When setting up a multisig and deciding on owner composition, various factors come into play:

Asset ownership

The nature of the assets held in the multisig wallet significantly influences its owner composition. For personal wallets, a single user might control all keys or share some with close associates. Shared funds among small groups typically involve key individuals to ensure all parties have a say in resource management. Company accounts may include executives or key employees responsible for financial operations. Community-managed treasuries often involve a diverse group of owners, promoting transparency and shared responsibility in managing collective funds.

Transparency

The decision to disclose owner identities depends on the multisig’s purpose and the desired balance between transparency and privacy. Publicly disclosing identities can enhance trust and accountability, particularly for community funds or public-facing projects. However, keeping identities private offers increased security and personal protection, often preferred for high-value storage or sensitive operations. The appropriate level of transparency should be determined based on the multisig’s specific needs, considering factors such as asset value, legal requirements, and overall project goals.

Decentralization

The level of decentralization in a multisig setup is closely tied to the project’s objectives and philosophy. Control may be concentrated among a closed group for quicker decision-making, suitable for setups requiring rapid response. Alternatively, many projects opt for a more distributed control structure, spreading ownership among a wide range of community members. While this can enhance engagement and reduce single points of failure, it may also introduce challenges in coordination and consensus-building.

By carefully considering these factors, projects can create a multisig setup that balances security, efficiency, and their unique operational needs.

Learn more about multisignature wallets:

• Follow Multisight on X/Twitter

• Visit Multisight.app

• Subscribe to Multisight here on Mirror

The combination of these two parameters is often specified as M/N or m-of-n, where M defines the required number of confirmations (the threshold), and N represents the total number of owners of the multisignature wallet. The threshold can range from 1 to the total number of owners - for example, configurations such as 1/6, 4/6, and 6/6 are all valid.

Every use case for multisig wallets is unique, and therefore, there is no universally recommended value for these parameters. Several factors influence the configuration: value of managed assets and controlled contracts, size of the group or community, desired level of decentralization, frequency and urgency of action executions, and more.

The vast majority of multisig wallets focus on one of two main objectives:

• Backup - utilizing multiple owners to prevent losing access to an important wallet

• Security - utilizing multiple owners to prevent unauthorized control over shared assets

Setting up a multisig as a backup solution emphasizes the total number of owners. By adding more personal wallets as owners to the multisig wallet, users can still access the multisig through other wallets if they lose access to one. However, this can increase the risk of a hostile takeover - for instance, in a 1/X multisig, taking over a single wallet grants control over the entire multisig.

To counter the risk of a hostile takeover, multisignature wallets can be configured with security as the main objective. In this setup, a higher threshold is required, meaning multiple owner confirmations are needed for any transaction or action. This approach is useful for individuals seeking to protect their important wallets from a single point of failure and for groups or communities managing shared funds or contracts, requiring broad consensus. On the other hand, this can reduce operational efficiency, as it may take longer to reach the required threshold for action.

Since the configuration can be updated over time, you can take inspiration from publicly available setups and experiment to find the configuration that fits your use case best.

Learn more about multisignature wallets:

• Follow Multisight on X/Twitter

• Visit Multisight.app

• Subscribe to Multisight here on Mirror

On-chain signature storage

On-chain storage is based on recording every signature directly on the blockchain. The accessibility and verifiability of all transaction data enhances transparency, trust, and accountability within the system, benefiting decentralized and immutable networks the most. Additionally, the process of on-chain storage is relatively straightforward, requiring no extra infrastructure beyond the blockchain itself.

However, storing each signature on-chain can significantly increase the costs of owning a multisig wallet. Each signing owner has to pay network fees for publishing their signature, which can accumulate quickly, especially in systems requiring multiple signatures for a single transaction, like multisignature wallets. Privacy can also be another concern, as all transaction details are publicly exposed, which may be undesirable for users prioritizing confidentiality.

