1---
2name: safe-wallet-management
3description: How to create and use a Safe multisig using the Safe transactions API
4---
5 
6This file has instructions on how to create and use a Safe multisig.
7 
8## Quick Navigation
9 
10| Task | Section |
11|------|---------|
12| Check if a multisig already exists | [Check if the agent has already created a multisig](#check-if-the-agent-has-already-created-a-multisig) |
13| Get the Safe address for an owner | [Get Safe address](#get-safe-address) |
14| Create a new Safe multisig | [Creating a multisig](#creating-a-multisig) |
15| Deploy smart contracts via Safe | [Deploying smart contracts using Safe multisig](#deploying-smart-contracts-using-safe-multisig) |
16| Propose a transaction to Safe | [Propose transaction to Safe Transaction Service](#3-propose-transaction-to-safe-transaction-service) |
17| Monitor and get contract address | [Monitor and Get Contract Address](#4-monitor-and-get-contract-address) |
18 
19## Network Reference
20 
21RPC URLs to be used for respective networks, make sure you know what network you are tasked to build on if you don't ask the user.
22 
23### RPC URLs
24 
25| Network | Chain ID | RPC |
26|---------|----------|-----|
27| Monad Testnet | 10143 | https://testnet-rpc.monad.xyz |
28| Monad Mainnet | 143 | https://rpc.monad.xyz |
29 
30Safe Transaction Base API URLs for respective networks, make sure you know what network you are tasked to build on.
31 
32### Safe Transaction Service (base URLs)
33 
34| Network | URL |
35| --- | --- |
36| Monad Testnet | https://api.safe.global/tx-service/monad-testnet/api/v1 |
37| Monad Mainnet | https://api.safe.global/tx-service/monad/api/v1 |
38 
39## Get Safe address
40 
41To look up Safe multisig addresses owned by a specific wallet address, query the Safe Transaction Service API.
42 
43### From local storage
44 
45Check if the agent has previously stored multisig details:
46 
47```bash
48cat ~/.monskills/multisig.json
49```
50 
51The file has `testnet` and `mainnet` properties with Safe addresses and owners for each network.
52 
53### From Safe Transaction Service API
54 
55Query the API to get all Safes owned by a given address:
56 
57**Monad testnet:**
58 
59```bash
60curl -s "https://api.safe.global/tx-service/monad-testnet/api/v1/owners/$OWNER_ADDRESS/safes/" | jq
61```
62 
63**Monad mainnet:**
64 
65```bash
66curl -s "https://api.safe.global/tx-service/monad/api/v1/owners/$OWNER_ADDRESS/safes/" | jq
67```
68 
69The response returns a `safes` array with all Safe addresses where the given address is an owner.
70 
71### Verify a Safe on-chain
72 
73To confirm a Safe exists and check its owners/threshold:
74 
75```bash
76# Get owners
77cast call $SAFE_ADDRESS "getOwners()(address[])" --rpc-url [rpc-url-respective-to-network]
78 
79# Get threshold
80cast call $SAFE_ADDRESS "getThreshold()(uint256)" --rpc-url [rpc-url-respective-to-network]
81```
82 
83## Check if the agent has already created a multisig
84 
85If the agent has created a multisig then there must be a file multisig.json in ~/.monskills/ folder. Based on the network (Monad mainnet or testnet) there might info for the same.
86 
87If multisig details are not found then create a multisig.
88 
89## Creating a multisig
90 
91**Correct flow:**
92 
931. Make sure the agent has a wallet (check for encrypted keystore in `~/.monskills/keystore/`).
942. Make sure Foundry toolkit is installed (foundryup --version)
953. Ask the user for 2 wallet address to be signers on the multisig.
964. Deploy Safe with DeploySafeCREATE2.sol (check for the script in the same folder)
97   - DeploySafeCREATE2.sol can be used for both for Monad mainnet and Monad testnet.
