Research
Two Malicious Rust Crates Impersonate Popular Logger to Steal Wallet Keys
Socket uncovers malicious Rust crates impersonating fast_log to steal Solana and Ethereum wallet keys from source code.
By Kirill Boychenko - Sep 24, 2025
@circles/safe-contracts
Advanced tools
Gnosis Safe Contracts
Install
Install requirements with npm:
npm install
Run all tests (requires Node version >=7 for async/await):
npx truffle compile
npx truffle test
Deploy
Some contracts require that the Solidity compile target is at least petersburg (e.g. ProxyFactory and MultiSend). This is default since Solidity 0.5.5.
Note: The formal verification was performed using the contract compiled with solcjs 0.5.0.
Preparation:
- Set
INFURA_TOKENin.env - Set
NETWORKin.env - Run
npx truffle compile
OpenZeppelin SDK:
- Make sure that @openzeppelin/cli is version 2.5 (
npx oz --version) - Make sure that all dependencies use solcjs >0.5.0
- Set correct version in
package.json - Set
MNEMONICin.envto current oz package owner (last deployer normally) - Optional: if a new deployer account is used
- Check that a gloabl versionb of truffle 5 is installed (
truffle version) - Run
truffle exec scripts/change_oz_owner.js --network=<network> --newOwner="<address>"to enable new deployer - Set
MNEMONICin.envto new oz package owner
- Check that a gloabl versionb of truffle 5 is installed (
- Run
npm run deploy-oz - Once deployed on all networks run
npx oz --freeze <network>for each network
Truffle:
- Set
MNEMONICin.env
npx truffle deploy
Verify Contracts:
- requires installed solc (>0.5.0)
virtualenv env -p python3
. env/bin/activate
pip install solidity-flattener
mkdir build/flattened_contracts
solidity_flattener contracts/GnosisSafe.sol --output build/flattened_contracts/GnosisSafe.sol
solidity_flattener contracts/libraries/CreateAndAddModules.sol --output build/flattened_contracts/CreateAndAddModules.sol --solc-paths="/=/"
solidity_flattener contracts/libraries/CreateCall.sol --output build/flattened_contracts/CreateCall.sol --solc-paths="/=/"
solidity_flattener contracts/libraries/MultiSend.sol --output build/flattened_contracts/MultiSend.sol --solc-paths="/=/"
solidity_flattener contracts/handler/DefaultCallbackHandler.sol --output build/flattened_contracts/DefaultCallbackHandler.sol --solc-paths="/=/"
solidity_flattener contracts/modules/DailyLimitModule.sol --output build/flattened_contracts/DailyLimitModule.sol --solc-paths="/=/"
solidity_flattener contracts/modules/SocialRecoveryModule.sol --output build/flattened_contracts/SocialRecoveryModule.sol --solc-paths="/=/"
solidity_flattener contracts/modules/StateChannelModule.sol --output build/flattened_contracts/StateChannelModule.sol --solc-paths="/=/"
solidity_flattener contracts/modules/WhitelistModule.sol --output build/flattened_contracts/WhitelistModule.sol --solc-paths="/=/"
solidity_flattener contracts/proxies/ProxyFactory.sol --output build/flattened_contracts/ProxyFactory.sol
find build/flattened_contracts -name '*.sol' -exec sed -i '' 's/pragma solidity ^0.4.13;/pragma solidity >=0.5.0 <0.7.0;/g' {} \;
Using with OpenZeppelin SDK
You can create a gnosis safe upgradeable instance using OpenZeppelin SDK by linking to the provided EVM package. This will use the master copy already deployed to mainnet, kovan, or rinkeby, reducing gas deployment costs.
To create an instance using OpenZeppelin SDK:
$ npm install -g @openzeppelin/sdk
$ oz init YourProject
$ oz link @gnosis.pm/safe-contracts
$ oz push --network rinkeby
> Connecting to dependency @gnosis.pm/safe-contracts 1.0.0
$ oz create @gnosis.pm//GnosisSafe --init setup --args "[$ADDRESS1,$ADDRESS2,$ADDRESS3],2,0x0000000000000000000000000000000000000000,\"\"" --network rinkeby --from $SENDER
> Instance created at SAFE_ADDRESS
It is suggested to use a non-default address as $SENDER.
Note: When using the contracts via ZeppelinOS make sure to choose an appropriate Proxy admin. An upgradable proxy enables the user to update the master copy (aka implementation). The default upgradable proxy is managed by an admin address. This admin address is independent from the owners of the Safe. Therefore it would be possible for the admin to change the master copy without the approval of any owner, thus allowing him to gain full access to the Safe.
Documentation
Audits/ Formal Verification
- for Version 1.1.1 by G0 Group
- for Version 1.0.0 by Runtime Verification
- for Version 0.2.0 by Alexey Akhunov
Security and Liability
All contracts are WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
License
All smart contracts are released under LGPL v.3.
Contributors
- Stefan George (Georgi87)
- Richard Meissner (rmeissner)
- Christian Lundkvist (christianlundkvist)
- Nick Dodson (SilentCicero)
- Gonçalo Sá (GNSPS)
FAQs
Circles UBI fork of Gnosis Safe Ethereum multisig contract
We found that @circles/safe-contracts demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 5 open source maintainers collaborating on the project.
Package last updated on 11 Nov 2022
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
By Olivia Brown - Sep 22, 2025
Research
/Security News
Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
By Lauren Valencia, Kirill Boychenko - Sep 17, 2025