Off-chain signature storage

Off-chain signature storage involves collecting and managing signatures outside of the blockchain through a separate service. Once all required signatures are gathered, they are included in the final transaction execution on the blockchain. Compared to on-chain storage, efficiency is a major advantage, as it reduces the data load on the blockchain, allowing for faster and cheaper signature collection. Depending on the chosen solution, privacy can also be another key benefit of this approach. By keeping interim transaction data off the public ledger until the final transaction is executed, off-chain storage can increase user privacy.

To achieve these benefits, a custom infrastructure next to the blockchain is required to collect and manage signatures. This complexity introduces potential trust and reliability concerns, as users depend on external services. While these services can be secure, they may still be susceptible to attacks or failures, unlike the inherent protection offered by on-chain systems.

One of the most popular multisig solutions, Safe, leverages this method by offering a custom smart contract and providing a public transaction service for the collection and management of signatures, making it convenient for the majority of users. Moreover, their code is audited and open-sourced, enabling more advanced users to deploy and manage their private transaction service.

The choice between on-chain and off-chain signature storage depends on each user’s needs and concerns. On-chain storage offers transparency and security, making it ideal for decentralized systems, but it can be costly and less private. Off-chain storage, suitable for high-frequency trading or private networks, reduces fees and enhances privacy but relies on external services, which may introduce trust issues. For large, well-audited contracts, off-chain storage can combine efficiency with trustworthiness. Advanced users can further minimize risks by managing their infrastructure, ensuring greater control and security.

Learn more about multisignature wallets:

• Follow Multisight on X/Twitter

• Visit Multisight.app

• Subscribe to Multisight here on Mirror

Seed phrase

When a new cryptocurrency wallet is created, the wallet software generates a seed phrase. Most commonly, seed phrases consist of 12, 18 or 24 human-readable words designed to be easy to understand, store, and remember. Their simplicity and memorability makes them an effective backup mechanism for securing and recovering your wallets.

The seed phrase plays a crucial role, as it is used to derive a master seed. The master seed, in turn, is used to generate private keys. This is why your wallet provides you with a single seed phrase but allows you to create multiple addresses, each with its own private key. This hierarchical structure makes managing multiple accounts both secure and convenient.

Private key

A private key is a long alphanumeric string generated through complex encryption algorithms. It grants full access to the associated wallet, so it is crucial to keep both the private key and the originating seed phrase secure and never share them with anyone.

To validate wallet ownership, the private key is used to generate public keys and signatures, which can be freely shared publicly.

Public key

A public key is derived from the private key and allows others to verify that a message or transaction was signed by the holder of the respective private key without revealing the private key itself. A wallet address is a short and user-friendly representation of a public key.

This mechanism is not exclusive to blockchain and cryptocurrencies but is also the standard for secure and private communication over the internet. The feature is enabled through asymmetric cryptography. The relation between the private and public keys is based on mathematical principles that make it easy to generate a public key from a private key, but not the other way around.

To illustrate such one-way functionality with a simplified example, consider the modulo operation. Representing the private key with a large number, we can easily compute its modulo value. However, given the result, it is infeasible to perform a reverse operation to determine the original value of the private key.

Signature

A signature is also derived from the private key. When a transaction or message is created, the data is hashed and then encrypted with the private key, resulting in a digital signature. This signature is attached to each on-chain interaction and can be viewed through a blockchain explorer.

To verify the authenticity of the signature, anyone can use the public key to decrypt the signature and compare the decrypted hash with the hash of the original data. If they match, it confirms the data's authenticity and integrity.

Learn more about multisignature wallets:

• Follow Multisight on X/Twitter

• Visit Multisight.app

• Subscribe to Multisight here on Mirror

However, it quickly turned out that this was only a single part of the puzzle. The main challenge was a lack of accessible information to learn from. We received validation of this claim from multiple community discussions and through our successful application to the 1st wave of the Safe Grants Program. During our research on multisig signer incentives, it became even more evident that effective management and governance of shared assets can be a real unknown for projects across the whole spectrum of web3.

