🔒Safe

Non-Custodial

When you sign up as an ether.fi Member, a Turnkey signer is automatically created for your account. This Turnkey signer serves as the owner of your Safe and can only be accessed by you — never by ether.fi nor TurnKey.

We work with Turnkey to provide secure, non-custodial key management. It removes the need to rely on phishable seed phrases, uses familiar authentication methods, and is embedded more deeply into our application for a seamless user experience. Signing onchain transactions with your in-app wallet requires explicit, cryptographic authentication using your passkey, email address, or social login.

Turnkey uses AWS Nitro secure enclaves, a type of tamper-proof Trusted Execution Environment (TEE), for all sensitive operations. Private keys are never decrypted outside these enclaves, and only you can authorize key usage with your credentials. Turnkey has also implemented stringent protocols to prevent individual engineers from altering enclave code, ensuring a secure end-to-end deployment process.

For more details, see Turnkey’s security documentation here.

Security Architecture

Multisig Protection

ether.fi's Safe implements a multisignature (multisig) security model:

  • Your Safe can have multiple owners, each with their own unique signature

  • You've established a signature threshold—the minimum number of required owner signatures to authorize any transaction

  • For example, if your Safe has 3 owners with a threshold of 2, any transaction on the Safe requires approval from at least 2 of these 3 owners

  • The owners can also authorize some users as admins of the Safe who can carry out certain operations on their own.

  • Each owner is by default an admin

Managing Your Safe's Ownership Structure

As a Safe owner, you can:

  • Add new owners to your Safe

  • Remove existing owners from your Safe

  • Adjust your signature threshold to increase or decrease security requirements

  • View the current ownership structure and signature requirements

Any changes to your Safe's ownership or threshold settings require transaction approval according to your current threshold requirements.
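The rules above (distinct owner signatures counted against a threshold, and ownership changes judged by the threshold in force at the time) are easy to get subtly wrong, so here is an added toy model of them. It is a constructed illustration, not ether.fi's or Safe's code: "signatures" are owner identifiers (strings) rather than real cryptographic signatures, and the owner names are made up.

```python
# Toy model of the owner/threshold rules described above. Constructed for
# illustration; not ether.fi's or Safe's code. "Signatures" are owner
# identifiers (strings) rather than real cryptographic signatures.
from dataclasses import dataclass


class SafeError(Exception):
    """Raised when a transaction does not satisfy the Safe's rules."""


@dataclass
class MultisigSafe:
    owners: set
    threshold: int

    def __post_init__(self):
        self._validate(self.owners, self.threshold)

    @staticmethod
    def _validate(owners, threshold):
        # A threshold above the owner count could never be met; below 1 is meaningless.
        if not owners:
            raise SafeError("a Safe needs at least one owner")
        if not 1 <= threshold <= len(owners):
            raise SafeError(f"threshold {threshold} must be between 1 and {len(owners)}")

    def count_valid_approvals(self, approvals):
        # Only distinct *current* owners count: a repeated signature or a
        # signature from a non-owner adds nothing toward the threshold.
        return len(set(approvals) & self.owners)

    def _require_threshold(self, approvals):
        valid = self.count_valid_approvals(approvals)
        if valid < self.threshold:
            raise SafeError(f"{valid} valid approvals, {self.threshold} required")

    def execute(self, description, approvals):
        """Execute an ordinary transaction once the threshold is met."""
        self._require_threshold(approvals)
        return f"executed: {description}"

    def add_owner(self, new_owner, approvals, new_threshold=None):
        # Ownership changes are themselves transactions judged by the CURRENT threshold.
        self._require_threshold(approvals)
        owners = self.owners | {new_owner}
        threshold = self.threshold if new_threshold is None else new_threshold
        self._validate(owners, threshold)
        self.owners, self.threshold = owners, threshold
        return self.structure()

    def remove_owner(self, owner, approvals, new_threshold=None):
        self._require_threshold(approvals)
        if owner not in self.owners:
            raise SafeError(f"{owner} is not an owner")
        owners = self.owners - {owner}
        threshold = self.threshold if new_threshold is None else new_threshold
        # Refuses, for example, to leave 1 owner with a threshold of 2 (a bricked Safe).
        self._validate(owners, threshold)
        self.owners, self.threshold = owners, threshold
        return self.structure()

    def change_threshold(self, new_threshold, approvals):
        self._require_threshold(approvals)
        self._validate(self.owners, new_threshold)
        self.threshold = new_threshold
        return self.structure()

    def structure(self):
        """The 'view the current ownership structure' operation."""
        return {"owners": sorted(self.owners), "threshold": self.threshold}


if __name__ == "__main__":
    safe = MultisigSafe({"alice", "bob", "carol"}, threshold=2)
    print(safe.execute("send 1 ETH", approvals=["alice", "carol"]))
    print(safe.remove_owner("carol", approvals=["alice", "bob"]))
```

The two checks worth noticing are that approvals are deduplicated and intersected with the current owner set before counting, and that a removal which would leave the threshold unreachable is rejected unless a new threshold is supplied in the same transaction.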

Modularity

Your Safe can connect with modules—specialized smart contracts that extend your Safe's functionality while maintaining its security.

Your Module Options

Your Safe comes with several pre-configured modules:

  1. Default Modules (automatically available):

    • EtherFi Cash Module: Core neo-bank functionalities

    • EtherFi Stake Module: Participate in EtherFi Stake and let your funds work for you

    • EtherFi Liquid Module: Put your funds to autopilot using EtherFi Liquid vaults

    • OpenOcean Swap Module: Integration for token swapping

  2. Additional Whitelisted Modules:

    • Additional modules reviewed and whitelisted by EtherFi

    • You must explicitly authorize these modules with owner signatures meeting your threshold before they can interact with your Safe

Module Security Protocols

To protect your assets:

  • EtherFi maintains a strict module whitelisting process

  • Only modules that have passed security reviews can be added to the whitelist

  • You maintain full control over which whitelisted modules can interact with your Safe

  • Only EtherFi can designate default modules that are available to all users

Configuring Your Safe's Modules

To add a whitelisted module to your Safe:

  1. Confirm the module appears on EtherFi's official whitelist

  2. Initiate a module authorization transaction

  3. Collect the required number of owner signatures according to your threshold

  4. Once authorized, the module can interact with your Safe according to its defined permissions
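To make the two gates concrete (EtherFi's whitelist first, then the owners' own threshold authorization, and only then any module action), here is an added toy model of the module authorization steps above. It is a constructed illustration, not ether.fi's or Safe's code; the module names, the "etherfi" maintainer identity and the owner identifiers are made up.

```python
# Toy model of the two gates a module must pass before it can act on a Safe:
# (1) EtherFi's whitelist, and (2) the owners' own threshold authorization.
# Constructed illustration, not ether.fi's or Safe's code; module names,
# the "etherfi" maintainer identity and the owner identifiers are made up.


class ModuleError(Exception):
    """Raised when a module action violates the whitelist or authorization rules."""


class ModuleGate:
    MAINTAINER = "etherfi"  # constructed identity for the party that controls the whitelist

    def __init__(self, owners, threshold, whitelist, default_modules):
        self.owners, self.threshold = set(owners), threshold
        self.whitelist = set(whitelist)
        # Default modules are whitelisted and available without an owner vote.
        self.default_modules = set(default_modules) & self.whitelist
        self.enabled = set(self.default_modules)

    def _require_threshold(self, approvals):
        # Only distinct current owners count toward the threshold.
        valid = len(set(approvals) & self.owners)
        if valid < self.threshold:
            raise ModuleError(f"{valid} owner approvals, {self.threshold} required")

    def designate_default(self, module, caller):
        # Only the whitelist maintainer may promote a module to "default".
        if caller != self.MAINTAINER:
            raise ModuleError("only the whitelist maintainer can designate defaults")
        if module not in self.whitelist:
            raise ModuleError(f"{module} is not whitelisted")
        self.default_modules.add(module)
        self.enabled.add(module)
        return sorted(self.enabled)

    def enable_module(self, module, approvals):
        # Step 1: the whitelist check happens before any signatures are counted.
        if module not in self.whitelist:
            raise ModuleError(f"{module} is not on the whitelist")
        # Steps 2-3: the authorization is an owner transaction judged by the threshold.
        self._require_threshold(approvals)
        self.enabled.add(module)
        return sorted(self.enabled)

    def disable_module(self, module, approvals):
        # Owners keep control over which whitelisted modules may act on their Safe.
        self._require_threshold(approvals)
        self.enabled.discard(module)
        return sorted(self.enabled)

    def module_call(self, module, action):
        # Step 4: only an enabled module may act on the Safe.
        if module not in self.enabled:
            raise ModuleError(f"{module} is not authorized on this Safe")
        return f"{module} performed {action}"


if __name__ == "__main__":
    gate = ModuleGate(
        owners={"alice", "bob", "carol"}, threshold=2,
        whitelist={"cash", "stake", "liquid", "swap", "extra"},
        default_modules={"cash", "stake", "liquid", "swap"},
    )
    print(gate.module_call("cash", "pay merchant"))           # default module: works at once
    print(gate.enable_module("extra", ["alice", "bob"]))       # whitelisted + threshold met
    print(gate.module_call("extra", "rebalance"))
```

Note the ordering: a module that is not on the whitelist is rejected before any owner signatures are counted, so the owners cannot authorize an unreviewed module even unanimously.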

Recovery

Your Safe includes a sophisticated recovery system that balances security with practical recovery options.

Your Default Recovery Configuration

Your Safe is initially configured with:

  • Two designated recovery signers:

    1. An EtherFi corporate signer

    2. A trusted third-party signer selected by EtherFi

  • A recovery threshold requiring approval from both signers

Customizing Your Recovery Settings

As a Safe owner, you have complete control over your recovery system:

  • Replace Recovery Signers: Designate your own trusted contacts as recovery signers

  • Adjust Recovery Threshold: Set how many recovery signatures are required to initiate recovery

  • Expand Your Recovery Network: Add additional recovery signers for enhanced security

  • Disable Recovery: You can disable the recovery feature entirely if you prefer

All recovery setting changes require approval according to your Safe's current owner threshold.

The Recovery Process Timeline

If you need to recover your Safe:

  1. Your designated recovery signers must approve the recovery action according to your recovery threshold

  2. Upon approval, a mandatory 3-day timelock period begins

  3. During this timelock period, any of your Safe's original owners can cancel the recovery process

  4. If the recovery isn't cancelled, the new ownership configuration takes effect after the timelock expires

The Importance of Your Timelock Period

The 3-day timelock provides critical protection:

  • Gives you time to respond if unauthorized recovery is attempted

  • Allows cancellation of mistaken or malicious recovery attempts

  • Provides necessary notice to all stakeholders before ownership changes

Managing or Disabling Recovery

While recovery provides important security benefits, you may modify or disable it:

  1. Initiate a transaction to update recovery settings or disable the feature

  2. Gather the required signatures from Safe owners according to your threshold

  3. If you disable recovery, consider implementing alternative backup access methods
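The recovery timeline above (recovery signers approve, a 3-day timelock runs, any current owner can cancel during it, and the new owners take effect only after expiry) and the settings changes in this section (update or disable recovery with owner-threshold approval) are modelled together in the following added state machine. It is a constructed illustration, not ether.fi's contract code: time is an integer timestamp passed in explicitly so the flow can be exercised deterministically, and the signer and owner names are made up.

```python
# Toy state machine for the recovery flow described above: recovery signers
# propose a new owner set, a 3-day timelock runs, any current owner may cancel
# during it, and the change takes effect only after expiry. Constructed
# illustration, not ether.fi's contract code; time is an integer timestamp
# passed in explicitly so the flow can be exercised deterministically.

TIMELOCK_SECONDS = 3 * 24 * 60 * 60  # the 3-day timelock from the text


class RecoveryError(Exception):
    """Raised when a recovery action violates the rules."""


class RecoverySafe:
    def __init__(self, owners, owner_threshold, recovery_signers, recovery_threshold):
        self.owners = set(owners)
        self.owner_threshold = owner_threshold
        self.recovery_signers, self.recovery_threshold = set(), 0
        self._set_recovery(recovery_signers, recovery_threshold)
        self.pending = None  # {"new_owners", "new_threshold", "ready_at"} while a recovery is in flight

    # --- recovery settings: changed only with owner-threshold approval ----------
    def _set_recovery(self, signers, threshold):
        signers = set(signers)
        if signers and not 1 <= threshold <= len(signers):
            raise RecoveryError("recovery threshold must be between 1 and the signer count")
        if not signers and threshold != 0:
            raise RecoveryError("no signers means recovery is disabled; threshold must be 0")
        self.recovery_signers, self.recovery_threshold = signers, threshold

    def update_recovery(self, signers, threshold, owner_approvals):
        # Replacing signers, changing the recovery threshold, or adding signers
        # all go through here and are judged by the owners' current threshold.
        if len(set(owner_approvals) & self.owners) < self.owner_threshold:
            raise RecoveryError("owner threshold not met for recovery settings change")
        self._set_recovery(signers, threshold)
        return self.recovery_enabled()

    def disable_recovery(self, owner_approvals):
        return self.update_recovery(set(), 0, owner_approvals)

    def recovery_enabled(self):
        return bool(self.recovery_signers)

    # --- the recovery flow itself ---------------------------------------------
    def propose_recovery(self, new_owners, new_threshold, recovery_approvals, now):
        if not self.recovery_enabled():
            raise RecoveryError("recovery is disabled on this Safe")
        if self.pending is not None:
            raise RecoveryError("a recovery is already pending")
        valid = len(set(recovery_approvals) & self.recovery_signers)
        if valid < self.recovery_threshold:
            raise RecoveryError(f"{valid} recovery approvals, {self.recovery_threshold} required")
        new_owners = set(new_owners)
        if not 1 <= new_threshold <= len(new_owners):
            raise RecoveryError("proposed owner set and threshold would brick the Safe")
        self.pending = {"new_owners": new_owners, "new_threshold": new_threshold,
                        "ready_at": now + TIMELOCK_SECONDS}
        return self.pending["ready_at"]

    def cancel_recovery(self, caller):
        # Any single *current* owner can veto during the timelock; no threshold needed.
        if self.pending is None:
            raise RecoveryError("nothing to cancel")
        if caller not in self.owners:
            raise RecoveryError(f"{caller} is not a current owner")
        self.pending = None
        return True

    def finalize_recovery(self, now):
        if self.pending is None:
            raise RecoveryError("no pending recovery")
        if now < self.pending["ready_at"]:
            remaining = self.pending["ready_at"] - now
            raise RecoveryError(f"timelock still running, {remaining} seconds remain")
        self.owners = self.pending["new_owners"]
        self.owner_threshold = self.pending["new_threshold"]
        self.pending = None
        return sorted(self.owners)


if __name__ == "__main__":
    safe = RecoverySafe({"alice"}, 1, {"etherfi", "third_party"}, 2)
    t0 = 1_700_000_000
    ready = safe.propose_recovery({"alice_new_key"}, 1, ["etherfi", "third_party"], now=t0)
    print("recovery executable at", ready)
    print(safe.finalize_recovery(now=ready))
```

The cancel path is deliberately single-signer: the timelock exists so that one surviving owner key is enough to stop a mistaken or hostile recovery, whereas changing the recovery settings themselves still needs the full owner threshold.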
