Unlocking Powerful Secure Governance Use Cases Via The Elrond Multisig Contract
All digital systems will rapidly grow to depend on blockchain as a core technology. Immutable records that are instantly auditable, transactions that double as an invoice, a trustworthy and inexpensive pay-per-use system that runs unattended 24/7, are all very compelling.
Elrond Network’s carefully designed features make it a suitable candidate to support a broad range of digital use cases. One important feature is the capability that allows multiple stakeholders to securely agree on decisions via a multi-signature contract.
Elrond Multisig overview
On-chain governance of digital assets, where a quorum between multiple administrators (board members) is required, is done via multi-signature contracts (MSC). MSCs are smart contracts that function like a regular wallet but require transactions to be signed by more than just one private key.
For example, a board of 5 members is defined for a multi-sig wallet and the quorum is set to 3. That means that the private keys of any 3 members of the 5 are required to sign outgoing transactions.
The board members can also perform MSC governance actions, such as adding or removing a member, or changing the quorum.
Scope
A multisig wallet can be employed for a wide variety of use cases, covering smart contract administration, token governance, and asset management.
- Smart Contract administration - managing a DeFi smart contract securely, e.g. to avoid “rug pulls”
- Token governance - managing the supply and parameters of a token or stable-coin
- Asset management - jointly managing assets together with other predefined administrators
Roles
An account can have one of the different roles available and thus be granted specific permissions.
- Deployer - the creator of the MSC and the default owner. The Owner role can be reassigned. An MSC can be a deployer of another MSC.
- Owner - If the MSC is deployed as an upgradeable smart contract, the owner can perform the upgrade. Upgradeable MSCs are not recommended, because an owner who can upgrade the contract alone could potentially circumvent the quorum.
- Board member - The unique individual addresses that can sign in an MSC are called board members. A quorum - the number of board members that are needed to sign - can be defined as a number smaller than or equal to the total number of members.
- Proposer - A whitelisted address that can send proposals for transactions, which the board members must then approve before they can be executed.
Transaction flow
- A proposer or board member proposes an action.
- The proposed action receives a unique id/hash.
- All (N) board members are notified (off-chain) to review the action with the specific id/hash.
- M out of N (quorum) board members sign and approve the action.
- Any proposer or board member “performs the action”.
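The flow above as an added example, not code from the Elrond contract: a simplified off-chain Rust model in which the names (`Multisig`, `propose`, `sign`, `perform`, `valid_signatures`) are illustrative and the `who` string stands in for the authenticated transaction sender. Ignoring signatures from addresses that have since left the board is an assumption of this model.

```rust
use std::collections::{BTreeSet, HashMap};
#[derive(Debug, PartialEq)]
pub enum Error { NotAuthorized, UnknownAction, QuorumNotReached }
// Illustrative model, not the contract's API; `who` stands in for the transaction sender.
pub struct Multisig {
    pub board: BTreeSet<String>,
    pub proposers: BTreeSet<String>,
    pub quorum: usize,
    next_id: u64,
    pending: HashMap<u64, (String, BTreeSet<String>)>, // id -> (action, signers)
}
fn set(v: &[&str]) -> BTreeSet<String> { v.iter().map(|s| s.to_string()).collect() }
impl Multisig {
    pub fn new(board: &[&str], proposers: &[&str], quorum: usize) -> Self {
        assert!(quorum >= 1 && quorum <= board.len(), "quorum must be in 1..=N");
        Multisig { board: set(board), proposers: set(proposers), quorum, next_id: 0, pending: HashMap::new() }
    }
    fn may_propose(&self, who: &str) -> bool { self.board.contains(who) || self.proposers.contains(who) }
    // A proposer or board member proposes; the action receives a unique id.
    pub fn propose(&mut self, who: &str, action: &str) -> Result<u64, Error> {
        if !self.may_propose(who) { return Err(Error::NotAuthorized); }
        self.next_id += 1;
        self.pending.insert(self.next_id, (action.to_string(), BTreeSet::new()));
        Ok(self.next_id)
    }
    // Only board members sign; the signer set makes a repeated signature count once.
    pub fn sign(&mut self, who: &str, id: u64) -> Result<(), Error> {
        if !self.board.contains(who) { return Err(Error::NotAuthorized); }
        self.pending.get_mut(&id).ok_or(Error::UnknownAction)?.1.insert(who.to_string());
        Ok(())
    }
    // Model assumption: signatures from addresses no longer on the board are ignored.
    pub fn valid_signatures(&self, id: u64) -> usize {
        self.pending.get(&id).map_or(0, |(_, s)| s.intersection(&self.board).count())
    }
    // Performing requires quorum; the action is removed so it cannot run twice.
    pub fn perform(&mut self, who: &str, id: u64) -> Result<String, Error> {
        if !self.may_propose(who) { return Err(Error::NotAuthorized); }
        if !self.pending.contains_key(&id) { return Err(Error::UnknownAction); }
        if self.valid_signatures(id) < self.quorum { return Err(Error::QuorumNotReached); }
        Ok(self.pending.remove(&id).unwrap().0)
    }
}
fn main() {
    let mut ms = Multisig::new(&["alice", "bob", "carol", "dave", "erin"], &["paul"], 3);
    let id = ms.propose("paul", "send 10 EGLD to treasury").unwrap(); // constructed sample action
    for m in ["alice", "bob", "carol"] { ms.sign(m, id).unwrap(); }
    println!("{:?}", ms.perform("paul", id));
}
```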
MSC Actions
Several actions are available for managing and working with a multi-sig contract.
MSC Administration:
- Add / remove board members
- Add / remove proposers
- Change quorum size
- Change multisig contract owner
Sending transactions:
- Send: board members must reach a quorum for any transaction to be issued by the MSC. A transaction can be a balance transfer or smart contract call for managing other smart contracts or tokens
Design Philosophy
- No external contracts. Calling methods of other contracts from within the methods of your own Multisig Smart Contract is an amazing feature but should not be required for our simple use case. This also avoids exposing us to bugs. Because any arbitrarily complex function call can be executed, the Multisig Smart Contract functions exactly as a standard wallet but requires multiple signatures.
- No libraries. Extending the last guideline, our contract has no upstream dependencies other than itself. This minimizes the chance of us misunderstanding or misusing some piece of library code. It also forces us to stay simple and eases auditing and, eventually, formal verification.
- Uses cold-storage. The proposer who creates an action or spends from the Multisig Smart Contract has no special rights or access to the Multisig Smart Contract. Authorization is handled by the board members signing messages directly with their wallets, which can be hardware wallets (like Ledger).
- Complete end-to-end testing. Both the design of the contract and the contract itself have been thoroughly audited, and will soon also be formally verified.
Read the detailed specifications of the Multisig Smart Contract here: https://github.com/ElrondNetwork/elrond-specs/blob/main/sc-multisig-specs.md
Get started with a multi-sig wallet by following the examples we have made available here: https://github.com/ElrondNetwork/elrond-wasm-rs/tree/master/contracts/examples/multisig
Multisig accounts are a critical safety feature for all users of the Elrond ecosystem. The new multisig contract sets a high security standard for decentralized applications, stablecoin issuers, and others who will benefit significantly by using it.