Operating within a DAO requires striking a balance between flexibility and security. Lido DAO relies heavily on Safe multisig wallets, leveraging them across different operations to enable safe, transparent, and efficient transaction execution.
This proposal builds on the foundational principles set in the Lido DAO Ops Multisigs Policy while adapting to evolving operational needs. The goal is to optimize multisig governance for scalability, enhance security measures, and ensure a clear framework that aligns with the fast-moving nature of Web3 governance.
Additionally, each such multisig or committee should be ready for adoption by a BORG (e.g. Lido Alliance, Lido Ecosystem, Lido Labs) if there is alignment on objectives and if the transition introduces synergistic benefits. In such cases, adherence to BORG bylaws and the signing of the necessary agreements will be required to ensure smooth integration and governance continuity.
General Rules
To keep operations secure yet agile, all Lido DAO ops multisigs are recommended to follow these baseline requirements (please see Special Cases for exceptions or additional rules):
Minimum of 3 signers.
50% signing threshold.
7+ signers for multisigs holding 1M+ in assets (USD stable coins equivalent).
Minimum 3/5 signer setup for multisigs managing roles and permissions.
Signers should use hardware wallets in multisigs managing roles and permissions or holding 100K+ in assets (USD stable coins equivalent).
For token holdings exceeding a 50K balance (USD stable coins equivalent) at least once, an unlimited allowance must be set with the Lido Aragon agent as the beneficiary.
Adherence to the BORG’s bylaws and multisig participation agreement if the multisig is part of one (for example, Lido Labs BORG).
Signers of multisigs having critical security roles in Lido protocol operations (like GateSeal and Emergency Brakes) are discouraged from using their addresses for other purposes. They should create a brand new wallet for that purpose instead.
In the event of loss of access to the keys or their potential compromise, the signer is required to promptly notify the other multisig participants, the community, and BORG (if applicable) by posting a message on the forum and communicating through the relevant channels.
Committee Structure and Responsibilities
Lido DAO multisigs are structured across various committees, each executing specific operational tasks.
These committees operate transparently under DAO governance, ensuring accountability and alignment with Lido’s mission.
Public Process
Lido DAO contributors, LDO token holders and the wider community must have visibility into multisig operations. To uphold transparency:
Each multisig should have a research.lido.fi forum post detailing its purpose, general operating rules, multisig wallet address and the list of signer addresses.
Prospective signers should verify their addresses by posting proof in the forum and social media.
Any changes to signer composition should be disclosed in the forum post with updated verification.
Unless explicitly defined as static, signers can be rotated, but a public audit trail should be maintained.
Any signer change should NOT:
Reduce the number of signers below the DAO vetted one (if applicable).
Decrease the signing threshold. If such changes are necessary, a DAO Snapshot vote is required.
Multisig Signer Rotation
Signers may rotate without a Snapshot vote if a simple majority of the original signers (e.g., 3/5, 5/8) remains.
The original signer list is stored in IPFS (please see Original Signers List section for links), ensuring verifiable historical records.
Updating an address to preserve the integrity of the multisig is not considered a signer rotation if the owner of the address remains the same. This type of update must be announced and documented in accordance with this policy. Multisigs having critical security roles are expected to define their own reasonable process for ensuring such integrity (for example, the GateSeal drill report).
Before a rotation, a committee must confirm that a minimum number of original signers remain. If this condition is not met, a new multisig structure must be proposed via a Snapshot vote.
Rotating Multisig Members
The committee announces a rotation at research.lido.fi and the new signer must publicly verify their address.
A 7-day objection period follows. If no objections at research.lido.fi arise, the rotation is finalized by the current signers.
Updating Signer Addresses
If the original key is accessible:
The signer proves ownership of a new address by signing a message with their existing address.
If the original key is lost:
The signer must verify their identity to the other signers through alternative methods such as:
Authentication via a verified social media account.
A video call with other signers for confirmation.
Other sufficient methods.
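As an added example (not Lido's own tooling), the following Python check evaluates a proposed Safe owner change against the General Rules and the rotation rules above before it is submitted. The profile values and addresses are constructed, and the "DAO vetted" signer count is assumed to equal the length of the original signers list.

```python
from dataclasses import dataclass


@dataclass
class SafeState:
    """Owner set and signing threshold of a Safe at one point in time."""
    owners: list[str]
    threshold: int


@dataclass
class MultisigProfile:
    """Facts the policy keys on; values are supplied per multisig (constructed in tests)."""
    original_signers: list[str]  # DAO-vetted list pinned in IPFS (assumed = vetted count)
    assets_usd: float            # holdings in USD-stablecoin equivalent
    manages_roles: bool          # holds roles/permissions in the protocol


def _addr_set(addrs):
    # Ethereum hex addresses are case-insensitive, so compare in lowercase
    return {a.lower() for a in addrs}


def general_rule_violations(profile, state):
    """Baseline requirements from the General Rules section."""
    n, t, v = len(state.owners), state.threshold, []
    if n < 3:
        v.append("fewer than 3 signers")
    if 2 * t < n:
        v.append("signing threshold below 50% of signers")
    if profile.assets_usd >= 1_000_000 and n < 7:
        v.append("1M+ in assets requires 7+ signers")
    if profile.manages_roles and (n < 5 or t < 3):
        v.append("role-managing multisig needs at least a 3/5 setup")
    return v


def rotation_violations(profile, current, proposed):
    """Checks a signer change must pass to proceed without a Snapshot vote."""
    v = general_rule_violations(profile, proposed)
    original = _addr_set(profile.original_signers)
    remaining = len(original & _addr_set(proposed.owners))
    if 2 * remaining <= len(original):  # simple majority of originals must remain
        v.append(f"only {remaining}/{len(original)} original signers remain")
    if len(proposed.owners) < len(profile.original_signers):
        v.append("signer count reduced below the DAO-vetted number")
    if proposed.threshold < current.threshold:
        v.append("signing threshold decreased")
    return v
```

An empty list means the change can be finalized by the current signers after the objection period; any entry means a Snapshot vote (or a different proposal) is needed.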
Special Cases
Multisigs managed by Lido-on-X (non-Ethereum Lido protocols) are exempt unless otherwise stated.
Lido DAO contributors may set up ad-hoc multisigs for specific operations. If these multisigs do not manage rights, roles, or DAO funds, they are not required to follow this policy. These wallets may be used for gas refunding for dev and ops teams, for instance.
Added the hardware wallet requirement, a requirement for critical security multisigs to have a procedure ensuring their integrity (drills, rotation, etc.), a reminder to all signers to raise an issue ASAP if keys are lost or compromised, and other small tweaks to the text.
In light of recent multisig hacks this is certainly a timely revision. We are supportive of this policy upgrade with some additional considerations for further enhancement.
Consider implementing volume and time-based limitations. For example, increase the number of required signers if the transaction volume from a wallet exceeds $X within a 24-hour period. Such escalation setups for significant or non-business-as-usual movements serve as practical safeguards, offering more dynamic protection than fixed thresholds based solely on account size.
Implement periodic key and signer rotations to mitigate the risk of ‘silent takeovers,’ where an attacker progressively compromises signers.
The policy states, ‘Signers are discouraged from using addresses for other purposes.’ To reinforce wallet hygiene, this directive should be more assertive. Consider mandating that signers use dedicated addresses (and browser/hardware-wallets) exclusively for their signing roles. Additionally, providing comprehensive training on best practices for wallet management would further enhance security (this could be a grant request itself).
Hi, It’s a bit unclear how it works.
Without access to the original key, does every member of Multisig have to agree to change the address? Or is it decided by a majority by signing multisig?
I think it should be according to the signing threshold of the multisig; the basic flow is that each participating signer must check the transaction details. If the address couldn’t be verified by the standard flow (because the old keys are missing), then an alternative procedure should happen, through which every signing member gains sufficient proof before putting their signature.
Committees have budgets and time-based security limits for Easy Tracks set accordingly, so they request assets in multiple motions during the budget period (to decrease the risk). Major swaps are done via STONKS, with the TMC committee starting motions there, which never take possession of funds. Considering that, it seems these temporary threshold changes are unnecessary from my point of view, because the processes already have stricter safeguards in place.
These two points are indeed important, and actually DAO ops stream team members have been promoting them for quite a while already for any new emerging committee.
But totally worth adding it to the policy imo, ty!
Thank you for this timely piece about increasing the security of Lido DAO. After thoroughly reviewing the Lido DAO Ops Multisig Policy, nothing stands out that requires change.
Question
Of the 36 multisigs that exist today, only the Gate Seal multisig has a sunset date and renewal procedure. Would it be wise to introduce additional similar guidelines in Policy 2.0 for multisigs with significant financial or executive power—such as PML, ATC, RCC, or the oncoming three BORGS multisigs?
A small recommendation I would have is that multisig signers could be expected to have GridPlus devices which would allow them to better assess multisig transactions. This seems a reasonably small budget outlay.
I presume that when someone is onboarded to a multisig committee they are provided with documentation of best practices. And I think a document like this should now include a statement to the effect that one should presume that they are a target of social engineering by a nation-state APT.
I think Lido is a highly competent DAO and a lot of this is known to them but no harm in upping the paranoia level a little.
Thanks Alex. Just to be clear, the time- and volume-based limitation recommendations are there to reduce the impact of and slow down malicious transfers (e.g. from a signer device hack or wallet malware), not regular or BAU operations.
Most if not all institutional wallet solutions have policy-driven security features that support such transaction amount limits and velocity controls, mitigating the impact of unauthorized or malicious activity. As you point out with regards to EasyTrack and STONKS, policies should be adaptable to specific business requirements while ensuring a balance between operational efficiency and risk management.
Gm, with the recent multisig hacks, and particularly the one on the SAFE UI exposing bad industry practices around security and multisig management, it’s fair to say that every organization needs better access-control management.
A few questions, apologies:
Is there any reason that, for some of the most important multisigs, a completely new device used ONLY for signing isn’t required?
With SAFE using both a centralized backend and front-end is there any thought on self-hosting a simple decentralized UI for transactions or transacting directly onchain for the highest risk multisigs?
Finally, having 36 SAFE’s seems like a risk in and of itself for operational mistakes. Is there a way to have grouped multisigs with a higher security assumption for the grouping? I can only imagine the pain of attempting to keep track of all these multisigs!
I will vote yes as this seems like an improvement, but I’m curious if we can do even better in the future!
We voted for the updated policy’s security enhancements, especially requiring use of hardware wallets and the prohibition of using signer wallets for other purposes for certain types of signers. Given recent Safe incidents, we believe prioritizing wallet security is essential, and these changes are a vital step.
There is a more detailed multisig security policy, which we comply with for the multisig operation in Optimism (details). As it has more specific guidelines such as which specific hardware wallets to use, how to prepare the backup wallets, and how to travel with signing keys, this might be useful as a reference in the future policy updates.
Thanks for the recommendation!
GridPlus is indeed an interesting device, although not without some drawbacks (it’s a really chonky one, for example), but definitely worth testing. In my opinion a diverse set of hardware wallets also contributes to security.
I believe that the constant reminders given to each other about surrounding risks have become a part of the cultural code amongst contributors, yeah
Thank you all who participated in Lido DAO Ops Multisigs Policy 2.0 Snapshot, we reached a quorum!
The results are:
Adopt multisig policy: 62.1M LDO
No changes: 21.9k LDO