Improved Multisig Process and Transparency

The Compound community recently voted (search Compound Tally, Formalizing the Multisig) to improve their multisig process and documentation, improving transparency and security for both the signers and the community. Many of these improvements could be applicable to Lido. In this post I will describe how. The changes are in operational process and documentation. The code for the multisig remains unchanged. Weak processes are now responsible for most of the losses in DeFi protocol incidents. The processes of Lido appear very strong, but also have room for improvement.

Proof of distinct humanity: while you list many of the signers for the various community multisigs (which is awesome, by the way), the lists don’t really prove that each signer is a distinct human. DeFiSafety has a process that ensures this and documents the results. It also allows signers to remain anonymous, as required, yet still proves each is a distinct human.

Regular testing: the need for multisig signers is immense when an incident is underway. This is the worst time to learn that some of your signers are inactive or no longer affiliated with Lido. Some wallets (such as Emergency Brake) are never used. Regular testing mitigates this. For the active committee multisigs, often a small group signs almost all transactions. Regular testing checks that all signers are actively listening and able to sign. Tests are run maybe once a quarter in a manner that minimizes impact on the signers but assures that they are ready when you need them. The test process can be different for different multisigs.

Signer documentation: the signers should have detailed documentation (Google Doc available upon request) on the effects of multisig transactions on the protocol. Exactly what each action does and its impact should be clearly described. The information on your multisig pages is good for the public, but the signers should have more detail. Also, the communication path for multisig signers to converse during an incident should be documented. Backup methods of communication or pager details need to be written down and available to all signers. A list of responsibilities for the signers also helps.

History document: a multisig history document (Google Doc available upon request) clearly indicates what each transaction did for the protocol such that the community understands what took place. Without it, understanding the actions of the multisig is quite technical and requires tracing through multiple sites before the information becomes clear. This document gives the community a clear understanding.

All of this can be accomplished by DeFiSafety with minimal support from the signers, the tech team and an admin. DeFiSafety can execute the work or if you prefer most (except for the proof of distinct humanity) can be accomplished by the community. Lido has many multisigs (50 by my count). We could do a couple, let the community see their value and go from there. DeFiSafety can perform the initial work and maintain the docs and testing. It is our way to contribute to improved transparency and security in DeFi.

Is this of interest to the Lido community?

Gm, this was recently a topic of conversation in Lido. A proposal was put forward and ratified by voters: Lido DAO Ops Multisigs Policy (2.0)


These are excellent policies. However, there are weaknesses in transparency and especially security.

I think your system with the committee forums as documentation and signer management is really good. This takes care of most of the documentation and history requirements that I listed above. I also like the fiscal discipline. Your multisigs have reasonable amounts, allowing them fiscal flexibility without being too much of a honeypot. Excellent. You are also managing a large system well.

One improvement I would suggest is starting to move some of your documentation off of forum posts. As systems get older (something I saw with Compound) forum posts become unwieldy. I have to read multiple posts and their comments to try to understand the system. Independent documents that are regularly updated, such as Compound does with their Google Docs, are clearer and easier to maintain.

Where you are weak is in proof of distinct humanity and transaction signing policies.

You have a system where each signer must prove a connection between a social media address and their smart contract address. This is good, and much better than virtually all other DeFi protocols (that I’ve seen anyway). However, it is not much of a proof of distinct humanity. It is quite simple to maintain multiple (and here we’re talking no more than four) social media accounts and allow a single signer control of the multisig. This does not count the personal connections between committee members, which may be a mitigating factor.

Proof of distinct humanity for multisigs is a bit of a unique challenge. Gitcoin Passports won’t cut it because they were never designed to protect against very small numbers of wallets from one person. DeFiSafety has a system with a simultaneous video call from all signers. It is relatively quick, simple and effective. It does require trust in an external entity (DeFiSafety), but given that, you have proof of distinct individuals at the point in time of the test. At least for important multisigs, this is an area of potential improvement.

DeFiSafety introduced transaction signing policies as a security improvement back in October 2023, with our updated 0.9 review process. We are still struggling to get enthusiasm around this process, even though in 2025 multisig weaknesses are undeniably the biggest security threat in DeFi.

DeFi has a fantastic system for smart contract code improvement. Whenever there is a hack, the code is ruthlessly analyzed and improvements in tools, coding processes and compilers are brought up and utilized by the community. This system has been extremely effective. Smart contract code is more complex than ever but actual hacks are smaller and less frequent.

We do not have a similar system for multisig security. There is no transparency and with it no process improvement. We are not getting better. The attackers recognize this and are focusing more of their energy on this weak link.

Transaction signing policies are simply a list of the steps taken to ensure the security of the multisig signers. The policies should be different depending on how important the multisig address is. You write down the security steps, in a general way for the public and in a specific way for the signers. You check to ensure the signers are following the policy (where it’s important). The steps can be things like independent signing computers, hardware wallets, specific approved software (browser, wallet, etc.). Once the process is written down, you have a basis for process improvement.

DeFiSafety wants to improve the security of DeFi in general and Lido in particular by focusing on the boring process aspects of documentation and quality processes. Nobody wants fat processes like banks have. But clearly multisig quality processes must improve to reduce the security incidents. DeFiSafety wants to help.