1. Purpose
This policy is established to define clear, consistent, and accountable standards for the secure configuration and operation of multisigs, to safeguard Scroll DAO funds, reduce operational risk, and ensure transparency and trust in treasury management. It reflects best practices observed across mature decentralized organizations and is informed by multisig and security policies adopted by leading DAOs such as Optimism, zkSync, and Lido.
As the Scroll DAO evolves, this policy serves as a living framework, intended to adapt over time while maintaining a strong baseline for operational security and governance integrity.
This policy aims to ensure:
- Secure management of DAO funds.
- Operational efficiency.
- Transparency and accountability.
- Clear signer responsibilities.
2. Scope
This policy applies to:
- The Scroll DAO Treasury Multisig, which manages the DAO-approved treasury budget.
- All program-level multisigs created to execute program expenses funded through the treasury.
This policy governs operational execution only and does not override governance decisions.
3. Treasury Multisig Architecture
The Scroll DAO treasury is controlled by a single multisig wallet with a 3/5 configuration:
- Owners: 5 signers
- Threshold: 3 signatures required for execution
Signer allocation:
- Operations Committee: 2 signers
- Accountability Committee: 1 signer
- Scroll Foundation: 2 signers
This distribution ensures:
- Operational continuity,
- Cross-committee accountability,
- Contingency participation from the Foundation without unilateral control.
No single entity or committee can execute transactions alone.
4. Transaction Flow
Proposal of transactions
Treasury transactions should normally be proposed by members of the Operations Committee.
Execution of transactions
Any multisig signer may execute a transaction once the required threshold of signatures is reached.
This separation allows efficient operations while preserving distributed execution capability.
5. Program Multisigs
Programs funded through the treasury must operate via dedicated multisigs rather than directly using the treasury wallet.
Program multisigs must be configured with a 2/3 signing threshold, ensuring an appropriate balance between operational efficiency and security.
Minimum requirements include:
- At least one signer must belong to the Operations Committee.
- At least one signer must belong to the Accountability Committee.
This structure is intended to support the timely execution of program-related transactions while maintaining shared accountability and effective oversight among signers.
Program multisigs should only receive funds necessary for program execution.
6. Transaction Recording and Transparency
All treasury transactions must be recorded in an operational ledger maintained by the Scroll DAO (e.g., Notion or spreadsheet).
Each record should include:
- Transaction purpose,
- Amount,
- Destination,
- Transaction hash,
- Date,
- Responsible program or budget category.
This ledger ensures auditability and transparency for governance participants.
7. Signer Terms and Replacement
Signer roles are tied to committee mandates.
- Signers serve for the duration of their committee mandate.
- Replacement occurs automatically if committee membership changes.
Inactivity or emergency replacement
If a signer becomes inactive or unable to participate:
Possible approaches (recommended flexible approach):
- The Scroll Foundation nominates a replacement signer.
- Replacement is executed via a multisig transaction.
- Replacement is recorded publicly for transparency.
A signer may be replaced in cases including:
- Loss of access,
- Security compromise,
- Persistent inactivity,
- Resignation,
- Committee membership change.
The objective is operational continuity, not punishment.
8. Best Practices Guide
When creating multisigs, those involved are expected to follow the guidelines listed below:
- Verify the deployed multisig contract.
- Verify signers’ ability to sign transactions to verify keys’ ownership.
- Test the multisig with a low‑value transaction before funding it.
- Confirm the multisig threshold is appropriate for the number of signers (to avoid a 3/3 or 5/5 threshold)
- Record the multisig address in an immutable or publicly verifiable location (DAO Forum, governance docs, etc.).
Signers are expected to follow the guidelines listed below:
- Signers must store seed phrases physically, offline, and securely.
- Signers must notify of planned unavailability.
- Signers must control only one private key per multisig.
- Keys must not be reused across multisigs.
- Keys must not be used for any unrelated on‑chain activity.
- Signers must carefully verify transactions (recipient, value, type, nonce, etc.) before signing.
- Hardware wallets must be stored separately from the signer’s seed phrases.
- Hardware wallets’ firmware must be regularly updated.
- Lost or compromised devices must be reported immediately, and affected keys must be replaced immediately.
9. Hardware Wallet Requirement (Future Enforcement)
Use of hardware wallets for multisig signing will become mandatory starting July 2026.
Until then:
- Hardware wallets are strongly recommended.
- New signers are encouraged to adopt hardware signing devices from onboarding.
Future updates may introduce additional operational security requirements as the DAO’s practices and infrastructure evolve.
The list of devices approved for signer use will be communicated to the community through official governance channels. Signers are encouraged to participate in security training to ensure the proper and secure use of approved devices and to maintain a strong collective security posture.
10. Policy Updates
This policy may be updated through governance decisions as Scroll DAO operations evolve.