Lido DAO Ops Multisigs Policy 3.0

Proposals
1

Motivation

Operating DAO-related processes requires striking a balance between flexibility and security. Lido DAO and the Lido protocol are governed by tokenholder voting, while Safe multisig wallets are used to execute a broad set of delegated functions, helping streamline numerous operational processes while remaining transparent and subject to DAO oversight and potential veto.

This proposal introduces a new Lido DAO Ops Multisigs Policy 3.0, effectively replacing the previous version (2.0) to better reflect current operational needs while preserving a strong level of security. Additionally, this proposal is to resolve collisions between Multisig Policy and Lido Foundations’ (Lido Alliance, Lido Ecosystem, Lido Labs) bylaws.

Committees vs Multisigs

For clarity, a committee and a multisig are distinct constructs. A committee is a group of contributors with a defined mandate, responsibilities, and a bounded scope of decision-making. A multisig is a technical tool that requires multiple signers to authorize transactions. Committees may operate without a multisig, and multisigs may exist without a formal committee.

  • Lido DAO multisigs are used across different operational setups, including committees or purposes with defined scopes.
  • Lido DAO committees operate transparently under the DAO-approved mandate, ensuring accountability and alignment with Lido DAO’s goals. Some committees have been adopted by a Lido Foundation (or an entity affiliated with a Lido Foundation) and operate under its governance.

Material Changes vs Previous Version

  • The requirement to keep a simple majority of the original multisig signers for rotation without a Snapshot vote is deprecated. As a result, storing the original signer list on IPFS is no longer required.

    Reason: in most cases, this condition generated unnecessary friction in maintaining multisig responsiveness, which is especially critical for time-sensitive operations. Additionally, this condition caused a collision between the Foundations’ bylaws and the Board of Directors or Emergency Supervisor’s power to make changes to multisig signer lists to effectively do their duties.

  • The “static signer” rule is deprecated: there are no longer any signers protected from rotation.

    Reason: throughout the lifetime of the policy, no suitable cases have been identified where this requirement proved useful, and, as the lifespan of any multisig stretches, the probability of any signer never having to be replaced decreases.

  • The 7-day objection period for multisig member rotation is removed.

    Reason: the Lido Foundations’ internal procedures cover the rotation procedure, and the DAO retains its ability to object through Snapshot voting.

  • Updated the “Special Cases” section:

    • Removed the Lido-on-X exemption, as it has been deprecated.
    • Added a new special case for non-public ad hoc multisigs when disclosure could create security, operational, or governance risks.

General Rules

To keep operations secure yet agile, all Lido DAO multisigs are recommended to follow these baseline requirements (please see Special cases for exceptions or additional rules set):

  • Minimum of 3 signers.
  • 50%+ signing threshold (rounded up to the nearest whole number).
  • 5+ signers for multisigs managing roles and permissions.
  • 7+ signers for multisigs holding 1M+ in assets (USD stablecoins equivalent).
  • Signers should use hardware wallets in multisigs managing roles and permissions or holding 100K+ in assets (USD stablecoin equivalent).
  • For token holdings exceeding a $50K balance equivalent at least once, an unlimited allowance must be set with the Lido Aragon agent as the beneficiary.
  • Signers may be rotated, provided any signer change should NOT:
    1. Reduce the number of signers below the minimum.
    2. Decrease the signing threshold below the minimum.
    3. Any change that would conflict with the above requires approval via a DAO Snapshot vote.
  • Signer’s address may be rotated, provided the rotation complies with the “Public Process” and “Rotating Signer Address” sections set out in this Policy.
  • Adherence to the Lido Foundations’ bylaws and multisig participation agreement, if multisig is a part of any Lido Foundation.
  • Signers of multisigs holding critical security roles in Lido protocol operations (such as GateSeal and Emergency Brakes) are discouraged from using their addresses for any other purposes. They should use a dedicated address for that purpose instead.
  • Members of multisigs with critical security roles are to develop reasonable processes to ensure their integrity and the responsiveness of signers (e.g., the GateSeal drill report).
  • If the signer loses access to the keys or suspects they may have been compromised, they must promptly notify the other multisig participants and the entity that adopted the multisig (if applicable), raise an incident, and follow the incident response procedure. Disclosure on the Research Forum occurs after the primary threat mitigations have been implemented, to ensure that sharing incident details does not introduce new security risks, unless earlier disclosure can be made without increasing that risk.
  • Any multisig signer who provides verification of their appointment as a multisig member shall, by doing so, be deemed to acknowledge that they have read, understood, and agree to comply with the Multisig Policy then in effect.

Public Process

Lido DAO contributors, LDO token holders, and the broader community should have visibility into multisig operations. To ensure transparency:

  • Each multisig should have a dedicated post on the Research Forum describing its purpose, scope, general operating rules, wallet address, and the list of signers, including each signer’s address verification and social media confirmation.
  • Multisig addresses should be listed in the Lido DAO Multisigs section.
  • Any changes to the signer composition or signing threshold should be announced on the Research Forum, along with details of the change, updated verifications from proposed signers, and social media confirmations.

Rotating Signer Address

A signer’s address may be rotated to preserve the integrity of the multisig (e.g., replacing an old, potentially compromised address with a newly created one), provided the new address remains under the same owner’s control. Signer Address may be rotated subject to the following procedure:

  • If the original key is accessible: the signer proves ownership of a new address by signing a message with their existing address.
  • If the original key is lost or compromised: the signer must verify their identity to the other signers through alternative methods, such as: authentication via a verified social media account, a video call with other signers for confirmation, or other sufficient methods.

Special Cases

  • Lido DAO contributors may set up ad-hoc multisigs for specific operations. If these multisigs do not manage rights, roles, or DAO funds, they are not required to follow this Policy. These wallets may be used for gas refunding for dev and ops purposes.
  • Where public disclosure of an ad-hoc multisig could reasonably create security, operational, or governance risk for Lido DAO, Lido protocol, or any of the multisig signers, the relevant signers or entity may keep such multisig and its composition non-public, provided that appropriate internal controls, verification, and oversight are maintained.
3 Likes