methods on a smart contract can be classified into ‘read-only’ and ‘write’ operations. There are two categories of ‘write’ method that can change state:

  • operations callable by any address
  • operations with restricted access, which can only be called by the contract owner or those with administrator-level privileges

If a malicious actor gains access to these restricted operations, the losses may be devastating. Access control exploits were responsible for five of the most expensive cases of crypto theft in 2023, while the March 2022 hack of the Ronin bridge alone cost over $600M.

A good security practice is to change the privileged address on the smart contract from an EOA to a multi-signature wallet like Gnosis Safe. The quorum triggers a transaction to invoke the smart contract operation via the privileged address, which is then relayed via the Safe Wallet contract. FailSafe is designed to enhance this method of smart contract defense.

The Attestation Service integrates with Gnosis Safe to introduce an added layer of tried-and-true operational security practices into this process. These may consist of programmable preconditions that are used to determine the legitimacy of an attempt to call privileged operations on a smart contract.

  • Geo-location: Are all the signers coming from expected IP ranges?
  • Threat Intelligence: Are there any anomalous transactions involving any of the addresses that form the quorum of signatures?
  • Device Intelligence: Are the signers initiating transactions from a new or unrecognized device? If so, has the 2FA challenge been completed?
  • Time-based Restrictions: Is the transaction being executed within the permitted time window?
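
The four preconditions listed above can be expressed as an off-chain policy check that runs before a privileged call is attested. The sketch below is an added example, not FailSafe's code; every name in it (`Signer`, `Policy`, `evaluate`), the addresses, the device ids and the IP ranges are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

# All names and values below are hypothetical, constructed for illustration.
@dataclass
class Signer:
    address: str      # signer's on-chain address
    ip: str           # source IP of the signing request
    device_id: str    # device fingerprint presented with the request
    passed_2fa: bool  # whether the 2FA challenge was completed

@dataclass
class Policy:
    allowed_networks: list   # expected IP ranges, as CIDR strings
    flagged_addresses: set   # addresses with anomalous activity per threat intel
    known_devices: dict      # signer address -> set of recognised device ids
    window_start: time       # permitted execution window, in UTC
    window_end: time

def evaluate(signers, policy, now):
    """Return the failed preconditions; an empty list means the call may be attested."""
    failures = []
    nets = [ip_network(n) for n in policy.allowed_networks]
    for s in signers:
        if not any(ip_address(s.ip) in n for n in nets):
            failures.append(f"geo:{s.address}")
        if s.address in policy.flagged_addresses:
            failures.append(f"threat-intel:{s.address}")
        # A new or unrecognised device passes only if 2FA was completed.
        known = policy.known_devices.get(s.address, set())
        if s.device_id not in known and not s.passed_2fa:
            failures.append(f"device:{s.address}")
    # 'now' must be timezone-aware so the window is compared in UTC.
    utc_now = now.astimezone(timezone.utc).time()
    if not (policy.window_start <= utc_now <= policy.window_end):
        failures.append("time-window")
    return failures

# Constructed sample policy (documentation IP ranges, placeholder addresses).
POLICY = Policy(
    allowed_networks=["203.0.113.0/24", "198.51.100.0/24"],
    flagged_addresses={"0xSignerC"},
    known_devices={"0xSignerA": {"laptop-1"}, "0xSignerB": {"phone-7"}},
    window_start=time(8, 0), window_end=time(18, 0),
)
```

Any non-empty result names the precondition and the signer that failed, which gives an operator a reason for the refusal rather than a bare rejection.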

Safeguarding Native Tokens and Other Assets

When an attacker submits a transaction to move the victim’s crypto assets, the Interceptor recognizes this as a late-stage attack and sweeps the targeted assets into a secure Recovery Vault.

The Attestation Service, by contrast, is a complementary security module that reduces the attacker’s chance of reaching the late stage of the attack life cycle. Using the combination of Web2 and Web3 security techniques described above (multisig ++), FailSafe applies programmable security measures to detect the risk of unauthorized transactions.

By scanning smart contract calls originating from privileged addresses for security anomalies, FailSafe Guard™ is able to effectively detect a wide range of on-chain threats to crypto assets. As a composable module in FailSafe’s security suite, it provides a sophisticated depth of smart contract defense against cyberattacks which are often equally sophisticated.

FailSafe integrates with cold wallets, while detecting on-chain and off-chain phishing attacks. Users can also use the ‘Smart Mode’ feature to enjoy maximum flexibility in wallet activity without sacrificing the integrity of their security.

Start using FailSafe to protect your wallet today and enjoy the highest level of wallet security.