The key concept is the creation of a Safe Anonymous Mail Module (SAMM) for Safe multisig that ensures the anonymity of all its participants using the Noir language and the ZK Email architecture.

SAMM workflow

A brief overview of how SAMM works (each step is described in detail in the following sections):

  1. To initiate a transaction, one of the SAMM members sends an email to the relayer's email address with all transaction information (to, data, amount, deadline).
  2. To approve a transaction, all SAMM members send emails to the relayer's email address with the msgHash specified in the email header. Each email includes a DKIM signature.
  3. Upon receiving an email, the relayer stores the approval data in the DB.
  4. When the voting threshold is reached, the relayer generates a ZK proof and stores it in the DB. After that, the relayer sends the transaction data with the proof to the on-chain SAMM contract.
  5. The SAMM contract checks that the proof is valid and that the threshold is reached. A transaction can only be executed once the threshold is met.

Smart contracts

The SAMM smart contract serves as a module for the Safe wallet and is developed following recommendations from the Safe wallet documentation. Modules are compatible with Safe wallet version 1.3.0 and above.

Contracts are written in Solidity and utilize the Foundry development framework.

The previous version of the smart contracts can be found here (SAM contracts). That version is used as the base for the SAMM contracts.

SAMM permissions

The multisig has a standard set of EOA owners who have full control over the multisig, including managing the permissions of the SAMM module.

The SAMM module has restrictions on what actions it can perform on behalf of the multisig (security policies). These restrictions are implemented and verified in the smart contract code. For example, the SAMM module cannot change the owners of the Safe multisig, or it can only call specific smart contracts.

Thus, the SAMM module is used to conveniently manage routine operations, such as payroll and assigning non-critical roles, while the standard set of owners handles critically important tasks.
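
One way such a security policy could be enforced in a Safe module, as an added sketch that is not taken from the SAMM contracts. All contract, function and error names are hypothetical except Safe's execTransactionFromModule, and the _approved hook stands in for the proof and threshold verification.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the SAMM project's contract. Every name here is
// hypothetical except execTransactionFromModule, the Safe module entry point.
interface ISafe {
    // Enum.Operation is ABI-encoded as uint8: 0 = Call, 1 = DelegateCall.
    function execTransactionFromModule(address to, uint256 value, bytes calldata data, uint8 operation)
        external
        returns (bool success);
}

abstract contract PolicyGuardedModule {
    error OnlySafe();
    error NotApproved();
    error ProtectedTarget();
    error NotAllowed(address to, bytes4 selector);
    error ExecutionFailed();

    ISafe public immutable safe;
    // target contract => function selector => allowed
    mapping(address => mapping(bytes4 => bool)) public allowed;

    constructor(ISafe safe_) {
        safe = safe_;
    }

    // Policy changes must come from the Safe itself, i.e. from a transaction
    // signed by the standard EOA owners, never from the module's own path.
    function setAllowed(address to, bytes4 selector, bool ok) external {
        if (msg.sender != address(safe)) revert OnlySafe();
        allowed[to][selector] = ok;
    }

    // Assumed hook standing in for the proof and threshold verification.
    function _approved(address to, uint256 value, bytes calldata data, bytes calldata proofs)
        internal virtual returns (bool);

    function execute(address to, uint256 value, bytes calldata data, bytes calldata proofs) external {
        if (!_approved(to, value, data, proofs)) revert NotApproved();
        // Owner/module management lives on the Safe and the policy lives here: refuse both.
        if (to == address(safe) || to == address(this)) revert ProtectedTarget();
        // Calldata shorter than 4 bytes (e.g. a plain ETH transfer) maps to selector 0x00000000.
        bytes4 selector = data.length >= 4 ? bytes4(data[:4]) : bytes4(0);
        if (!allowed[to][selector]) revert NotAllowed(to, selector);
        // Operation is pinned to Call: a DelegateCall would run against the Safe's storage.
        if (!safe.execTransactionFromModule(to, value, data, 0)) revert ExecutionFailed();
    }
}
```

Because the allowlist is keyed by target and selector and can only be edited by the Safe, the module path cannot widen its own permissions.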
