--- title: Multisig Best Practices version: 2023.05.29 author: Sam Bacha, et al. --- # Multisig Best Practices > Contract Source Link: <TODO></TODO> > **Action Items** > Local Machine conformance enforcement > Dry run practices > Hardware safeguards ## Abstract This appendix summarizes the best practices for the use of a 2-of-3 multi-signature wallet where the authority to execute a transaction requires a consensus of two individuals in possession of two of the wallet’s three private keys. 1. The private keys must be stored or held separately, and each must be respectively access-limited to separate individuals. 2. Multiple keys should not be stored with the same custodian. For example, if the keys are physically held in the custody of a third party (e.g., a bank), then no more than one key can be custodied in that bank. Doing so would violate best practice #1. 3. The second signatory (a.k.a. the co-signer) must refer to a policy established beforehand specifying the conditions for approving the transaction before signing it with their key. 4. The co-signer should verify that the half-signed transaction was generated willfully by the intended holder of the first signature’s key. ## Policy for Transaction Validation Best practice #3 prevents the co-signer from becoming merely a “deputy” acting on behalf of the first (forfeiting the decision responsibility back to the first signer, and defeating the security model). If the co-signer refuses to approve the transaction for any reason, then the due-diligence conditions for approval may be unclear. That is why a policy for validating the transaction is needed. Example verification policy rules may include: ● A predetermined protocol for being asked to cosign (e.g., a half-signed transaction will be accepted only via an approved channel). ● An allowlist of specific actions that can be performed by the wallet. ● A threshold for the number of transactions that can be executed on a given day, week, etc. Best practice #4 mitigates the risk of a single stolen key. In a hypothetical example, an attacker somehow acquires the unlocked Ledger Nano of one of the signatories. ### Duress / Safeword A voice call from the co-signer to the initiating signatory to confirm the transaction will reveal that the key has been stolen and that the transaction should not be co-signed. If under an active threat of violence, a “duress code” (code word, phrase, or other system agreed upon in advance) can be used as a covert way for one signatory to alert the other signers of an issue. #### Warrant Cannary Usage of Warrant Cannary is advised for escliated policy identification for duress levels. ## Operational Safeguards > Note that each multi-signature wallet used by the team should be treated independently of the others. Thus, each wallet should have its own policies for transaction validity and storage. ## Citations > MultiSig Contract >
Last changed by  
manifoldx
manifoldx
147

Read more

Untitled

Nix Hydra for Web3

8/12/2023
Frontend DApp FSM

The diagram starts with the user at the beginning of their journey. The user then attempts to connect their wallet. If the wallet connection is successful, the user proceeds to deposit ETH. If the wallet connection fails, an error message is displayed and the user is directed back to the start.

8/1/2023
Fixed Timestamps for Reproduceibility

https://github.com/bazelbuild/bazel/blob/92f0d6aace87d0bf1fed8249fe834d07cff733be/third_party/ijar/zip.cc#L78-#L79

7/4/2023
CREAM and Manifold Finance Omnibus

[!abstract] CREAM and Manifold Finance

6/26/2023
Read more from manifoldx
Published on HackMD