Optimism Collective Multisig Security Policy v1
This policy establishes a framework for operating and dissolving Council managed multisignature wallets (multisigs) within the Collective. It establishes certain standards for Councils that secure and operate multisigs, with a view to improving oversight, security, and accountability.
This is a preliminary policy which applies to Council-managed multisigs.* This document is subject to iteration and updates (e.g., as the Collective prepares to scale up the number of Council-managed multisigs in Season 8 and beyond).
*Multisigs created before Season 7 do NOT need to be in compliance with this policy for Season 7, but MUST achieve compliance by Season 8.
Applicability
The Collective Multisig Security Policy (MSP) is intended to cover all multisig accounts used by governance-elected participants (e.g., Councils) during their work within the Optimism Collective—other than (i) the Security Council and (ii) low risk accounts. An account is considered low risk if any potential safety or liveness failure would only cause trivial damage (e.g., the multisig owner for a short-lived devnet). The Security Council maintains separate, internal and external operating procedures purpose-built for its specific structure.
Guidelines for specific parameters are dependent on the potential risk that a given account carries. When assessing potential risk, multisig participants should consider both current risk and any potential risk that may arise in the future.
Note: While this document establishes certain baselines, it is not a comprehensive list of all precautions that should be taken in all instances. Each individual signer is ultimately responsible for the security of their keys and the measures they take to achieve it (including, but not limited to, those listed here).
Risk Bands
Multisig accounts are separated into risk bands. Certain requirements apply only to accounts that fall within a given risk band. The risk band of each multisig should be defined in the given Council’s Charter at the start of Season 8.
- Medium Risk — Safety or liveness failure would result in moderate reputational damage or financial damage below $1m USD equivalent.
- High Risk — Safety or liveness failure would result in high reputational damage or financial damage between $1m and $10m USD equivalent.
- Critical Risk — Safety or liveness failure would result in severe reputational damage, financial damage above $10m USD equivalent, or any other mechanism that could ultimately result in a non-trivial risk to the future of Optimism as a whole.
Registration
- All Multisig accounts MUST be registered in the Multisig Registry on GitHub by the Optimism Foundation or a party designated by the Foundation after its setup.
- In the future, registration will be a prerequisite to authorization or funding by Optimism Governance.
Default Signing Thresholds
Multisigs should utilize these thresholds by default unless there is a clear and specific reason why an alternative threshold would be appropriate. Alternative thresholds can be requested as part of the registration process.
- Medium Risk: 3/5
- High Risk: 5/7
- Critical Risk: 7/9
Signer Training
- All Multisig signers MUST read and understand this document.
Rationale
Understanding this document is fundamental to maintaining the security of multisig accounts. It ensures that all signers are aware of their responsibilities, security protocols, and the potential risks involved in managing multisig accounts. This baseline knowledge is essential for maintaining consistent security practices across all account risk levels.
- High Risk signers and Critical Risk signers MUST participate in a 30 minute training session to walk through the details of this and supporting documents.
Rationale
Direct training sessions enable signers to fully comprehend their responsibilities and the potential consequences of their actions. These sessions also provide an opportunity for signers to ask questions and clarify any uncertainties about security procedures.
Communication
- All Multisig accounts MUST have a dedicated communication channel that allows those members to communicate in a timely and efficient manner. Membership of this channel must be restricted to members of the multisig and any other management staff assisting the multisig in its operations.
Rationale
A dedicated communication channel is essential for several reasons:
- Enables rapid coordination for time-sensitive transactions
- Creates clear accountability by having all multisig-related comms in one place
- Reduces the risk of social engineering attacks by limiting comms to verified members
By restricting channel access to only multisig members and authorized management staff, we maintain operational security while enabling efficient communication for necessary multisig activities.
Safe Modules and Guards
- All Multisig accounts MUST NOT install any Modules or Guards under any condition except with the express permission of the established approval process. Modules or Guards that your multisig needs should be authorized either through the governance proposal process or in the corresponding Council Charter. If the multisig does have any Modules or Guards, this should be specified in the relevant governance proposal authorizing/funding the multisig. Multisig members MUST NOT add any Modules or Guards unless pre-authorized as a part of that process.
Rationale
- Safe Modules and Guards can introduce additional complexity and potential security vulnerabilities to multisig accounts. A Module can execute transactions from the account without collecting owner signatures, and a Guard runs before every transaction and can block execution entirely, so either one can undermine the account’s safety or liveness. While these features can provide useful functionality, they must be carefully evaluated as they may compromise the security of the account. By requiring explicit permission from Optimism Governance and/or the Optimism Foundation, we enable any Module or Guard installations to be reviewed for security implications before being implemented.
- Additionally, some Modules and Guards may interact with the multisig in unexpected ways or introduce dependencies on external contracts that could pose risks to the account’s security or functionality. Optimism Governance can properly assess these risks and make informed decisions about which Modules and Guards are safe to use.
Anonymity
- All Multisig accounts for Optimism Governance have public membership by default: the list of member entities and individuals should be known. Optimism Governance multisigs do not, however, publish which signing key belongs to which member, or which specific individual signs on behalf of an elected organization.
Rationale
Optimism Governance multisig membership generally cannot be private as members are typically elected as part of a public process, but privacy should otherwise be maximized wherever possible.
Hardware Policy
- All Multisig signers MUST use hardware wallets.
Rationale
Hardware wallets provide significantly better security compared to software wallets by keeping private keys isolated in a secure chip. This makes it much more difficult for attackers to extract private keys, even if the computer used for signing is compromised. Hardware wallets also typically require physical confirmation of transactions, adding an important layer of protection against remote attacks.
- All Multisig signers MUST only use one of the following hardware wallets:
- Ledger Nano X
- Ledger Nano S Plus
- Trezor Model One
- Trezor Safe 3
- All Multisig signers MUST ensure the integrity of their hardware wallet before setting up.
- Buy hardware wallets only directly via the manufacturer, or via manufacturer-authorized resellers.
- Verify the tamper-resistant packaging provided by the seller is untouched.
- Upgrade wallet firmware before creating the account to be used in the multisig.
- All Multisig signers MUST have two hardware wallets initialised from the same seed phrase (so that both hold the same signing key) and protected by the same PIN. Signers must also have two additional devices kept in their original packaging to be used in the case that a key is compromised/lost and existing devices must be rotated.
- One primary device and one backup device.
- Signers must confirm that they are able to create valid signatures from both devices.
- Signers must destroy the seed phrase after confirming the above.
Rationale
Having two hardware wallets that hold the same key serves multiple purposes:
- The backup device provides redundancy in case the primary device fails or is damaged
- Using the same PIN reduces cognitive load and the risk of forgetting access credentials
- Destroying the seed phrase after confirming both devices work removes the possibility of seed phrase theft while maintaining the ability to recover from a single hardware failure. Once the seed is destroyed, the two devices are the only copies of the key; if both are lost or fail, the key cannot be recovered and must be rotated under the Key Loss or Compromise process.
This approach balances security and practical usability while maintaining a strong backup strategy.
- All Multisig signers MUST keep signing devices (primary and backup) inside tamper-evident containers and must regularly check these devices for any evidence of tampering.
Rationale
Keeping signing and backup devices in tamper-evident containers and performing regular checks helps detect any unauthorized physical access attempts. If someone attempts to physically access a device, there will be clear evidence of the tampering.
- High Risk signers and Critical Risk signers MUST NOT use the same hardware device or address for any other purpose than signing transactions for that particular account. Signers on more than one High Risk or Critical Risk account must have different sets of hardware wallets and addresses for each account.
Rationale
Using the same hardware wallet or address for multiple purposes increases the exposure of that key to potential compromise. By maintaining separate hardware wallets and addresses for each High Risk or Critical Risk account, we ensure that if one key is compromised, the damage is limited to a single account rather than potentially affecting multiple high-value accounts simultaneously.
Key Loss or Compromise
- All Multisig signers that suspect a key of being lost or compromised MUST immediately notify the Optimism Foundation and begin the process of rotating that key.
- A key rotation transaction should be promptly coordinated in its shared communication channel.
Rationale
Immediate reporting of key loss or compromise is crucial for maintaining the security of multisig accounts. Quick action allows the Optimism Foundation to assess the situation and coordinate an appropriate response before any potential security breach can be exploited.
Monitoring
- All Multisig accounts MUST be configured for basic monitoring by the Optimism Foundation.
Rationale
Basic monitoring by the Optimism Foundation enables suspicious or unexpected activity to be detected and addressed. This monitoring acts as an additional layer of security beyond individual signer vigilance and helps protect against both external threats and potential internal misuse. Early detection of unusual patterns or unauthorized attempts to interact with the multisig can prevent or minimize potential damage.
Physical Safety
- Critical Risk accounts MUST NOT have a majority threshold of signers in the same physical location at the same time, i.e. enough signers, with their keys, to meet the signing threshold. If signers must meet in person, ensure that the signing devices are not present at that location.
- Refer to Appendix A
Rationale
Having a majority of signers in the same physical location while also having access to their signing keys creates a single point of failure. An attacker who gains access to that location could potentially compromise multiple keys at once. Additionally, a physical disaster affecting that location could impact multiple signers simultaneously. By keeping keys physically separate from in-person meetings, we maintain the security benefits of having geographically distributed signers.
- Critical Risk signers MUST notify other members of intention to travel at least 72 hours before travel begins.
- Refer to Appendix A
Rationale
Advance notification of travel plans allows other signers to prepare for potential disruptions in availability and ensures that the multisig maintains sufficient active signers for any necessary transactions. This notice period also gives the team time to assess any security implications of the travel and implement additional precautions if needed.
- Critical Risk accounts without a liveness guard MUST NOT have a minority threshold of participants traveling in the same vehicle (car, plane, boat, etc.) at the same time, i.e. a group of signers whose simultaneous loss would leave the remaining signers unable to reach the threshold.
- Refer to Appendix A
Rationale
A vehicle accident affecting multiple signers could result in a catastrophic liveness failure for the multisig account. By ensuring that no more than a minority threshold of participants travel together, we maintain the ability to execute transactions even in worst-case scenarios.
- All Multisig signers SHOULD leave signing keys in a secure location when leaving their hotel, apartment, airbnb, etc. Signers should not bring signing keys to external locations like offices, coffee shops, or conference venues.
Key Rotations
- Critical Risk signing keys MUST be rotated every 2 years.
- Tracked via timestamp + CI job.
Rationale
Compromise likelihood increases as time goes on. Although the risk of compromise can largely be mitigated by careful key management, regular key rotation resets the risk timer and ultimately increases security.
Impact Adjustments
- All Multisig accounts SHOULD avoid changes to multisig scope whenever possible.
Rationale
Multisig scope informs the responsibilities of a multisig and defines the risk profile of the account. Quiet changes can result in scope creep that may allow a multisig’s risk profile to change without corresponding changes to the processes for that account.
- All Multisig accounts MUST have changes to multisig scope approved via a change to the relevant Council Charter or direct approval by Optimism Governance (e.g. a budget approval).
Rationale
Changes to the scope of a given account are sometimes unavoidable, but may require feedback and expertise to determine how to appropriately handle such a change.
- All Multisig accounts MUST be reviewed annually for unexpected scope changes.
- Tracked via timestamp + CI job.
Rationale
Even with an approval process, multisig scope changes may still occur in unintended ways. Regular checks for these scope changes can help catch these instances.
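The two “Tracked via timestamp + CI job” items (the annual scope review above, and the 2-year rotation of Critical Risk keys under Key Rotations), together with the Default Signing Thresholds table and the Modules/Guards rule, are the parts of this policy a registry check can enforce mechanically. The following is an added example and not the Collective’s Multisig Registry tooling: the registry schema, account names, addresses and dates are constructed for illustration, and the colocation limits are derived from the Physical Safety rules (fewer than threshold keys in one place; no more than owners minus threshold signers in one vehicle).

```python
# Hypothetical CI check for a multisig registry (added example, not the Collective's tooling).
# The registry schema, names, addresses and dates below are constructed for illustration.
import json
from datetime import datetime, timedelta, timezone

# Default signing thresholds (threshold, owners) per risk band, as stated in the policy.
DEFAULT_THRESHOLDS = {"medium": (3, 5), "high": (5, 7), "critical": (7, 9)}
ROTATION_PERIOD = timedelta(days=2 * 365)  # Critical Risk keys rotate every 2 years
REVIEW_PERIOD = timedelta(days=365)        # every account gets an annual scope review

# Constructed sample registry: one compliant account and one with several violations.
SAMPLE_REGISTRY = json.loads("""
[
  {"name": "example-ops", "risk": "medium",
   "address": "0x1111111111111111111111111111111111111111",
   "threshold": 3, "owners": 5, "modules": [], "guard": null,
   "last_scope_review": "2025-02-01", "last_key_rotation": "2024-01-15"},
  {"name": "example-critical", "risk": "critical",
   "address": "0x2222222222222222222222222222222222222222",
   "threshold": 5, "owners": 9,
   "modules": ["0x3333333333333333333333333333333333333333"], "guard": null,
   "last_scope_review": "2023-11-01", "last_key_rotation": "2023-01-01"}
]
""")
CHECK_DATE = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the example is deterministic


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def colocation_limits(threshold, owners):
    """Safety: fewer than `threshold` keys may share a location (else one site could sign alone).
    Liveness: at most owners - threshold signers may share a vehicle (losing one more breaks quorum)."""
    return {"max_keys_colocated": threshold - 1, "max_signers_per_vehicle": owners - threshold}


def check_account(acct, now=CHECK_DATE, approved_modules=frozenset(),
                  approved_guard=None, threshold_waiver=False):
    """Return a list of policy findings for one registry entry (empty means compliant)."""
    findings = []
    risk = acct["risk"]
    t, n = acct["threshold"], acct["owners"]
    dt, dn = DEFAULT_THRESHOLDS[risk]
    if (t, n) != (dt, dn) and not threshold_waiver:
        findings.append(f"threshold {t}/{n} differs from default {dt}/{dn} for {risk} risk "
                        "and no waiver is recorded")
    allowed = {m.lower() for m in approved_modules}
    for module in acct["modules"]:
        if module.lower() not in allowed:
            findings.append(f"module {module} is not authorized in the proposal or Charter")
    guard = acct["guard"]
    if guard and (approved_guard is None or guard.lower() != approved_guard.lower()):
        findings.append(f"guard {guard} is not authorized in the proposal or Charter")
    if now - _day(acct["last_scope_review"]) > REVIEW_PERIOD:
        findings.append("annual scope review overdue")
    if risk == "critical" and now - _day(acct["last_key_rotation"]) > ROTATION_PERIOD:
        findings.append("Critical Risk key rotation overdue (2-year limit)")
    return findings


def run_registry_check(registry, now=CHECK_DATE):
    """Map each account name to its findings; any non-empty list should fail the CI job."""
    return {acct["name"]: check_account(acct, now) for acct in registry}


if __name__ == "__main__":
    import sys
    results = run_registry_check(SAMPLE_REGISTRY)
    for name, findings in results.items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
    print("7/9 colocation limits:", colocation_limits(7, 9))
    sys.exit(1 if any(results.values()) else 0)  # non-zero exit fails the CI job
```

Authorized Modules, Guards and threshold waivers are passed in explicitly rather than read from the registry entry itself, so that the record of what Governance approved stays separate from what the account currently has installed.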
Multisig Account Upgrades
- All Multisig accounts MUST NOT be upgraded without explicit direction by Optimism Governance, or via updates to the elected body’s relevant governing document (e.g. Council Charter).
Rationale
Safe provides a mechanism to upgrade an account from one version to a different Safe implementation. An upgrade changes the contract code that controls the account’s assets, so it must be reviewed with the same care as a Module or Guard. Upgrades are not always straightforward and can potentially impact the functionality of the Safe if not executed carefully.
Proposer Feature
- All Multisig accounts MUST NOT use Safe’s “proposer” feature that permits accounts outside of the signing set to propose transactions for execution by the multisig.
Rationale
The “proposer” feature allows some specified third-party account that is not a member of the Safe to create transactions that appear on the UI. Any transaction on the UI can potentially create confusion for signers and we cannot enforce the same careful restrictions on private keys used by these external accounts in a scalable way.
Token Transfers
- All Multisig accounts SHOULD always utilize the `approve` mechanism for transferring tokens whenever possible.
Rationale
Using `approve` is safer than a direct `transfer`. With `approve`, the tokens stay in the multisig until the recipient pulls them with `transferFrom`, so a mistaken recipient address, or a recipient who has lost access to their account, can be handled by revoking the allowance (`approve` with an amount of 0) and re-approving the correct address. A direct `transfer` to the wrong address is irreversible.
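As an added example (not code from this page or from the Collective), the helper below encodes an `approve` call and its revocation, and decodes ERC-20 calldata so a signer can check that the function, recipient and amount shown on the hardware wallet screen match what the proposal authorized before signing. The selectors are the standard ERC-20 ones; the addresses and amounts in the usage are constructed.

```python
# ERC-20 calldata helper for signers (added example, not the Collective's tooling).
# Selectors are the standard ERC-20 ones; sample addresses and amounts are constructed.

# 4-byte selector -> (function name, ordered (argument name, ABI type) pairs)
SELECTORS = {
    "095ea7b3": ("approve", (("spender", "address"), ("amount", "uint256"))),
    "a9059cbb": ("transfer", (("to", "address"), ("amount", "uint256"))),
    "23b872dd": ("transferFrom", (("from", "address"), ("to", "address"), ("amount", "uint256"))),
}
WORD = 64  # one ABI word is 32 bytes, i.e. 64 hex characters


def _addr_word(addr):
    h = addr[2:] if addr.startswith("0x") else addr
    if len(h) != 40 or any(c not in "0123456789abcdefABCDEF" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.lower().rjust(WORD, "0")  # addresses are left-padded with zeros


def _uint_word(value):
    if not 0 <= value < 2 ** 256:
        raise ValueError("uint256 out of range")
    return format(value, f"0{WORD}x")


def encode_approve(spender, amount):
    """Calldata for approve(spender, amount): tokens stay in the Safe until spender calls transferFrom."""
    return "0x095ea7b3" + _addr_word(spender) + _uint_word(amount)


def encode_revoke(spender):
    """approve(spender, 0): the undo for a mistaken allowance. A plain transfer has no undo."""
    return encode_approve(spender, 0)


def decode_erc20_call(calldata):
    """Decode approve/transfer/transferFrom calldata into a dict, rejecting anything malformed."""
    data = calldata[2:] if calldata.startswith("0x") else calldata
    sel, body = data[:8].lower(), data[8:]
    if sel not in SELECTORS:
        raise ValueError(f"unknown selector 0x{sel}: do not sign what you cannot decode")
    name, params = SELECTORS[sel]
    if len(body) != WORD * len(params):
        raise ValueError("calldata length does not match the function signature")
    out = {"function": name}
    for i, (pname, ptype) in enumerate(params):
        word = body[WORD * i: WORD * (i + 1)]
        value = int(word, 16)  # also validates that the word is hex
        if ptype == "address":
            if word[:24] != "0" * 24:
                raise ValueError(f"{pname}: non-zero padding in address word (dirty high bytes)")
            out[pname] = "0x" + word[24:]
        else:
            out[pname] = value
    out["reversible"] = name == "approve"  # only an allowance can be revoked before funds move
    return out


if __name__ == "__main__":
    spender = "0x" + "ab" * 20  # constructed recipient address
    for cd in (encode_approve(spender, 10 ** 18), encode_revoke(spender)):
        print(cd)
        print(decode_erc20_call(cd))
```

Decoded addresses are returned lowercase; compare them to the proposal by value, not by checksum casing. The padding check matters because a hardware wallet shows only the low 20 bytes of the address word, so stray high bytes would otherwise go unnoticed.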
Appendix A: How to travel with signing keys
- Traveling with signing keys can be risky for a number of reasons. You must be careful that your travel does not place the safety or liveness of your multisig at risk. Keep this in mind whenever you intend to travel.
- Send a message to the chat for your multisig notifying the group that you will be traveling. Although unlikely, use this as an opportunity to make sure that you will not have a threshold of signers in transit with their keys in the same location at the same time (e.g., everyone happens to be on the same flight).
- Keep your backup keys and extra signing keys in their secure storage locations at home. Do not travel with these backup devices.
- If your multisig is Critical Risk and does not have a liveness guard, do not travel on the same plane, train, or automobile with a minority threshold of other signers of the same multisig at the same time. All Multisig accounts should try to avoid these situations no matter what.
- Once you arrive at your lodging, find a secure location to keep your signing key. Do not leave your lodging with your signing key on a daily basis. Do not bring your signing key to other locations like cafes, offices, or conference venues.
- If your multisig is Critical Risk and you are staying at a hotel, do not have your room cleaned.