Safe Signing
Private keys never exist on machines that talk to the internet.
Two machines. One principle.
[Diagram: two-machine flow; the signed TX is carried back from the signing machine to the online machine]
What we defend against.
Key Extraction
TX Tampering
Approval Abuse
End-to-end signing architecture.
Every field. Byte by byte.
Signed TX is decoded and compared to the original plan before broadcast. Any mismatch = halt.
to: must match the target contract from the plan
from: must match the user's wallet address (the signer recovered from the signature)
data: must match the planned calldata byte-for-byte
chainId: must match the intended chain
value: must match the planned ETH amount (usually 0 for an ERC-20 call)
nonce: must match the expected sequence number
gasLimit: must not exceed the simulation estimate by more than 20%
If ANY field differs → SIGNED_TX_MISMATCH
Exact differences displayed. Broadcast refused. This catches signing malware, bridge corruption, and operator error.
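The field-by-field check above, as an added example. This is illustrative code written for this page, not the project's own implementation: it carries a minimal RLP decoder so a raw EIP-1559 (type 2) transaction can be taken apart offline, diffs each field against a plan, and refuses broadcast on any mismatch. The Plan shape, the field names, the sample addresses and the sample transactions are all constructed here; the `from` address is assumed to arrive from an upstream ecrecover step (the placeholder r/s bytes in the samples are not a valid signature, so recovery is not performed in this block).

```python
from dataclasses import dataclass

GAS_TOLERANCE_PCT = 20  # gasLimit may exceed the simulation estimate by at most 20%
TYPE2_FIELDS = ("chainId", "nonce", "maxPriorityFeePerGas", "maxFeePerGas", "gasLimit",
                "to", "value", "data", "accessList", "yParity", "r", "s")

class SignedTxMismatch(Exception):
    pass  # raised when the signed TX deviates from the plan; the caller must not broadcast
# --- minimal RLP, enough for a type-2 (EIP-1559) envelope ---
def _len_prefix(n: int, offset: int) -> bytes:
    if n < 56:
        return bytes([offset + n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(lb)]) + lb
def rlp_encode(item) -> bytes:  # int / bytes / nested list; ints are big-endian without leading zeros
    if isinstance(item, int):
        item = b"" if item == 0 else item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _len_prefix(len(item), 0x80) + bytes(item)
    body = b"".join(rlp_encode(x) for x in item)
    return _len_prefix(len(body), 0xC0) + body
def _rlp_item(data: bytes):  # decode one item -> (item, rest); strict about declared lengths
    if not data: raise ValueError("truncated RLP")
    p = data[0]
    if p < 0x80:
        return data[:1], data[1:]
    base = 0xC0 if p >= 0xC0 else 0x80
    if p - base < 56:
        n, start = p - base, 1
    else:
        ln = p - base - 55
        n, start = int.from_bytes(data[1:1 + ln], "big"), 1 + ln
    if len(data) < start + n: raise ValueError("truncated RLP payload")
    payload, rest = data[start:start + n], data[start + n:]
    if base == 0x80:
        return payload, rest
    items = []
    while payload:
        item, payload = _rlp_item(payload)
        items.append(item)
    return items, rest
def decode_type2_tx(raw: bytes) -> dict:
    """Parse 0x02 || rlp([...]) into the fields the plan check needs; anything else is rejected."""
    if raw[:1] != b"\x02": raise ValueError("not an EIP-1559 (type 2) transaction")
    fields, rest = _rlp_item(raw[1:])
    if rest or not isinstance(fields, list) or len(fields) != len(TYPE2_FIELDS):
        raise ValueError("malformed type-2 transaction")
    f = dict(zip(TYPE2_FIELDS, fields))
    ints = {k: int.from_bytes(f[k], "big") for k in ("chainId", "nonce", "gasLimit", "value")}
    return {**ints, "to": "0x" + f["to"].hex(), "data": bytes(f["data"])}

@dataclass(frozen=True)
class Plan:
    sender: str        # user wallet that must have signed (compared to the recovered signer)
    to: str            # target contract
    data: bytes        # exact calldata
    chain_id: int
    value: int
    nonce: int
    gas_estimate: int  # from the simulation run

def verify_signed_tx(raw: bytes, plan: Plan, recovered_from: str) -> list:
    """Return every field mismatch; [] means the signed TX matches the plan.
    recovered_from is assumed to come from an upstream ecrecover over the signature."""
    tx = decode_type2_tx(raw)
    pairs = [("to", tx["to"].lower(), plan.to.lower()), ("from", recovered_from.lower(), plan.sender.lower()),
             ("data", tx["data"].hex(), plan.data.hex()), ("chainId", tx["chainId"], plan.chain_id),
             ("value", tx["value"], plan.value), ("nonce", tx["nonce"], plan.nonce)]
    diffs = [f"{name}: signed={got!r} plan={want!r}" for name, got, want in pairs if got != want]
    gas_cap = plan.gas_estimate * (100 + GAS_TOLERANCE_PCT) // 100
    if tx["gasLimit"] > gas_cap:
        diffs.append(f"gasLimit: signed={tx['gasLimit']} exceeds cap={gas_cap} (estimate +{GAS_TOLERANCE_PCT}%)")
    return diffs

def gate_broadcast(raw: bytes, plan: Plan, recovered_from: str) -> bytes:
    diffs = verify_signed_tx(raw, plan, recovered_from)  # the only path to the network
    if diffs:
        raise SignedTxMismatch("SIGNED_TX_MISMATCH\n" + "\n".join(diffs))  # exact diffs, broadcast refused
    return raw

# --- constructed sample data: not real chain data, and r/s are placeholder bytes, not a valid signature ---
USER, TOKEN, RECIPIENT, ATTACKER = ("0x" + h * 20 for h in ("11", "22", "33", "44"))
def erc20_transfer_calldata(to: str, amount: int) -> bytes:  # transfer(address,uint256)
    return bytes.fromhex("a9059cbb") + bytes.fromhex(to[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")
PLAN = Plan(sender=USER, to=TOKEN, data=erc20_transfer_calldata(RECIPIENT, 10**18),
            chain_id=1, value=0, nonce=7, gas_estimate=60_000)
def build_type2_tx(**over) -> bytes:  # what an honest (or tampering) signer hands back across the gap
    t = {"chainId": 1, "nonce": 7, "gasLimit": 65_000, "to": TOKEN, "value": 0, "data": PLAN.data, **over}
    return b"\x02" + rlp_encode([t["chainId"], t["nonce"], 10**9, 30 * 10**9, t["gasLimit"],
                                 bytes.fromhex(t["to"][2:]), t["value"], t["data"], [], 0,
                                 bytes.fromhex("ab" * 32), bytes.fromhex("cd" * 32)])
GOOD_RAW = build_type2_tx()
TAMPERED_RAW = build_type2_tx(data=erc20_transfer_calldata(ATTACKER, 10**18))  # recipient swapped in transit
GAS_RAW = build_type2_tx(gasLimit=100_000)  # above the 72_000 cap (60_000 estimate + 20%)
```

`verify_signed_tx(GOOD_RAW, PLAN, USER)` returns an empty list and `gate_broadcast` hands the bytes on; `TAMPERED_RAW` produces a single `data:` diff showing both calldata values, `GAS_RAW` a single `gasLimit:` diff, and passing a different recovered signer produces a `from:` diff. The decoder is deliberately strict (declared lengths must fit, no trailing bytes, exactly twelve fields), because a lenient parser on the online side is itself an attack surface.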
Supported signing devices.
Hardware Wallet
Ledger, Trezor — USB to signing device, TX decoded on screen.
Safe Multisig
Calldata proposed to Safe; multiple signers confirm.
MetaMask / Rabby
For Tier 1 Signal users on their own hot wallet.
Keystone QR
Air-gapped QR signing — no USB, no network.
Zypher
Air-gapped optocoupler signer — 3 diodes, 2 MCUs, 2 displays. Physics-enforced isolation.
Security properties.
Key Isolation
Keys on offline device only.
TX Transparency
State diff from Anvil shown before signing.
Signing Verification
Signed TX decoded + compared to plan.
Bridge Integrity
Hash verification on both ends.
Approval Hygiene
Exact-amount only; infinite approvals blocked.
No Blind Signing
TX decoder provides human-readable labels.
Deterministic Safety
Code-enforced BLOCK rules, not agent judgment.
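Approval Hygiene and Deterministic Safety together, as an added example (not the project's rule set): ERC-20 `approve(address,uint256)` calldata is decoded and run through a small set of code-enforced BLOCK rules, so an infinite allowance, an amount other than the planned exact amount, or an unexpected spender is refused without any agent judgment in the loop. The selector is the standard ERC-20 one; the rule names, the planned-spender/planned-amount inputs and the sample addresses are constructed for this page.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = 2**256 - 1

def decode_approve(calldata: bytes):
    """Return (spender, amount) for a well-formed approve() call, None for any other selector."""
    if calldata[:4] != APPROVE_SELECTOR:
        return None
    # ABI encoding: 4-byte selector, then two 32-byte words; an address word is left-padded with 12 zero bytes
    if len(calldata) != 68 or calldata[4:16] != bytes(12):
        raise ValueError("malformed approve() calldata")
    return "0x" + calldata[16:36].hex(), int.from_bytes(calldata[36:68], "big")

def approval_block_rules(calldata: bytes, planned_spender: str, planned_amount: int) -> list:
    """Deterministic BLOCK rules for ERC-20 approvals. A non-empty result is a BLOCK; nothing overrides it."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return []  # not an approval; this rule set has nothing to say about it
    spender, amount = decoded
    blocks = []
    if amount == MAX_UINT256:
        blocks.append("BLOCK approval: infinite allowance (uint256 max)")
    if amount != planned_amount:
        blocks.append(f"BLOCK approval: amount {amount} is not the planned exact amount {planned_amount}")
    if spender.lower() != planned_spender.lower():
        blocks.append(f"BLOCK approval: spender {spender} is not the planned spender {planned_spender}")
    return blocks

def approve_calldata(spender: str, amount: int) -> bytes:  # helper to construct sample calldata
    return APPROVE_SELECTOR + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

# constructed sample inputs (not real contracts)
ROUTER = "0x" + "aa" * 20   # the spender the plan allows
PHISH = "0x" + "bb" * 20    # a spender substituted by a malicious front-end
PLANNED_AMOUNT = 5 * 10**18
EXACT = approve_calldata(ROUTER, PLANNED_AMOUNT)
INFINITE = approve_calldata(ROUTER, MAX_UINT256)
WRONG_SPENDER = approve_calldata(PHISH, PLANNED_AMOUNT)
```

`approval_block_rules(EXACT, ROUTER, PLANNED_AMOUNT)` is empty and the approval proceeds; `INFINITE` trips both the infinite-allowance rule and the exact-amount rule, and `WRONG_SPENDER` trips the spender rule. Calldata that is not an `approve()` call returns no blocks from this rule set, which is why the byte-for-byte calldata comparison against the plan has to run as well.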
Zypher: trust physics, not software.
The air-gap relay works, but it relies on software isolation. Zypher replaces that with physics: three 6N137 optocouplers fix the direction of each data channel at the hardware level. Each one has an LED on the sending side and a photodetector on the receiving side, so a channel can only carry data the way its LED faces, and no firmware on either MCU can change that. No firmware can reverse a photon.