Multisig owners are signing transactions they cannot read
Every signature was real, but the transaction was not the one the owners thought they had approved.
On February 21, 2025, Bybit lost roughly 1.5 billion dollars from an Ethereum cold wallet, the largest crypto theft on record. The multisig worked exactly as designed. The threshold was met, the required owners signed and the transaction executed. What failed was legibility. The signers saw a benign transfer in their interface while the calldata underneath moved 401,000 ETH to addresses controlled by North Korea’s Lazarus Group. They approved what they could see, and what they could see had been quietly swapped for something else. This is blind signing, the practice of authorizing a transaction whose true effect you have not independently verified, and the gap between what a multisig owner reads and what they actually authorize is the single largest unsolved problem in on-chain treasury operations. It gets worse the moment AI Agents start touching the same Safes.
A multisig is supposed to remove single points of failure by requiring several humans to agree before money moves. The security model assumes each of those humans can evaluate what they are agreeing to. Strip that assumption out and a five-of-nine Safe is not five independent checks, it is one unreadable transaction signed five times.
Why multisig review collapses into trust
Reviewing a Safe transaction properly is real work. You decode the raw calldata into a human-readable action, simulate the resulting state against the current chain to confirm the action does what it claims, check the counterparty address against the team’s history of known entities and then match the whole thing to whatever invoice, spec or governance proposal authorized it in the first place. Done carefully that is fifteen to twenty minutes per transaction, and a busy treasury signs several a week across payroll, vendor payments and contract upgrades.
Nobody has that time on every transaction, so review quietly degrades into pattern-matching. A familiar Slack message, a signer you trust, a transaction that looks like last month’s, and the signature goes through in seconds. Bybit’s fatal signature cleared in well under a minute. The interface said one thing, the bytes said another and the social proof of nine colleagues all clicking approve did the rest. Trust filled the space where review was supposed to be, and trust is precisely the thing an attacker manufactures.
What blind signing actually costs
Blind signing happens because the tooling shows owners a hex string and a destination and asks them to trust that the two match the intent in their heads. It is not an edge case reserved for billion-dollar exchanges, it is the default operating mode of almost every multisig, because decoding calldata by hand on every transaction is impractical for any team moving at the speed of a real treasury.
The cost is not only catastrophic theft. It is also the slow tax of routine error, a transfer with one zero too many, a payment to a stale address, a contract upgrade pointed at the wrong implementation, a duplicate nonce that quietly competes with a legitimate transaction already in the queue. Each of these is an unreadable transaction that a human waved through because reading it correctly would have meant twenty minutes they did not have. The exploits make headlines. The fat-finger losses and misrouted payments never do, and in aggregate they cost teams more than the rare heist.
How AI Agents make legibility non-negotiable
The pressure is about to compound. Finance teams are starting to put AI Agents into the loop on treasury operations, drafting transfers, assembling contract calls and managing recurring payments at machine speed. An Agent that proposes transactions faster than humans can carefully read them does not fix blind signing, it industrializes it. Speed on the proposal side without legibility on the approval side just means more unreadable transactions arriving more often.
The way out is not to take humans off the keys. It is to put something between the proposal and the signature that does the twenty minutes of review every time, without getting tired or pattern-matching. That something has to decode every transaction into plain language, simulate it before a single owner signs, reconcile it against the invoices and history that authorized it and hold anything that does not match. It has to be wired into the systems a finance team already uses, the Safe queue, the directory of known counterparties, the folder of invoices, the team’s accumulated memory of what normal looks like. And it has to be structurally incapable of signing on its own, a reviewer and proposer that never holds a key and never counts toward the threshold, so the humans stay in control while finally getting to read what they sign.
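The decode and reconcile steps described above can be sketched as follows; this is an added example, not code from the original post or from any Safe tooling. The function names, addresses, invoice and counterparty directory are constructed for illustration, only native transfers and ERC-20 transfer(address,uint256) calls are decoded, and the simulation step is left out because it needs live chain state.

```python
# Added example: decode-and-reconcile check for a queued Safe transaction.
# Every address, the invoice and the directory below are constructed samples.
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

def decode(tx):
    """Turn a queued transaction into a plain-language action dict."""
    data = bytes.fromhex(tx["data"].removeprefix("0x"))
    if not data:
        return {"kind": "native transfer", "recipient": tx["to"].lower(),
                "asset": "ETH", "amount": tx["value"]}
    if data[:4] == ERC20_TRANSFER and len(data) == 68 and not any(data[4:16]):
        return {"kind": "token transfer", "recipient": "0x" + data[16:36].hex(),
                "asset": tx["to"].lower(), "amount": int.from_bytes(data[36:68], "big")}
    return {"kind": "unknown call", "selector": "0x" + data[:4].hex()}

def review(tx, invoice, known):
    """Return reasons to hold the transaction; an empty list means it matches."""
    holds = []
    if tx.get("operation", 0) != 0:  # Safe operation field: 0 = call, 1 = delegatecall
        holds.append("operation is not a plain call")
    action = decode(tx)
    if action["kind"] == "unknown call":
        return holds + [f"cannot decode selector {action['selector']}"]
    if action["kind"] == "token transfer" and tx["value"] != 0:
        holds.append("token transfer also carries native value")
    if action["recipient"] not in known:
        holds.append(f"recipient {action['recipient']} not in counterparty directory")
    for field in ("recipient", "asset", "amount"):
        if action[field] != invoice[field]:
            holds.append(f"{field}: calldata says {action[field]}, invoice says {invoice[field]}")
    return holds

def transfer_calldata(to, amount):
    return "0x a9059cbb".replace(" ", "") + to[2:].rjust(64, "0") + f"{amount:064x}"

TOKEN, VENDOR, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
INVOICE = {"recipient": VENDOR, "asset": TOKEN, "amount": 2500_000000}
KNOWN = {VENDOR}
GOOD = {"to": TOKEN, "value": 0, "operation": 0, "data": transfer_calldata(VENDOR, 2500_000000)}
SWAPPED = dict(GOOD, data=transfer_calldata(OTHER, 25000_000000))  # new payee, extra zero
DELEGATE = dict(GOOD, operation=1)

if __name__ == "__main__":
    for name, tx in (("good", GOOD), ("swapped", SWAPPED), ("delegate", DELEGATE)):
        print(name, review(tx, INVOICE, KNOWN) or "matches invoice")
```

The reviewer only returns reasons to hold; it has no key and no path to sign, which is the property the paragraph above asks for.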
Multisig was built so that no single person could move the money alone. The next layer has to make sure that when those people do sign, they can actually see what they are signing. An AI Agent that reads every transaction before the first signature, and refuses to stay quiet when the calldata and the invoice disagree, is what turns a multisig back into the safeguard it was always supposed to be.
This post is exploratory and does not represent a specific roadmap.



