If you watch on-chain forensics for any length of time, a pattern shows up: most retail rug pulls and approval drains are repeated patterns of small mistakes. The whale drains are different. They're rarer, larger, and almost always the result of one signing event that should have been clear and wasn't.

This post is about how experienced holders, treasuries, and on-chain whales structure their signing flows to keep that one event from happening. The patterns aren't exclusive to large balances. They're useful for anyone with enough at stake to slow down.

The whale signing problem

A few characteristics make whale signing different:

• The transactions are larger, so any mistake is more expensive
• Multiple parties (treasurers, partners, signers) often participate
• The transactions are more diverse: governance, treasury moves, DAO votes, complex DeFi positions
• Attackers know the size and target accordingly

The controls that work in this environment look less like "don't click bad links" and more like "the signing flow itself can't produce a wrong answer."

The playbook

Four patterns show up across nearly every well-run treasury or large self-custody setup.

1. Multisig as the default. Treasury and operational wallets aren't single-key. A standard pattern is a Safe (formerly Gnosis Safe) or Asigna, with a small set of signers and a quorum requirement. No single signer can move funds. This isn't unique to whales, but it's universal among them.

2. Clear signing on every signer device. Each signer has a hardware wallet that renders transaction details on its own screen. The display shows the same proposal data, but verification happens on each independent device. If one signer's laptop is compromised, the others' screens still tell the truth.

3. Out-of-band review. Before a multisig transaction reaches the signers, the proposal is reviewed somewhere the attacker doesn't control: a Slack channel with verified members, a meeting, a code-review tool. The signature follows agreement, not the other way around.

4. Simulation before signature. Tools like Tenderly, Stxer, or Defender simulate what a transaction will do on a fork of the chain. The output (token transfers, state changes, balance differences) is reviewed against expectations before anyone signs.

None of these is exotic. The combination is what makes the difference.

What goes wrong without these controls

The failure mode looks the same almost every time. A treasurer or signer is presented with a routine-looking transaction. The transaction is structurally not what it appears: a permission change disguised as a token approval, a malicious contract address swapped into a familiar-looking proposal, a multisig signer rotation that hands control to an attacker's address. The signer signs without verifying on a trusted display, and the funds move.

Last year's wave of large losses traced back to this pattern more often than to outright key theft. The keys were fine. The signing flow wasn't.

The role of the device screen

For a whale or a treasury, the hardware wallet's screen does double duty:

• It's the truth source for the signer
• It's the audit point if something goes wrong

The second part matters more than people realize. After a high-value mistake, the question isn't just "what did the dapp show?" It's "what did the device show, and would a careful signer have caught it?" Clear signing gives a yes-or-no answer. Blind signing gives a shrug.

A signer who confirms a transaction whose effect they couldn't read on the device has, technically, done their job. They've also given up the only independent verification step in the chain. That's an answerable error in retrospect, but it's better not to be in the position of needing the answer.

What this looks like in practice

A real workflow for a treasury approving a large move:

1. The proposal is drafted in the multisig UI and shared with signers via a verified channel
2. Each signer simulates the transaction in Tenderly and confirms the expected effect
3. The proposal is queued in the multisig contract
4. Signers connect their hardware wallets, each on their own device
5. Each signer verifies the rendered summary on their hardware wallet's screen against the simulation output
6. Each signer confirms; once quorum is reached, the transaction executes

The whole flow takes longer than "connect, sign, done." That's the point. The rate at which an attack can pass through this flow is much lower.

Where Ryder One fits

Ryder One is built around this assumption. The screen is large enough to show structured EIP-712 payloads without scrolling away from key fields. NFC-only signing means there's no USB attack surface during the signing event. EAL6+ secure-element protection raises the cost of a physical attack on a known-large signer.

For multisig participants, clear signing isn't a nice-to-have. It's the part of the flow that makes the rest of the controls meaningful.

What smaller holders can take from this

Not everyone needs a four-of-six Safe. The smaller version of this playbook still helps:

• Use a hardware wallet whose screen is your truth source for every transaction
• Insist on clear-signed flows. Treat blind signing as the exception, not the default.
• For large or unfamiliar transactions, simulate on Tenderly before you sign
• Slow down. The attacker is counting on the opposite.

A holder with $10,000 at risk and a holder with $10 million at risk are looking at the same signing screen. The discipline that scales is treating that screen as the place where everything is decided.

FAQ

What's the easiest control to add right now?

Make "is this clear-signed on my hardware wallet's screen?" a yes-or-no question you ask before every signature. That single habit catches most of the failures whales spend a lot of money to avoid.

Is clear signing slower?

It takes a few extra seconds to read a screen. The losses it prevents are worth orders of magnitude more than the time.

Bottom line

Large holders aren't smarter about crypto. They're more disciplined about signing. The good news is that the discipline is mostly free, and the tools have caught up. If you're holding meaningfully, the playbook above is a reasonable place to start.