
SFC - Multisig Operations

The SEAL Framework Checklist (SFC) for Multisig Operations provides best practices for managing multisig wallets securely. It covers governance, risk management, signer security, operational procedures, and emergency operations.

For more details on certifications or self-assessments, refer to the Certification Guidelines.

Section 1: Governance & Inventory

Named Responsible Multisig Owner
Is there a clearly named person or team accountable for multisig operations? At minimum, accountability scope includes policy maintenance, signer onboarding/offboarding coordination, documentation currency, periodic review scheduling, and incident escalation.
Multisig Documentation Maintenance Process
Do you keep multisig documentation current after any operational or signer change, with a documented process? At minimum, documentation must be updated within 24 hours for security-critical changes and within 3 days for routine changes.
Current Multisig Registry Details
Do you maintain an up-to-date registry of all multisigs? At minimum, the registry must include address, network, threshold, classification, purpose, signer addresses, controlled contracts, on-chain roles, and last review date.
Authorized Signer Mapping Registry
Do you maintain an up-to-date list of authorized signers mapped to the correct multisigs? At minimum, the signer mapping must be reviewed quarterly with documented evidence of review.

Section 2: Risk Assessment & Management

Formal Multisig Classification System
Do you classify multisig wallets based on both impact factors (financial exposure, protocol criticality, reputational risk) and operational needs (response time requirements, coordination complexity), with a formal documented system?
Classification Criteria and Controls
Do you map each classification level to required controls (thresholds, quorum composition, review cadence, etc.), with documented criteria? At minimum, higher-risk classifications must require stronger controls (more signers, higher thresholds).
Review and Update Classifications
Do you periodically review and update classifications and associated controls when conditions change, with a documented process? At minimum, reviews must occur every 6 months, with triggered reviews when TVL changes significantly, new products launch, protocol upgrades occur, or security incidents happen.
Timelocks, Modules, and Guards Policies
Do you define when timelocks, modules, and guards are required based on multisig classification, and what security review is needed before enabling any module or guard, with documented policies?
Exception Approval Process for Multisig
Do you have an exception approval process for deviations from standard multisig policies, with documentation? At minimum, exceptions must include an expiry date, documented compensating controls, a remediation plan to return to compliance, and higher-level approval for Critical-class exceptions.
Wallet Segregation Policy
Do you segregate assets across multiple wallets based on value, operational needs, and risk tolerance (e.g., hot/cold separation, treasury distribution), with documented policies?
Contract-Level Access Controls Policy
Do you implement contract-level security controls that complement multisig governance (e.g., address whitelisting, invariant enforcement, parameter bounds), with documented policies?

Section 3: Signer Security & Access Control

Cryptographic Signer Identity Attestation
Do you perform cryptographic attestation of address ownership and signer affiliation, with a documented process? At minimum, the process must include message signing with the intended signer address, verification via an independent tool, and documented proof of verification.
Signer Key Management Standard
Do you enforce signer key management standards, with documentation? At minimum, hardware wallets are required for all multisig operations, and signers must use dedicated signing addresses exclusively for multisig operations.
Signer Seed Backups and Protection
Do you securely back up and protect signer seed phrases and recovery materials, with documented policies and procedures?
Seed Phrase Security Properties
Do you ensure seed phrases are disaster resistant (geographically distributed), theft resistant (no single point of compromise), and operator loss resistant (recoverable with absence of one operator), with documented requirements? At minimum, seed phrases must never be stored digitally, in cloud storage, or photographed.
Multisig Signer Lifecycle Management
Do you manage signer lifecycle for adding, replacing, and removing signers, including offboarding and periodic access reviews, with a documented process? At minimum, offboarded signers must be removed within 48-72 hours for Emergency-class multisigs, 7 days for Critical-class, and 14 days for others. Access reviews must occur quarterly.
Signer Training and Readiness Program
Do you train signers before they are authorized to participate, with a documented program? At minimum, training must cover transaction verification, emergency procedures, and security best practices, with annual refreshers and updates within 30 days of significant procedure changes. Training should include practical skills assessment.
Hardware Wallet Standards
Do you enforce hardware wallet capability standards for multisig signing (e.g., display requirements, clear signing support, PIN security features, PIN time-based lockouts, firmware integrity verification, and brute force protection mechanisms), with documented requirements?
Hardware Wallet Procurement and Authenticity
Do you procure hardware wallets through verified supply chains (direct from manufacturer or authorized resellers), including device authenticity verification procedures, with documented requirements?
Dedicated Signing Addresses
Do you require signers to use dedicated wallet addresses exclusively for multisig operations, with policies prohibiting use for other purposes?
Dedicated Signing Environment
Do you enforce signer device security standards (e.g., requirements for dedicated signing devices or network isolation for high-value operations), with documentation?
Signer Diversity Requirements
Do you ensure signer diversity across organizational roles, external parties, and geographic distribution appropriate to the multisig classification, with documented requirements?
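The registry requirements in Section 1 and the offboarding and review deadlines in Section 3 are easy to express as an automated compliance check. The following is an added example, not code from SEAL or the checklist: the field names, classification labels, the sample registry, the sample offboarding records and the fixed "now" timestamp are all constructed assumptions. It flags missing registry fields, an impossible threshold, a stale quarterly review, and an offboarded signer who is still authorized past the class-specific removal deadline.

```python
"""Added example: registry completeness and signer-lifecycle SLA checks.

Illustrative code, not part of the SEAL checklist. The field names,
classification labels, sample registry, sample offboarding records and the
fixed "now" timestamp are all constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Registry fields the checklist requires for every multisig (Section 1).
REQUIRED_FIELDS = ("address", "network", "threshold", "classification", "purpose",
                   "signers", "controlled_contracts", "onchain_roles", "last_review")

# Maximum time between offboarding and on-chain removal (Section 3). The
# Emergency class uses 72h, the outer bound of the checklist's 48-72h window.
REMOVAL_SLA = {"Emergency": timedelta(hours=72), "Critical": timedelta(days=7)}
DEFAULT_REMOVAL_SLA = timedelta(days=14)
REVIEW_INTERVAL = timedelta(days=91)  # "quarterly" signer-mapping review


@dataclass
class Offboarding:
    signer: str
    offboarded_at: datetime          # when the person lost their role
    removed_at: datetime | None      # when removed on-chain, None if still pending


def check_registry_entry(entry: dict, now: datetime) -> list[str]:
    """Return findings for one registry entry (empty list means compliant)."""
    findings = []
    for name in REQUIRED_FIELDS:
        if entry.get(name) in (None, ""):
            findings.append(f"missing field: {name}")
    signers, threshold = entry.get("signers"), entry.get("threshold")
    if signers is not None and threshold is not None and not 1 <= threshold <= len(signers):
        findings.append(f"threshold {threshold} invalid for {len(signers)} signers")
    if entry.get("last_review") and now - entry["last_review"] > REVIEW_INTERVAL:
        findings.append("signer mapping review overdue")
    return findings


def check_offboarding(entry: dict, ob: Offboarding, now: datetime) -> list[str]:
    """Flag an offboarded signer who is still authorized past the class SLA."""
    sla = REMOVAL_SLA.get(entry.get("classification"), DEFAULT_REMOVAL_SLA)
    deadline = ob.offboarded_at + sla
    if ob.signer in entry.get("signers", []):
        if now > deadline:
            return [f"{ob.signer} still authorized past removal deadline {deadline:%Y-%m-%d}"]
    elif ob.removed_at is not None and ob.removed_at > deadline:
        return [f"{ob.signer} removed late ({ob.removed_at:%Y-%m-%d} > {deadline:%Y-%m-%d})"]
    return []


def run_checks(registry: list[dict], offboardings: list[Offboarding], now: datetime) -> dict:
    """Map each multisig address to its list of findings."""
    report = {}
    for entry in registry:
        findings = check_registry_entry(entry, now)
        for ob in offboardings:
            findings += check_offboarding(entry, ob, now)
        report[entry["address"]] = findings
    return report


# --- constructed sample data (placeholder addresses, not real multisigs) ------
NOW = datetime(2025, 3, 1, 12, 0)
REGISTRY = [
    {"address": "0xTREASURY-PLACEHOLDER", "network": "mainnet", "threshold": 4,
     "classification": "Critical", "purpose": "protocol treasury",
     "signers": ["alice", "bob", "carol", "dave", "erin", "frank"],
     "controlled_contracts": ["0xVAULT-PLACEHOLDER"], "onchain_roles": ["DEFAULT_ADMIN_ROLE"],
     "last_review": datetime(2024, 11, 1)},          # more than 91 days ago: overdue
    {"address": "0xPAUSER-PLACEHOLDER", "network": "mainnet", "threshold": 2,
     "classification": "Emergency", "purpose": "pause guardian",
     "signers": ["alice", "grace", "heidi"],
     "controlled_contracts": ["0xVAULT-PLACEHOLDER"], "onchain_roles": [],
     "last_review": datetime(2025, 2, 10)},
    {"address": "0xGRANTS-PLACEHOLDER", "network": "arbitrum", "threshold": 3,
     "classification": "Routine", "purpose": "",    # purpose left blank
     "signers": ["bob", "carol"],                    # threshold exceeds signer count
     "controlled_contracts": [], "onchain_roles": [],
     "last_review": datetime(2025, 1, 20)},
]
OFFBOARDINGS = [
    Offboarding("frank", datetime(2025, 2, 20, 9, 0), None),   # Critical: 7-day SLA missed
    Offboarding("heidi", datetime(2025, 2, 28, 9, 0), None),   # Emergency: 72h not yet elapsed
]

if __name__ == "__main__":
    for address, findings in run_checks(REGISTRY, OFFBOARDINGS, NOW).items():
        print(address, findings or "OK")
```

Running the checks on a schedule (and after every signer change) produces the "documented evidence of review" the checklist asks for; the report itself can be stored as that evidence. The 91-day review interval and the 72h reading of the 48-72h window are choices made for this example, not values fixed by the checklist.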

Section 4: Operational Procedures

Documented Transaction Lifecycle Procedures
Do you follow defined processes for transaction initiation, approval, simulation, execution, and confirmation, including who is authorized to initiate, with documentation? At minimum, transaction simulation is required for all transactions.
Signing and Verification Procedures
Do you follow signing and verification procedures before any signatures are applied, with documentation? At minimum, verification must include chain ID, target address, calldata (decoded), value, nonce, and operation type. DELEGATECALL operations to untrusted addresses must be flagged as high risk.
Independent Transaction Verification Requirement
Do you require each signer to independently verify transaction details through a separate interface or data source before signing, rather than relying solely on the initiator's representation?
Audit Trails and Retention
Do you maintain audit trails and retention for transaction reviews, approvals, execution, and post-execution confirmation? At minimum, audit trails must be retained for 3 years and include proposer, approvers, verification evidence, timestamps, and any issues encountered.
Policy for High-Risk Transactions
Do you apply enhanced controls for high-risk transactions (emergency actions, large transfers, protocol configuration changes), with a documented policy? At minimum, high-risk transactions must require mandatory simulation, a waiting period where operationally feasible, and elevated threshold approval. High-risk transaction thresholds must be defined based on multisig classification and reviewed periodically.
Multisig Standards and Evaluation
Do you evaluate and standardize multisig technology and tools, with a formal documented process for adopting new ones? At minimum, evaluation must consider whether tools are open source or have been audited by at least 2 reputable firms, have no known critical unpatched vulnerabilities, and have established ecosystem adoption.
Backup Infrastructure for Multisig
Do you have backup infrastructure for multisig operations, with documentation? At minimum, backup infrastructure must include an alternate signing UI, backup RPC providers (2-3 different services), and an alternate block explorer.
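The verification items above (chain ID, target, decoded calldata, value, nonce, operation type, DELEGATECALL flagging, high-risk thresholds) can be turned into a check each signer runs against a proposal fetched from a source other than the initiator. The code below is an added example, not code from SEAL or any signing tool: the proposal and intent record shapes, the sample addresses, the next-nonce value and the high-value limit are constructed assumptions; the operation codes follow Safe's convention (0 = CALL, 1 = DELEGATECALL) and the two ERC-20 selectors are the standard ones.

```python
"""Added example: independent pre-signing verification of a multisig proposal.

Illustrative code, not part of the SEAL checklist or any signing tool. The
proposal/intent record shapes, the selector table, the sample addresses and
the high-value limit are constructed assumptions. Operation codes follow
Safe's convention (0 = CALL, 1 = DELEGATECALL).
"""
CALL, DELEGATECALL = 0, 1

# 4-byte selectors (first four bytes of keccak256 of the signature) for the
# two ERC-20 functions this example knows how to decode.
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
}


def decode_calldata(data: str) -> tuple:
    """Decode selector + static ABI words; raise on anything malformed."""
    h = data.lower().removeprefix("0x")
    selector, body = h[:8], h[8:]
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    name, types = SELECTORS[selector]
    words = [body[i:i + 64] for i in range(0, len(body), 64)]
    if len(words) != len(types) or any(len(w) != 64 for w in words):
        raise ValueError("calldata length does not match the function signature")
    args = []
    for typ, word in zip(types, words):
        if typ == "address":
            if word[:24] != "0" * 24:          # upper 12 bytes of an address word must be zero
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[24:])
        else:
            args.append(int(word, 16))
    return name, args


def _norm(values):
    return [v.lower() if isinstance(v, str) else v for v in values]


def verify_proposal(proposal: dict, intent: dict, chain_nonce: int,
                    trusted_delegate_targets: set, high_value_limit: int) -> list:
    """Compare a proposal fetched from an independent source with the intent
    the signer agreed to. Returns (severity, message) findings; an empty
    list means the signer may proceed to sign."""
    findings = []
    if proposal["chain_id"] != intent["chain_id"]:
        findings.append(("BLOCK", f"chain id {proposal['chain_id']} != {intent['chain_id']}"))
    if proposal["to"].lower() != intent["to"].lower():
        findings.append(("BLOCK", "target address differs from intent"))
    if proposal["value"] != intent["value"]:
        findings.append(("BLOCK", f"value {proposal['value']} != {intent['value']}"))
    if proposal["nonce"] != chain_nonce:
        findings.append(("BLOCK", f"nonce {proposal['nonce']} != next on-chain nonce {chain_nonce}"))
    try:
        name, args = decode_calldata(proposal["data"])
    except ValueError as exc:
        findings.append(("BLOCK", f"calldata not decodable: {exc}"))
        return findings
    if name != intent["function"]:
        findings.append(("BLOCK", f"decoded function {name} != {intent['function']}"))
    elif _norm(args) != _norm(intent["args"]):
        findings.append(("BLOCK", "decoded arguments differ from intent"))
    op = proposal["operation"]
    if op == DELEGATECALL:
        if proposal["to"].lower() not in {t.lower() for t in trusted_delegate_targets}:
            findings.append(("HIGH_RISK", f"DELEGATECALL to untrusted address {proposal['to']}"))
    elif op != CALL:
        findings.append(("BLOCK", f"unknown operation type {op}"))
    if name == "transfer" and args[1] > high_value_limit:
        findings.append(("HIGH_RISK", "amount exceeds high-value limit: simulation, "
                                      "waiting period and elevated threshold required"))
    return findings


# --- constructed sample (placeholder addresses) -------------------------------
TOKEN = "0x" + "11" * 20
RECIPIENT = "0x" + "22" * 20
OTHER = "0x" + "33" * 20
AMOUNT = 1_000 * 10**6        # 1,000 units of a 6-decimal token


def encode_transfer(to: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256), used only to build the sample."""
    return "0xa9059cbb" + to.lower().removeprefix("0x").rjust(64, "0") + format(amount, "064x")


INTENT = {"chain_id": 1, "to": TOKEN, "function": "transfer",
          "args": [RECIPIENT, AMOUNT], "value": 0}
CHAIN_NONCE = 42              # next nonce, read from the chain independently
PROPOSAL_OK = {"chain_id": 1, "to": TOKEN, "value": 0, "nonce": CHAIN_NONCE,
               "operation": CALL, "data": encode_transfer(RECIPIENT, AMOUNT)}
PROPOSAL_SWAPPED = dict(PROPOSAL_OK, data=encode_transfer(OTHER, AMOUNT))
PROPOSAL_DELEGATE = dict(PROPOSAL_OK, operation=DELEGATECALL)

if __name__ == "__main__":
    for label, p in [("ok", PROPOSAL_OK), ("swapped", PROPOSAL_SWAPPED), ("delegate", PROPOSAL_DELEGATE)]:
        print(label, verify_proposal(p, INTENT, CHAIN_NONCE, set(), 10_000 * 10**6) or "OK")
```

The point of the design is that `intent` comes from the approved ticket and `proposal` plus `chain_nonce` come from a second interface or RPC, so a compromised initiator UI cannot satisfy the check by itself. Anything decoded from an unknown selector is treated as a blocker rather than silently displayed as raw bytes, and the padding check catches address words with stray upper bytes that a lenient decoder would truncate.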

Section 5: Communication & Coordination

Multisig Primary and Backup Communications
Do you maintain dedicated primary and backup communication channels for multisig operations, with documented membership controls and onboarding/offboarding procedures? At minimum, channels must use end-to-end encryption, require MFA for access, and use invitation-based membership. Primary and backup channels must be on different platforms.
Signer Identity Verification Procedures
Do you verify the identity of signers during sensitive communications, with documented procedures? At minimum, acceptable methods include pre-established code words, video call confirmation, or verification via a secondary authenticated channel.
Documented Escalation and On-Call Policies
Do you have escalation policies that define response-time expectations, on-call coverage, and procedures for urgent coordination, with documentation? At minimum, response times must align with operational classification: Emergency less than 2 hours, Time-Sensitive 2-12 hours, Routine 24-48 hours.
Channel Compromise Response and Verification
Do you have procedures for responding to suspected communication channel compromise, including switching to backup channels and out-of-band verification? At minimum, all signers must know how to invoke these procedures, and procedures must be tested annually.
Emergency Contacts for Multisig
Do you maintain and distribute an up-to-date emergency contact list for multisig operations? At minimum, the list must be reviewed every 6 months with documented confirmation that contacts remain valid, and must include protocol security team, external security resources, legal/compliance contacts, and backup contacts for reaching signers in emergencies.

Section 6: Emergency Operations

Emergency Playbooks for Compromise
Do you have written emergency playbooks covering key compromise, lost access, communication channel compromise, and urgent protocol actions? At minimum, each scenario must have step-by-step procedures and escalation paths.
24/7 Paging for Emergency Multisigs
Do you have 24/7 paging capability for critical/emergency-class multisigs to reach the required threshold and document escalation paths? At minimum, paging capability must be tested quarterly to verify signers can be reached within expected response times.
Multisig Monitoring and Alerts
Do you have monitoring infrastructure and procedures to detect unauthorized, anomalous, or suspicious activity across all multisigs, with documented alerting and escalation paths? At minimum, monitoring must detect signer/threshold changes, transfers exceeding defined thresholds, nonce gaps, interactions with previously unknown addresses, failed transactions, and module/guard changes. Monitoring infrastructure must be protected against tampering.
Rehearsals for Emergency Playbooks
Do you conduct periodic rehearsals and drills of emergency playbooks to test response procedures, communication channels, and signer coordination, with a documented schedule? At minimum, drills must occur annually, or bi-annually for Emergency-class multisigs, and after major procedure changes. Documentation must include drill date, participants, response times achieved, issues identified, and improvements made.
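The monitoring item above lists the signals a multisig monitor must raise: signer/threshold changes, transfers over a defined limit, nonce gaps, interactions with unknown addresses, failed transactions, and module/guard changes. The following is an added example of such a rule set run over a constructed event stream; it is not code from SEAL or from any monitoring product. Event names are modelled on Safe's contract events (AddedOwner, RemovedOwner, ChangedThreshold, EnabledModule, DisabledModule, ChangedGuard, ExecutionSuccess, ExecutionFailure), while the event record shape, the addresses, the value limit and the sequence of events are assumptions made for the sample.

```python
"""Added example: rule-based monitor over a multisig's on-chain events.

Illustrative code, not part of the SEAL checklist or any monitoring product.
Event names are modelled on Safe's contract events; the event record shape,
addresses, limits and the event sequence below are constructed assumptions.
"""
CONFIG_CHANGE_EVENTS = {"AddedOwner", "RemovedOwner", "ChangedThreshold",
                        "EnabledModule", "DisabledModule", "ChangedGuard"}
EXECUTION_EVENTS = {"ExecutionSuccess", "ExecutionFailure"}


class SafeMonitor:
    """Stateful evaluator: feed events in block order, collect alerts."""

    def __init__(self, safe: str, known_addresses, value_limit: int):
        self.safe = safe.lower()
        self.known = {a.lower() for a in known_addresses}   # allow-list from the registry
        self.value_limit = value_limit                       # per-classification limit
        self.last_nonce = None
        self.alerts = []

    def _alert(self, severity: str, message: str, event: dict):
        self.alerts.append((severity, message, event["block"]))

    def observe(self, ev: dict):
        kind = ev["event"]
        if kind in CONFIG_CHANGE_EVENTS:
            # Signer, threshold, module and guard changes are always alert-worthy.
            self._alert("CRITICAL", f"{kind} {ev.get('args', {})}", ev)
        elif kind in EXECUTION_EVENTS:
            nonce = ev["nonce"]
            if self.last_nonce is not None and nonce != self.last_nonce + 1:
                # A skipped nonce means an execution this monitor never saw.
                self._alert("HIGH", f"nonce gap: expected {self.last_nonce + 1}, saw {nonce}", ev)
            self.last_nonce = nonce if self.last_nonce is None else max(self.last_nonce, nonce)
            if kind == "ExecutionFailure":
                self._alert("MEDIUM", "transaction execution failed", ev)
            to = ev["to"].lower()
            if to not in self.known:
                self._alert("HIGH", f"interaction with previously unknown address {to}", ev)
            if ev["value"] > self.value_limit:
                self._alert("HIGH", f"value {ev['value']} exceeds limit {self.value_limit}", ev)

    def run(self, events) -> list:
        for ev in sorted(events, key=lambda e: e["block"]):
            self.observe(ev)
        return self.alerts


# --- constructed sample (placeholder addresses) -------------------------------
SAFE = "0x" + "aa" * 20
VAULT = "0x" + "bb" * 20
UNKNOWN = "0x" + "cc" * 20
NEW_OWNER = "0x" + "dd" * 20
MODULE = "0x" + "ee" * 20
ETH = 10**18

SAMPLE_EVENTS = [
    {"block": 100, "event": "ExecutionSuccess", "nonce": 41, "to": VAULT, "value": 0},
    {"block": 101, "event": "ExecutionSuccess", "nonce": 42, "to": VAULT, "value": 0},
    {"block": 102, "event": "AddedOwner", "args": {"owner": NEW_OWNER}},
    # nonce 43 never observed, counterparty not in the registry, value over limit
    {"block": 103, "event": "ExecutionSuccess", "nonce": 44, "to": UNKNOWN, "value": 5 * ETH},
    {"block": 104, "event": "ExecutionFailure", "nonce": 45, "to": VAULT, "value": 0},
    {"block": 105, "event": "EnabledModule", "args": {"module": MODULE}},
]


def monitor_sample() -> list:
    """Run the monitor over the constructed events and return its alerts."""
    return SafeMonitor(SAFE, known_addresses=[VAULT], value_limit=1 * ETH).run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for severity, message, block in monitor_sample():
        print(f"block {block} [{severity}] {message}")
```

Two design notes. The nonce rule only works if the monitor's own event feed is complete, which is why the checklist asks that monitoring infrastructure be protected against tampering; running the same rules from a second RPC provider and comparing alert streams is one way to notice a silenced feed. The value rule here looks only at native value; token transfers would need the decoded calldata (or the token's Transfer events) fed through the same limit.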