SFC - Multisig Operations
The SEAL Framework Checklist (SFC) for Multisig Operations provides best practices for managing multisig wallets securely. It covers governance, risk management, signer security, operational procedures, and emergency operations.
For more details on certifications or self-assessments, refer to the Certification Guidelines.
Section 1: Governance & Inventory
Named Multisig Operations Owner
Is there a clearly named person or team accountable for multisig operations?
Baseline Requirements
- Accountability scope covers policy maintenance, signer onboarding/offboarding, documentation accuracy, periodic reviews, and incident escalation
Multisig Registry and Documentation
Do you maintain a complete, accurate, and accessible record of all your multisigs, their configurations, and their signers?
Baseline Requirements
- Registry includes address, network, threshold, classification, purpose, signer addresses, controlled contracts, on-chain roles, and last review date
- Updated within 24 hours for security-critical changes, 3 days for routine changes
- Accessible to signers and key personnel
Section 2: Risk Assessment & Management
Multisig Classification and Risk-Based Controls
Do you classify your multisigs by risk level and apply security controls proportional to each classification?
Baseline Requirements
- Classification considers impact factors (financial exposure, protocol criticality, reputational risk) and operational needs (response time, coordination complexity)
- Each classification maps to specific required controls (thresholds, quorum composition, review cadence)
- All multisigs must have at least 3 distinct signers with a signing threshold of 50% or greater; N-of-N configurations should be avoided
- Higher-risk classifications require stronger controls (more signers, higher thresholds)
- Classifications reviewed every 6 months and after significant changes (TVL shifts, new products, protocol upgrades, security incidents)
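The signer-count, threshold and review-cadence rules above, together with the Section 1 registry fields and the one-dedicated-signer-address-per-multisig rule from Section 3, can be linted mechanically. The following Python is an added example, not part of the SEAL checklist; the registry key names, the constructed sample entries and the 183-day approximation of "6 months" are assumptions.

```python
from datetime import date, timedelta

# Registry fields from the Section 1 item, as assumed key names.
REQUIRED = ("address", "network", "threshold", "classification", "purpose",
            "signers", "controlled_contracts", "onchain_roles", "last_review")
REVIEW_INTERVAL = timedelta(days=183)  # "every 6 months", approximated in days

def lint_entry(entry: dict, today: date) -> list[str]:
    """Return policy findings for one registry entry; an empty list means compliant."""
    findings = []
    missing = [f for f in REQUIRED if f not in entry]
    if missing:
        return [f"missing registry fields: {', '.join(missing)}"]
    distinct = {s.lower() for s in entry["signers"]}  # catch mixed-case duplicates
    n, k = len(distinct), entry["threshold"]
    if len(entry["signers"]) != n:
        findings.append("duplicate signer address listed")
    if n < 3:
        findings.append(f"only {n} distinct signers (minimum 3)")
    if not 1 <= k <= n:
        findings.append(f"threshold {k} is not satisfiable with {n} signers")
    elif 2 * k < n:
        findings.append(f"threshold {k}-of-{n} is below 50%")
    elif k == n:
        findings.append(f"{n}-of-{n} configuration should be avoided")
    if today - entry["last_review"] > REVIEW_INTERVAL:
        findings.append("classification review older than 6 months")
    return findings

def lint_registry(registry: list[dict], today: date) -> dict[str, list[str]]:
    """Lint every entry, then apply the cross-entry rule: one signer key per multisig."""
    report = {e["address"]: lint_entry(e, today) for e in registry}
    wallets_by_signer: dict[str, set] = {}
    for e in registry:
        for s in e.get("signers", []):
            wallets_by_signer.setdefault(s.lower(), set()).add(e["address"])
    for s, wallets in wallets_by_signer.items():
        if len(wallets) > 1:
            for w in wallets:
                report[w].append(f"signer {s} is used on {len(wallets)} multisigs")
    return report

TODAY = date(2025, 6, 1)  # constructed reference date
SAMPLE_REGISTRY = [  # constructed sample entries, not real deployments; 0xB0002 breaks several rules
    {"address": "0xA0001", "network": "mainnet", "threshold": 2, "classification": "Critical", "purpose": "treasury",
     "signers": ["0x1111", "0x2222", "0x3333"], "controlled_contracts": [], "onchain_roles": [], "last_review": date(2025, 3, 1)},
    {"address": "0xB0002", "network": "mainnet", "threshold": 3, "classification": "Routine", "purpose": "ops",
     "signers": ["0x1111", "0x4444", "0xabcd", "0xABCD"], "controlled_contracts": [], "onchain_roles": [], "last_review": date(2024, 10, 1)},
]
```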
Contract-Level Security Controls
Have you evaluated contract-level security controls that could limit the impact of a multisig compromise?
Baseline Requirements
- Evaluation covers timelocks, modules, guards, address whitelisting, invariant enforcement, and parameter bounds
- Controls evaluated for each multisig based on classification
- Security review required before enabling any module or guard
- Decisions documented, including rationale for controls not implemented
Exception Approval Process
Do you have a process for approving and tracking exceptions to multisig policies?
Baseline Requirements
- Exceptions require documented justification, expiry date, compensating controls, and remediation plan
- Critical-class exceptions require executive or security-lead approval
Wallet Segregation
Do you distribute assets across multiple wallets to limit the impact of a single compromise?
Baseline Requirements
- Segregation considers value, operational needs, and risk tolerance
- Examples include hot/cold separation and treasury distribution across multiple wallets
Section 3: Signer Security & Access Control
Signer Address Verification
Do you verify that each signer address on your multisigs belongs to the intended person?
Baseline Requirements
- Verification process includes message signing with the signer address, verification via an independent tool, and documented proof of verification
Signer Key Management Standards
Do you enforce signer key management standards?
Baseline Requirements
- Hardware wallets required for all multisig operations
- Each signer uses a fresh, dedicated address per multisig, used exclusively for that multisig's operations
Seed Phrase Backup and Protection
Do you securely back up and protect signer seed phrases and recovery materials?
Baseline Requirements
- Seed phrases never stored digitally, in cloud storage, or photographed
- Backups are geographically distributed (disaster resistant)
- No single point of compromise (theft resistant)
- Recoverable if one operator is unavailable (operator-loss resistant)
Signer Lifecycle Management
Do you have a defined process for adding, removing, and periodically verifying signers?
Baseline Requirements
- Offboarded signers removed within 48-72 hours (Emergency-class), 7 days (Critical-class), 14 days (others)
- Access reviews quarterly, confirming each signer still controls their key
Signer Training and Assessment
Are signers trained and assessed on security practices before they are authorized to sign?
Baseline Requirements
- Training covers transaction verification, emergency procedures, phishing and social engineering awareness
- Practical skills assessment included
- Annual refreshers; updates within 30 days of significant procedure changes
Hardware Wallet Standards
Do you define and enforce hardware wallet standards for multisig operations?
Baseline Requirements
- Wallet capability requirements include adequate display, clear signing support, PIN security, and firmware integrity verification
- Procurement through verified supply chains (direct from manufacturer or authorized resellers), with device authenticity verification
Secure Signing Environment
Do signers use a secure environment for signing operations?
Baseline Requirements
- Device security requirements documented and enforced
- Dedicated signing devices or network isolation for high-value operations
Signer Diversity
Are your signers distributed across roles, entities, and geographies to prevent a single event from compromising quorum?
Baseline Requirements
- Diversity requirements scale with multisig classification
Section 4: Operational Procedures
Transaction Handling Process
Do you have a defined, documented process for how transactions are proposed, verified, and executed?
Baseline Requirements
- Process covers initiation, approval, simulation, execution, and confirmation
- Defines who is authorized to initiate transactions
- Each signer independently verifies transaction details (chain ID, target address, calldata, value, nonce, operation type) before signing
- Transaction hashes compared across at least two independent interfaces (e.g., web UI and CLI, or web and mobile app)
- DELEGATECALL operations to untrusted addresses flagged as high risk
- High-risk transactions (large transfers, emergency actions, protocol changes) require waiting periods where feasible and elevated threshold approval
- High-risk thresholds defined based on classification and reviewed periodically
- Private transaction submission used when appropriate to prevent front-running or MEV extraction
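The per-signer verification step above (chain ID, target, calldata, value, nonce, operation type, DELEGATECALL flagging, and hash comparison across two interfaces) can be scripted so that each signer runs it independently of the proposing UI. This Python is an added example, not SEAL's or any wallet vendor's code; it assumes a Safe-style proposal object where operation 0 is CALL and 1 is DELEGATECALL, hard-codes the two ERC-20 selectors so it runs without a keccak library, and uses constructed addresses and hash values.

```python
SELECTORS = {"a9059cbb": "transfer(address,uint256)",   # well-known ERC-20 4-byte selectors
             "095ea7b3": "approve(address,uint256)"}
CALL, DELEGATECALL = 0, 1  # Safe-style operation codes (assumed convention)

def decode_erc20(data: str):
    """Return (function, recipient, amount) for transfer/approve calldata, else None."""
    raw = data.lower().removeprefix("0x")
    fn = SELECTORS.get(raw[:8])
    if fn is None or len(raw) != 8 + 2 * 64:
        return None
    recipient = "0x" + raw[32:72]   # address sits in the low 20 bytes of the first 32-byte word
    amount = int(raw[72:136], 16)   # uint256 in the second word
    return fn, recipient, amount

def verify_proposal(tx: dict, intent: dict, trusted: set, hashes: dict) -> list[str]:
    """Findings a signer must resolve before signing; an empty list means tx matches the intent."""
    issues = []
    if tx["chainId"] != intent["chainId"]:
        issues.append(f"chain id {tx['chainId']} != intended {intent['chainId']}")
    if tx["to"].lower() != intent["to"].lower():
        issues.append(f"target {tx['to']} != intended {intent['to']}")
    if tx["value"] != intent.get("value", 0):
        issues.append(f"native value {tx['value']} != intended {intent.get('value', 0)}")
    if tx["nonce"] != intent["nonce"]:
        issues.append(f"nonce {tx['nonce']} != expected {intent['nonce']}")
    if tx["operation"] == DELEGATECALL and tx["to"].lower() not in trusted:
        issues.append("HIGH RISK: DELEGATECALL to an address outside the trusted set")
    decoded = decode_erc20(tx["data"])
    if decoded is None:
        issues.append("calldata is not a known ERC-20 call; decode it manually before signing")
    elif decoded != (intent["function"], intent["recipient"].lower(), intent["amount"]):
        issues.append(f"decoded {decoded} does not match the intended call")
    if len(set(hashes.values())) != 1:   # hashes read from two independent interfaces
        issues.append(f"transaction hash differs across interfaces: {hashes}")
    return issues

# Constructed sample: a transfer of 10**18 token units, then a tampered copy of the same proposal.
TOKEN, RECIPIENT, ATTACKER = "0x" + "01" * 20, "0x" + "ab" * 20, "0x" + "cd" * 20
INTENT = {"chainId": 1, "to": TOKEN, "nonce": 42, "function": "transfer(address,uint256)",
          "recipient": RECIPIENT, "amount": 10**18}
GOOD_TX = {"chainId": 1, "to": TOKEN, "value": 0, "operation": CALL, "nonce": 42,
           "data": "0xa9059cbb" + "00" * 12 + "ab" * 20 + hex(10**18)[2:].zfill(64)}
BAD_TX = dict(GOOD_TX, to=ATTACKER, operation=DELEGATECALL,
              data="0xa9059cbb" + "00" * 12 + "cd" * 20 + hex(10**18)[2:].zfill(64))
SAME_HASH = {"web_ui": "0xfeed", "cli": "0xfeed"}   # constructed, not real safeTxHash values
```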
Transaction Audit Trails
Do you keep records of all transaction reviews, approvals, and executions?
Baseline Requirements
- Retained for 3 years
- Records include proposer, approvers, verification evidence, timestamps, and issues encountered
Tool and Platform Evaluation
Do you vet the tools and platforms used for multisig operations before adoption?
Baseline Requirements
- Evaluation considers whether tools are open source or audited by 2+ reputable firms, have no known critical unpatched vulnerabilities, and have established ecosystem adoption
- Formal process for adopting new tools
Backup Signing Infrastructure
Do you have backup infrastructure in case your primary signing tools are unavailable?
Baseline Requirements
- Alternate signing UI
- 2-3 backup RPC providers
- Alternate block explorer
Section 5: Communication & Coordination
Secure Communication Procedures
Do you have secure communication procedures for multisig operations, including standard identity verification?
Baseline Requirements
- Dedicated primary and backup channels on different platforms
- End-to-end encryption, MFA required, invitation-based membership
- Signer identity verified as standard procedure during signing operations (e.g., code words, video call, secondary authenticated channel)
- Documented procedures for channel compromise including switching to backup channels and out-of-band verification
- All signers trained on these procedures; compromise response tested annually
Emergency Contact List
Do you maintain a current emergency contact list for all multisig stakeholders?
Baseline Requirements
- Includes protocol security team, external security resources, legal/compliance contacts, and backup contacts for signers
- Personal emergency contacts for each signer (e.g., trusted family member, close colleague) for situations where the signer is unreachable through normal channels
- Reviewed every 6 months
Section 6: Emergency Operations
Emergency Playbooks
Do you have step-by-step emergency playbooks?
Baseline Requirements
- Scenarios covered include key compromise, lost access, communication channel compromise, and urgent protocol actions
- Each scenario has procedures and escalation paths
- Playbooks accessible through at least one backup method independent of the primary documentation platform
Signer Reachability and Escalation
Can you reach enough signers to meet quorum at any time, including outside business hours?
Baseline Requirements
- Response times by classification: Emergency under 2 hours, Time-Sensitive 2-12 hours, Routine 24-48 hours
- Paging covers all signers including external parties
- Tested quarterly
- Escalation paths documented
Multisig Monitoring and Alerts
Do you monitor all multisigs for unauthorized or suspicious activity?
Baseline Requirements
- Monitored events include signer/threshold changes, transfers exceeding thresholds, nonce gaps, interactions with unknown addresses, failed transactions, module/guard changes, and low submitter/proposer balances
- Alerting and escalation paths documented
- Monitoring infrastructure protected against tampering
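The monitored events listed above translate directly into detection rules. The following Python is an added example, not SEAL's monitoring tooling; it assumes a normalised event schema (event type names, nonce, target, value, success flag, proposer balance) produced by whatever indexer or webhook feed you use, and the policy thresholds and event stream are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    """Per-multisig alert thresholds; values are constructed and would be tuned per classification."""
    known_addresses: set
    transfer_limit: int         # largest routine transfer, in base units
    min_proposer_balance: int   # gas balance below which proposals may stall

CRITICAL, HIGH, MEDIUM = "critical", "high", "medium"

def monitor(events: list[dict], policy: Policy) -> list[tuple[str, str]]:
    """Apply the checklist's monitored-event rules to a normalised event stream (assumed schema)."""
    alerts, last_nonce = [], None
    for ev in events:
        kind = ev["type"]
        if kind in ("owner_added", "owner_removed", "threshold_changed"):
            alerts.append((CRITICAL, f"signer/threshold change: {ev}"))
        elif kind in ("module_enabled", "module_disabled", "guard_changed"):
            alerts.append((CRITICAL, f"module/guard change: {ev}"))
        elif kind == "execution":
            if last_nonce is not None and ev["nonce"] != last_nonce + 1:
                alerts.append((HIGH, f"nonce gap: expected {last_nonce + 1}, saw {ev['nonce']}"))
            last_nonce = ev["nonce"]
            if not ev["success"]:
                alerts.append((MEDIUM, f"failed transaction at nonce {ev['nonce']}"))
            if ev["to"].lower() not in policy.known_addresses:
                alerts.append((HIGH, f"interaction with unknown address {ev['to']}"))
            if ev.get("value", 0) > policy.transfer_limit:
                alerts.append((HIGH, f"transfer of {ev['value']} exceeds limit {policy.transfer_limit}"))
        elif kind == "proposer_balance" and ev["balance"] < policy.min_proposer_balance:
            alerts.append((MEDIUM, f"proposer {ev['account']} gas balance low: {ev['balance']}"))
    return alerts

# Constructed sample stream (not from a real multisig): routine activity followed by several anomalies.
KNOWN, UNKNOWN, PROPOSER = "0x" + "11" * 20, "0x" + "ee" * 20, "0x" + "99" * 20
SAMPLE_POLICY = Policy(known_addresses={KNOWN}, transfer_limit=10**18, min_proposer_balance=5 * 10**16)
SAMPLE_EVENTS = [
    {"type": "execution", "nonce": 7, "to": KNOWN, "value": 0, "success": True},
    {"type": "execution", "nonce": 8, "to": KNOWN, "value": 5 * 10**18, "success": True},
    {"type": "threshold_changed", "old": 3, "new": 1},
    {"type": "execution", "nonce": 10, "to": UNKNOWN, "value": 0, "success": False},
    {"type": "proposer_balance", "account": PROPOSER, "balance": 10**16},
]
```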
Emergency Drills and Improvement
Do you regularly rehearse your emergency procedures and track improvements?
Baseline Requirements
- Annual minimum
- After major procedure changes
- Documentation includes date, participants, response times, issues identified, and improvements made