Grant Application: Safe EIP-1271 Watch Tower

CoW Grants Program
1

Grant Title: Safe EIP-1271 Watch Tower

Author: @bleu @yvesfracari @ribeirojose @mendesfabio

About You:

bleu collaborates with companies and DAOs as a web3 technology and user experience partner. We’re passionate about bridging the experience gap we see in blockchain and web3. We have completed 10+ grants for CoW Protocol, including Hook dApps, Framework-agnostic SDK, Python SDK, and various Safe apps.

Additional Links:

Our work for CoW Protocol includes:

  • [CoW] AMM Deployer: Safe app to deploy new CoW AMM pools from a Safe Wallet.
  • [CoW] Stop Loss: Safe App to create stop loss orders. During this grant we developed an API that tracks the creation of composable CoW and decodes the stop loss ones.
  • [CoW] Programmatic Orders API: Unified indexing infrastructure for all programmatic order types (Composable CoW, flash loan orders, CoWShed).
  • Proof of Concept: cow-safe-messages-watch-tower — Working prototype demonstrating the core watch tower flow. A demo of the PoC flow is here.

Grant Category:

Core Infrastructure & Developer Tooling

Grant Description:

CoW Protocol’s EIP-1271 signing scheme enables smart contract wallets like Safe to place gasless orders. However, multisig wallets face a fundamental UX challenge: the CoW Protocol backend API will only accept the EIP-1271 orders where isValidSignature returns the magic value. For a multisig, this means an order can only be submitted after all required signers have signed — but there is no infrastructure to coordinate this process and automatically submit the order once the signing threshold is reached.

Consider a 3-of-5 Safe multisig wanting to place a gasless swap on CoW Swap:

  1. The first signer creates the order and signs it as a Safe message
  2. The second signer confirms the message
  3. The third signer reaches the threshold — but nothing happens automatically
  4. Someone must manually detect the threshold was met and submit the order to the CoW API

Without a dedicated service, users must either rely on PreSign authentication (which costs gas) or manually coordinate off-chain to determine when the order is ready to be submitted.

We propose building the Safe EIP-1271 Watch Tower, a service that absorbs potential future orders/cancellations and posts them to the CoW Protocol API when they mature. The service monitors Safe message confirmations in real-time and, once the signing threshold is reached, automatically aggregates the owner signatures into a valid EIP-1271 signature and submits the order to the CoW Protocol orderbook.

All Safe-specific logic (webhook subscriptions, message polling, signature aggregation) is isolated behind a modular architecture, allowing the service to support other EIP-1271 signing flows in the future — such as other multisig implementations or custom smart contract wallets. When registering an order for monitoring, the caller specifies the order type, and the Watch Tower delegates to the appropriate strategy for polling, webhook handling, and signature composition.

The Watch Tower will:

  • Monitor Safe messages via webhooks: Register with the Safe Events Service to receive real-time MESSAGE_CONFIRMATION events via webhook, with polling as a fallback mechanism
  • Track confirmation progress: Maintain a database of pending orders and their confirmation status against the Safe’s signing threshold
  • Aggregate EIP-1271 signatures: Once threshold is met, compose the final signature by concatenating individual owner signatures in the correct format
  • Submit orders to CoW Protocol: Automatically post the fully-signed order to the CoW Protocol orderbook with the EIP-1271 signing scheme.
  • Submit order cancellations to CoW Protocol: To cancel an order, the same process needs to be followed, all Safe Owners need to sign the message. We will track and submit the order cancellation on the orderbook API.
  • Delete message tracking: One of the safe owners of a message will also have the ability to flag the order to not be tracked anymore by the watch tower. This can be done by order posting and cancelation messages. It is important to note that this doesn’t mean that the order will not be posted by anyone, since all the information is public and it can still be tracked by others.
  • Provide management APIs: Expose endpoints for registering messages to monitor, querying status, and managing the order lifecycle
  • Handle order expiry: Clean up expired orders and manage webhook subscriptions efficiently

This service is analogous to the watch tower pattern used in Composable CoW orders, but operates entirely off-chain — monitoring Safe message signatures rather than on-chain events.

Reference:

Grant Goals and Impact:

This grant will unlock gasless multisig trading on CoW Protocol by providing:

  • Gasless Multisig Swaps: Safe multisig users can place orders using EIP-1271 without any on-chain transaction, eliminating gas costs for order placement
  • Automated Signature Coordination: No manual coordination needed — the watch tower handles the entire flow from first signature to order submission
  • CoW Swap Frontend Integration: Enable the CoW Swap frontend to offer EIP-1271 order flow for Safe multisigs, improving UX for one of the most common smart wallet types in DeFi
  • Open Infrastructure: Open-source service that can be self-hosted by any team or integrated into existing CoW Protocol infrastructure

Architecture:

The Watch Tower follows a webhook-driven architecture with async job processing:

image
image3304×4040 587 KB

Flow:

