[RFC] Formalizing the Community Multisig

Authors

@cylon, @PGov (CGWG), RexShinka (Defi Safety)

Summary

This proposal details an improved community multisig process and documentation. Working with DefiSafety, we have created a robust and detailed process to professionalise the community multisig to meet industry-level security and opsec standards. This process improves transparency and clarity for the Multisig and ensures all signers are active.

Background

At Compound, the community multisig was initially created to:

  • Pause the Compound protocol in case of emergency
  • Whitelist accounts for submitting governance proposals that did not require a COMP threshold to be met
  • Set borrow caps (Compound V2 only)

The power of the community multisig was recently modified to also include cancelling malicious proposals, following the passage of Proposal 303 to add a Proposal Guardian. This power must be periodically renewed by governance.

Over the years, the process for onboarding and operational procedures for this very important multisig have been undefined. Over the last few weeks, the multisig signers have all internally doxxed themselves and worked together to set some ground rules for the responsibility. Using this momentum, we think it’s time to finally officialize the role and set expectations for the role.

The current multisig signers and members can be found here: Forums

Improvements

Through a Compound security tooling grant, DeFiSafety has developed base documentation, proof of humanity, and a history document for the multisig.

This detailed multisig document puts clearly in one place all of the documentation about the Multisig and its management process. This includes what the Multisig is capable of, who the signers are, what their responsibilities are, and their proof of humanity. It includes how the signers will communicate when an issue has been raised. It describes the regular testing and how the resulting executed transactions are documented. There is also a summary document which makes for quick reading. This document is a one-stop reference for the signers and the community on all aspects of the multisig. The grant funded an initial version of these documents. Revisions will be required.

DeFiSafety has a Proof of Humanity process that we used internally on the present signers of the Multisig. The proof of humanity document on chain is here; the description document is here. This will be revised if signers change in the future.

Performing regular tests will prove that all signers are able to sign rapidly and ensure that the signatures work on all chains.

Additionally, DeFiSafety developed an initial history document for the multisig. It includes the transactions from 2024 to the present and will be updated as new transactions and regular multisig testing take place.

Proposal

As indicated above, the initial docs and proof of humanity were funded by the grant to DefiSafety. With this groundwork, we propose finally officializing this community multisig. This includes (about 2 days per month):

  • Formally voting to accept the rules of operation and processes for the community multisig.
  • Establishing a recurring stipend for the multisig signers, similar to that of a security council.
  • Creating a budget for DefiSafety to continue as a quality engineer. As quality engineer, DefiSafety will be tasked with keeping everything up to date with each transaction and any changes in signers, facilitating security checkups, and covering management tasks.

Budget

For an initial 6-month trial period, we propose:

  • Multisig Signers (8): $1.5k/month/signer => $72k
  • Quality Engineer (DefiSafety): $2k/month => $12k

Total: $84k

The Compound Governance Working Group will be tasked with sending monthly remuneration payments and financial operations around such. There will be no extra budget needed for this.

Lastly, this Multisig improvement makes the operation of the Compound protocol easier to understand for non-DeFi natives. Excellent clarity will make it easier for future investors to enter, and, working with DefiSafety, we will continue to identify other areas where better clarity and processes can occur.

Timeline: We will look to take this to an on-chain vote in the coming weeks pending discussion and feedback.

5 Likes

Great proposal! The method used to verify that each signer is a distinct human is both effective and interesting.

On another note, we noticed that while the document outlines the responsibilities of signers—such as prompt responses to transactions, active participation in testing, and maintaining open communication—it does not specify any penalties for failing to meet these duties. We believe it would be beneficial to discuss whether the absence of punitive measures could impact accountability. To maintain the DAO’s governance security, it may be necessary to replace signers who fail the test twice.

Additionally, under “Timing Information,” each situation is described qualitatively rather than quantitatively. It would be helpful to define the maximum tolerated delay for a signer to acknowledge and sign a transaction in each scenario.

2 Likes

We’re trying to finalize internally around what the best allotted time is, and are currently leaning towards 2 business days for non-urgent messages, and a 12-hour maximum for pager emergency situations. Agree that working out punitive measures is good, but a large part of it is situational and will come down to an internal vote to remove/decide in whatever situation, as it is now.

For the “timing information” section: agree, @RexShinka and we will work to get that fleshed out more.

2 Likes

The “Timing Information” in Section 2 is intended as guidance for clarity for the signers and others. In the regular testing (Section 6) there is a hard requirement for signing within a day. In the signature history document, I will add a duration element from when the signature is suggested to when the transaction took place. This will give excellent transparency on the actual speed of signature on the Multisig. There will also be transparency on the testing results. Through all of this, the speed of signatures and the actual signers will be very clear.

3 Likes

Would this pay continue beyond the trial period? I get the 1.5k a month for the first 6 as they need to do some test work but beyond that I’d want to reduce it to .5k or less to cover gas.

Nothing set in stone discussion-wise for future months (frankly don’t think that and scope have been discussed much). Focusing on trial and keeping an open mind for next cycle.