Pilots checking off the preflight checklist to ensure that no important tasks are forgotten. Similarly to aviation, we will require multiple experienced developers sign off that they checked for specific bugs in our MultiSig wallet (via Nasa QuickLaunch).

The Gnosis MultiSig Wallet and our Commitment to Security

Recently, a critical bug was found in the MultiSig wallet implemented by the Parity team. A function that was meant to initially set the key holders was completely unprotected. Everyone could call it anytime and effectively take over control of any MultiSig wallet that was using this insecure code.

Tokens and Ether worth more than $200m were affected by this bug and could have been stolen by anyone. For us, the main question is now: Can we be 100% sure that such a bug can never make it into our MultiSig Wallet?

The realistic answer is: We can never be 100% sure. However, we do think that we can at least make these bugs very, very unlikely. When there’s a single person writing code, it is likely that bugs and errors sneak in during development. The key to preventing errors is a rigorous review process involving multiple developers. This process starts at the initial creation of the smart contract and extends to the actual release to catch all bugs before the contract is used in production.

Below is a list of absolutely minimal process requirements we defined for our smart contracts that intend to deal with millions of dollars of value.

1. All contract code needs to be published multiple months before actual deployment.
2. A natural language specification of the code should exist.
3. A formal internal review process needs to be in place.
4. Multiple experienced developers need to go through a checklist and sign off that they checked for specific bugs.
5. At least two experienced developers undertook external audits of the smart contract.
6. A public bug bounty program had been running for at least one month.

A pilot's checklist (via Shopify).

How does our MultiSig Wallet fare when held to these Standards?

1. We published the code for the first time on September 8th.
2. There is currently no natural language specification of the wallet. However, plenty of automated tests have been written and a natural language specification will be provided soon.
3. As part of our review process we are following a checklist based on the best practices around contract security, created by a team of developers at ConsenSys. It is required that multiple developers check the contracts for known issues (Reentrancy, Integer Overflow, Issues around Gas, …) and document those checks.
4. See previous point.
5. Two full audits of the MultiSig wallet have been performed — one by Martin Holst Swende and the other one by ConsenSys. The results of the audits have been published here.
6. We published a bug bounty program (see also this blog post) and got 5 substantial submissions.

The contracts for the Gnosis MultiSig wallet have been reviewed by at least 5 senior Solidity developers. The majority of teams that did ICOs over the last months are already using instances of the Gnosis MultiSig wallet, holding a combined value of over $1 billion worth of Ether and tokens (Gnosis Vault).

We do believe that a strict formalization of those steps is required. In the future, we envision this formalization to be realized on the blockchain, so that we’ll be able to prove on the blockchain that a pre-defined set of standards was met.

While the development of the MultiSig wallet is ongoing, we will release a standalone alpha version of the wallet as an electron app next week and give a detailed overview of its features.