SFC - Multisig Operations
The SEAL Framework Checklist (SFC) for Multisig Operations provides best practices for managing multisig wallets securely. It covers governance, risk management, signer security, operational procedures, and emergency operations.
For more details on certifications or self-assessments, refer to the Certification Guidelines.
Section 1: Governance & Inventory
Policies Governing Multisig Operations
Do you maintain documented policies and procedures governing your multisig operations?
Named Responsible Multisig Owner
Is there a clearly named person or team accountable for multisig operations (policy upkeep, reviews, hygiene)?
Multisig Documentation Maintenance Process
Do you operate a documented maintenance process to keep multisig documentation current after any operational or signer change?
Current Multisig Registry Details
Do you keep an up-to-date registry of all multisigs (address, network, purpose, threshold, modules/guards, admin roles, etc.)?
Authorized Signer Mapping Registry
Do you maintain an up-to-date list of authorized signers and map them to the correct multisigs?
Section 2: Risk Assessment & Management
Formal Multisig Classification System
Do you define and maintain a formal classification system for multisig wallets that covers both impact factors and operational needs?
Classification Criteria and Controls
Do you maintain documented criteria that map each classification level to required controls (thresholds, quorum composition, review cadence, etc.)?
Review and Update Classifications
Do you periodically review and update classifications and associated controls when conditions change?
Timelocks, Modules, and Guards Policies
Do you maintain documented policies on the use of timelocks, modules and guards, including justification and security review requirements for any exceptions?
Exception Approval Process for Multisig
Do you maintain a documented exception approval process for deviations from standard multisig policies, including justification requirements and authorization levels?
Section 3: Signer Security & Access Control
Cryptographic Signer Identity Attestation
Do you maintain a documented process for cryptographic attestation of address ownership and signer affiliation for multisig signers?
Signer Key Management Standard
Do you maintain a documented standard for signer key management?
Signer Seed Backups and Protection
Do you maintain documented policies and procedures for securely backing up and protecting signer seed phrases and recovery materials?
Multisig Signer Lifecycle Management
Do you operate a documented lifecycle for adding, replacing, and removing signers, including offboarding and periodic access reviews?
Signer Training and Readiness Program
Do you have a documented training and readiness program for signers before they are authorized to participate?
Section 4: Operational Procedures
Documented Transaction Lifecycle Procedures
Do you maintain documented processes for transaction initiation, approval, simulation, execution, and confirmation, including who is authorized to initiate?
Signing and Verification Procedures
Do you maintain documented signing and verification procedures that must be followed before any signatures are applied?
Audit Trails and Retention
Do you maintain audit trails and retention for transaction reviews, approvals, execution, and post-execution confirmation?
Policy for High-Risk Transactions
Do you maintain a policy defining enhanced controls for high-risk transactions (emergency actions, large transfers, protocol configuration changes)?
Multisig Standards and Evaluation
Do you maintain documented standards for multisig technology and tools, and a formal evaluation process for adopting new ones?
Backup Infrastructure for Multisig
Do you maintain documented backup infrastructure for multisig operations (alternate signing interfaces, RPC/explorers, failover procedures), and test their use?
Section 5: Communication & Coordination
Multisig Primary and Backup Communications
Do you maintain dedicated primary and backup communication channels for multisig operations with documented membership controls and onboarding/offboarding procedures?
Signer Identity Verification Procedures
Do you have procedures to verify the identity of signers during sensitive communications, with periodic checks to ensure authenticity?
Documented Escalation and On-Call Policies
Do you maintain documented escalation policies that define response-time expectations, on-call coverage, and procedures for urgent coordination?
Channel Compromise Response and Verification
Do you maintain procedures for responding to suspected communication channel compromise, including switching to backup channels and out-of-band verification, and ensure signers know how to invoke them?
Emergency Contacts for Multisig
Do you maintain and distribute an up-to-date emergency contact list for multisig operations?
Section 6: Emergency Operations
Emergency Playbooks for Compromise
Do you maintain written emergency playbooks covering key compromise, lost access, and urgent protocol actions?
24/7 Paging for Emergency Multisigs
For critical/emergency-class multisigs, do you provide 24/7 paging to reach the required threshold and document escalation paths?
Multisig Monitoring and Alerts
Do you maintain monitoring infrastructure and procedures to detect unauthorized, anomalous, or suspicious activity across all multisigs, with documented alerting and escalation paths?
Rehearsals for Emergency Playbooks
Do you conduct periodic rehearsals and drills of emergency playbooks to test response procedures, communication channels, and signer coordination under simulated emergency conditions?