Multisig

How it works

A multisig requires a set threshold of independent key holders to co-sign before a transaction executes. The intent is to remove the single point of failure of one admin key: one compromised key, one coerced team member, or one lost device cannot drain a treasury or push a malicious upgrade alone.

The threshold and signer independence decide whether that intent is real. A well-designed multisig spreads signers across separate individuals, ideally across geographies and organizational affiliations, so compromising any subset below the threshold yields the attacker nothing.

How we approach it

For protocol admin powers we typically specify a 4-of-7 or 5-of-9 arrangement with independent community representatives alongside team members. The threshold scales with blast radius: mint authority and upgrade keys warrant higher thresholds and broader independence than routine parameter changes. The admin-capability matrix documents which capability sits behind which multisig and threshold, so the risk surface is explicit.

Multisigs work best paired with timelocks for non-emergency actions. The multisig approves, the timelock queues it publicly, and execution waits out the delay. For emergencies, a separate higher-threshold multisig with a shorter path keeps critical patches from being blocked by that same delay.

Common mistake

The usual failure is treating a multisig as a checkbox rather than a living control. Signers drift as team members leave, keys go stale, and the org chart changes, and the wallet ends up controlled by fewer independent parties than its config suggests. We recommend quarterly signer rotation reviews for any multisig holding material protocol powers.