In its current implementation, Umbra, a protocol designed to generate and operate stealth addresses, is not compatible with Safe multisigs. This proposed implementation enables Safe smart accounts to generate stealth Safes that fully inherit the properties of the master Safe (owners, approval threshold, etc.).

Stealth addresses with Umbra

Background

In most cases, the owners of a Safe are themselves accounts that do have private keys (i.e. EOAs; see the caveat under Considerations below). For a Safe transaction to be approved and executed, it requires signatures from t of the n owners, where t is an arbitrary approval threshold set by the owners.

The technical overview of the Umbra protocol is a recommended read to better understand the proposed implementation below. We use the same naming conventions in this document.

Proposed Implementation

Proposed stealth Safe implementation

Set-up

  1. Create personal stealth keypairs for all Safe owners:

    All n owners of the Safe generate personal public/private keypairs (P_view_personal / p_view_personal and P_spend_personal / p_spend_personal) by signing the same arbitrary message M_personal. They store P_view_personal and P_spend_personal in the Umbra Stealth Key Registry contract.

  2. Create a shared view key for the Safe:

    The last owner to generate personal keypairs in (1) signs another message, M_safe, to generate a public/private view keypair P_view_safe / p_view_safe linked to the Safe. This shared view keypair is what lets every owner of the Safe scan for new stealth transfers, in the same way an individual would use P_view_personal and p_view_personal. The keypair is added to a Safe Viewkey Registry contract, a new registry that is not currently part of the Umbra protocol. It contains:

    1. The address of the Safe
    2. The public view key of the Safe, P_view_safe
    3. An array of n encrypted instances of p_view_safe, one per owner, each encrypted with that owner's P_view_personal

    This way, each owner has access to the same private view key to scan for stealth transfer events.

Use

  1. Send a stealth transfer to the Safe:
    1. Look up the owners and parameters of the Safe in question (threshold, etc.)
    2. Query the Umbra stealth registry to generate a stealth address, a_stealth_personal, for each of the owners based on their P_spend_personal
    3. Deploy the stealth Safe, at a_stealth_safe, based on the n a_stealth_personal owner addresses and parameters of the original Safe
    4. Send the payment to a_stealth_safe via the Umbra Core Contract, which emits an event using P_view_safe that can be scanned by the Safe owners
  2. Detect a stealth transfer:
    1. Scan for a transfer event using p_view_safe
    2. Withdraw the payment to any address by signing a Safe transaction with t p_spend_personal keys. Gas can be paid for by the stealth Safe itself using a relayer such as Gelato SyncFee.
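The Set-up and Use flows above as one worked example. This is an added illustration, not code from the proposal or from the Umbra project: a pure-Python secp256k1 simulation in which n owners derive personal keypairs, the shared Safe view key p_view_safe is encrypted to each owner's P_view_personal, a sender derives a stealth owner set and stealth Safe address from a single ephemeral key, and each owner recovers the private key for their own stealth owner slot. Everything not fixed by the text is an assumption: the sender's shared secret is an ECDH of an ephemeral key with P_view_safe (mirroring Umbra's single-recipient flow); keys are derived from a hash of a seed instead of a wallet signature over M_personal / M_safe; the per-owner encryption is a toy ECIES; sha3_256 stands in for Keccak-256; and stealth_safe_address stands in for the Safe factory's CREATE2 address. The function names (setup_safe, send_stealth, recover_stealth_key, stealth_safe_address) are hypothetical.

```python
# Added example (not Umbra's or the proposal's code): stealth-Safe flow over secp256k1.
import hashlib
import secrets

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a if b is None else b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    out = None
    while k:
        if k & 1: out = ec_add(out, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return out

def h(*parts):
    """Assumption: sha3_256 stands in for the Keccak-256 that Ethereum uses."""
    return hashlib.sha3_256(b"".join(parts)).digest()

def b32(n):
    return n.to_bytes(32, "big")

def keypair_from_seed(seed, message):
    """Assumption: hash(seed || message) replaces Umbra's 'sign M, hash the signature'."""
    priv = int.from_bytes(h(seed, message), "big") % (N - 1) + 1
    return priv, ec_mul(priv, G)

def address(pub):
    """Illustrative address: last 20 bytes of hash(x || y)."""
    return h(b32(pub[0]), b32(pub[1]))[-20:]

def shared_secret(scalar, point):
    """ECDH secret s = hash(x-coordinate of scalar * point), reduced mod N."""
    return int.from_bytes(h(b32(ec_mul(scalar, point)[0])), "big") % N

def encrypt_to(secret_scalar, to_pub):
    """Toy ECIES (assumption, not Umbra's scheme): ephemeral ECDH -> one-time pad."""
    e = secrets.randbelow(N - 1) + 1
    pad = h(b32(ec_mul(e, to_pub)[0]))
    return ec_mul(e, G), bytes(a ^ b for a, b in zip(b32(secret_scalar), pad))

def decrypt_with(priv, eph_pub, ct):
    pad = h(b32(ec_mul(priv, eph_pub)[0]))
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, pad)), "big")

def stealth_safe_address(owner_addresses, threshold):
    """Stand-in for the deterministic (CREATE2) address the Safe factory would produce."""
    return h(bytes([threshold]), *owner_addresses)[-20:]

def setup_safe(num_owners, threshold):
    """Set-up (1)+(2): personal keypairs per owner, then one shared Safe view key
    encrypted to every owner's P_view_personal, as the Safe Viewkey Registry holds it."""
    M_personal, M_safe = b"umbra personal keys", b"umbra safe view key"  # constructed
    owners = []  # each owner's local secrets
    for i in range(num_owners):
        seed = b"owner-%d-" % i  # constructed; stands in for the owner's wallet
        p_spend, P_spend = keypair_from_seed(seed + b"spend", M_personal)
        p_view, P_view = keypair_from_seed(seed + b"view", M_personal)
        owners.append({"p_spend": p_spend, "P_spend": P_spend, "p_view": p_view, "P_view": P_view})
    p_view_safe, P_view_safe = keypair_from_seed(b"last-owner", M_safe)
    registry = {  # public, on-chain data
        "threshold": threshold,
        "owners": [(o["P_spend"], o["P_view"]) for o in owners],  # Umbra Stealth Key Registry
        "P_view_safe": P_view_safe,                                # Safe Viewkey Registry
        "enc_view_keys": [encrypt_to(p_view_safe, o["P_view"]) for o in owners],
    }
    return owners, registry

def send_stealth(registry):
    """Use (1): one ephemeral R; shared secret with P_view_safe (assumption); one stealth
    owner address per P_spend_personal; stealth Safe from those owners and the threshold."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)  # announced in the Umbra event
    sG = ec_mul(shared_secret(r, registry["P_view_safe"]), G)
    stealth_owners = [address(ec_add(P_spend, sG)) for P_spend, _ in registry["owners"]]
    return R, stealth_owners, stealth_safe_address(stealth_owners, registry["threshold"])

def recover_stealth_key(i, owners, registry, R):
    """Use (2): owner i decrypts p_view_safe, recomputes s from the announced R and
    derives p_spend_personal + s, the private key controlling their stealth owner slot."""
    o = owners[i]
    eph, ct = registry["enc_view_keys"][i]
    p_view_safe = decrypt_with(o["p_view"], eph, ct)
    p_stealth = (o["p_spend"] + shared_secret(p_view_safe, R)) % N
    return p_stealth, address(ec_mul(p_stealth, G))
```

Two properties of the flow are visible here: every owner recovers a key for exactly the slot the sender put in the stealth Safe's owner list, so the original t-of-n signer set carries over unchanged, and only a holder of p_view_safe can turn the announced R into the shared secret, so an outside observer of the event cannot map the stealth Safe back to the master Safe's owners.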

This flow would ensure no direct link can be established between the master Safe and the stealth Safe by an outsider.

Considerations