Motivation
Operating within a DAO requires striking a balance between flexibility and security. Lido DAO relies heavily on Safe multisig wallets, leveraging them across different operations to enable safe, transparent, and efficient transaction execution.
This proposal builds on the foundational principles set in the Lido DAO Ops Multisigs Policy while adapting to evolving operational needs. The goal is to optimize multisig governance for scalability, enhance security measures, and ensure a clear framework that aligns with the fast-moving nature of Web3 governance.
Additionally, each such multisig or committee should be ready for adoption by a BORG (e.g., Lido Alliance, Lido Ecosystem, Lido Labs) if there is alignment on objectives and if the transition introduces synergistic benefits. In such cases, adherence to BORG bylaws and the signing of necessary agreements will be required to ensure smooth integration and governance continuity.
General Rules
To keep operations secure yet agile, all Lido DAO ops multisigs are recommended to follow these baseline requirements (please see Special Cases for exceptions or additional rules):
- Minimum of 3 signers.
- 50% signing threshold.
- 7+ signers for multisigs holding 1M+ in assets (USD stable coins equivalent).
- Minimum 3/5 signer setup for multisigs managing roles and permissions.
- Signers should use hardware wallets in multisigs managing roles and permissions or holding 100K+ in assets (USD stable coins equivalent).
- For token holdings exceeding a 50K balance (USD stable coins equivalent) at least once, an unlimited allowance must be set with the Lido Aragon agent as the beneficiary.
- Adherence to the BORG’s bylaws and multisig participation agreement if the multisig is part of a BORG (for example, Lido Labs BORG).
- Signers of multisigs having critical security roles in Lido protocol operations (like GateSeal and Emergency Brakes) are discouraged from using their addresses for other purposes. They should create a brand new wallet for that purpose instead.
- In the event of loss of access to the keys or their potential compromise, the signer is required to promptly notify the other multisig participants, the community, and BORG (if applicable) by posting a message on the forum and communicating through the relevant channels.
Committee Structure and Responsibilities
- Lido DAO multisigs are structured across various committees, each executing specific operational tasks.
- These committees operate transparently under DAO governance, ensuring accountability and alignment with Lido’s mission.
Public Process
Lido DAO contributors, LDO token holders and the wider community must have visibility into multisig operations. To uphold transparency:
- Each multisig should have a research.lido.fi forum post detailing its purpose, general operating rules, multisig wallet address and the list of signer addresses.
- Multisig addresses should be documented in the Lido DAO Multisigs section.
- Prospective signers should verify their addresses by posting proof in the forum and social media.
- Any changes to signer composition should be disclosed in the forum post with updated verification.
- Unless explicitly defined as static, signers can be rotated, but a public audit trail should be maintained.
- Any signer change should NOT:
  - Reduce the number of signers below the DAO-vetted one (if applicable).
  - Decrease the signing threshold. If such changes are necessary, a DAO Snapshot vote is required.
Multisig Signer Rotation
- Signers may rotate without a Snapshot vote if a simple majority of the original signers (e.g., 3/5, 5/8) remains.
- The original signer list is stored in IPFS (please see Original Signers List section for links), ensuring verifiable historical records.
- Updating an address to preserve the integrity of the multisig is not considered a signer rotation if the owner of the address remains the same. This type of update must be announced and documented in accordance with this policy. Multisigs with critical security roles are to establish their own reasonable process for ensuring such integrity (for example, GateSeal drill report).
- Before a rotation, a committee must confirm that a minimum number of original signers remain. If this condition is not met, a new multisig structure must be proposed via a Snapshot vote.
Rotating Multisig Members
- The committee announces a rotation at research.lido.fi and the new signer must publicly verify their address.
- A 7-day objection period follows. If no objections at research.lido.fi arise, the rotation is finalized by the current signers.
Updating Signer Addresses
- If the original key is accessible:
  - The signer proves ownership of a new address by signing a message with their existing address.
- If the original key is lost:
  - The signer must verify their identity to the other signers through alternative methods such as:
    - Authentication via a verified social media account.
    - A video call with other signers for confirmation.
    - Other sufficient methods.
Special Cases
- Multisigs managed by Lido-on-X (non-Ethereum Lido protocols) are exempt unless otherwise stated.
- Lido DAO contributors may set up ad-hoc multisigs for specific operations. If these multisigs do not manage rights, roles, or DAO funds, they are not required to follow this policy. These wallets may be used for gas refunding for dev and ops teams, for instance.
Voting Details
- Proposal: Adopt Lido DAO multisigs policy
- Voting Platform: Snapshot.org
- Voting options:
  - For - Adopt proposed multisig operational policy for committees and BORGs.
  - Against - no changes.
Original Signers List (incomplete, will be finalized before going to Snapshot vote)
Emeregnecy-brakes&Gate-Seal.md
UPDATE
Added hw wallets requirement, requirement for critical security multisigs to have a procedure ensuring their integrity (drills, rotation, etc.), reminder to all signers to raise an issue ASAP if the keys are lost or compromised, other small tweaks to the text.