985. After the Safe is created make sure to store the multisig address with owners in multisig.json file in ~/.monskills/ folder, absolutely make sure that you have "testnet" and "mainnet" properties in the json file and are storing the multisig details respective to the network.
99 
100### Commands to create Safe on Monad testnet (strictly for Monad testnet only)
101 
102```bash
103# Fund agent's wallet from faucet, since it is testnet, funds can be claimed from faucet.
104FAUCET_RESPONSE=$(curl -s -X POST https://agents.devnads.com/v1/faucet \
105  -H "Content-Type: application/json" \
106  -d "{\"chainId\": 10143, \"address\": \"$AGENT_WALLET_ADDRESS\"}")
107 
108# Wait for funds
109while [ "$(cast balance $AGENT_WALLET_ADDRESS --rpc-url https://testnet-rpc.monad.xyz)" = "0" ]; do
110  sleep 2
111done
112 
113# Deploy Safe with CREATE2 (standard SafeProxyFactory)
114# Decrypt private key on-the-fly from encrypted keystore.
115# `cast wallet decrypt-keystore` prints "<uuid>'s private key is: 0x...";
116# awk '{print $NF}' strips everything except the hex key.
117OWNER_1=$OWNER_1 OWNER_2=$OWNER_2 OWNER_3=$CLAUDE_ADDRESS \
118  forge script DeploySafeCREATE2.sol:DeploySafeCREATE2 \
119    --private-key $(cast wallet decrypt-keystore --keystore-dir ~/.monskills/keystore $KEYSTORE_FILENAME --unsafe-password "" | awk '{print $NF}') \
120    --rpc-url https://testnet-rpc.monad.xyz \
121    --broadcast
122 
123echo "✅ Safe deployed: $SAFE_ADDRESS"
124echo "🌐 https://app.safe.global/home?safe=monad-testnet:$SAFE_ADDRESS"
125```
126 
127### Commands to create Safe on Monad mainnet (strictly for Monad mainnet only)
128 
129```bash
130# Check if the wallet has balance on Monad mainnet, if no balance ask the user to fund the address on Monad mainnet.
131cast balance $AGENT_WALLET_ADDRESS --rpc-url https://rpc.monad.xyz
132 
133# Deploy Safe with CREATE2 (standard SafeProxyFactory)
134# Decrypt private key on-the-fly from encrypted keystore (awk strips the
135# "<uuid>'s private key is:" prefix that cast prints).
136OWNER_1=$OWNER_1 OWNER_2=$OWNER_2 OWNER_3=$CLAUDE_ADDRESS \
137  forge script DeploySafeCREATE2.sol:DeploySafeCREATE2 \
138    --private-key $(cast wallet decrypt-keystore --keystore-dir ~/.monskills/keystore $KEYSTORE_FILENAME --unsafe-password "" | awk '{print $NF}') \
139    --rpc-url https://rpc.monad.xyz \
140    --broadcast
141 
142echo "✅ Safe deployed: $SAFE_ADDRESS"
143echo "🌐 https://app.safe.global/home?safe=monad:$SAFE_ADDRESS"
144```
145 
146Once Safe is created save the multisig address with owners in multisig.json file in ~/.monskills/ folder, absolutely make sure that you have "testnet" and "mainnet" properties in the multisig.json file and are storing the multisig details respective to the network.
147 
148## Proposing transactions via Safe multisig
149 
150A Safe multisig must be already deployed in order to deploy smart contracts or perform onchain actions.
151 
152**IMPORTANT**: This workflow uses Safe multisig for ALL transactions — deployments, contract calls, token transfers, withdrawals, etc. Direct transactions with --private-key or --broadcast are NOT allowed.