We believe that accessible and understandable resources are key to onboarding new users to web3 and making the ecosystem more secure. In an effort to fill in this gap, we are now expanding Multisight’s scope and mission. Our upcoming work will focus on three main areas:

Onboarding

Multisignature wallets offer an extensive set of powerful features for both individuals and groups. Multisight will provide comprehensive onboarding materials to accelerate the adoption of this technology.

Education

Information and resources on topics related to multisigs are scattered across the web. Multisight will compile an exhaustive knowledge base to promote an informed and confident approach to multisignature wallet ownership.

Tooling

Many wallet interfaces present only a limited view of the underlying data. Multisight will build user-friendly tools to advance the accessibility and comprehension of relevant information that is available.

We’re excited to continue contributing to the ecosystem and supporting the community. Make sure not to miss any updates by following us and join us in advancing our mission!

• Follow Multisight on X/Twitter

• Visit Multisight.app

• Subscribe here on Mirror

“There isn’t a lot of transparency around multisig compensation in various DAOs. This is not because people are hiding the information, but rather it’s simply because this information often isn’t publicly displayed in obvious places” - Amplice from Gearbox

Last fall, Multisight embarked on a mission to address this knowledge gap. Through our community research, we engaged in insightful conversations, gathered valuable feedback from a survey, and even experienced the lack of resources ourselves. We would like to express our gratitude to each and every person who contributed to this research. However, during our work, it became apparent that this challenge is intertwined with other related topics. In 2024, Multisight will continue to build an educational foundation on all aspects of multisignature wallets, enabling both existing and emerging projects to design configurations of their multisigs that fulfill their needs in an easily accessible and understandable manner.

With that said, let's return to the original question:

How to reward multisig signers?

For founders of smaller projects heavily committed to the project’s efficiency and operability, holding multisig owner roles themselves, a reward for their work may be considered nonessential. However, as projects grow and multisig participants gradually become more distant from the project’s founding core, incentives become a reasonable tool for rewarding their roles and responsibilities. A good reward system should compensate signers for their responsiveness and time committed to reviewing individual actions. It should also align reasonably with the value of managed assets and the frequency of multisig actions. As expected, all of this introduces a set of challenges, as numerous variables come into play, and risks abound from various angles.

Reward frequency

Many projects that implement signer incentives choose to distribute equal rewards to all multisig owners at regular intervals, such as monthly or at the end of their owner role. While this approach may seem intuitive, it creates a situation where owners can become inactive yet still receive rewards, leading to an unfair compensation structure for active signers. In more severe cases, the majority of owners may become inactive, negatively impacting the multisig's operations and compromising the efficiency of the entire setup.

A logical countermeasure would be to reward only actively participating signers. However, this approach also introduces serious risks by fostering a competitive environment where speed becomes more important than a thorough review of multisig actions. Such a setup might lead signers to overlook details in pending actions to secure personal rewards, ultimately compromising the heightened security promised by the multisignature feature.

Each project must determine its own optimal balance between responsiveness and security for its multisig. The key to finding and maintaining this balance is continuous monitoring and evaluation of multisig effectiveness. Ideally, owners should be familiarized with activity and responsiveness requirements before the start of their term, and other project members should consistently hold them accountable.

• Mutant Cats DAO, an NFT-related project, rewards its multisig owners every month

• Sushi, a decentralized exchange platform, provides rewards to its multisig owners annually

Reward currency

When determining the form of rewards, many projects choose to further incentivize individuals by providing rewards in the project’s token, if available. Considering the market's volatility and the length of owner role terms, it is often preferable to define rewards in traditional currencies or stablecoins. At the payout period, the reward amount is converted into the token's market value and transferred to the receiver. If a project is not associated with any token, rewards in stablecoins are a sufficient option.

• mStable, a decentralized finance infrastructure, provides USD rewards in their MTA token equivalent at payout date

• Gearbox Protocol, a decentralized finance protocol, rewards its multisig owners in a predefined amount of their GEAR token

Reward amount

Arguably, the most intricate component of the reward system is determining the actual reward amount. This decision hinges on the financial resources available to each project and the importance it places on its security. Additional expenditures can originate from the extent of the duties and responsibilities connected to the role of multisig owner. While there is no universally recommended amount for these reasons, we’ll further explain the most common process for multisig owners to better illustrate their time and focus demands.

