Setup Gnosis Safe with MetaMask & 1Wallet

Here are our guideline for self-custody of project or DAO funds. Always use Gnosis Safe with multiple people and different wallets and separate devices (2FA with OTP) for $10K+ funds. No need for hardware wallets, but Google Authenticator.

Requirements

Minimum 3-out-of-6 multisignature setup:

three people, each with two separate wallets on different devices
non-overlapping passwords or authenticators
freshly-created passwords and brand-new addresses without history

Support Wallet Connect for Gnosis Safe

Support Two-Factor or Multi-Factor Authentication (2FA or MFA) using One-Time-Password (OTP) like Google Authenticator

Support low-fee and decentralized networks like Harmony, Polygon and Arbitrum

Gnosis Safe Setup

Three persons (A, B, C), each setups 2 wallets (1 and 2)

To diversify risks, use both 1Wallet and MetaMask
To diversify risks, use both desktop and mobile devices
For Gnosis Tx Signing on mobile, use Chrome or disable "Block Pop-ups" for Safari on iPhone's settings
For Google Authenticator, enable “Privacy Screen” with Face ID check under “Settings”
For Polygon networks, use MetaMask on desktop and use imToken on mobile devices with 2FA

Store the login password for MetaMask using 1Password manager

Use this uncommon setup to avoid the theft of the seed phrase: Do NOT backup the seed phrase. These wallets store trivial amounts of funds for gas fees only. In our 3-out-of-6 multisig Gnosis Safe here, the loss of a single MetaMask wallet has minimal impact – compared to a hacker gaining one third of access. The lost wallet can be easily replaced by a new one in the Gnosis Safe with approvals.
To surpass the "Protect Your Wallet" reminder, you may go through the backup process but destroy the copy of the seed phrase right away. Do NOT use "Back up again" or "Reveal Recovery Secret Phrase" under "Security & Privacy".
Copy addresses in Ethereum format and 1wallet's label on Authenticator to the section below
Copy URLs of Gnosis's transactions (T1-T4) and final funding tx (T5) below

Person A funds 10 ONE tokens to all 6 addresses for the gas fees of approvals

T1: Person A creates a fresh Gnosis Safe with all 6 addresses. (Note that creating a safe then adding 5 additional addresses as owners create a known backdoor. Owners are responsible for all transactions hereafter.)
T1x: A funds the new Safe with 10 ONE tokens
T2: C1 sends 1 ONE to Address A2 via approvals by A1 and B1
T3: B1 sends 1 ONE to C1 via approvals by A2 and C2
T4: A1 sends 1 ONE to B2 via approvals by A2 and B2
T5: A funds with $25K or more ONEs

If necessary, configure "New Spending Limit" for USD $1K daily in ONE tokens. Unlike Argent, Gnosis Safe has no tools for capping the total wallet spend per day.
Repeat test runs of T2 & T3 & T4 as audit every month (or every quarter for <$50K)

MetaMask Setup for Harmony (only Firefox/Brave/Edge, no Safari)

(Or, search and click "Connect Wallet" for "Harmony Mainnet Shard 0" on https://chainlist.org. Use MetaMask's builtin browser for mobile.)

Network Name: Harmony Mainnet
New RPC URL: https://api.harmony.one
Chain ID: 1666600000
Currency Symbol: ONE
Block Explorer URL: https://explorer.harmony.one/
Security & Privacy: Participate in MetaMetrics: OFF

MetaMask Setup for Polygon

Network Name: Polygon Mainnet
New RPC URL: https://polygon-rpc.com
Chain ID: 137
Currency Symbol: MATIC
Block Explorer URL: https://polygonscan.com

MetaMask & Gnosis Safe on Mobile

Open the full URL inside MetaMask's browser (NOT Safari Mobile).
Click the left top menu bar, pick "Browser" (right above "Wallet" and "Trasnaction History")
Enter Safe's URL such as https://multisig.harmony.one/#/safes/0x1cd1c10cB980E6ce4C02de3241dda037361e1dE7

imToken on Mobile

Click "Wallet" icon on the lower left corner
Click the network pulldown menu (default: Ethereum) below "Wallet" at the top middle
Click the "Setting" icon at the top on the right side of "Network switch"
Click the "Plus" icon at the top on the right side of "Ethereum Node Settings"
Select "Adding Quickly", then search under "EVM Box"
Add for "Harmony Mainnet Shard 0" mainnet

Sushi Swap via Gnosis Safe

Click “New Transaction” then “Contract Interaction”
Contract address: 0x1b02dA8Cb0d097eB8D57A175b88c7D8b47997506
Contract data in hex: 0x7ff36ab500000000000000000000000000000000000000000000000000000000014966db000000000000000000000000000000000000000000000000000000000000008000000000000000000000000044b41f1e72b2d6c7f6429724e4dde9609e3b9e1f000000000000000000000000000000000000000000000000000000006165d6dd0000000000000000000000000000000000000000000000000000000000000002000000000000000000000000cf664087a5bb0237a0bad6742852ec6c8d69a27a0000000000000000000000003c2b8be99c50593081eaa2a724f0b8285f5aba8f

Security Audit

The user should save 1wallet to home screen. When they do, the data will be retained indefinitely. Otherwise, Safari mobile will automatically wipe the storage if the user uses Safari mobile for 7 days without ever interacting with 1wallet. See primarily https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/ “7-Day Cap on All Script-Writeable Storage” and “A Note On Web Applications Added to the Home Screen” See also similar concern raised in nearwallet but left unresolved https://github.com/near/near-wallet/issues/479. See also discussions in https://news.ycombinator.com/item?id=22686602
Potential points of vulnerabilities are (1) how GnosisSafe::setup is called at the client (a backdoor fallbackHandler can be set there) (2) whether any malicious modules are activated by default (they skip owner authorization) (3) how the client interacts with ProxyFactory (a hacked singleton can be deployed there)

Sample Steps

Sushi Swap via Gnosis Safe