Strengthen multisig guidance: timelocks, separation, address discipline, and key takeaways

[ipatka]

Strengthen multisig guidance: timelocks, separation, address discipline, and key takeaways

---

Revises the multisig security framework based on lessons from real-world multisig operations and emerging risks. Adds a one-page key takeaways summary for quick reference.

Key changes

• Design principles: Added "build in slowness by design," "constrain emergency powers," and "separate responsibilities across multisigs" as foundational principles
• Timelock guidance: Strengthened from "recommended" to "essential" for protocol admin multisigs. Added tiered duration guidance (long/medium/short/none) and a dedicated timelock monitoring section
• Multisig separation: New section on separating multisigs by function with common patterns and a separation table
• Address discipline: New sections on address book hygiene (never copy from explorer history) and permissionless Safe addition / address poisoning risks
• Dedicated keys: Expanded rationale for using separate keys per multisig (wallet clarity + blast radius containment)
• Calldata decoding: Expanded from brief mention to full section covering how calldata works, decoding steps, and common red flags
• Delegated proposers: Corrected and clarified why delegated proposers matter (first signer verification) and why final signer should avoid "sign and execute"
• Solana differences: New section on architectural differences from EVM for multisig verification
• Access control inventory: New guidance on maintaining a comprehensive inventory of all privileged roles, added structured fields to the registration template
• Key takeaways page: New one-page summary distilling the 11 most important principles with links to full sections

Files changed

• docs/pages/multisig-for-protocols/key-takeaways.mdx (new)

• docs/pages/wallet-security/secure-multisig-best-practices.mdx

• docs/pages/multisig-for-protocols/use-case-specific-requirements.mdx

• docs/pages/multisig-for-protocols/setup-and-configuration.mdx

• docs/pages/multisig-for-protocols/planning-and-classification.mdx

• docs/pages/multisig-for-protocols/registration-and-documentation.mdx

• docs/pages/wallet-security/signing-and-verification/secure-multisig-safe-verification.mdx

• docs/pages/wallet-security/signing-and-verification/secure-multisig-squads-verification.mdx

• docs/pages/multisig-for-protocols/joining-a-multisig.mdx

• docs/pages/multisig-for-protocols/overview.mdx

• vocs.config.tsx

• Describe your changes

• If you are touching an existing piece of content, tag current contributors from the attribution list

• If there is a steward for that framework, ask the steward to review it

• If you're modifying the general outline, make sure to update it in the vocs.config.ts adding the dev: true parameter

• If you need feedback for your content from the wider community, share the PR in our Discord

• Review changes to ensure there are no typos; see instructions below.

[github-actions]

Sidebar Configuration Reminder

This PR includes added, renamed, or removed documentation files:

• docs/pages/multisig-for-protocols/key-takeaways.mdx (added)

Please ensure that:

• The sidebar in vocs.config.tsx has been updated to include these files
• New content has the dev: true parameter so it's marked as under development
• Sidebar links match the file paths - use the preview deployment to verify

See Contributing Guide – Sidebar & Navigation for more details.

---

_{This is an automated reminder. If this PR doesn't need sidebar changes, you can ignore this message.}

[github-actions]

built with Refined Cloudflare Pages Action

⚡ Cloudflare Pages Deployment

Name	Status	Preview	Last Commit
frameworks	✅ Ready (View Log)	Visit Preview	7bfce67

[DicksonWu654]

lgtm! I sent a few suggestions in DMs

[ElliotFriedman]

if the addresses are from the same hd path on a hardware wallet, and the seed is compromised, you don't have true firewalling

[ipatka]

yea will clarify

[ElliotFriedman]

if this advice is ethereum/safe specific I would add something here to add guards and other safeguards to force changes through the timelock.

[ElliotFriedman]

I would add: calculate hashes across multiple devices and OS to make sure computer isn't compromised, then make sure to verify the entire hash on the hardware wallet when signing

[ElliotFriedman]

this is solid advice. if these are all behind timelocks, do they need to deploy 1 msig and 1 timelock for each role?

[ipatka]

yup would require multiple to be deployed

[ElliotFriedman]

recommend adding bullet point on integration testing. there should be extensive internal tooling that will catch mistakes like misconfigurations of a protocol via governance, even after the change is deployed onchain.

if a threat actor wanted to exploit a larger protocol, one vector would be supply chain attack that slips in malicious governance payload. the payload looks one way locally, once broadcast, it morphs into something else.

without extensive tests and harnesses to simulate that what you have in your local repo is actually what ended up on chain, you run the risk of a mismatch.

from experience, once stuff goes onchain, almost no one reviews, which is why automated testing with protocol invariants is extremely important.

[ElliotFriedman]

imo this transparency is non-negotiable. without it, it's hard for the community to understand the changes being made.

[ElliotFriedman]

• unverified smart contracts on etherscan being called
• calldata mismatch with simulation output. e.g. the selector is "transfer(address,uint256)" but no tokens are transferred. (this is similar to how bybit attack worked at the smart contract level. unverified smart contract on etherscan, and calldata that was decoded to "transfer")

[frameworks-volunteer]

Model: z-ai/glm-5.1 Reasoning: high Provider: openrouter

Review: Strengthen multisig guidance

Security Review

No issues found. This is pure MDX documentation content with no code execution, no secrets, no injection vectors, and no dependency changes.

QA Review

• All internal links and anchor fragments resolve to existing headings (verified: dedicated-keys-per-multisig, address-book-discipline, address-poisoning-and-permissionless-safe-additions, constrain-emergency-powers, separating-multisigs-by-function, tiered-timelock-durations, timelock-configuration, timelock-monitoring, delegated-proposer, maintain-an-access-control-inventory, 5-calldata-review)
• Frontmatter on new key-takeaways.mdx matches existing conventions (title, description, tags, contributors, imports)
• Tags in fetched-tags.json match key-takeaways.mdx frontmatter exactly
• vocs.config.tsx sidebar entry added correctly
• CI passes: Build Preview, lint, sidebar-reminder all green
• No leftover debug content, TODOs, or placeholder text
• fetched-tags.json sectionMappings diff is alphabetical reorder only, no functional change

Minor Observation

The PR checklist marks "modify the general outline, update vocs.config.ts adding the dev: true parameter" as done, but the new Key Takeaways sidebar entry does not include dev: true. This appears intentional since the content is production-ready, not a WIP section. No action needed.

Verdict

Solid contribution. The new design principles (slowness by design, constrained emergency powers, separation), expanded timelock guidance with tiered durations, address discipline sections, and the key takeaways summary page are all well-written and internally consistent. Approving.