Admin Accounts and Multisigs

Admin Accounts and Multisigs

Smart contracts can have privileged roles, such as for minting, pausing, and upgrading. Privileged roles are not the ideal but are often necessary in the early lifecycle of a project. Over time, a project can become more and more decentralized, either disabling privileged roles or placing them under the control of the community.

In the meantime, admin accounts with such privileged roles need to be protected. If such an account were to fall in the hands of a malicious attacker, they could wreak havoc on your system.

In March 2021, 59 million PAID tokens were stolen from the PAID Network when an attacker used a compromised private key to upgrade to a new smart contract which had the ability to burn and re-mint tokens.

In December 2020, $8 Million dollars were stolen from Hugh Karp’s personal funds whilst using a hardware wallet and a version of MetaMask modified by the attacker that injected a spoof transaction. The standard practice for personal funds of using hardware wallets is not secure enough for admin accounts.

These examples show that we need extra protection for admin accounts from a targeted attack, whether electronic or physical.

Multisigs

Best practice for securing admin accounts is to use a multisig (short for multi-signature wallet). A multisig is a contract that can execute actions, as long as a predefined number of trusted members agree upon it.

A multisig has a number of owners (N) and requires some of them (M) to approve a transaction. This configuration is referred to as M of N.

To compromise an admin account an attacker needs to target at least M owners. Assuming this is at least two owners, electronic or physical attacks become much more difficult, especially when owners are spread geographically and use different technology.

Choosing M of N

We generally shouldn’t use M = 1 as losing control of a single private key means our system is compromised, just like we shouldn’t use M = N as the loss of a single private key means we can no longer use the multisig.

Common practice is to use M = (N/2) + 1. As an example, the Ethereum Foundation, uses a 4 of 7 multisig.

We asked the community what M of N they used and had a mix of responses between 2 of 3, 3 of 5 and other M of N.

Use cases

We should choose an appropriate M of N for the use case of our admin account. Taking into account how quickly we would need to respond and how sensitive the functionality is.

For time-sensitive tasks such as a pause (emergency stop) we need to have owners on call so they can react quickly. The value of M we choose as part of our emergency response plan also needs to take into account special circumstances such as major holidays and major conferences.

We asked the community whether a 1 of N should be used for pause functionality and the responses were close, with M = 1 slightly ahead. Though I would suggest using M > 1 for pause whenever team responsiveness can allow.

Tooling

A popular multisig is Gnosis Safe, which protects over $20 billion of Ether and ERC20 tokens (at the time of writing this).

The original multisig is the Gnosis MultiSigWallet, which still protects significant value for projects such as Aragon and Golem.

OpenZeppelin Defender Admin supports both Gnosis Safe and Gnosis MultiSigWallet for creating proposals for upgrades, pause/unpause as well as custom actions.

Resources and Best Practices

We have been gathering multi-sig wallet resources in the community forum and welcome contributions.

To learn more about multi-sig best practices see the Defender Advisor articles on Use multiple signatures for critical administrative tasks, along with Emergency Response Plan. It is free to signup for OpenZeppelin Defender.

Written in collaboration with Leo Arias.