You may see an “unexpected delegate call” warning on transactions that might have harmful consequences when executed from your Safe.
In the past, we encountered an incident where an attacker used phishing techniques to trick users. Users signed a transaction that looked like a legitimate one but included a malicious instruction. With this instruction, the attacker was able to swap the Safe implementation for a malicious address that exploited the Safe later.
There were multiple factors leading to the exploit, but one of them was that the members of the Safe did not recognize a harmful transaction.
To mitigate that, we have added a check in our interfaces. It is triggered when a transaction interacts with a contract that the Safe is not aware of and can modify the properties of a Safe, such as its implementation address, owner structure, or confirmations threshold.
A transaction that can modify a Safe’s structure is executed with a special permission level and is called a “delegate operation”. In such a transaction, the Safe delegates access to its internal properties to the contract that receives the transaction call.
Not all contracts that interact via delegate call operations are malicious, and the Safe interface is not aware of all such contracts. Thus, you may encounter a false positive warning from the interface even though that specific contract interaction is safe.
However, we recommend that you do not sign or execute a transaction with a delegate call warning right away if you are not sure. Instead, check the transaction’s technical details with a technical expert and verify that the transaction in question does not have unintended consequences. We also recommend that in such cases you simulate the transaction using tools like Tenderly.
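A sketch of the kind of check described above, added here as an example and not taken from Safe's own interface code: it flags delegate calls (operation value 1 in the Safe contracts) whose target is not on a known-contracts list. It goes beyond the single-transaction case in the text by also inspecting transactions packed inside a `multiSend(bytes)` batch. The addresses, the known-contracts set and the function names are constructed for illustration.

```python
CALL, DELEGATECALL = 0, 1                        # Safe's Enum.Operation values
MULTISEND_SELECTOR = bytes.fromhex("8d80ff0a")   # selector of multiSend(bytes)

def decode_multisend(data):
    """Yield (operation, to, inner_data) for each transaction packed in multiSend(bytes)."""
    # ABI layout: selector(4) | offset(32) | length(32) | packed transactions
    start = 4 + int.from_bytes(data[4:36], "big")
    length = int.from_bytes(data[start:start + 32], "big")
    packed = data[start + 32:start + 32 + length]
    if len(data) < start + 32 or len(packed) != length:
        raise ValueError("truncated multiSend payload")
    i = 0
    while i < length:
        # Packed entry: operation(1) | to(20) | value(32) | data length(32) | data
        header = packed[i:i + 85]
        dlen = int.from_bytes(header[53:85], "big")
        inner = packed[i + 85:i + 85 + dlen]
        if len(header) < 85 or len(inner) != dlen:
            raise ValueError("truncated inner transaction")
        yield header[0], "0x" + header[1:21].hex(), inner
        i += 85 + dlen

def unexpected_delegate_calls(operation, to, data, known):
    """Return [(path, target)] for delegate calls whose target is not in `known` (lowercase)."""
    findings = []
    def walk(op, target, payload, path):
        if op == DELEGATECALL and target.lower() not in known:
            findings.append((path, target.lower()))
        if payload[:4] == MULTISEND_SELECTOR:    # look inside batched transactions too
            for n, (iop, ito, idata) in enumerate(decode_multisend(payload)):
                walk(iop, ito, idata, f"{path}[{n}]")
    walk(operation, to, data, "tx")
    return findings

# Constructed sample: placeholder addresses, not real deployments.
MULTISEND = "0x" + "aa" * 20   # assumed to be on the known-contracts list
UNKNOWN = "0x" + "bb" * 20     # a contract the Safe is not aware of
TOKEN = "0x" + "cc" * 20

def pack(op, to, data=b""):
    return bytes([op]) + bytes.fromhex(to[2:]) + bytes(32) + len(data).to_bytes(32, "big") + data

def sample_batch():
    packed = pack(CALL, TOKEN, b"\x01\x02") + pack(DELEGATECALL, UNKNOWN)
    head = MULTISEND_SELECTOR + (32).to_bytes(32, "big") + len(packed).to_bytes(32, "big")
    return head + packed + bytes(-len(packed) % 32)

if __name__ == "__main__":
    print(unexpected_delegate_calls(DELEGATECALL, MULTISEND, sample_batch(), {MULTISEND}))
```

A malformed batch raises `ValueError` instead of returning an empty result, so a payload that cannot be decoded is never reported as clean.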