Guard Contract
The Guard is what prevents your Safe from removing its own security measures. Think of it as a lock on the lock.
What Problem Does It Solve?
Without the Guard, someone who compromises your Safe could just disable the timelock and steal everything instantly. They'd do something like:
- Get control of enough signers to meet the threshold
- Remove the timelock module from the Safe
- Transfer all funds immediately
The Guard makes this impossible.
What the Guard Does
The Guard sits between your Safe and every transaction it tries to execute. Before anything happens, the Guard checks: "Is this allowed?"
Here's what it blocks:
Can't Remove the Guard
The Safe cannot disable the Guard contract. This would be like a bank vault being able to remove its own lock. Not allowed.
The Guard can only be removed through a timelocked transaction, which gives you time to notice and cancel.
Can't Change Owners Without Timelock
Want to add a new signer? Remove an old one? Change the threshold?
All of these have to go through the timelock. The Safe can't make these changes directly.
This means even if an attacker gets your keys, they can't immediately add their own address as a signer and lock you out.
Can't Add or Remove Modules
Modules are powerful contracts that have special access to your Safe. The timelock itself is a module.
The Guard requires any module changes to go through... you guessed it, the timelock.
No Delegate Calls
Delegate calls let a contract run code from another contract with full access to its own storage. This is powerful but dangerous.
The Guard blocks all delegate calls from your Safe. No exceptions.
Why? An attacker could use a delegate call to bypass all the other restrictions. The Guard closes this loophole.
No Self-Calls
The Safe can't call functions on itself. This prevents sneaky workarounds to the other restrictions.
How It Works
When your Safe tries to execute a transaction, here's what happens:
- Safe prepares a transaction
- Guard intercepts it and checks all the restrictions
- If anything violates a rule, the transaction fails
- If everything's fine, the transaction proceeds
[Diagram would go here showing Safe → Guard → Check → Execute/Reject flow]
The Guard is set up during deployment and automatically checks every transaction. You don't have to do anything.
What You Can Still Do
The Guard doesn't block normal operations. You can:
- Send ETH or tokens
- Interact with smart contracts
- Call DeFi protocols
- Do basically anything except change the Safe's security settings
Those security settings (signers, modules, guard) can still be changed, but they have to go through the timelock.
Why This Matters
Let's walk through a realistic attack scenario:
Without the Guard:
- Attacker steals your signer keys
- They immediately remove the timelock module
- They transfer all your funds
- You lose everything
With the Guard:
- Attacker steals your signer keys
- They try to remove the timelock module
- Guard blocks it
- They try to remove the Guard itself
- Guard blocks it (requires going through the timelock)
- They schedule a transaction through the timelock
- You have days or weeks to notice and cancel it
The Guard is what makes the timelock security model actually work. Without it, the whole system falls apart.
Technical Details (Optional)
For those who want to understand the implementation:
The Guard implements the checkTransaction and checkAfterExecution hooks from the Safe Guard interface. Every Safe transaction calls these before and after execution.
The restrictions are enforced by checking:
- Transaction operation type (no delegate calls)
- Transaction target (no self-calls or guard changes)
- Calldata (parsed to detect unauthorized owner/module changes)
All code is immutable and has been audited. You can review it on GitHub.
Common Questions
Can I remove the Guard?
Only through a timelocked transaction. You'd schedule the removal, wait through your delay period, then execute it.
We strongly recommend against this. Removing the Guard makes your wallet much less secure.
Does the Guard slow things down?
Barely. The checks are simple and gas-efficient. You probably won't notice any difference in gas costs.
What if the Guard has a bug?
The Guard has been:
- Audited by Code4rena (0 high-severity issues)
- Formally verified with Certora
- Reviewed by security experts
- Battle-tested with Gnosis Safe patterns
It's as safe as we can make it. But like any smart contract, use at your own risk.
Can the Guard be upgraded?
No. It's immutable. If a bug is found, you'd need to deploy a new Guard and switch to it (through the timelock, of course).
Related Concepts
- Timelock - The delay mechanism the Guard protects
- Architecture - How all the pieces fit together
- Security Model - The overall security design