[AIP-8] Multi-sig best practices framework

Authors
Emiliano Bonassi (protocol multi-sig)

Summary
High performance and operational excellence in the multi-sig wallets help a protocol stay healthy and react quickly to a fast-paced environment like DeFi. The goal of this proposal is to agree on a set of standards/practices and improve the current setup based on recent performance.

Motivation and Background

Current multi-sig
We have two 4/7 multi-sig wallets:

The former manages the Aura community treasury and the latter the configuration of the protocol plus some emergency functions.

Treasury signers:

  • 0x3dB7FCD09cF12df1b8978ddf66F8bbF9f039eDd8
  • 0xB65c1Ab1bF106F86a363dC10230a4AF11cCD063E
  • 0x2BE293361aEA6136a42036Ef68FF248fC379b4f8
  • 0x4Ab5E3F0b2d1604dD2002CfEcA6163802D74c6Cb
  • 0x337F8f3316E1326B3188E534913F759460bd57CB
  • 0xC02ad7b9a9121fc849196E844DC869D2250DF3A6
  • 0x4702D39c499236A43654c54783c3f24830E247dC

Protocol signers:

  • 0x3dB7FCD09cF12df1b8978ddf66F8bbF9f039eDd8
  • 0x512fce9B07Ce64590849115EE6B32fd40eC0f5F3
  • 0xF01Cc7154e255D20489E091a5aEA10Bc136696a8
  • 0x30019eB135532bDdF2Da17659101cc000C73c8e4
  • 0x3CBFFF3E75881c1619eaa82DC724BDEE6fF6ED19
  • 0x6429602699fEC6D205e0b9531C7f33476BA11Fb0
  • 0x2BE293361aEA6136a42036Ef68FF248fC379b4f8

More info in the original article


Launch to Date Performances

Multi-sig performance is often measured in terms of the individual signers' KPIs. The common ones are:

  • percentage of transactions signed, the proportion of the transactions signed over the total of executed ones
  • time to confirm (TTC), the amount of time elapsed between the transaction proposal and the actual signing by a signer

Below are the respective performances:

Treasury

-- % Tx Confirmed --
total txs: 10
signer                                      %   
0x3dB7FCD09cF12df1b8978ddf66F8bbF9f039eDd8 100.0
0xB65c1Ab1bF106F86a363dC10230a4AF11cCD063E  90.0
0x2BE293361aEA6136a42036Ef68FF248fC379b4f8  70.0
0x4Ab5E3F0b2d1604dD2002CfEcA6163802D74c6Cb  60.0
0x337F8f3316E1326B3188E534913F759460bd57CB  60.0
0xC02ad7b9a9121fc849196E844DC869D2250DF3A6  20.0
0x4702D39c499236A43654c54783c3f24830E247dC   0.0

-- Signers Time To Confirm (p=0.95) --
signer
0x3dB7FCD09cF12df1b8978ddf66F8bbF9f039eDd8   0 days 00:00:00
0xB65c1Ab1bF106F86a363dC10230a4AF11cCD063E   0 days 06:58:16
0x4Ab5E3F0b2d1604dD2002CfEcA6163802D74c6Cb   0 days 14:53:05
0xC02ad7b9a9121fc849196E844DC869D2250DF3A6   0 days 16:22:36
0x337F8f3316E1326B3188E534913F759460bd57CB   0 days 18:47:04
0x2BE293361aEA6136a42036Ef68FF248fC379b4f8   1 days 00:17:53

Protocol

-- % Tx Confirmed --
total txs: 14
signer                                      %    
0x3dB7FCD09cF12df1b8978ddf66F8bbF9f039eDd8 100.00
0x512fce9B07Ce64590849115EE6B32fd40eC0f5F3 100.00
0xF01Cc7154e255D20489E091a5aEA10Bc136696a8  92.86
0x30019eB135532bDdF2Da17659101cc000C73c8e4  57.14
0x3CBFFF3E75881c1619eaa82DC724BDEE6fF6ED19  28.57
0x6429602699fEC6D205e0b9531C7f33476BA11Fb0  21.43
0x2BE293361aEA6136a42036Ef68FF248fC379b4f8   0.00

-- Signers Time To Confirm (p=0.95) --
signer
0x6429602699fEC6D205e0b9531C7f33476BA11Fb0   0 days 00:04:30
0x512fce9B07Ce64590849115EE6B32fd40eC0f5F3   0 days 08:39:02
0xF01Cc7154e255D20489E091a5aEA10Bc136696a8   0 days 10:32:34
0x30019eB135532bDdF2Da17659101cc000C73c8e4   0 days 12:20:18
0x3CBFFF3E75881c1619eaa82DC724BDEE6fF6ED19   0 days 13:17:37
0x3dB7FCD09cF12df1b8978ddf66F8bbF9f039eDd8   0 days 20:32:11

Proposal

Good governance practices incentivise decentralisation and quick responses as well as active healthy participation.

Below is the proposed framework.

Performance rules

  • time to confirm p=0.95 ≤ 36hrs
  • signing ratio ≥ 27%

p95 definition below

ALL of them must be respected over a period of 4 weeks

Social rules

  • active in the multi-sig telegram chats
  • maintain an active social profile
  • act ethically

These could be difficult to quantify, so it’s up to the signers to evaluate and raise eventual concerns.

In case EITHER performance OR social rules are not respected, the signer will be put in a grace period of 4 weeks to give them the opportunity to improve. At the end, if the rules are respected, the signer gets back to their normal status; otherwise, the other signers must start a discussion to look for a replacement.

Transaction Submission rules

Proper communication influences KPIs and signer experience. Proposers should facilitate as much as they can for a successful outcome and overall good experience. For these reasons, below are some initial rules for submitting a transaction:

  • only submit from Mon to Thu, avoid weekends except for relevant or urgent matters (e.g. protocol risk, whale attack, important partnership)
  • share AND pin a message in the respective telegram chat containing all the relevant information
    • executive summary of the proposal i.e. high level description
    • transaction breakdown i.e. what’s going to execute
    • tenderly simulation link
    • gnosis safe link
    • discussion links e.g. forum or tg
  • you submit, you own it: signing is a shared responsibility, but the proposer is the ultimate owner. The proposer is responsible for the successful outcome and should follow up and facilitate when necessary

Voting

For:

  • Agree on above framework
  • put in grace period for next 4 weeks
    0x4702D39c499236A43654c54783c3f24830E247dC from Treasury, 0x6429602699fEC6D205e0b9531C7f33476BA11Fb0 and 0x2BE293361aEA6136a42036Ef68FF248fC379b4f8 from Protocol

Against: No action

Looking forward to your feedback!

4 Likes
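
The two KPIs and the performance rules from the proposal above, as an added example that is not part of the original post or of Aura's tooling. The record layout, the signer names, the sample data and the percentile method (linear interpolation; the post's own p95 definition is not reproduced on this page) are assumptions.

```python
from datetime import datetime, timedelta

# Thresholds taken from the proposal's performance rules.
MAX_TTC_P95 = timedelta(hours=36)
MIN_SIGNING_RATIO = 0.27

def percentile(values, p):
    """p-quantile with linear interpolation between ranks (assumed method)."""
    ordered = sorted(values)
    rank = p * (len(ordered) - 1)
    lo = int(rank)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (rank - lo)

def signer_kpis(signers, executed_txs):
    """Map signer -> (signing ratio, p95 TTC or None) over executed txs."""
    if not executed_txs:  # nothing executed in the window: nothing to measure
        return {}
    report = {}
    for signer in signers:
        ttcs = [tx["confirmations"][signer] - tx["proposed"]
                for tx in executed_txs if signer in tx["confirmations"]]
        ratio = len(ttcs) / len(executed_txs)
        report[signer] = (ratio, percentile(ttcs, 0.95) if ttcs else None)
    return report

def breaches(report):
    """Rules each signer fails; no signatures means no TTC to judge."""
    failed = {}
    for signer, (ratio, ttc) in report.items():
        rules = []
        if ratio < MIN_SIGNING_RATIO:
            rules.append("signing ratio")
        if ttc is not None and ttc > MAX_TTC_P95:
            rules.append("ttc p95")
        if rules:
            failed[signer] = rules
    return failed

# Constructed sample data (not from the Aura multi-sigs): hours from proposal to signature.
T0 = datetime(2022, 1, 3, 9, 0)
def make_tx(day, **hours_to_sign):
    proposed = T0 + timedelta(days=day)
    return {"proposed": proposed, "confirmations": {
        s: proposed + timedelta(hours=h) for s, h in hours_to_sign.items()}}
SIGNERS = ["signer_a", "signer_b", "signer_c"]
TXS = [make_tx(0, signer_a=1, signer_b=40), make_tx(7, signer_a=2, signer_b=44),
       make_tx(14, signer_a=3), make_tx(21, signer_a=2, signer_b=48)]

if __name__ == "__main__":
    print(breaches(signer_kpis(SIGNERS, TXS)))
```

A signer who never signs gets a ratio of 0 and no TTC value at all, which is why the signing ratio has to be checked alongside the p95 TTC rather than instead of it.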

Welcome to the forum!

This is a very detailed analysis. I’m in support of this framework.

(Btw, the links won’t translate to Snapshot properly. You’ll need to paste the actual URL instead of text link.)

1 Like

I support. In favour of any framework that will help maintain a high standard of operational security over time, and this seems to be a well-thought-through, data-oriented proposal.

2 Likes

I also support this. just need to hire Emiliano to do this for Balancer’s multisig now :laughing:

3 Likes

I support this framework. It is very important that multisig signers are responsive and know what they are signing off on. Perhaps it would be wise to have a process for replacements ready before we need it. Thanks Emiliano for writing this up!

3 Likes

happy to see support!

thanks for the links indication, i’ve applied the changes

thanks! happy to support Balancer too, feel free to reach out :wink:

good point mike. i hope we won’t need to replace a lot to need to design a process but we can spend some time in the case the performance won’t be at the bar for this iteration.

thanks for the support!

@Contributor @0xMaha @solarcurve @mikeb and all the current signers who provided feedback in offline convo

moving to a formal AIP proposal

moved as AIP 8

looking forward to adding to snapshot by @Contributor :pray:

1 Like

Snapshot will be live shortly:

https://vote.aura.finance/#/proposal/0xe5081e1b52f32a0f0e9822590891e6ed93ca4c871144039087a5a796d11ce33d

2 Likes

Proposal passed! Thanks to everyone who participated.

Best practices start from today (check the tx submission rules). I’ll check the stats monthly and provide results.

The following addresses will be put in grace period for the next 4 weeks (Tue 6th Sep 22):

0x4702D39c499236A43654c54783c3f24830E247dC from Treasury, 0x6429602699fEC6D205e0b9531C7f33476BA11Fb0 and 0x2BE293361aEA6136a42036Ef68FF248fC379b4f8 from Protocol

PASSED - AIP 8 - Multi-sig best practices framework

Aura Improvement Proposal 8 has passed the governance vote with 100% in favor. The framework outlines guidelines and rules surrounding the Treasury and the Protocol multi-sigs to align with best practice.

For info: the Treasury Multi-sig wallet deals with the AURA community treasury.

The Protocol Multi-sig wallet deals with the configuration of the protocol plus some emergency functions.

Both wallets require a quorum of 4/7 signers to initiate actions on behalf of the DAO.