Process Security, Pillar 02
Your multi-sig configuration and the ceremony used to generate your most critical keys are the cryptographic foundation of your protocol's security. A poorly configured multi-sig or an improvised key ceremony creates a single point of failure that no amount of smart contract auditing can fix.
Multi-signature governance and key ceremony design are the most Web3-specific process security controls that exist. They determine who can authorise critical protocol actions, treasury movements, contract upgrades, parameter changes, and emergency pauses, and how the cryptographic keys enabling those actions are generated, secured, and distributed. Get this wrong and no other security control compensates for it.
The crypto security landscape is littered with protocols whose multi-sig was configured for convenience rather than security: 2-of-3 signers all at the same organisation, hardware wallets held by people who live within a few kilometres of each other, no timelock between proposal and execution. We design multi-sig governance structures and key ceremonies that distribute trust genuinely, prevent unilateral action, and survive the operational realities of a distributed Web3 team.
Work is delivered through our internal consultancy team and a curated network of specialist partner firms, rigorously vetted for technical depth and professional integrity in the Web3 space.
When Multi-Sig Fails
“The Bybit attackers did not crack cryptography. They manipulated the transaction data that three multi-sig signers were shown on their Safe interface, so each signer approved a transaction they believed was routine. The multi-sig threshold was met legitimately. A 3-of-X signature is only as strong as the independence and vigilance of the signers, and the integrity of the interface they use to sign.”
One Jurisdiction. One Arrest. $130M Gone.
“Multichain was processing billions in cross-chain volume when CEO Zhao Jun was detained by Chinese authorities in May 2023. It immediately became clear that he alone held the private keys for all Multichain protocol wallets. There were no co-signers. No geographic distribution. No backup key holders. The protocol was paralysed. In July 2023, approximately $130M was drained to addresses linked to his family. A 2-of-N multi-sig with geographically distributed, organisationally independent signers would have made this outcome impossible.”
Blockchain security at the protocol level ultimately rests on cryptographic key security. A smart contract that is mathematically correct can still be exploited if the keys controlling its admin functions are insufficiently protected. Multi-sig governance and key ceremony design are the process controls that protect those keys.
The Design Areas
A complete multi-sig and key ceremony design addresses four interconnected areas. Weakness in any one of them undermines the security of the others.
The multi-sig structure itself: threshold selection (M-of-N), signer identity, organisational independence, geographic distribution, and jurisdictional diversity. The threshold must be high enough to prevent collusion or compromise, and low enough that the protocol can still operate when some signers are unavailable.
The key ceremony: the process by which cryptographic keys are generated, including the hardware used, network isolation, witness presence, entropy sources, and immediate verification of the result. An improvised key ceremony on a day-to-day device with no witnesses creates a key whose security you cannot verify. We design and facilitate ceremonies with documented evidence of integrity.
Timelocks and emergency paths: high-impact protocol actions are enforced through on-chain timelocks, a mandatory delay between proposal and execution that gives the community time to detect and respond to malicious or erroneous governance actions. Emergency paths are scoped to specific actions, such as a pause, rather than granting unlimited admin override.
Backup and recovery: recovery materials for every signing key are distributed using Shamir Secret Sharing or geographic separation, so that no single location or individual can reconstruct a key unilaterally. Recovery procedures are tested, so that in an actual emergency the process is known and rehearsed rather than improvised under pressure.
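As an added illustration of the Shamir Secret Sharing recovery scheme described above (example code written for this page, not the consultancy's own tooling), the Python below splits a 32-byte seed 3-of-5 over a prime field, recovers it from any three shares, and refuses to hand back a value when too few or duplicated shares are supplied. The field prime, the 3-of-5 layout and the constructed sample seed are choices made for this example.

```python
import secrets

# Field prime for the share arithmetic (an example choice): the Mersenne prime
# 2^521 - 1 exceeds any 32-byte seed or private key, so such a secret is one field element.
PRIME = 2**521 - 1


def split_secret(secret: bytes, threshold: int, share_count: int) -> list[tuple[int, int]]:
    """Split `secret` into `share_count` shares; any `threshold` of them rebuild it."""
    s = int.from_bytes(secret, "big")
    if not 1 < threshold <= share_count or s >= PRIME:
        raise ValueError("need 1 < threshold <= share_count and a secret below PRIME")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, share_count + 1):  # x = 0 is never issued: that point IS the secret
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_int(shares: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the supplied shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index: the same share was supplied twice")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares: list[tuple[int, int]], secret_len: int) -> bytes:
    """Rebuild the secret; below-threshold input yields a random field element, so fail loudly."""
    value = recover_int(shares)
    if value >= 256**secret_len:
        raise ValueError("recovered value out of range: below threshold or corrupted share")
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 32-byte seed split 3-of-5, then a rehearsal with custodians 1, 3 and 5.
    seed = secrets.token_bytes(32)
    shares = split_secret(seed, threshold=3, share_count=5)
    assert recover_secret([shares[0], shares[2], shares[4]], 32) == seed
    print("3-of-5 recovery rehearsal succeeded")
```

Each custodian receives one (x, y) pair; the rehearsal in the main block is the kind of tested recovery the text calls for, run before an emergency rather than during one.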