TL;DR
Before signing any transaction:
- Understand and Verify the Payload: Confirm you have all the information needed (simulations, support sheets, screenshots), then decode and cross-check the payload using trusted frontends (e.g., EternalSafe, the Safe Mobile App, or direct on-chain inspection).
- Verify Hashes Match: Independently confirm SafeTX, Domain, and Message hashes using the OpenZeppelin Safe Utilities tool.
- Follow Best Practices: Use a dedicated hardware wallet address, maintain good laptop hygiene, and protect your signing environment.
- Report to Committee: If any unusual or suspicious app behaviour is observed on the device your signer connects to, report it and discuss it in the TG group as soon as possible. Prompt disclosure of any suspected breach is the best form of accountability. (Early disclosure = faster mitigation + peer support.)
1. Payload Understanding
It is paramount that any signer fully comprehends the payload they are authorizing. Therefore, I recommend:
- Clear display and breakdown of transaction payloads in a human-readable form.
- Where feasible, contextual cues and metadata summaries to accompany raw payloads.
2. Payload and Signature Validation
A crucial risk arises when the signer is tricked into signing something other than the intended payload. To counteract this:
- Strict use of trusted frontends and interfaces that have been vetted by Threshold Network.
- Mandatory validation steps: signers should verify the address, contract methods, and key parameters manually.
- Signers must not treat signing requests as routine approvals; each payload must be critically assessed.
Detailed Verification Process
Enhanced Verification Process