Each multisig action begins with the submission of its details, and the format varies depending on the governance interfaces and tools employed. This process may involve manual data entry, uploading CSV files, or confirming submitted asset transfer requests. Accuracy in input data is crucial at this stage as it sets the foundation for the subsequent procedures. An action may involve only a single command or extend to multiple commands, demanding time and attention from the submitter, especially due to the intricacies of alphanumeric data involved. This task is usually carried out by an individual, but cooperation with other owners is possible.

A submitted action must be signed by multisig owners to reach the required confirmation threshold. During this step, signers verify that the data accurately reflects the proposed actions from the original data source. For each specific action, they must confirm the accuracy of all parameters (such as target address, token, token amount, etc.). This process can be demanding in terms of attention and time, varying based on the action details and the number of sub-actions involved.

The last step of the process involves on-chain execution, which is the most straightforward part. A possible time-consuming task is monitoring low gas fees on some of the expensive blockchains. Based on the internal agreement of the owners, this step can be left for the last signer or a dedicated owner can be assigned to it.

When defining the reward system, one should consider the overall expected activity during the owner’s term with all the demands associated with each action.

• Ribbon Finance, a decentralized finance platform, rewards its multisig members with an equivalent of 150-350 USD per month

• dYdX Foundation, a maintainer of the decentralized finance platform, compensates its core contributors with 1100 USD per month in a role that includes other duties besides multisig management

During our research, we have gathered more examples. Feel free to explore our collection of multisig setups, and perhaps you'll find a project similar to yours or gain inspiration for improving your setup.

Learn more about multisignature wallets by:

• Following Multisight on X/Twitter

• Visiting our knowledge base at Multisight.app

• Subscribing to Multisight here on Mirror

DAOs and other collaborative projects frequently utilize multisignature wallets to manage shared assets. Aiming for decentralization and safety, the adoption of multiple signers is a good practice to enhance decentralization by distributing responsibility and minimizing the risk of a single point of failure. Acknowledging the time and effort invested through the signer role, it is reasonable to also set up a signer incentive system.

However, it is not always clear how to fairly reward individual signers. Different setups present various risks, which often might not be obvious at the first sight. To highlight the intricacies involved, let’s take a look at two examples:

Rewarding all members automatically

Providing equal rewards to all multisig members (e.g. periodically each month) may seem equitable initially. However, this approach opens up an opportunity for signers to become inactive while still passively collecting rewards, leading to unfair compensation of active signers. Over time, this can result in a majority of signers becoming inactive, hampering transaction processing and compromising the setup’s efficiency.

Rewarding only the transaction signers

Limiting rewards solely to those signing transactions fosters a competitive atmosphere where speed takes precedence over careful consideration. This may result in signers neglecting transaction details to secure personal rewards, ultimately undermining the enhanced security promised by multisig setups.

A couple of recent instances underline the importance of multisig signer incentives:

• Gitcoin’s signers inadvertently sent over $450k to the wrong address

• PeopleDAO’s signers approved a malicious $125k transfer

While being only partially related to a poor multisig signer rewards design, these examples still amplify the main challenge - a lack of easily accessible resources on the topic:

“There isn’t a lot of transparency around multisig compensation in various DAOs. This is not because people are hiding the information, but rather it’s simply because this information often isn’t publicly displayed in obvious places” - Amplice from Gearbox

To address this knowledge gap, Multisight is conducting research on multisig signer reward schemes. The objective is to gather insights and experience from the web3 community and create an educational foundation for all existing and upcoming projects.

https://multisight.app/research

By dedicating 5 minutes to complete the survey at multisight.app/research, you become an integral part of building this knowledgebase, helping others responsibly incentivize their multisig signers and secure their assets. Don’t stand on the sidelines, contribute to making the web3 space better!

Stay in the loop with all updates:

• Follow bartosjiri_ on X/Twitter

• Learn more at multisight.app/research

• Subscribe to Multisight here on Mirror