Gnosis Safe Multisig User Incident Analysis

On December 3rd, 2021, the SlowMist identified a sophisticated phishing attack on the Gnosis Safe Mutisig in the Habitat team fund. This is our brief analysis of the situation so far.

Relevant Information

Hacker’s first address: Habitat Multsig Drainer Fund Supplier 0x62a51ad133ca4a0f1591db5ae8c04851a9a4bf65

Hacker’s second address : Habitat Multsig Drainer 0x26a76f4fe7a21160274d060acb209f515f35429c

Fake Gnosis Safe Insurance contract: 0x09afae029d38b76a330a1bdee84f6e03a4979359

Fake Gnosis Safe contract:


Hackers proxy contract:


Real Gnosis Safe Insurance Contract: 0x34cfac646f301356faa8b21e94227e3583fe3f5f

Real Gnosis Safe Contract:


Transaction ID:

Our analysis

The hacker began preparing on November 23, according to our MistTrack anti-money laundering tracking system. They use Tornado.Cash and deposit 0.9384 ETH into the first address to prevent detection. They then send 0.8449 ETH to the second address to deploy the smart contract.

After the successful attack, the funds were converted to ETH using Uniswap and Sushiswap. They then transferred 56.2 ETH to Tornado.Cash To evade tracking.

Following the Transactions

The attacker created a counterfeit MultiSendCall( Fake Gnosis safe contract) 9 days before the attack and verified the contract, making it look like the real MultiSendCall(Gnosis safe contract).

After phishing for a signature from the user, the hacker can direct the calldata to the malicious contract address. The correct address should have been 0x40a2accbd92b ca938b02010e17a5b8929b49130d, but it has now been altered to 0x3cb0652856d7eabe51f1e3cceda99c93b05d7cea.

Because the attacker’s signature data is correct, it passed the multi-signature verification stage and began executing the malicious smart contract.

Looking at this contract, we discovered that it contained additional assignments; let’s take a deeper look at this code.

When the condition of payment.version <VERSION is triggered, storage[0x00] will be reassigned every time called.

When the transaction is completed, the storage[0x00] of Proxy has became 9ab0e73798 09afae029d38b76a330a1bdee84f6e03a4979359. This is the contract created by the hacker.

Since the Gnosis safe insurance address is read from storage[0x00] by the Proxy contract, now it will be changed to the hackers’ smart contract.
The hacker only needs to wait for the user to deposit enough tokens into this contract and then send a transfer function to withdraw the funds.

We discovered that the attacker was quite clever after reviewing the transaction records of the malicious smart contract.

The hacker ensured that the smart contract permitted the user to utilize other features normally to avoid detection.

When our team broke down the malicious smart contract, we discovered that it allowed the user to utilize the multisig function normally before the hacker made their move. Once the right conditions are met, it will bypass the verification and withdraw the funds.


The hacker most likely used a phishing scam to obtain a multi-signature data from a user. It then used that data to delegatecall a call to an external contract, allowing the external contract to change the data. Now it can use the slot location corresponding to the variable stored in the external contract to change the data in the current contract. Once the hacker’s contract was deployed, the Gnosis safe contract was directed to the hacker contract. By doing so, the funds can be transferred at any time without signing. The SlowMist’s security team advises that before accessing the Gnosis Safe Multisig app, make sure it is for an official website. Check the content of programs carefully so that you can identify phishing sites and malicious transaction data as soon as possible.

Additional information:




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Apple Hall Of Fame for a Small Misconfiguration || Unauth Cache Purging

{UPDATE} Abalone® Hack Free Resources Generator

{UPDATE} Airport Time Machine Lite Hack Free Resources Generator

Data Privacy: 4 Common Issues and How to Solve Them

Your future of cybersecurity — the rules and algorithms of AI/ML

Digital Identity as we know it…

JAWS is in Trade Mining & Farm & Pool with BabySwap!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

More from Medium

Post-mortem Analysis of OneRing Incident

Revest Finance Vulnerabilities: More than Re-entrancy

Phantom Functions and the Billion-Dollar No-op

Different parsers, different results