What happened
Attackers compromised the Safe{Wallet} infrastructure and injected malicious JavaScript that altered a signing transaction in the UI, draining ~$1.5B from a Bybit cold wallet — the largest crypto theft to date.
The honest answer
Honestly: no tool of ours could secure a third party’s wallet front-end, and we won’t pretend otherwise. The transferable lesson is the attack class. The same vector — malicious JavaScript pushed through a build pipeline or a poisoned dependency — is precisely what Stateward’s CI/CD and supply-chain engines are built to catch in your repository, before a compromised build ever reaches your users.
Stateward’s CI/CD engine inspects GitHub Actions and GitLab CI for script injection, mutable refs, over-broad permissions and secret-in-run, on every change to your pipeline files.
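The four workflow checks named above can be illustrated with a line-based linter for GitHub Actions files. This is an added example, not Stateward's code: the rule names, patterns and sample workflow are constructed, and "secret-in-run" is read here as a `${{ secrets.* }}` expression expanded directly inside a `run:` script.

```python
import re
# Constructed sample workflow; the 40-hex pin is a placeholder, not a real commit.
SAMPLE = """\
on: pull_request
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          curl -H "Authorization: Bearer ${{ secrets.DEPLOY_TOKEN }}" https://deploy.example.invalid
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")              # full commit SHA = immutable ref
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")     # group 1 width = column of the key
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:event\.|head_ref)[^}]*\}\}")
SECRET = re.compile(r"\$\{\{\s*secrets\.[^}]*\}\}")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*(?:#.*)?$")

def lint_workflow(text):
    """Return (line_no, finding) pairs, in line order, for a workflow file."""
    findings, run_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        m = RUN.match(line)
        if m:                                        # start of a run: script
            run_col, body = len(m.group(1)), m.group(2)
        elif run_col is not None and (not line.strip() or indent > run_col):
            body = line                              # continuation of the script
        else:                                        # dedent: script has ended
            run_col = body = None
        for rule, pat in (("script-injection", UNTRUSTED), ("secret-in-run", SECRET)):
            if body is not None and pat.search(body):
                findings.append((no, rule))
        u = USES.match(line)
        ref = u.group(1) if u else "./"              # "./" = nothing to check
        if not ref.startswith(("./", "docker://")) and not SHA_PIN.match(ref.rpartition("@")[2]):
            findings.append((no, "mutable-ref"))
        if WRITE_ALL.match(line):
            findings.append((no, "over-broad-permissions"))
    return findings
```

The last step of the sample passes the same pull-request title through `env:` and is not flagged, since the shell then receives it as data rather than as script text. Line-based matching is an approximation; a real linter would parse the YAML and resolve reusable workflows.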
Built to be trusted with your code
Read-only & ephemeral
Stateward can comment, but never pushes, merges or stores your keys.
EU-sovereign hosting
Code and security data stay EU-hosted via Citadea — built for NIS2, DORA and the CRA.
Whole-codebase aware
Reasons over your call graph and trust boundaries, not just the diff.
Stateward is in beta and onboarding design partners. Built by Yggdrasil Digital.