diff --git a/docs/pages/config/contributors.json b/docs/pages/config/contributors.json
index 30c93303..304ee024 100644
--- a/docs/pages/config/contributors.json
+++ b/docs/pages/config/contributors.json
@@ -190,5 +190,53 @@
 "company": "SEAL",
 "job_title": "Frameworks Contributors",
 "description": "Frameworks Contributors"
+ },
+ "isaac": {
+ "slug": "isaac",
+ "name": "Isaac Patka",
+ "role": "contributor",
+ "avatar": "https://avatars.githubusercontent.com/ipatka",
+ "github": "https://github.com/ipatka",
+ "twitter": "https://x.com/isaacpatka",
+ "website": "https://www.shield3.com/",
+ "company": "SEAL | Shield3",
+ "job_title": "Co-Founder",
+ "description": "SEAL Certs & SEAL Wargames"
+ },
+ "geoffrey": {
+ "slug": "geoffrey",
+ "name": "Geoffrey Arone",
+ "role": "contributor",
+ "avatar": "https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSHbkVGOCK1z6wdvZ2uBu80DExL70BmS-W-gg&s",
+ "github": null,
+ "twitter": null,
+ "website": "https://www.shield3.com/",
+ "company": "Shield3",
+ "job_title": "Co-Founder",
+ "description": "Shield3 Co-Founder"
+ },
+ "louis": {
+ "slug": "louis",
+ "name": "Louis Marquenet",
+ "role": "contributor",
+ "avatar": "https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRsvu2pjxvA4aXUQPmyZTWzRS5thvfCX8frIg&s",
+ "github": null,
+ "twitter": null,
+ "website": "https://www.opsek.io/",
+ "company": "Opsek",
+ "job_title": "Head of Operations",
+ "description": "Opsek Head of Operations"
+ },
+ "pablo": {
+ "slug": "pablo",
+ "name": "Pablo Sabbatella",
+ "role": "contributor",
+ "avatar": "https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSrOgjCQOqU_zKjkWq9K7HbGHWUavQ5rwP8Cg&s",
+ "github": null,
+ "twitter": "https://x.com/pablosabbatella",
+ "website": "https://www.opsek.io/",
+ "company": "SEAL | Opsek",
+ "job_title": "Founder",
+ "description": "Opsek Founder"
 }
 }
\ No newline at end of file
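Review bot: The `avatar` values for the new `geoffrey`, `louis` and `pablo` entries are Google image-search thumbnail cache URLs (`https://encrypted-tbn0.gstatic.com/images?q=tbn:...`), which are neither controlled by the contributors nor stable — the cache key can be rotated or evicted at any time, so these avatars will break silently and the site takes a dependency on a third-party origin for contributor images. The `isaac` entry's `https://avatars.githubusercontent.com/ipatka` is the durable form; for the three entries without a GitHub handle, prefer an image committed alongside the docs, e.g. `"avatar": "<repo-hosted-image-path>"` (placeholder), or a URL on the contributor's own site. If the docs site enforces a Content-Security-Policy `img-src` allow-list, keeping these URLs would also require adding the gstatic origin to it, which is worth checking before merge. The three entries also set `"github": null`; if earlier entries always carry a string there, confirm the rendering component tolerates a null link.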
diff --git a/docs/pages/incident-management/playbooks/index.mdx b/docs/pages/incident-management/playbooks/index.mdx
index 54426bd3..f5c4a48e 100644
--- a/docs/pages/incident-management/playbooks/index.mdx
+++ b/docs/pages/incident-management/playbooks/index.mdx
@@ -13,8 +13,8 @@ title: "Playbooks"
 
 - [Decentralized Ir](/incident-management/playbooks/decentralized-ir)
 - [ELUSIVE COMET Attack](/incident-management/playbooks/hacked-elusive-comet)
-- [Hacked Dprk](/incident-management/playbooks/hacked-dprk)
 - [Malware Infection](/incident-management/playbooks/malware)
+- [North Korea (DPRK) Attack](/incident-management/playbooks/hacked-dprk)
 - [Playbooks](/incident-management/playbooks/overview)
 - [Seal 911 War Room Guidelines](/incident-management/playbooks/seal-911-war-room-guidelines)
 - [Wallet Drainer Attack](/incident-management/playbooks/hacked-drainer)
diff --git a/docs/pages/multisig-for-protocols/backup-signing-and-infrastructure.mdx b/docs/pages/multisig-for-protocols/backup-signing-and-infrastructure.mdx
new file mode 100644
index 00000000..cb70e449
--- /dev/null
+++ b/docs/pages/multisig-for-protocols/backup-signing-and-infrastructure.mdx
@@ -0,0 +1,232 @@
+---
+tags:
+ - Engineer/Developer
+ - Security Specialist
+ - Multisig Security
+contributors:
+ - role: wrote
+ users: [isaac, geoffrey, louis, pablo, dickson]
+ - role: reviewed
+ users: [pinalikefruit, engn33r]
+---
+
+import {
+ TagList,
+ AttributionList,
+ TagProvider,
+ TagFilter,
+ ContributeFooter,
+} from "../../../components";
+
+
+
+
+# Backup Signing & Infrastructure
+
+
+
+
+If the default interfaces for either Safe or Squads are down or suspected of being compromised, these alternatives enable continued critical signing operations. As a signer, you should familiarize yourself with these tools and practice signing transactions with your team.
+
+## UI Alternatives
+
+### EVM Networks
+
+**Eternal Safe - Decentralized fork of Safe\{Wallet\}**
+
+- GitHub: https://github.com/eternalsafe/wallet
+- Hosted (IPFS): https://eternalsafe.eth.limo (requires bring your own RPC)
+- Local: Can be downloaded and run locally
+
+Note: Local/alternative UIs may not be actively maintained. Treat them as emergency options and perform extra verification. Please DYOR.
+
+### Solana
+
+**Squads Public Client - Open source Squads V4 interface**
+
+- GitHub: https://github.com/Squads-Protocol/public-v4-client
+- Features: Verifiable build, self-hostable with Docker, IPFS distribution
+- Local: Can be built and run locally
+
+### Mobile (Safe)
+
+**Safe Android App**
+
+- GitHub: https://github.com/safe-global/safe-android
+- App Store: https://apps.apple.com/us/app/safe-wallet/id1515759131
+- Play Store: https://play.google.com/store/apps/details?id=io.gnosis.safe
+
+## RPC Backup Options
+
+### Basic guidance:
+
+- Multiple providers: Set up accounts with 2-3 different RPC services
+ - eg. Alchemy, Infura, Chainstack, Quicknode, Tenderly
+- Avoid correlation: Choose providers that don't share infrastructure, if that information is available
+- Private RPCs preferred: Public RPC URLs are typically not sufficient for reliable operation
+
+### Administrator responsibilities
+
+Ensure signer preparedness:
+
+- Provide access to offline UI tools listed above
+- Verify signers have practiced using backup interfaces
+- Test backup RPCs during non-emergency periods
+- Document procedures for switching to backup infrastructure
+
+## Block Explorer Backup Options
+
+### EVM Networks
+
+Etherscan provides the default block explorer for nearly all EVM chains. In the event that Etherscan is compromised or goes down, it is important to have backup options that can be used for monitoring and investigating transactions.
+
+**Blockscout - Open source Etherscan alternative**
+
+- https://www.blockscout.com/
+- Available for all EVM networks
+- Can also be [self-hosted](https://github.com/blockscout/blockscout), although it requires significant time to run full node and index
+
+More explorers: A broader list of network explorers is maintained here: https://explorer.swiss-knife.xyz/
+
+### Solana Networks
+
+Both explorer.solana.com and Solscan are reliable options for Solana transaction exploration and decoding.
+
+**explorer.solana.com** - https://explorer.solana.com/
+
+- Can be [self-hosted](https://github.com/solana-foundation/explorer) using open source code
+
+**Solscan** - https://solscan.io/
+
+## Preparation
+
+**It is recommended to download dependencies ahead of time and store them in a secure location** so they are easily accessible during emergencies.
+
+## EVM Networks
+
+### Eternal Safe - Decentralized fork of Safe\{Wallet\}
+
+#### Access Options
+
+- **GitHub**: https://github.com/eternalsafe/wallet
+- **Hosted (IPFS)**: https://eternalsafe.eth.limo (requires bring your own RPC)
+- **Local**: Can be downloaded and run locally
+
+#### Setup
+
+1. Select network and enter an RPC URL
+
+ Eternal Safe network selection +

+ + Eternal Safe network selection screen: choose your network and enter an + RPC URL + +

+
+2. Enter Safe address and load
+ ![Eternal Safe address entry](https://frameworks-static.s3.us-east-2.amazonaws.com/images/multisig-for-protocols/eternal-safe-address-entry.png)
+3. Eternal Safe will automatically detect Ether balances but not ERC20 tokens. They can be added manually
+ ![Eternal Safe token configuration](https://frameworks-static.s3.us-east-2.amazonaws.com/images/multisig-for-protocols/eternal-safe-token-configuration.png)
+
+#### Transaction Verification
+
+**Critical**: It is still essential to verify hashes and calldata from Eternal Safe. Follow the verification steps in [Safe Multisig: Step-by-Step Verification].
+
+#### Smart Link System
+
+Once a transaction has been signed by one signer, a **Smart Link** is created which can be forwarded to the next signer to add their signature. The transactions do not go to any centralized backend.
+
+**Example Smart Link:**
+
+```
+Please sign this Eternal Safe transaction for the Safe: base:0xA79C6968E3c75aE4eF388370d1f142720D498fEC.
+Current confirmations: 1 of 2.
+https://eternalsafe.eth.limo/transactions/tx/?safe=base:0xA79C6968E3c75aE4eF388370d1f142720D498fEC&tx=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
+```
+
+#### Execution
+
+Once all signatures are collected, execute the transaction. **Note**: Prior to execution you can manually simulate using Tenderly by entering the transaction data, but an automatic simulation link will not be available.
+
+## Solana
+
+### Squads Public Client - Open source Squads V4 interface
+
+#### Access Options
+
+- **GitHub**: https://github.com/Squads-Protocol/public-v4-client
+- **Hosted**: https://backup.app.squads.so/
+- **Features**: Verifiable build, self-hostable with Docker, IPFS distribution
+- **Local**: Can be built and run locally
+
+#### Setup
+
+1. If running locally, follow setup instructions in https://github.com/Squads-Protocol/public-v4-client and access via http://localhost:8080
+2. Enter RPC URL in settings
+ ![Squads RPC configuration](https://frameworks-static.s3.us-east-2.amazonaws.com/images/multisig-for-protocols/squads-rpc-configuration.png)
+3. Enter multisig address in the **lower** text box (Search for Multisig Config) and select the detected Multisig Config
+ ![Squads multisig selection](https://frameworks-static.s3.us-east-2.amazonaws.com/images/multisig-for-protocols/squads-multisig-selection.png)
+
+#### Transaction Operations
+
+4. Create, approve, or execute transactions. _Smart Links_ are not needed for Solana as all transactions are on chain and accessible via the RPC without an API
+ ![Squads transaction interface](https://frameworks-static.s3.us-east-2.amazonaws.com/images/multisig-for-protocols/squads-transaction-interface.png)
+
+## Security Considerations
+
+### Enhanced Verification
+
+When using backup systems:
+
+- **Extra caution required**: Be more thorough with verification procedures
+- **Multiple verification methods**: Use additional tools to cross-check transaction details
+- **Team confirmation**: Verify with other signers before proceeding with critical transactions
+- **Documentation**: Record use of backup systems and any issues encountered
+
+### Risk Assessment
+
+- **Delay non-critical operations**: Consider postponing non-urgent transactions until primary systems recover
+- **Emergency operations only**: For critical emergency responses, proceed with enhanced verification
+- **Communication**: Keep team informed about system status and verification procedures
+
+## Testing and Preparation
+
+### Regular Practice
+
+- **Monthly testing**: Practice using backup interfaces during normal operations
+- **Team coordination**: Ensure all signers can operate backup systems
+- **Process documentation**: Update procedures based on practice sessions
+
+### Emergency Drills
+
+- **Simulated outages**: Practice coordinating with backup systems during drills
+- **Communication testing**: Verify backup communication channels work with backup UIs
+- **Time measurement**: Track how long backup system activation takes
+
+## Troubleshooting
+
+### Common Issues
+
+- **RPC connectivity**: Switch to alternative RPC providers if connection fails
+- **Transaction loading**: Refresh or try different network endpoints
+- **Signature verification**: Use multiple verification tools when in doubt
+
+### Support Resources
+
+- **GitHub documentation**: Refer to project documentation for technical issues
+- **Team assistance**: Coordinate with other signers for problem-solving
+- **Alternative tools**: Have multiple backup options available
+
+## Related Documents
+
+- [Safe Multisig: Step-by-Step Verification] - Verification procedures
+- [Emergency Procedures](/multisig-for-protocols/emergency-procedures) - General emergency response
+- [Communication Setup](/multisig-for-protocols/communication-setup) - Backup communication during outages
+
+
+
diff --git a/docs/pages/multisig-for-protocols/communication-setup.mdx b/docs/pages/multisig-for-protocols/communication-setup.mdx
new file mode 100644
index 00000000..69f41676
--- /dev/null
+++ b/docs/pages/multisig-for-protocols/communication-setup.mdx
@@ -0,0 +1,47 @@
+---
+tags:
+ - Engineer/Developer
+ - Security Specialist
+ - Multisig Security
+contributors:
+ - role: wrote
+ users: [isaac, geoffrey, louis, pablo, dickson]
+ - role: reviewed
+ users: [pinalikefruit, engn33r]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
+
+
+
+
+# Communication Setup
+
+
+
+
+## Primary channel
+
+Set up dedicated communication channel for multisig operations:
+- **Platform**: Signal recommended (end-to-end encryption)
+- **Membership**: Multisig signers + authorized management only
+- **Configuration**: Notifications enabled, disappearing messages for sensitive discussions
+- **Naming**: Clear channel naming convention (e.g., "X-Treasury-Multisig")
+
+## Backup channels
+
+Configure backup communication on different platform:
+- **Platform**: Different from primary (if Signal primary, use Telegram/Discord/Slack)
+- **Same membership restrictions** as primary
+- **Document access procedures** for all signers
+
+## Paging system (Critical/Emergency Multisigs)
+
+For multisigs requiring rapid response:
+- Configure alerts that can reach signers 24/7
+- Include essential info in page: multisig name, urgency level, primary action needed
+- Link to emergency runbooks in notification message
+- Test quarterly to ensure reliability
+
+
+
\ No newline at end of file
diff --git a/docs/pages/multisig-for-protocols/emergency-procedures.mdx b/docs/pages/multisig-for-protocols/emergency-procedures.mdx
new file mode 100644
index 00000000..f0c024b1
--- /dev/null
+++ b/docs/pages/multisig-for-protocols/emergency-procedures.mdx
@@ -0,0 +1,237 @@
+---
+tags:
+ - Engineer/Developer
+ - Security Specialist
+ - Multisig Security
+contributors:
+ - role: wrote
+ users: [isaac, geoffrey, louis, pablo, dickson]
+ - role: reviewed
+ users: [pinalikefruit, engn33r]
+---
+
+import {
+ TagList,
+ AttributionList,
+ TagProvider,
+ TagFilter,
+ ContributeFooter,
+} from "../../../components";
+
+
+
+
+# Emergency Procedures
+
+
+
+
+When security incidents occur, quick and decisive action is critical. This page covers procedures for key compromise, lost access, and communication breaches.
+
+## Key Compromise
+
+### Immediate Actions (Within 30 Minutes)
+
+1. **Stop operations** - Halt all non-emergency transactions
+2. **Notify team** - Alert via all communication channels using emergency notification template
+3. **Assess scope** - Determine which keys may be compromised
+4. **Escalate** - Contact Security team immediately
+5. **Document** - Record timeline and details
+
+### Recovery Process
+
+1. **Isolate** - Quarantine potentially compromised devices
+2. **New hardware setup** - Set up fresh wallet with new seed following [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup)
+3. **Coordinate replacement** - Plan signer replacement transaction with team
+4. **Execute replacement** - Replace compromised signer on multisig, following steps for signer rotation in [Secure Multisig Best Practices]
+5. **Verify security** - Confirm new setup before resuming operations
+
+## Lost Key Access
+
+### Immediate Steps
+
+1. **Try backup device first** if available
+2. **Contact team immediately** via backup communication channels
+3. **Do not panic** - Lost access doesn't mean compromised keys
+4. **Document the situation** - Record what happened and when
+
+### Identity Verification Process
+
+Since you can't sign with your key, verify identity through alternative methods:
+
+- **Video call** with other signers
+- **Authentication** via verified social media account
+- **Other pre-arranged verification methods**
+
+### Replacement Coordination
+
+1. **Generate new hardware wallet** following standard setup procedures in [Hardware Wallet Setup](./hardware-wallet-setup)
+2. **Verify new address** through identity verification process above
+3. **Coordinate timing** with other signers for replacement transaction
+4. **Execute replacement** once team confirms identity
+5. **Update documentation** with new signer information
+
+## Communication Account Compromise
+
+### If Telegram/Signal/Discord Gets Taken Over
+
+#### Immediate Actions
+
+1. **Assume all recent messages are suspect** - Don't trust recent communication
+2. **Use backup channels** to alert team about compromise
+3. **Change passwords** and enable additional security on compromised account
+
+#### Team Verification Process
+
+**For the compromised person:**
+
+- Use alternative contact methods (email, phone, other platforms)
+- Verify identity through video call or pre-arranged methods
+- Provide proof of the compromise (screenshots, platform confirmation)
+
+**For other team members:**
+
+- Verify all recent requests from compromised account
+- Cancel any pending transactions initiated via compromised communication
+- Require additional verification for any future requests until resolved
+
+#### Recovery Steps
+
+1. **Regain account control** through platform recovery processes
+2. **Enable maximum security** (2FA, security keys, session management)
+3. **Review recent message history** for unauthorized communications
+4. **Alert team** when account is secured and verified clean
+5. **Resume normal operations** only after team confirms account security
+
+## Emergency Notification Template
+
+Use this template for security incidents or key compromises:
+
+```
+Subject: [URGENT] Multisig Security Incident - [Multisig Name]
+
+Immediate details:
+- Multisig address: [ADDRESS]
+- Classification: [Impact Level / Operational Type]
+- Incident type: [Key Compromise / Communication Failure / System Issue]
+- Time of discovery: [TIMESTAMP]
+- Reporting signer: [NAME/HANDLE]
+
+Situation summary: [Brief description of what happened and current status]
+
+Immediate actions taken:
+□ Stopped non-emergency operations
+□ Isolated affected systems
+□ Notified team members
+□ [Other actions]
+
+Next steps required:
+□ Security team assessment
+□ Key rotation process
+□ Emergency transaction execution
+□ [Other actions]
+
+Current multisig status:
+- Available signers: [X/Y]
+- Communication status: [Operational/Compromised]
+- Operational capability: [Full/Limited/Suspended]
+```
+
+## Emergency Communication Protocols
+
+### Multi-Channel Notification
+
+- **Primary channel**: Alert via main communication channel
+- **Backup channels**: Simultaneously notify via backup platforms
+- **Emergency contacts**: Use emergency contact procedures if established
+
+### Identity Verification
+
+- **Code words**: Use pre-established verification phrases
+- **Multiple confirmations**: Verify through multiple channels
+- **Video verification**: Use video calls for critical confirmations
+
+### Information Sharing
+
+- **Need-to-know basis**: Share only essential information
+- **Secure channels only**: Use most secure available communication
+- **Documentation**: Record all emergency communications
+
+## Operational Emergency Procedures
+
+### For Emergency Response Multisigs
+
+#### Rapid Response Protocol
+
+1. **Immediate assessment** - Determine scope and urgency
+2. **Signer activation** - Contact threshold number of signers
+3. **Streamlined verification** - Use minimal verification appropriate for risk level
+4. **Execute response** - Implement emergency measures
+5. **Post-action review** - Document and assess response effectiveness
+
+#### 24/7 Availability
+
+- **Geographic distribution** - Ensure coverage across time zones
+- **Backup signers** - Have additional signers available for activation
+- **Communication redundancy** - Multiple ways to reach each signer
+
+### Emergency Drill Procedures
+
+#### Regular Testing Schedule
+
+- **Quarterly**: Communication system tests
+- **Bi-annually**: Emergency paging system tests
+- **Annually**: Full emergency simulation with all signers
+
+#### Drill Components
+
+1. **Notification test** - Verify all signers receive alerts
+2. **Response time measurement** - Track time to threshold signatures
+3. **Process verification** - Ensure procedures work under pressure
+4. **Documentation review** - Update procedures based on drill results
+
+## Recovery and Post-Incident
+
+### Immediate Recovery
+
+1. **Restore operations** - Resume normal operations once threat is mitigated
+2. **Monitor for issues** - Watch for any residual security concerns
+3. **Update security measures** - Implement additional controls if needed
+
+### Post-Incident Analysis
+
+1. **Root cause analysis** - Determine how incident occurred
+2. **Process improvement** - Update procedures to prevent recurrence
+3. **Team debriefing** - Gather lessons learned from all participants
+4. **Documentation updates** - Revise emergency procedures based on experience
+
+### Communication
+
+1. **Team notification** - Inform team when incident is resolved
+2. **Stakeholder updates** - Notify relevant parties as appropriate
+3. **Documentation** - Complete incident report for future reference
+
+## Emergency Contact Information
+
+### Security Team Contact
+
+- **Email**: [Security team email]
+- **Emergency escalation**: [24/7 emergency contact if available]
+- **Communication**: Use subject line format from emergency notification template
+
+### Internal Escalation
+
+- **Protocol leadership**: [Contact information]
+- **Technical team**: [Emergency technical contact]
+- **Legal/compliance**: [If regulatory notification required]
+
+## Related Documents
+
+- [Incident Reporting](/multisig-for-protocols/incident-reporting) - Formal incident reporting procedures
+- [Communication Setup](/multisig-for-protocols/communication-setup) - Backup communication channels
+- [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup) - Device replacement procedures
+- [Seed Phrase Management] - Key recovery procedures
+- [Personal Security (OpSec)](/multisig-for-protocols/personal-security-opsec) - Account security measures
+
+
+
diff --git a/docs/pages/multisig-for-protocols/hardware-wallet-setup.mdx b/docs/pages/multisig-for-protocols/hardware-wallet-setup.mdx
new file mode 100644
index 00000000..af53d899
--- /dev/null
+++ b/docs/pages/multisig-for-protocols/hardware-wallet-setup.mdx
@@ -0,0 +1,55 @@
+---
+tags:
+ - Engineer/Developer
+ - Security Specialist
+ - Multisig Security
+contributors:
+ - role: wrote
+ users: [isaac, geoffrey, louis, pablo, dickson]
+ - role: reviewed
+ users: [pinalikefruit, engn33r]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
+
+
+
+
+# Hardware Wallet Setup
+
+
+
+
+## Recommended devices
+
+**Ledger:**
+- Ledger Stax
+- Ledger Nano S Plus
+
+**Trezor:**
+- Trezor Model One
+- Trezor Safe 3
+
+## Initial setup
+
+### Purchase & Verification
+- Purchase only from manufacturer or authorized resellers
+- Verify tamper-resistant packaging is untouched
+- Check for authenticity indicators on packaging
+
+### Device configuration
+- Update firmware to latest version before creating accounts
+- Configure PIN - Use unique, strong PIN (different from other devices)
+- Generate seed following device instructions
+- Create accounts as needed
+
+## Backup device
+
+Every signer MUST maintain a backup device. If the first device fails it is better to have a second one ready to go without having to access the seed phrase.
+- Second hardware wallet with same seed phrase
+- Test both devices can create valid signatures
+- Store backup securely
+- Monthly verification that backup device functions correctly
+
+
+
\ No newline at end of file
diff --git a/docs/pages/multisig-for-protocols/implementation-checklist.mdx b/docs/pages/multisig-for-protocols/implementation-checklist.mdx
new file mode 100644
index 00000000..352a6993
--- /dev/null
+++ b/docs/pages/multisig-for-protocols/implementation-checklist.mdx
@@ -0,0 +1,234 @@
+---
+tags:
+ - Engineer/Developer
+ - Security Specialist
+ - Multisig Security
+contributors:
+ - role: wrote
+ users: [isaac, geoffrey, louis, pablo, dickson]
+ - role: reviewed
+ users: [pinalikefruit, engn33r]
+---
+
+import {
+ TagList,
+ AttributionList,
+ TagProvider,
+ TagFilter,
+ ContributeFooter,
+} from "../../../components";
+
+
+
+
+# Implementation Checklist
+
+
+
+
+This checklist ensures all multisig participants have the knowledge and skills necessary for secure operations. Complete all applicable sections before beginning multisig operations.
+
+## For Multisig Administrators
+
+### Planning & Setup
+
+- [ ] I have classified my multisig using the impact and operational framework from [Planning & Classification](/multisig-for-protocols/planning-and-classification)
+- [ ] I have selected appropriate thresholds based on the classification guidance
+- [ ] I have identified and verified all signers for the multisig
+- [ ] I have deployed the multisig with correct configuration
+- [ ] I have set up required modules (eg. allowance module to rescue assets)
+
+### Documentation & Communication
+
+- [ ] I have classified and documented the new multisig using templates from [Registration & Documentation](/multisig-for-protocols/registration-and-documentation)
+- [ ] I have set up primary and backup communication channels per [Communication Setup](/multisig-for-protocols/communication-setup)
+- [ ] I have tested emergency notification procedures
+- [ ] I have documented emergency contact information
+
+### Ongoing Management
+
+- [ ] I have established procedures for regular reviews and updates per [Registration & Documentation](/multisig-for-protocols/registration-and-documentation)
+- [ ] I have set up backup infrastructure and tested alternative UIs per [Backup Signing & Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure)
+- [ ] I have verified all signers have completed training requirements
+- [ ] I understand signer rotation procedures for my multisig type
+
+## For Signers
+
+### Hardware & Security Setup
+
+- [ ] I have purchased recommended hardware wallet from authorized source per [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup)
+- [ ] I have set up my hardware wallet with proper firmware and PIN
+- [ ] I have created and tested backup hardware wallet with same seed
+- [ ] I have stored my seed phrase securely using approved methods from [Seed Phrase Management]
+- [ ] I have created dedicated accounts for each multisig I'm signing for
+
+### Operational Readiness
+
+- [ ] I have joined multisig communication channels (primary and backup) per [Communication Setup](/multisig-for-protocols/communication-setup)
+- [ ] I have verified my signer address using the required signature process from [Joining a Multisig](/multisig-for-protocols/joining-a-multisig)
+- [ ] I understand my multisig's classification and response time requirements
+- [ ] I have completed a test transaction with the multisig team
+
+### Transaction Verification
+
+- [ ] I can use approved verification tools (Safe CLI Utils, OpenZeppelin SafeUtils for EVM) from [Tools & Resources → Transaction Verification](/wallet-security/tools-&-resources#transaction-verification)
+- [ ] I understand how to verify transaction hashes before signing
+- [ ] I can decode and verify transaction details (amounts, recipients, contract calls)
+- [ ] I have practiced verifying both simple transfers and complex transactions
+
+### Emergency Preparedness
+
+- [ ] I have downloaded backup UIs (Eternal Safe for EVM, Squads public client for Solana) per [Backup Signing & Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure)
+- [ ] I know how to sign transactions when primary UI is down per [Backup Signing & Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure)
+- [ ] I understand emergency procedures for key compromise and communication failures per [Emergency Procedures](/multisig-for-protocols/emergency-procedures)
+- [ ] I have tested backup communication methods with my team
+- [ ] I know who to contact for security incidents and emergencies per [Incident Reporting](/multisig-for-protocols/incident-reporting)
+
+### Personal Security
+
+- [ ] I have enabled 2FA on all accounts with approved methods (YubiKey preferred) per [Personal Security (OpSec)](/multisig-for-protocols/personal-security-opsec)
+- [ ] I use dedicated devices or accounts for multisig operations when required
+- [ ] I have implemented travel security procedures appropriate for my risk level
+- [ ] I understand incident reporting procedures for security concerns
+
+### Compliance
+
+- [ ] I have read and understand all sections of this security framework
+- [ ] I understand my specific role requirements based on multisig classification
+- [ ] I know how to properly offboard when leaving a multisig role per [Offboarding](/multisig-for-protocols/offboarding)
+- [ ] I commit to following these security procedures and reporting any deviations
+
+## Specialized Training by Use Case
+
+### Emergency Response Multisigs
+
+Additional requirements from [Use Case Specific Requirements](/multisig-for-protocols/use-case-specific-requirements):
+
+- [ ] I understand 24/7 availability requirements
+- [ ] I have participated in emergency simulation drills
+- [ ] I know how to respond to emergency paging
+- [ ] I understand streamlined verification procedures for emergencies
+
+### Treasury Multisigs
+
+- [ ] I understand allowance module configuration and purpose
+- [ ] I know governance rescue procedures
+- [ ] I understand financial reporting requirements
+
+### Smart Contract Control Multisigs
+
+- [ ] I understand timelock configuration per [Use Case Specific Requirements → Timelock Configuration](/multisig-for-protocols/use-case-specific-requirements#timelock-configuration)
+- [ ] I know how to verify staged transactions
+- [ ] I understand higher threshold requirements for upgrades
+
+## Practical Skills Assessment
+
+### Transaction Verification (EVM)
+
+- [ ] I can successfully verify a Safe transaction hash using CLI tools
+- [ ] I can decode transaction calldata and identify recipients and amounts
+- [ ] I can identify risky transaction types and warnings
+- [ ] I can verify nested Safe transactions if applicable
+
+### Transaction Verification (Solana)
+
+- [ ] I can analyze Solana transaction instruction data
+- [ ] I can convert hex values to decimal for amount verification
+- [ ] I can identify different transaction types (SOL transfer, token transfer, config changes)
+
+### Emergency Procedures
+
+- [ ] I can access backup UIs and complete a transaction
+- [ ] I can contact team via backup communication channels
+- [ ] I know how to report key compromise immediately
+- [ ] I can execute identity verification procedures if needed
+
+### Tool Proficiency
+
+- [ ] I am comfortable using my hardware wallet for signing
+- [ ] I can navigate backup block explorers
+- [ ] I can use alternative RPC endpoints
+- [ ] I understand how to manually simulate transactions
+
+## Documentation Review
+
+### Required Reading Completed
+
+- [ ] [Secure Multisig Best Practices] - Core requirements for all multisigs
+- [ ] [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup) - Device security requirements
+- [ ] [Seed Phrase Management] Key protection procedures
+- [ ] [Safe Multisig: Step-by-Step Verification] - Signing procedures
+- [ ] [Emergency Procedures](/multisig-for-protocols/emergency-procedures) - Crisis response protocols
+- [ ] [Personal Security (OpSec)](/multisig-for-protocols/personal-security-opsec) - Account and device security
+
+### Role-Specific Documentation
+
+**For Administrators:**
+
+- [ ] [Planning & Classification](/multisig-for-protocols/planning-and-classification)
+- [ ] [Setup & Configuration](/multisig-for-protocols/setup-and-configuration)
+- [ ] [Registration & Documentation](/multisig-for-protocols/registration-and-documentation)
+- [ ] [Communication Setup](/multisig-for-protocols/communication-setup)
+- [ ] [Registration & Documentation](/multisig-for-protocols/registration-and-documentation)
+
+**For Specialized Use Cases:**
+
+- [ ] [Use Case Specific Requirements](/multisig-for-protocols/use-case-specific-requirements)
+- [ ] [Backup Signing & Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure)
+- [ ] [Use Case Specific Requirements → Timelock Configuration](/multisig-for-protocols/use-case-specific-requirements#timelock-configuration) (if applicable)
+
+## Certification and Acknowledgment
+
+### Training Completion
+
+- [ ] I have completed all applicable training requirements
+- [ ] I have successfully demonstrated practical skills
+- [ ] I understand the security implications of my role
+- [ ] I acknowledge my responsibilities as a multisig participant
+
+### Ongoing Commitment
+
+- [ ] I commit to following all security procedures outlined in this framework
+- [ ] I will report any security incidents or concerns promptly
+- [ ] I will participate in regular training updates and refreshers
+- [ ] I will maintain the required level of security for my role
+
+### Trainer Verification (if applicable)
+
+**For organizations requiring formal training:**
+
+Trainer: ********\_******** Date: ********\_********
+
+Trainee has demonstrated competency in:
+
+- [ ] Transaction verification procedures
+- [ ] Emergency response protocols
+- [ ] Security best practices
+- [ ] Role-specific requirements
+
+**Signature:** ********\_********
+
+## Refresher Training Schedule
+
+### Regular Updates
+
+- **Monthly**: Review emergency procedures and contact information
+- **Quarterly**: Practice backup system usage and emergency drills
+- **Annually**: Complete full framework review and updates
+- **As needed**: Training on new tools, procedures, or threats
+
+### Trigger Events
+
+Additional training required after:
+
+- Framework updates or changes
+- Security incidents affecting the team
+- New tool adoption
+- Role changes or additional responsibilities
+
+## Related Documents
+
+All documents in this framework serve as training materials. Refer to individual documents for detailed procedures and requirements specific to your role.
+
+
+
diff --git a/docs/pages/multisig-for-protocols/incident-reporting.mdx b/docs/pages/multisig-for-protocols/incident-reporting.mdx
new file mode 100644
index 00000000..cfc651c2
--- /dev/null
+++ b/docs/pages/multisig-for-protocols/incident-reporting.mdx
@@ -0,0 +1,131 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' + + + + +# Incident Reporting + + + + +## What to Report + +### Security incidents (report immediately) +- Key compromise or suspected compromise +- Account takeovers (email, communication platforms, etc.) +- Device theft or loss +- Suspicious activity on multisig accounts +- Phishing attempts targeting multisig operations +- Communication channel infiltration + +### Operational issues (Report Within 24 Hours) +- Lost access to signing keys or devices +- Failed hardware wallets or backup devices +- Communication channel failures +- Verification tool malfunctions +- Difficulty following security procedures + +### Near misses (report when convenient) +- Social engineering attempts +- Suspicious emails or messages +- Security procedure confusion or errors +- Training gaps or unclear documentation + +## How to report + +### Immediate security incidents +1. Secure the situation first (disconnect devices, change passwords, etc.) +2. Notify your multisig team via secure channels +3. Email Protocol Security +4. 
Use subject line: "URGENT: Security Incident - [Your Handle/Multisig Name]" + +### Standard reporting +- Email Protocol Security +- Use clear subject line: "Incident Report - [Brief Description]" +- Include required documentation (see below) +- Follow up if you don't receive acknowledgment within 48 hours + +### Emergency contact +For critical security incidents requiring immediate response: Email: security team + +## Emergency notification template + +Use this template for security incidents or key compromises: + +``` +Subject: [URGENT] Multisig Security Incident - [Multisig Name] + +Immediate details: +- Multisig address: [ADDRESS] +- Classification: [Impact Level / Operational Type] +- Incident type: [Key Compromise / Communication Failure / System Issue] +- Time of discovery: [TIMESTAMP] +- Reporting signer: [NAME/HANDLE] + +Situation summary: [Brief description of what happened and current status] + +Immediate actions taken: +□ Stopped non-emergency operations +□ Isolated affected systems +□ Notified team members +□ [Other actions] + +Next steps required: +□ Security team assessment +□ Key rotation process +□ Emergency transaction execution +□ [Other actions] + +Current multisig status: +- Available signers: [X/Y] +- Communication status: [Operational/Compromised] +- Operational capability: [Full/Limited/Suspended] +``` + +## Documentation + +Simple incident report template: + +``` +Incident report + +Date/Time: [When incident occurred] +Reported by: [Your handle] +Multisig(s) affected: [Names/addresses] + +What happened: +[Brief description of the incident] + +When discovered: +[How and when you became aware] + +Actions taken: +- [Step 1] +- [Step 2] +- [Step 3] + +Current status: +[Resolved/Ongoing/Assistance needed] + +Impact: +[None/Limited/Significant - brief explanation] + +Additional notes: +[Any other relevant information] +``` + + + + \ No newline at end of file 
diff --git a/docs/pages/multisig-for-protocols/index.mdx b/docs/pages/multisig-for-protocols/index.mdx new file mode 100644 index 00000000..5c061755 --- /dev/null +++ b/docs/pages/multisig-for-protocols/index.mdx @@ -0,0 +1,27 @@ +--- +title: "Multisig For Protocols" +--- + +{/* AUTOGENERATED: This file is generated by utils/generate-folder-indexes.js */} + +# Multisig For Protocols + +> _Note:_ This page is auto-generated. Please use the sidebar to explore the docs instead of +> navigating directory paths directly. + +## Pages + +- [Backup Signing And Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure) +- [Communication Setup](/multisig-for-protocols/communication-setup) +- [Emergency Procedures](/multisig-for-protocols/emergency-procedures) +- [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup) +- [Implementation Checklist](/multisig-for-protocols/implementation-checklist) +- [Incident Reporting](/multisig-for-protocols/incident-reporting) +- [Joining A Multisig](/multisig-for-protocols/joining-a-multisig) +- [Offboarding](/multisig-for-protocols/offboarding) +- [Overview](/multisig-for-protocols/overview) +- [Personal Security Opsec](/multisig-for-protocols/personal-security-opsec) +- [Planning And Classification](/multisig-for-protocols/planning-and-classification) +- [Registration And Documentation](/multisig-for-protocols/registration-and-documentation) +- [Setup And Configuration](/multisig-for-protocols/setup-and-configuration) +- [Use Case Specific Requirements](/multisig-for-protocols/use-case-specific-requirements) diff --git a/docs/pages/multisig-for-protocols/joining-a-multisig.mdx b/docs/pages/multisig-for-protocols/joining-a-multisig.mdx new file mode 100644 index 00000000..618070b5 --- /dev/null +++ b/docs/pages/multisig-for-protocols/joining-a-multisig.mdx 
@@ -0,0 +1,68 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' + + + + +# Joining a Multisig + + + + +It is recommended to always create a fresh address on a hardware wallet for each new multisig. + +## Verifying address ownership + +Creating a proof of address ownership provides important documentation and security assurances to the protocol for all multisig signers. Entity affiliations are acceptable - the goal is accountability, not doxxing. + +### Preparing and sharing address & Signature + +Sign the message like [@social_handle | name | entity] is looking to join [Multisig Name] X DAO multisig with address 0x... with the private key you intend to use as a signer. One of the options is going using MyCrypto web UI: +1. Connect your wallet to https://app.mycrypto.com/sign-message +2. Enter the message, click "sign" and sign the message on the wallet. +3. The sig field in the result json is the signature hash. + +Share the message: +- **Option 1** - Publish the message along with the signature hash on twitter or other easily accessible social media. +- **Option 2** - Share the message privately with multisig admin so it can be stored with multisig documentation + +## Ethereum signature verification + +### Etherscan UI +1. Go to https://etherscan.io/verifiedSignatures. +2. Click the Verify Signature button. +3. Input address, message & signature hash data & click Continue. +4. See whether the signature provided is valid. +5. To publish: choose "Verify & publish" and click "Continue". +6. After the signature is verified, you'll get the link for sharing. + +Note: Enter plain text message (not the hex version MyEtherWallet will give!) and ensure the signature includes the 0x prefix. 
+ +### MyCrypto +1. Go to https://app.mycrypto.com/verify-message +2. Enter json & click Verify: + +```json +{ + "address": "0x...", + "msg": "0x...", + "sig": "signature_hash" +} +``` + +Note that "msg" is hex text starting with 0x (add 0x before the hex encoded string if necessary). 4. See whether the signature provided is valid. + + + + \ No newline at end of file diff --git a/docs/pages/multisig-for-protocols/offboarding.mdx b/docs/pages/multisig-for-protocols/offboarding.mdx new file mode 100644 index 00000000..fadc8303 --- /dev/null +++ b/docs/pages/multisig-for-protocols/offboarding.mdx @@ -0,0 +1,50 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { + TagList, + AttributionList, + TagProvider, + TagFilter, + ContributeFooter, +} from "../../../components"; + + + + +# Offboarding + + + + +When leaving a multisig, follow these steps: + +## Signer removal + +1. **Coordinate with team** - Notify other signers and schedule the removal transaction +2. **Execute removal** - Follow standard signer rotation procedures ([Signer Rotation]) +3. **Verify removal** - Confirm your address has been removed from the multisig +4. **Update documentation** - Ensure documentation reflects the change + +## Clean up access + +- Leave all multisig communication channels (Signal, Telegram, etc.) +- Remove access to any sensitive shared documents or resources +- Delete any locally stored sensitive multisig information + +## Handover + +- Share any relevant context or pending items with remaining signers +- Provide contact information if needed for transition questions + + + diff --git a/docs/pages/multisig-for-protocols/overview.mdx b/docs/pages/multisig-for-protocols/overview.mdx new file mode 100644 index 00000000..e7c61387 --- /dev/null +++ b/docs/pages/multisig-for-protocols/overview.mdx 
@@ -0,0 +1,76 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { + TagList, + AttributionList, + TagProvider, + TagFilter, + ContributeFooter, +} from "../../../components"; + + + + +# Multisig Security Framework + + + + +## How to use this guide + +**Quick start**: New to multisigs? Start with the Foundation for the essentials, then jump to your role: + +- Setting up a new multisig? → Multisig Administration: [Setup & Configuration](/multisig-for-protocols/setup-and-configuration) and [Registration & Documentation](/multisig-for-protocols/registration-and-documentation) +- Joining as a signer? → [Joining a Multisig](/multisig-for-protocols/joining-a-multisig) and [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup) +- Need to sign a transaction? → Signing & Verification: [Safe Multisig] and [Squads] +- Emergency situation? → [Emergency Procedures](/multisig-for-protocols/emergency-procedures) + +## Core principles + +- **Security first**: Every multisig must meet [minimum security standards] +- **Operational readiness**: Procedures that work under pressure +- **Clear accountability**: Everyone knows their role and responsibilities +- **Emergency preparedness**: Plans for when things go wrong + +## Framework Structure + +### 1. Foundation + +- [Secure Multisig Best Practices] - Core requirements for all multisigs + +### 2. 
Multisig Administration + +- [Planning & Classification](/multisig-for-protocols/planning-and-classification) - Assess requirements and classify risk +- [Setup & Configuration](/multisig-for-protocols/setup-and-configuration) - Deploy and configure multisigs +- [Registration & Documentation](/multisig-for-protocols/registration-and-documentation) - Document and verify setup +- [Communication Setup](/multisig-for-protocols/communication-setup) - Establish secure communication channels +- [Use Case Specific Requirements](/multisig-for-protocols/use-case-specific-requirements) - Special requirements by type + +### 3. For Signers + +- [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup) - Secure device configuration +- [Seed Phrase Management] - Protect your recovery keys +- [Joining a Multisig](/multisig-for-protocols/joining-a-multisig) - Verification and onboarding process +- [Safe Multisig: Step-by-Step Verification] - Safely verify and sign transactions +- [Emergency Procedures](/multisig-for-protocols/emergency-procedures) - Handle key compromise and emergencies +- [Backup Signing & Infrastructure](/multisig-for-protocols/backup-signing-and-infrastructure) - Use backup interfaces +- [Personal Security (OpSec)](/multisig-for-protocols/personal-security-opsec) - Protect your accounts and devices +- [Incident Reporting](/multisig-for-protocols/incident-reporting) - Report security issues and incidents +- [Offboarding](/multisig-for-protocols/offboarding) - Safely leave a multisig role + +### 4. Reference + +- [Implementation Checklist](/multisig-for-protocols/implementation-checklist) - Verify readiness for multisig operations + + + diff --git a/docs/pages/multisig-for-protocols/personal-security-opsec.mdx b/docs/pages/multisig-for-protocols/personal-security-opsec.mdx new file mode 100644 index 00000000..e240269c --- /dev/null +++ b/docs/pages/multisig-for-protocols/personal-security-opsec.mdx 
@@ -0,0 +1,140 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' + + + + +# Personal Security (OpSec) + + + + +## Account Security + +### Basic requirements +- 2FA enabled on all accounts (authenticator apps or hardware keys) +- Password manager with unique, strong passwords for every account +- Remove phone numbers from account recovery options where possible +- Regular security checkups and removal of unused app permissions +- Backup email for account recovery (separate from primary email) + +### For extra security +**YubiKeys**: Use hardware security keys instead of authenticator apps +- Provides stronger protection against phishing and SIM swapping +- Recommended: 3 keys (primary, backup, secure storage) +- Models: YubiKey 5C NFC, YubiKey 5C Nano + +**Cold backup accounts**: Separate email/phone for sensitive account recovery +- Backup / cold accounts are tied to sensitive accounts (AppleID, Telegram, Signal, WhatsApp, Password Manager etc). Such email addresses must never be shared with anyone and kept private to remain secure and not targeted. + +Example: random44@gmail is tied to your AppleID, and you are only logged in (the email) on a separate secure device. If your main device (laptop) gets compromised, you will be able to recover your account or revoke sessions, moreover your cold account won't be affected / compromised. It prevents people from targeting your accounts by not knowing your email linked to it. 
+- Use different providers from primary accounts (Gmail, Proton) +- Only access from secure devices +- Never used for regular communications + +## Device Security + +### Basic requirements +- Full disk encryption enabled (FileVault/BitLocker) +- Automatic updates enabled on all devices +- Screen lock after 5 minutes inactivity on computers, 30 seconds on mobile +- Strong passcodes (6+ digits or alphanumeric on mobile) +- Endpoint protection software on computers +- No admin rights for daily use accounts (create separate admin account) + +### For extra security +**Dedicated signing device**: Clean laptop/tablet used only for multisig operations +- Minimal software installation +- Regular security updates +- Clean restart before each use +- Offline storage when not in use +- Justification: Reduces attack surface for high-value operations + +## Communication Security + +### Basic requirements + +**Signal with verified safety number verification** for multisig communications: You MUST check the codes with the person you are interacting to « verify » them. +How? Click on any chat > Contact name > View Safety Number > Call on another communication channel to verify them > Click at the bottom "Mark as Verified". +If the account connects on a new device these codes will change & you will receive a security notification. 
+- Screen lock enabled on mobile devices +- 2FA enabled on backup platforms (Telegram/Discord/Slack) +- Privacy settings maximized on all platforms +- Session management - remove old/unknown devices regularly + +### Signal configuration +- Registration lock enabled +- Signal PIN configured +- Hide phone number (use username only) +- Safety number verification for all contacts +- Disappearing messages for sensitive chats + +### For extra security +**Enhanced verification**: Advanced safety procedures for critical communications +- Code words for identity verification +- Multiple verification channels for important requests +- Regular communication channel security audits + +## Travel considerations + +### What to bring +- Primary hardware wallet only (leave backups secure at home) +- Essential devices only (laptop + phone) +- Emergency contact information (offline copy) +- Own chargers and cables + +### What NOT to bring +- Seed phrases (never travel with these) +- Backup hardware wallets +- USB drives with sensitive data +- Non-essential devices + +### Basic travel security +- Use device locks at all times +- Avoid public WiFi (use mobile hotspot or VPN) +- Don't leave devices unattended in hotel rooms +- Use hotel safes for device storage when out +- Have offline backup of emergency contacts + +### For extra security +**Enhanced travel procedures**: Additional precautions for high-risk situations +- Disable biometric unlock at airports/borders (use PIN only) - prevents forced unlocking +- Decline hotel housekeeping services - reduces access to devices +- Advance notification to multisig team (72 hours for critical operations) +- Use separate carrier SIM card for travel communications +- Professional security assessment of travel destinations + +## Implementation priority + +### Start with basics +Focus on fundamental security practices first +- Password manager + 2FA on all accounts +- Device encryption and screen locks +- Signal setup with safety number 
verification +- Basic travel security practices + +### Add extra security +Implement additional measures based on your risk level and operational needs +- YubiKeys for critical accounts +- Dedicated signing devices for high-value operations +- Enhanced travel procedures for international travel +- Professional security assessments for critical roles + +Remember: Perfect security doesn't exist - focus on practical improvements that significantly reduce your risk while remaining operationally feasible. + +For the full OpSec article, see [Operational Security](/opsec/overview). + + + + \ No newline at end of file diff --git a/docs/pages/multisig-for-protocols/planning-and-classification.mdx b/docs/pages/multisig-for-protocols/planning-and-classification.mdx new file mode 100644 index 00000000..47afb994 --- /dev/null +++ b/docs/pages/multisig-for-protocols/planning-and-classification.mdx 
@@ -0,0 +1,157 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { + TagList, + AttributionList, + TagProvider, + TagFilter, + ContributeFooter, +} from "../../../components"; + + + + +# Planning & Classification + + + + +Before setting up a new multisig, take time to properly assess its role and requirements. This planning phase will guide all subsequent configuration decisions and help ensure appropriate security measures. + +## Before You Start + +### Define Purpose and Scope + +Document the multisig's intended use: + +- **Primary function** - What will this multisig do? +- **Asset types and amounts** - What will it control? +- **Operational frequency** - How often will it be used? +- **Decision timeline** - How quickly must it respond? +- **Integration points** - What systems will it interact with? + +### Assess Constraints and Recovery + +Consider limiting factors that affect risk: + +- **Smart contract constraints** - What technical limits reduce risk? +- **Governance recovery** - Can governance override or recover funds? +- **Operational limits** - Are there built-in spending or parameter limits? +- **Backup mechanisms** - What happens if this multisig fails? + +### Identify Stakeholders + +Determine who should be involved: + +- **Required expertise** - What knowledge is needed for decisions? +- **Geographic distribution** - Do you need global coverage? +- **External signers** - Should independent parties be involved? +- **Backup signers** - Who can step in if primary signers are unavailable? + +## Classification Process + +Use this dual classification system to determine appropriate security measures. These classifications are guidance to help you think through risk levels - they inform threshold selection, signer requirements, and operational procedures in later sections. 
+ +### Step 1: Impact Assessment + +What happens if this multisig is compromised or fails? + +#### Financial Exposure: + +- Direct funds controlled by the multisig +- Indirect exposure through protocol impacts +- Maximum potential loss in worst-case scenario + +#### Protocol Impact: + +- Can the protocol function without this multisig? +- How difficult would recovery be? +- Are there alternative execution paths? + +#### Reputational Risk: + +- How visible is this multisig to the community? +- What would compromise mean for the protocol's reputation? +- Are there regulatory or compliance considerations? + +#### Impact Classification + +| Level | Financial Exposure | Protocol Impact | Reputational Risk | +| ------------ | ---------------------- | ----------------------------------------------------- | ----------------------------- | +| **Low** | \<$100k direct exposure | Minimal disruption, alternative paths exist | Limited scope impact | +| **Medium** | $100k - $1M exposure | Significant operational delays, workarounds available | Moderate reputational concern | +| **High** | $1M - $10M exposure | Major protocol disruption, difficult recovery | Serious reputational damage | +| **Critical** | \>$10M exposure | Protocol-wide failure, catastrophic impact | Severe reputational damage | + +### Step 2: Operational Assessment + +How quickly and under what conditions must this multisig respond? + +#### Response Time Requirements: + +- How quickly must decisions be made? +- What are the consequences of delays? +- Are there market or competitive timing factors? + +#### Decision Context: + +- Are operations routine and predictable? +- Do market conditions affect timing? +- Is this primarily for emergency response? + +#### Coordination Complexity: + +- How many parties must coordinate? +- Are signers distributed globally? +- What communication is required? 
+ +#### Operational Classification + +| Type | Response Time | Decision Context | Verification Level | +| ------------------ | ------------- | -------------------------------------------- | -------------------------------- | +| **Routine** | 24-48 hours | Standard procedures, predictable operations | Full verification protocols | +| **Time-Sensitive** | 2-12 hours | Market conditions, protocol needs | Streamlined but thorough | +| **Emergency** | \<2 hours | Crisis response, preventing immediate damage | Minimal delays, risk-appropriate | + +### Step 3: Classification Matrix + +Combine your impact and operational assessments. Below are some example configurations. + +| Use Case | Impact | Operational | Standard Threshold | +| ------------------- | -------- | -------------- | ------------------ | +| Emergency Freeze | Critical | Emergency | 2/4 | +| Protocol Parameters | High | Routine | 4/7 (higher for upgrades, consider 7/9+) | +| Capital Allocation | High | Time-Sensitive | 3/5 | +| Treasury - Large | High | Routine | 4/7 | +| Treasury - Small | Medium | Routine | 3/5 | +| Constrained DeFi | Medium | Time-Sensitive | 2/3 | + +### Step 4: Document Your Decision + +Record your classification decision in the [Registration template](/multisig-for-protocols/registration-and-documentation#registration-template). + +## Important Notes + +⚠️ **When between classifications**: Always err toward higher security requirements. Classifications can be relaxed with proper justification, but security incidents cannot be undone. + +This classification will guide your threshold selection ([Thresholds & Configuration]), signer requirements, and operational procedures throughout the rest of the documentation. + +## Next Steps + +After completing classification, proceed to: + +1. [Setup & Configuration](/multisig-for-protocols/setup-and-configuration) - Deploy your multisig +2. 
[Registration & Documentation](/multisig-for-protocols/registration-and-documentation) - Document your setup + + + diff --git a/docs/pages/multisig-for-protocols/registration-and-documentation.mdx b/docs/pages/multisig-for-protocols/registration-and-documentation.mdx new file mode 100644 index 00000000..d947caee --- /dev/null +++ b/docs/pages/multisig-for-protocols/registration-and-documentation.mdx 
@@ -0,0 +1,171 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { + TagList, + AttributionList, + TagProvider, + TagFilter, + ContributeFooter, +} from "../../../components"; + + + + +# Registration & Documentation + + + + +Proper documentation is essential for multisig security and accountability. This page covers the registration process and required documentation. + +## Protocol Documentation + +Fill out the registration template and send as a PDF to protocol security team. They will create a dedicated section in protocol docs for your multisig with the registration information. + +## Registration Template + +``` +Multisig Name: [Name] +Address: [Checksummed address] +Network: [Ethereum/Solana/etc] +Threshold: [X of Y signers] +Classification: [Impact Level] / [Operational Type] +Purpose: [Brief description] + +Signers: +- [Handle/Entity]: [Address] - [Verification signature] +- [Handle/Entity]: [Address] - [Verification signature] + +Controlled contracts: [List contract addresses and purposes] +On-chain roles: [Describe roles like ownable, Access Control roles (PAUSER_ROLE)] + +Impact assessment: +- Financial exposure: $[amount] ([reasoning]) +- Protocol impact: [description] +- Classification: [Low/Medium/High/Critical] + +Operational classification: [Routine/Time-Sensitive/Emergency] + +Constraining factors: +- [Smart contract limits, governance controls, etc.] + +Attestation: This multisig [meets/deviates from] security standards. +[If deviation: Justification and compensating controls] + +Last updated: [Date] +Updated by: [Name/Handle] +``` + +## Signer Verification Process + +Each signer must provide a verification signature linking their identity to their address: + +1. **Sign message**: "[handle/entity] intends to join [multisig address] with signer [address]" +2. 
**Share signature** with multisig team +3. **Update registration** with verified information + +Detailed steps for collecting this information are provided in [Joining a Multisig](/multisig-for-protocols/joining-a-multisig). + +**Note**: Entity affiliations are acceptable - the goal is accountability, not doxxing. + +## Update Template + +Use this template when making changes to signer composition: + +``` +Multisig Signer Update + +Multisig Name: [Name] +Address: [Checksummed address] +Network: [Ethereum/Solana/etc] +Updated by: [Name/Handle] +Update Date: [Date] + +Threshold Changes: +Previous: [X of Y signers] +New: [X of Y signers] + +Signer Changes: +Additions: +- [Handle/Entity]: [Address] - [Verification signature] + +Removals: +- [Handle/Entity]: [Address] + +Current Signer Set: +- [Handle/Entity]: [Address] +- [Handle/Entity]: [Address] +- [Handle/Entity]: [Address] + +Transaction: [Link to executed transaction] +``` + +## Documentation Requirements + +### Initial Registration + +- Complete registration template with all required fields +- Verification signatures from all signers +- Classification assessment from [Planning & Classification](/multisig-for-protocols/planning-and-classification) +- Submit to protocol security team + +### Ongoing Maintenance + +- Update documentation when signers change +- Record rationale for any threshold changes +- Update classification if operational patterns change +- Maintain current contact information + +## Ongoing Management + +### Regular reviews + +Set periodic reminders to keep documentation current: + +- **Quarterly**: Review and update protocol documentation if needed +- **After major changes**: Update when operational patterns or financial exposure changes significantly +- **Protocol updates**: Reassess if significant protocol changes affect the multisig's role + +### Signer changes + +Follow these procedures for adding, removing, or replacing signers: + +#### Adding/Removing signers + +- Maintain or increase 
total signer count and threshold +- Document rationale for any changes that reduce signers or threshold +- Update all documentation immediately after change + +#### Replacing signers + +Follow steps in [Signer Rotation] + +### Documentation updates + +After any signer change: + +- Record change rationale and date +- Communicate changes to protocol security team +- Update communication channel memberships + +#### Update Template + +Use the template in [Registration & Documentation → Update Template](/multisig-for-protocols/registration-and-documentation#update-template). + +## Related Documents + +- [Planning & Classification](/multisig-for-protocols/planning-and-classification) - How to classify your multisig +- [Joining a Multisig](/multisig-for-protocols/joining-a-multisig) - Signer verification process + + + diff --git a/docs/pages/multisig-for-protocols/setup-and-configuration.mdx b/docs/pages/multisig-for-protocols/setup-and-configuration.mdx new file mode 100644 index 00000000..dee244b6 --- /dev/null +++ b/docs/pages/multisig-for-protocols/setup-and-configuration.mdx 
@@ -0,0 +1,104 @@ +--- +tags: + - Engineer/Developer + - Security Specialist + - Multisig Security +contributors: + - role: wrote + users: [isaac, geoffrey, louis, pablo, dickson] + - role: reviewed + users: [pinalikefruit, engn33r] +--- + +import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components' + + + + +# Setup & Configuration + + + + +This page covers the technical deployment and configuration of multisigs on supported networks. + +## Basic Setup + +### EVM Networks (Ethereum, Base, etc.) + +1. Go to https://app.safe.global +2. Connect wallet of the deploying signer +3. Create new Safe with your determined threshold and signer addresses +4. **Multi-network deployment**: If deploying on multiple networks, Safe UI will offer to replicate the configuration + +### Solana + +1. Go to https://squads.xyz/squads-multisig +2. Connect wallet of the deploying signer +3. Create new multisig with your determined threshold and signer addresses + +## Delegated Proposer + +It is recommended, but not required to authorize a separate transaction proposer for a Safe. This address can prepare transactions for signers to sign but is not an authorized signer on the Safe. Therefore **there is no risk of malicious signatures which can affect the Safe assets**. This wallet can hold no funds and simply act as a proposer. The primary reason to have a delegated proposer is that the hash verification utilities depend on the Safe API (unless details are entered manually). Until a transaction is **proposed** it does not show up in the API so the hash verification tools cannot detect it. 
+ +![Delegated proposer configuration interface](https://frameworks-static.s3.us-east-2.amazonaws.com/images/multisig-for-protocols/delegated-proposer-configuration-interface.png) + +## Modules & Guards + +### Allowance Module (Required for Treasury Multisigs) + +If your multisig will hold any assets on behalf of the DAO, set up governance rescue capability: + +**Mainnet configuration:** +- **Module**: Allowance Module +- **Grant allowance to**: DAO Agent +- **Amount**: Max value for each token held + +### Other Modules + +Do not install any other modules or guards without explicit governance approval and security review. + +## Initial Testing + +### Verify Basic Functionality + +1. **Small test transaction**: Send a low-value token transfer (e.g., 1 USDS or equivalent) +2. **All signers test**: Ensure each signer can successfully sign the test transaction +3. **Confirm execution**: Verify the transaction executes as expected +4. **Test communication**: Use your established channels to coordinate the test + +## Pre-Launch Checklist + +- [ ] Safe deployed with correct threshold +- [ ] All signer addresses added and [verified](/multisig-for-protocols/registration-and-documentation#signer-verification-process) +- [ ] Allowance module configured (if required) +- [ ] Test transaction completed successfully +- [ ] All signers confirmed they can sign +- [ ] [Communication channels](/multisig-for-protocols/communication-setup) tested during transaction +- [ ] Safe addresses documented for all networks + +### Practice on Testnet + +Before deploying on mainnet, thoroughly practice wallet creation, transaction signing, and owner management on a test network. + +Once setup is complete, proceed to [Registration & Documentation](/multisig-for-protocols/registration-and-documentation) for registration and documentation requirements. + +## Nested Safes + +A nested Safe is one in which a Safe is set as a signer on another Safe rather than an EOA. 
This can be useful on a case-by-case basis. For example, if a signer is an entity that might want to have multiple individual signers, the nested Safe could have a 1/X threshold allowing anyone authorized on the team to sign. However, this configuration allows the signers on the nested Safe to update the signer addresses without needing authorization from the main Safe. + +It is generally recommended **not** to use nested safe on protocol multisigs unless there is a specific use case that it enables. + +## Next Steps + +After completing setup: +1. [Registration & Documentation](/multisig-for-protocols/registration-and-documentation) - Document your multisig +2. [Communication Setup](/multisig-for-protocols/communication-setup) - Establish secure communication +3. [Hardware Wallet Setup](/multisig-for-protocols/hardware-wallet-setup) - Ensure all signers are properly configured + +## Active Monitoring + +Implement monitoring and alerting systems to be immediately notified of any on-chain activity related to the multisig, including proposed transactions, new signatures, and owner changes (e.g., using tools like [Safe Watcher](https://github.com/Gearbox-protocol/safe-watcher)). + + + \ No newline at end of file diff --git a/docs/pages/multisig-for-protocols/use-case-specific-requirements.mdx b/docs/pages/multisig-for-protocols/use-case-specific-requirements.mdx new file mode 100644 index 00000000..4e4049ff --- /dev/null +++ b/docs/pages/multisig-for-protocols/use-case-specific-requirements.mdx 
@@ -0,0 +1,84 @@
+---
+tags:
+ - Engineer/Developer
+ - Security Specialist
+ - Multisig Security
+contributors:
+ - role: wrote
+ users: [isaac, geoffrey, louis, pablo, dickson]
+ - role: reviewed
+ users: [pinalikefruit, engn33r]
+---
+
+import {
+ TagList,
+ AttributionList,
+ TagProvider,
+ TagFilter,
+ ContributeFooter,
+} from "../../../components";
+
+
+
+# Use Case Specific Requirements
+
+
+
+## Treasury Multisigs
+
+### Key requirements:
+
+- **Allowance module** required for all multisigs (see [Modules & Guards](/multisig-for-protocols/setup-and-configuration#modules--guards))
+
+## Emergency response Multisigs
+
+### Training & Drills:
+
+- Bi-annual paging system tests to verify alert functionality
+- Annual full emergency simulation with all signers
+
+### Additional requirements:
+
+- Geographic distribution encouraged for 24/7 coverage
+- 24/7 availability for threshold number of signers
+
+## Capital allocation Multisigs
+
+### Operational constraints:
+
+- Encourage on-chain constraints wherever possible (smart contract limits, parameter bounds)
+- Protocol expertise required for all signers
+
+## Smart contract control Multisigs
+
+### On-chain constraints:
+
+- [**Timelock contracts**](#timelock-configuration) for major changes (upgrades, significant parameter changes)
+- Parameter limits enforced by smart contracts where feasible
+
+### Threshold considerations:
+
+- Higher thresholds for contract upgrades (consider 7/9+)
+- Lower thresholds acceptable for highly constrained operations (rate setting with bounds and a backup recovery mechanism to replace the multisig)
+
+## Timelock Configuration
+
+For sensitive protocol operations like configuration changes or upgrades it is recommended to use a timelock contract (eg. [OpenZeppelin Timelock Controller](https://docs.openzeppelin.com/contracts/5.x/api/governance#TimelockController)) to stage transactions on-chain for final verification before execution.
It is not necessary to have a long delay. Some timelock contracts are even configured with 0 delay. The key is to have the full transaction payload fully on chain after signature with a final opportunity to review it and cancel it.
+
+### Configuration
+
+When using a timelock contract the timelock address will be set as the owner or role-holder for the protocol contract.
+The Safe will be the sole contract that has the Proposer role on the timelock contract.
+The Safe, or an address of a multisig signer, or other desired EOA can be set as the canceller or executor on the timelock contract.
+By default the timelock contract is set to be its own admin. This means that any changes to timelock contract roles also go through the timelock stage.
+
+### Simulation Consideration
+
+When using a timelock the simulation for the multisig transaction will not show the execution of the transaction but instead the addition of the pending transaction to the timelock. The pending transaction can be simulated manually as shown in [Simulation testing].
+
+![Timelock configuration diagram](https://frameworks-static.s3.us-east-2.amazonaws.com/images/multisig-for-protocols/timelock-configuration-diagram.png)
+
+
+
diff --git a/utils/fetched-tags.json b/utils/fetched-tags.json
index 29162632..8ce2223c 100644
--- a/utils/fetched-tags.json
+++ b/utils/fetched-tags.json
@@ -11,6 +11,7 @@
 "Human Resources",
 "Individual Security",
 "Legal & Compliance",
+ "Multisig Security",
 "Operations & Strategy",
 "Physical Security",
 "Protocol",
@@ -361,6 +362,10 @@
 "Devops",
 "SRE"
 ],
+ "/incident-management/playbooks/hacked-dprk": [
+ "Security Specialist",
+ "Operations & Strategy"
+ ],
 "/incident-management/playbooks/hacked-drainer": [
 "Security Specialist",
 "Operations & Strategy"
 ]
@@ -458,6 +463,76 @@
 "Engineer/Developer",
 "Security Specialist"
 ],
+ "/multisig-for-protocols/backup-signing-and-infrastructure": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/communication-setup": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/emergency-procedures": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/hardware-wallet-setup": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/implementation-checklist": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/incident-reporting": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/joining-a-multisig": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/offboarding": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/overview": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/personal-security-opsec": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/planning-and-classification": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/registration-and-documentation": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/setup-and-configuration": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
+ "/multisig-for-protocols/use-case-specific-requirements": [
+ "Engineer/Developer",
+ "Security Specialist",
+ "Multisig Security"
+ ],
 "/opsec/appendices/case-studies": [
 "Security Specialist",
 "Operations & Strategy",
diff --git a/vocs.config.ts b/vocs.config.ts
index 021b5d93..ae8e3716 100644
--- a/vocs.config.ts
+++ b/vocs.config.ts
@@ -109,6 +109,45 @@ const config = {
 { text: 'Tools & Resources', link: '/wallet-security/tools-&-resources' },
 ]
 },
+ {
+ text: 'Multisig for Protocols',
+ collapsed: false,
+ dev: true,
+ items: [
+ { text: 'Overview', link: '/multisig-for-protocols/overview', dev: true },
+
+ {
+ text: 'Multisig Administration',
+ collapsed: false,
+ dev: true,
+ items: [
+
+ { text: 'Planning & Classification', link: '/multisig-for-protocols/planning-and-classification', dev: true },
+ { text: 'Setup & Configuration', link: '/multisig-for-protocols/setup-and-configuration', dev: true },
+ { text: 'Registration & Documentation', link: '/multisig-for-protocols/registration-and-documentation', dev: true },
+ { text: 'Communication Setup', link: '/multisig-for-protocols/communication-setup', dev: true },
+ { text: 'Use-Case Specific Requirements', link: '/multisig-for-protocols/use-case-specific-requirements', dev: true },
+ ]
+ },
+ {
+ text: 'For Signers',
+ collapsed: false,
+ dev: true,
+ items: [
+
+ { text: 'Hardware Wallet Setup', link: '/multisig-for-protocols/hardware-wallet-setup', dev: true },
+ { text: 'Joining a Multisig', link: '/multisig-for-protocols/joining-a-multisig', dev: true },
+
+ { text: 'Emergency Procedures', link: '/multisig-for-protocols/emergency-procedures', dev: true },
+ { text: 'Backup Signing & Infrastructure', link: '/multisig-for-protocols/backup-signing-and-infrastructure', dev: true },
+ { text: 'Personal Security & OPSEC', link: '/multisig-for-protocols/personal-security-opsec', dev: true },
+ { text: 'Incident Reporting', link: '/multisig-for-protocols/incident-reporting', dev: true },
+ { text: 'Offboarding', link: '/multisig-for-protocols/offboarding', dev: true },
+ ]
+ },
+ { text: 'Implementation Checklist', link: '/multisig-for-protocols/implementation-checklist', dev: true },
+ ]
+ },
 {
 text: 'External Security Reviews',
 collapsed: false,
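Review bot: The new sidebar group leaves stray blank lines inside its `items` arrays (after the Overview entry and at the top of both nested `items` lists) and labels one page `Use-Case Specific Requirements` while the page added in this same commit is titled `# Use Case Specific Requirements`, so the navigation label and the heading will not match. I would drop the blank lines and align the label: `{ text: 'Use Case Specific Requirements', link: '/multisig-for-protocols/use-case-specific-requirements', dev: true },`. The `dev: true` flag is also set on every leaf as well as on each group; whether the sidebar filter honors the group flag alone is not visible from this hunk, so either the leaf flags are redundant and could go, or they are required and a one-line comment on the group entry (`// dev must be set per item; the group flag alone does not hide children`) would stop someone from removing them later. The enclosing `config` object starts and ends outside the hunk.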