153 
154**CRITICAL: Always use `propose.mjs`** — NEVER write a new/custom script to propose Safe transactions. The `propose.mjs` file in the utils folder handles EIP-712 signing, the Transaction Service API, and QR code generation. After running `propose.mjs`, do NOT summarize, truncate, or reformat its output — the script prints a QR code that the user needs to scan. Let the terminal output speak for itself. It supports two modes:
155 
156| Mode | Env vars | Use case |
157|------|----------|----------|
158| Deploy | `DEPLOYMENT_BYTECODE` | Smart contract deployment via CreateCall delegatecall |
159| Call | `TX_TO` + `TX_DATA` (+ optional `TX_VALUE`) | Any contract call: withdraw, swap, transfer, approve, etc. |
160 
161Common env vars for both modes: `CHAIN_ID`, `SAFE_ADDRESS`, `PRIVATE_KEY`.
162 
163Approach:
164 
165✅ Prepare calldata (deployment bytecode OR encoded function call)
166✅ Post to Transaction Service API with Agent's EIP-712 signature via `propose.mjs`
167✅ User sees transaction in Safe UI queue, signs (2/2), executes
168✅ QR code printed in terminal for mobile approval
169 
170---
171 
172### Deploying smart contracts
173 
174**CRITICAL**: Safe wallets cannot directly CREATE contracts from a normal CALL. To deploy through a Safe, delegatecall into Safe's CreateCall helper smart contract so the CREATE happens in the Safe's context (Safe becomes the deployer).
175 
176CreateCall: 0x9b35Af71d77eaf8d7e40252370304687390A1A52 (same address on both Monad mainnet and Monad testnet)
177 
178Why it's needed:
179 
180- Safe executes transactions via CALL/DELEGATECALL (not CREATE)
181- Delegate calling CreateCall runs CREATE inside the Safe's context
182- Safe becomes the deployer (no factory-ownership footgun)
183- Matches Foundry simulations using --sender <SAFE_ADDRESS>
184 
185```sol
186interface ICreateCall {
187    function performCreate(uint256 value, bytes memory deploymentData) external returns (address);
188    function performCreate2(uint256 value, bytes memory deploymentData, bytes32 salt) external returns (address);
189}
190```
191 
192#### 1. Prepare deployment bytecode
193 
194Use forge script with --sender set to the Safe address:
195 
196```bash
197forge script script/Deploy.s.sol:DeployScript \
198  --rpc-url [rpc-url-respective-to-network] \
199  --sender <SAFE_ADDRESS>
200```
201 
202This simulates the deployment from the Safe wallet without broadcasting.
203 
204#### 2. Extract Deployment Bytecode
205 
206```bash
207# Extract deployment bytecode
208DEPLOYMENT_BYTECODE=$(jq -r '.transactions[0].transaction.input' \
209  broadcast/Deploy.s.sol/[chain-id-respective-to-network]/dry-run/run-latest.json)
210 
211# Ensure Safe address is checksummed
212SAFE_ADDRESS=$(cast to-check-sum-address "<SAFE_ADDRESS>")
213```
214 
215#### 3. Propose deployment to Safe Transaction Service
216 
217Invoke the `propose.sh` wrapper alongside `propose.mjs` in this folder — it
218bootstraps a dependency cache at `~/.monskills/propose-deps/` the first time it
219runs (one-time `npm install` of `viem` + `qrcode-terminal`), then executes the
220proposer. Do NOT copy `propose.mjs` into the project dir or run
221`npm install --no-save viem` — Node will fail to resolve viem against the
222script's own directory.
223 
224```bash
225# Run proposal — set CHAIN_ID to 143 (mainnet) or 10143 (testnet).
226# SCRIPT_DIR is the absolute path to this `utils/` folder inside the monskills
227# plugin (the one containing propose.sh and propose.mjs).
228# awk '{print $NF}' strips cast's "<uuid>'s private key is:" prefix.
229CHAIN_ID=$CHAIN_ID \
230  SAFE_ADDRESS=$SAFE_ADDRESS \
231  PRIVATE_KEY=$(cast wallet decrypt-keystore --keystore-dir ~/.monskills/keystore $KEYSTORE_FILENAME --unsafe-password "" | awk '{print $NF}') \
232  DEPLOYMENT_BYTECODE=$(jq -r '.transactions[0].transaction.input' \
233    broadcast/Deploy.s.sol/$CHAIN_ID/dry-run/run-latest.json) \
234  bash "$SCRIPT_DIR/propose.sh"
235```
236 
237---
238 
239### Calling contracts (withdraw, swap, transfer, approve, etc.)
