Timelocks and Multisigs

Elliot
5 min read · Jul 19, 2024


Having spent the last few years building smart contracts for Decentralized Finance (DeFi), I have had the privilege of seeing many different organizational structures. Some organizations were mainly on-chain, others were not. For brevity’s sake, organizations will be categorized as either DAOs or startups.

After observing these organizational structures in action, I’ve identified some patterns and best practices. The key question I explored was, “How do these organizations ensure the safety of their and their users’ funds?” The answer lies in their use of multisignature wallets (multisigs) and timelocks. These tools help mitigate single points of failure and protect against potential rug pulls by the team.

Multisigs

A multisignature wallet (multisig) is a cryptocurrency wallet that requires one or more signatures in order to spend funds. The Gnosis Safe wallet is the most popular choice to hold large amounts of funds. The team has been around for over 6 years. Funds held in Safe wallets easily exceed $100 billion, and there have never been hacks or security breaches of the smart contract code, making them the “Safe” place to store funds.

Multisig wallets used by startups and DAOs alike usually have many signers, requiring a quorum of signatures for a transaction to be approved. This helps secure funds because even if a single user’s laptop or signing key were compromised, the other signers would likely notice a malicious transaction before it reached quorum. Requiring a quorum also improves resilience: if a single signer loses their key, the remaining signers can rotate that address off the signing set.

Timelocks

Timelocks are a technology that only allows funds to be spent following a two-step process. First, the owner(s) must propose the action, whatever it may be, to the timelock. Then the time delay must elapse before the owner can execute the desired operation. Physical timelocks in banks serve the same purpose: they prevent criminals from burglarizing a vault, and are usually set so that the safe doors can only be opened during business hours on weekdays. When a timelock is used to govern a DAO, it protects users from a malicious team by only allowing system changes after a predefined period of time. This time period should be long enough to allow users to withdraw funds should a malicious proposal go live.

While timelocks have benefits such as preventing or slowing down malicious proposals, they also have downsides such as slowing access to funds and delaying system changes. If a DAO treasury is stored in a timelock, it will always take at least the time delay to access funds. This causes friction and slows simple operations like transferring funds to contributors. If a bug is identified in the live system with a long timelock, then it will take a long time for a patch to be applied. More advanced governance models implement fine-tuned timelocks for each type of system change, with less sensitive operations requiring shorter timelock durations and more sensitive operations requiring longer timelocks.
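The propose-wait-execute flow and the per-operation delays described above, as an added model in Python (not code from any project mentioned here). The operation types, delays and the guardian who may cancel queued operations are constructed assumptions for the illustration.

```python
class Timelock:
    """Two-step timelock: propose, wait out a per-operation delay, execute.

    Added illustration of the pattern described above; not any project's code.
    Delays are per operation type so routine actions (treasury transfers) can
    use a short delay while sensitive ones (upgrades) require a long one."""

    def __init__(self, delays, default_delay, guardian):
        self.delays = dict(delays)        # op type -> delay in seconds
        self.default_delay = default_delay
        self.guardian = guardian          # may cancel queued operations
        self.queue = {}                   # op id -> {"type", "payload", "eta"}
        self._next_id = 0

    def propose(self, op_type, payload, now):
        """Queue an operation; it becomes executable at now + delay."""
        delay = self.delays.get(op_type, self.default_delay)
        op_id = self._next_id
        self._next_id += 1
        self.queue[op_id] = {"type": op_type, "payload": payload, "eta": now + delay}
        return op_id

    def cancel(self, op_id, caller):
        """Guardian-only cancellation of a queued (not yet executed) operation."""
        if caller != self.guardian:
            raise PermissionError("only the guardian may cancel")
        self.queue.pop(op_id)  # KeyError if unknown or already executed

    def execute(self, op_id, now):
        """Execute only after the delay has fully elapsed."""
        op = self.queue.get(op_id)
        if op is None:
            raise KeyError("unknown, cancelled or already executed operation")
        if now < op["eta"]:
            raise RuntimeError(f"delay not elapsed: {op['eta'] - now}s remaining")
        del self.queue[op_id]
        return op["payload"]


DAY = 86400

if __name__ == "__main__":
    # Constructed policy: transfers wait 1 day, upgrades 7 days, others 2 days.
    tl = Timelock({"transfer": 1 * DAY, "upgrade": 7 * DAY}, 2 * DAY, "guardian")
    op = tl.propose("upgrade", "swap implementation", now=0)
    try:
        tl.execute(op, now=1 * DAY)  # too early for an upgrade
    except RuntimeError as err:
        print("blocked:", err)
    print("executed:", tl.execute(op, now=7 * DAY))
```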

DAOs

A DAO governance structure typically resembles a multisig and timelock combined, with majority-rule voting based on token ownership standing in for the multisig. If you have enough votes, you can pass whatever proposal you like. This system distributes ownership and outsources key management to its token holders. Even if a single entity were compromised, the hope is that the tokens are sufficiently distributed such that a single malicious entity could be vetoed if they acted in a way that was not in all parties’ best interests. These on-chain governance structures typically have timelocks to give users of their systems time to withdraw in case governance proposes a malicious or adversarial action against them.

DAOs with large treasuries can become the targets of raiders who use social pressure to coerce these organizations into using their funds to conduct token buybacks or redemptions.

Since DAOs are large multisigs with ways for anyone with the right amount of tokens to create proposals, they are frequently targets of cybercriminals. See the Tornado Cash hack, where a hacker deceived community members into voting yes on a malicious proposal and then took control of the system. To this day, most DAOs do not have mitigations in place to detect similar kinds of attacks. An example of a governance attack that circumvented a timelock was the Beanstalk exploit.

On-chain organizations invest significant resources into securing the smart contracts they write. However, they seldom invest resources into securing their governance systems and proposals. I expect to see more attacks on DAOs in the future.

Custody Systems

Most custody systems on the market today are some form of a timelock or multisig, often combined. As an example, Fireblocks offers an MPC wallet that requires enough signatures to be present to sign and approve all transactions. This wallet resembles a multisig, with its code for controlling funds and aggregating signatures being offchain as opposed to being onchain like Gnosis. These custody systems usually allow users to set some type of timelock, either through rate-limiting the outflow of funds, or through explicit transaction rules that limit transactions to certain days, times and IP addresses. Most custody systems enforce transaction policies through offchain systems. If these offchain systems contain bugs, these rules can be circumvented.

Social Recovery

Social recovery allows multisig users to have a trusted set of signers who can recover their funds if they lose the required number of keys to reach quorum. Good design of social recovery systems requires the use of timelocks during recovery to prevent malicious actions. This way, if a malicious recovery is proposed, the current multisig owners can veto this action. When done correctly, social recovery makes use of a multisig (backup signers) and timelock for recovering the ownership of a smart contract wallet.
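The recovery design described above, as an added Python model (not code from any wallet project): a quorum of current owners handles routine key rotation, a quorum of backup signers can start a recovery, the recovery waits out a delay, and any current owner can veto it during that delay. The threshold values, the 3-day delay and the single-owner veto are constructed assumptions.

```python
class RecoverableWallet:
    """Smart-contract wallet with a multisig owner set and social recovery.

    Added illustration of the design described above; not any project's code.
    Assumptions: backup signers need their own quorum to start recovery, the
    recovery then waits RECOVERY_DELAY, and any single current owner may veto."""

    RECOVERY_DELAY = 3 * 86400  # assumed 3-day delay

    def __init__(self, owners, threshold, backups, backup_threshold):
        self.owners, self.threshold = set(owners), threshold
        self.backups, self.backup_threshold = set(backups), backup_threshold
        self.pending = None  # {"new_owners", "approvals", "eta"}

    def rotate_owner(self, approvals, old, new):
        """Normal path: a quorum of current owners swaps one key for another."""
        if len(set(approvals) & self.owners) < self.threshold:
            raise PermissionError("owner quorum not reached")
        self.owners.remove(old)  # KeyError if old is not an owner
        self.owners.add(new)
        return frozenset(self.owners)

    def propose_recovery(self, backup, new_owners, now):
        """Backup signers vote on a replacement owner set; quorum starts the clock."""
        if backup not in self.backups:
            raise PermissionError("not a backup signer")
        if self.pending is None:
            self.pending = {"new_owners": frozenset(new_owners), "approvals": set(), "eta": None}
        elif self.pending["new_owners"] != frozenset(new_owners):
            raise ValueError("a different recovery is already pending")
        self.pending["approvals"].add(backup)
        if self.pending["eta"] is None and len(self.pending["approvals"]) >= self.backup_threshold:
            self.pending["eta"] = now + self.RECOVERY_DELAY
        return self.pending["eta"]  # None until backup quorum is reached

    def veto_recovery(self, owner):
        """Any current owner can cancel a pending recovery during the delay."""
        if owner not in self.owners:
            raise PermissionError("only a current owner may veto")
        self.pending = None

    def finalize_recovery(self, now):
        """After the delay, the backup-approved owner set replaces the old one."""
        p = self.pending
        if p is None or p["eta"] is None:
            raise RuntimeError("no recovery has reached backup quorum")
        if now < p["eta"]:
            raise RuntimeError("recovery delay has not elapsed")
        self.owners, self.pending = set(p["new_owners"]), None
        return frozenset(self.owners)
```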

Guardians

Guardians are a trusted party to multisigs and governance systems alike that can either cancel proposals or slow down proposed actions. This role usually allows cancelling of proposals in DAOs and account recovery in wallets.

Closing Thoughts

Governance contracts, multisigs and timelocks, whether they are used by an individual or an entity, all end up looking very similar in structure. Key differences include the length of timelock delays, social recovery, guardians or other features that only appear in one system or the other.

Most custodial systems today are opinionated implementations of timelocks and multisigs. Many of the building blocks of custody systems exist today. However, it is hard for consumers of this technology, whether they be individuals, DAOs or startups, to fully understand the tradeoff space. Individuals are left to their own devices to figure out custody systems. They usually lack the resources to craft their own systems that fit the tradeoffs they prefer. Even those with resources for a high-quality custody setup may not understand its blind spots without the necessary technical expertise. DAOs and startups are better positioned to handle these challenges, as they usually have both the resources and the technical talent to explain the tradeoffs or create their own implementations that suit their needs.

Most of the custody systems we have in crypto are largely inspired by or based on concepts used for physical security in meatspace. Fortunately, we have the benefit of these systems being software-based, which makes them inherently more flexible and customizable.
