[RFC] Scroll DAO Multisig Management Policy

1. Purpose

This policy is established to define clear, consistent, and accountable standards for the secure configuration and operation of multisigs, to safeguard Scroll DAO funds, reduce operational risk, and ensure transparency and trust in treasury management. It reflects best practices observed across mature decentralized organizations and is informed by multisig and security policies adopted by leading DAOs such as Optimism, zkSync, and Lido.

As the Scroll DAO evolves, this policy serves as a living framework, intended to adapt over time while maintaining a strong baseline for operational security and governance integrity.

This policy aims to ensure:

  • Secure management of DAO funds.

  • Operational efficiency.

  • Transparency and accountability.

  • Clear signer responsibilities.


2. Scope

This policy applies to:

  1. The Scroll DAO Treasury Multisig, which manages the DAO-approved treasury budget.

  2. All program-level multisigs created to execute program expenses funded through the treasury.

This policy governs operational execution only and does not override governance decisions.


3. Treasury Multisig Architecture

The Scroll DAO treasury is controlled by a single multisig wallet with a 3/5 configuration:

  • Owners: 5 signers

  • Threshold: 3 signatures required for execution

Signer allocation:

  • Operations Committee: 2 signers

  • Accountability Committee: 1 signer

  • Scroll Foundation: 2 signers

This distribution ensures:

  • Operational continuity,

  • Cross-committee accountability,

  • Contingency participation from the Foundation without unilateral control.

No single entity or committee can execute transactions alone.


4. Transaction Flow

Proposal of transactions

Treasury transactions should normally be proposed by members of the Operations Committee.

Execution of transactions

Any multisig signer may execute a transaction once the required threshold of signatures is reached.

This separation allows efficient operations while preserving distributed execution capability.


5. Program Multisigs

Programs funded through the treasury must operate via dedicated multisigs rather than directly using the treasury wallet.

Program multisigs must be configured with a 2/3 signing threshold, ensuring an appropriate balance between operational efficiency and security.

Minimum requirements include:

  • At least one signer must belong to the Operations Committee.

  • At least one signer must belong to the Accountability Committee.

This structure is intended to support the timely execution of program-related transactions while maintaining shared accountability and effective oversight among signers.

Program multisigs should only receive funds necessary for program execution.


6. Transaction Recording and Transparency

All treasury transactions must be recorded in an operational ledger maintained by the Scroll DAO (e.g., Notion or spreadsheet).

Each record should include:

  • Transaction purpose,

  • Amount,

  • Destination,

  • Transaction hash,

  • Date,

  • Responsible program or budget category.

This ledger ensures auditability and transparency for governance participants.


7. Signer Terms and Replacement

Signer roles are tied to committee mandates.

  • Signers serve for the duration of their committee mandate.

  • Replacement occurs automatically if committee membership changes.

Inactivity or emergency replacement

If a signer becomes inactive or unable to participate:

Possible approaches (recommended flexible approach):

  1. The Scroll Foundation nominates a replacement signer.

  2. Replacement is executed via a multisig transaction.

  3. Replacement is recorded publicly for transparency.

A signer may be replaced in cases including:

  • Loss of access,

  • Security compromise,

  • Persistent inactivity,

  • Resignation,

  • Committee membership change.

The objective is operational continuity, not punishment.


8. Best Practices Guide

When creating multisigs, those involved are expected to follow the guidelines listed below:

  • Verify the deployed multisig contract.

  • Verify signers’ ability to sign transactions to verify keys’ ownership.

  • Test the multisig with a low‑value transaction before funding it.

  • Confirm the multisig threshold is appropriate for the number of signers (to avoid a 3/3 or 5/5 threshold).

  • Record the multisig address in an immutable or publicly verifiable location (DAO Forum, governance docs, etc.).

Signers are expected to follow the guidelines listed below:

  • Signers must store seed phrases physically, offline, and securely.

  • Signers must notify of planned unavailability.

  • Signers must control only one private key per multisig.

  • Keys must not be reused across multisigs.

  • Keys must not be used for any unrelated on‑chain activity.

  • Signers must carefully verify transactions (recipient, value, type, nonce, etc.) before signing.

  • Hardware wallets must be stored separately from the signer’s seed phrases.

  • Hardware wallets’ firmware must be regularly updated.

  • Lost or compromised devices must be reported immediately, and affected keys must be replaced immediately.


9. Hardware Wallet Requirement (Future Enforcement)

Use of hardware wallets for multisig signing will become mandatory starting July 2026.

Until then:

  • Hardware wallets are strongly recommended.

  • New signers are encouraged to adopt hardware signing devices from onboarding.

Future updates may introduce additional operational security requirements as the DAO’s practices and infrastructure evolve.

The list of devices approved for signer use will be communicated to the community through official governance channels. Signers are encouraged to participate in security training to ensure the proper and secure use of approved devices and to maintain a strong collective security posture.


10. Policy Updates

This policy may be updated through governance decisions as Scroll DAO operations evolve.

3 Likes

Thank you to @SEEDGov and the Operations Committee team on this policy. I really like implementing a policy such as this, something that we need to operate successfully.

I particularly appreciate the 3/5 signature threshold, as it strikes a solid balance between operational security and committee accountability. Furthermore, the Program Multisigs (Section 5) are an excellent inclusion; utilizing separate 2/3 wallets effectively isolates risk and ensures payment efficiency without bottlenecking individual projects. Finally, the addition of an Operational Ledger (Section 6) as a live dashboard is a fantastic step toward institutional-grade transparency; I’m looking forward to seeing this published!

However, to ensure our operational security matches our growth, I recommend the following refinements to the policy:

Accelerated Hardware Mandate:
While the move toward hardware wallets is the correct direction, the July 2026 enforcement date and the “recommended and encouraged use” leave a significant vulnerability gap. Since during this time we will be voting for the next cohort of the Operations Committee, we should establish a secure foundation now instead of closer to July. This ensures that any programmatic issues are resolved before the new cohort of the Operations Committee starts.

I propose moving the mandatory hardware wallet requirement to March 1, 2026. Transitioning mid-term introduces unnecessary security debt; starting the new term with hardened security ensures the integrity of the Treasury from the outset.

Mandatory Security Training:
To professionalize our operations, security training must evolve from an ‘encouragement’ to a mandatory prerequisite for being added to any multisig. I suggest implementing a Signer Readiness requirement by March, ensuring all signers are fully briefed on secure custody, air-gapped signing, and physical backup protocols. We cannot treat security as optional when managing the DAO assets and budget.

1 Like

I like this because it gives Scroll DAO a clear, secure, and practical way to manage multisigs, while keeping operations efficient and transparent for the community.

  • It uses a 3/55 treasury multisig split between the Operations Committee, Accountability Committee, and Scroll Foundation, so no single group can act alone.

  • It requires each funded program to use its own 2/3 multisig, with at least one signer from Ops and one from Accountability, and only the funds that program needs.

  • It separates duties: the Operations Committee usually drafts transactions, but any signer can help execute them once enough signatures are collected.

  • It mandates a shared ledger where every treasury transaction is recorded with purpose, amount, receiver, transaction hash, date, and budget category for transparency.

  • It ties signers to their committee roles and defines how they’re replaced if they leave, are inactive, or lose access, so continuity is protected.

  • It sets simple, concrete security expectations for signers (secure seed storage, no key reuse, careful review, low‑value test transactions) that are easy to understand and follow.

  • It introduces a clear path toward stronger security by making hardware wallets strongly recommended now and fully mandatory from July 2026, with future guidance and training.

1 Like