240 
241For any transaction that calls an existing contract function, encode the calldata and use `propose.mjs` in Call mode.
242 
243#### 1. Encode calldata with `cast`
244 
245```bash
246# Example: withdraw(uint256 amount)
247TX_DATA=$(cast calldata "withdraw(uint256)" 1000000000000000000)
248 
249# Example: transfer(address to, uint256 amount)
250TX_DATA=$(cast calldata "transfer(address,uint256)" 0xRecipient 1000000000000000000)
251 
252# Example: approve(address spender, uint256 amount)
253TX_DATA=$(cast calldata "approve(address,uint256)" 0xSpender 1000000000000000000)
254```
255 
256#### 2. Propose contract call to Safe Transaction Service
257 
258Use `propose.sh` (same wrapper as above). `SCRIPT_DIR` is the absolute path to
259this `utils/` folder.
260 
261```bash
262CHAIN_ID=$CHAIN_ID \
263  SAFE_ADDRESS=$SAFE_ADDRESS \
264  PRIVATE_KEY=$PRIVATE_KEY \
265  TX_TO=$TARGET_CONTRACT_ADDRESS \
266  TX_DATA=$TX_DATA \
267  TX_VALUE=0 \
268  bash "$SCRIPT_DIR/propose.sh"
269```
270 
271Set `TX_VALUE` to the amount of native token (in wei) to send with the call, or omit for 0.
272 
273---
274 
275### Example output (both modes):
276 
277```
278✅ Agent's address: 0x937d...
279✅ Safe nonce: 0
280✍️  Signing with EIP-712...
281✅ Transaction hash: 0x0560...
282✅ Agent signed (1/2)
283📤 Posting to Transaction Service API...
284✅ Transaction proposed successfully!
285 
286🎉 Transaction appears in Safe UI queue!
287 
288Scan QR code to approve on mobile:
289 
290▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
291█ ▄▄▄▄▄ █ QR  █
292█ █   █ █ here █
293█ ▀▀▀▀▀ █      █
294▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
295 
296User can now:
2971. Open [safe url] (or scan QR code above)
2982. See pending transaction (agent already signed 1/2)
2993. Sign with their wallet (2/2)
3004. Execute
301```
302 
303Ask the user to approve the transaction on the multisig page and ask for the transaction hash.
304 
305### 4. Monitor and Get Contract Address
306 
307After user executes the transaction in Safe UI:
308 
309```bash
310# User provides transaction hash after execution
311cast receipt <TRANSACTION_HASH> --rpc-url https://testnet-rpc.monad.xyz
312```
313 
314**Do NOT use the `contractAddress` field — it is always `null` for Safe deployments.** The Safe didn't directly `CREATE`; it delegatecalled into CreateCall, so the receipt's top-level `contractAddress` stays empty. The deployed address is in the `ContractCreation(address)` log emitted by CreateCall.
315 
316Parse it from the logs:
317 
318```bash
319cast receipt <TRANSACTION_HASH> --rpc-url https://testnet-rpc.monad.xyz --json \
320  | jq -r '.logs[] | select(.address == "0x9b35Af71d77eaf8d7e40252370304687390A1A52") | "0x" + .data[26:66]'
321```
322 
323(`0x9b35Af71d77eaf8d7e40252370304687390A1A52` is the CreateCall address on Monad mainnet and testnet — see `addresses/`.)
324 
325### 5. Verify Smart Contract
326 
327**After every smart contract deployment, you MUST verify the contract.** Do not skip this step. Refer to the **Verification (All Explorers)** section in `scaffold/SKILL.md` for full instructions. Use the verification API (`https://agents.devnads.com/v1/verify`) — it verifies on all 3 explorers (MonadVision, Socialscan, Monadscan) with one call.