TL;DR: We’ve built a Safe module that lets you sign once for operations across multiple chains using Merkle proofs. Enables atomic cross-chain operations via EIL integration (L1-anchored security). Feature-complete, seeking technical feedback and early adopters before audit. Live on docs.
The Problem
We’ve been working with neobanks and fintech teams building on Safe, and they keep hitting the same problem: their users need Safe accounts across multiple L2s, but every configuration change requires separate signing ceremonies per chain.
Need to rotate a compromised key? Sign on Base, then Optimism, then Arbitrum, then Polygon… Adding a recovery guardian? Same process. Updating a multisig threshold? More rounds of signatures.
This creates operational overhead for end users, security risks from inconsistent configurations (easy to miss a chain), and UX friction that compounds as L2 adoption grows.
There’s been great work on chain abstraction via resource locks (Cometh/Gnosis Guild, Rhinestone, Uniswap Compact). We’ve been exploring a different layer: the signature layer.
Safe Unified Account
Safe Unified Account extends Safe’s 4337 module with a dual-mode signature scheme:
How It Works
Single-chain mode: Sign individual UserOperation hashes (normal behavior)
Multichain mode:
- Construct UserOperations for each target chain
- Arrange them in a Merkle tree
- Sign the Merkle root once (using chain-agnostic domain separator)
- Submit each operation with its Merkle proof to respective chain bundlers
- Each chain independently verifies the signature cryptographically
No bridges. No centralized relayers. Pure cryptographic verification.
What This Enables
1. Atomic cross-chain operations via EIL
By combining Unified Account with EIL (Ethereum Interoperability Layer), you get trustless atomic swaps without account-level modifications. You create a simpleSend style contract that encodes calldata on destination chains, sign once via Unified Account (Merkle root of all operations), and let EIL’s voucher system provide economic guarantees through XLP staking and slashing. L1 serves as source of truth via optimistic rollup security.
The same signed voucher that claims funds on the source chain releases funds on destination. Atomic swap guaranteed by L1, not by trust.
2. Non-atomic use cases (where atomicity isn’t needed)
Beyond atomic swaps, this works for account configuration (rotate keys, update thresholds, manage modules), recovery flows (add/remove guardians consistently across all chains), modules addition (add/remove modules across all chains) and governance (vote on proposals across chains in one signature).
Design Tradeoffs
We optimized for trustlessness (cryptographic verification, no relayer dependency), modularity (no Safe core changes, no validator modifications), and sovereignty (you control timing and execution per chain, even in atomic mode). This uses L1-anchored security rather than account-native enforcement.
The tradeoffs: EIL integration is currently limited to chains with L1 messaging like OP Stack and Arbitrum. You still need separate transactions per chain (but only one signature). And it’s a newer approach, so less battle-tested.
Current Status & What We’re Looking For
Status: Feature-complete module implementation. Security audit pending before mainnet.
We’re seeking technical validation from Safe builders and researchers. Does the Merkle proof approach make sense for Safe’s architecture? What edge cases should we consider before audit?
We’re also looking for early partners, especially teams building on Safes across multiple L2s. We can help with integration.
Not seeking mainnet adoption yet, audit first.
Resources
- Full technical spec: Safe Unified Account | Candide
- EIL under the hood (how atomic guarantees work): EIL under the hood - the gory details - HackMD
- Module implementation: Feature complete (can share smart contract repo)
- Integration: Getting Started
We’re sharing this pre-audit specifically to gather feedback that could improve the design before we lock it down. We think the Merkle proof approach is solid, but we’re genuinely uncertain about edge cases we might be missing, especially around the EIL integration and real-world use cases.
All input appreciated, especially critical takes.
Built by Candide - Smart Wallet infrastructure for neobanks and fintech products on Safe.