  1. Client registers a CoW order (as a Safe message hash) via POST /messages
  2. Service checks if message is already fully confirmed — if yes, submits order immediately
  3. If not, stores in PostgreSQL and subscribes to Safe Events webhooks for the relevant Safe
  4. When a MESSAGE_CONFIRMATION webhook arrives, event is queued via BullMQ (Redis) for async processing
  5. Worker processes the event: fetches message details and checks confirmation count against threshold
  6. Once threshold is reached, the service extracts the CoW order, aggregates owner signatures into a valid EIP-1271 signature, and submits to the CoW Protocol orderbook
  7. Marks message as posted and cleans up webhook subscriptions if no other pending messages exist

Background Jobs:

  • Token refresh (every 30 min): Refreshes Safe Events API OAuth2 credentials
  • Pending message check (every 10 min): Fallback polling for messages that may have been missed by webhooks
  • Expired message cleanup (every 5 min): Marks and removes messages whose CoW orders have expired

Milestones:

Milestone Duration Payment
Watch Tower Development 3 weeks 9k xDAI
Observability & Instrumentation 1 week 3k xDAI
Frontend Integration UX Design 2 weeks 6k xDAI
Frontend Integration Support 3 weeks 9k xDAI

Watch Tower Development (3 weeks)

  • Express/Hono HTTP server with Swagger documentation
  • PostgreSQL database schema for tracking messages, confirmations, and order status
  • Redis + BullMQ job queue for async event processing
  • REST API endpoints: register message (POST /messages), list messages (GET /messages), remove message (DELETE /messages), health check (GET /health). It is important to notice that the remove message only marks the cancellation for the watch tower, however other services watching the safe message can still post it on the API.
  • Safe Events Service OAuth2 authentication and webhook lifecycle management (create, update, delete)
  • Real-time MESSAGE_CONFIRMATION event handling with fallback polling mechanism
  • CoW order extraction from Safe message data (EIP-712 typed data decoding)
  • EIP-1271 signature aggregation: collecting and concatenating individual owner ECDSA signatures in the correct Safe format
  • Order or its cancellation submission to CoW Protocol orderbook API with SigningScheme.Eip1271
  • Background cron jobs for token refresh, pending message checks, and expired message cleanup
  • Support for all CoW Protocol-supported chains (Ethereum, Gnosis Chain, Arbitrum, Sepolia)
  • Docker Compose setup for local development
  • Configurable access control via environment variables: allowlist of Safe addresses permitted for monitoring and allowlist of valid origins
  • Unit and integration test suite

Observability & Instrumentation (2 weeks)

  • Integrate Prometheus metrics to provide real-time visibility into service health and behavior
  • Key metrics: messages registered, confirmations received, threshold reached events, orders submitted, failed submissions, expired orders, webhook delivery latency
  • Per-chain and per-order-type breakdowns for all counters and histograms
  • Expose /metrics endpoint compatible with standard Prometheus scraping

Frontend Integration UX Design (1 week)

  • UX design for the EIP-1271 multisig order flow within CoW Swap
  • Design the signature tracking interface: display confirmation progress (e.g., 1/3 signatures collected) and current order status
  • Define order lifecycle states visible to users: awaiting signatures, submitted, expired

Frontend Integration Support (3 weeks)

  • Integrate CoW Swap frontend with the watch tower server
  • Adapt Watch Tower API based on integration needs
  • End-to-end testing on Sepolia testnet with the frontend
  • Bug fixes and review cycle with CoW core team
  • Production deployment handoff documentation

Funding Request:

We propose that milestone payments be released upon each milestone’s approval.

Budget Breakdown:

We suggest a payment structure similar to our previous grants:

  • xDAI payments for each milestone completion (total: 27k xDAI)
  • 33k COW tokens vested over 12 months for ongoing maintenance and support
  • Infrastructure costs during development are minimal and will be covered by bleu during development. For production deployment, we recommend handing off to CoW Protocol infrastructure. However, this does not include Safe API costs (more details on Other information section)

Gnosis Chain Address (to receive the grant):

0x5D40015034DA6cD75411c54dd826135f725c2498 (bleubuilders.eth)

Other Information:

  • All code will be open-source from day 0 — proof of concept already available at cow-safe-messages-watch-tower
  • We’re open to feedback during PRs and happy to collaborate closely with CoW Protocol team
  • During development we’ll deploy the service for testing, but this should be handed off to the CoW team operations after the grant conclusion
  • We’re happy to answer any questions and iterate on this proposal based on feedback
  • The application will be built on top of Safe APIs. Bugs related to their API shouldn’t block this grant success (e.g. bugs related to Safe not propagating message events properly. We’ll be implementing fallbacks such as Safe API pooling, but Safe API is an upstream dependency we have no control over).
  • Safe has plans to start API monetisation soon. The costs related to the API access shouldn’t be covered by bleu. For now, we have a access that enable us to test the project.

Terms and Conditions:

By submitting this grant application, I acknowledge and agree to be bound by the CoW DAO Participation Agreement and the CoW Grant Terms and Conditions.

2 Likes