Lido Proposal: #0x48e552d0dab3d49f72f8618302a68be56afbdfef0d0e7bcf9f73588335d2842b
Lido DAO Ops Multisigs Policy 2.0
Adopt multisig policy 2.0: 100% (62,126,590 LDO)
No changes: 0% (21 LDO)
Proposer: 0xDbBC6A93ae517D3ea568C04219cbBBd025f01CB6
Description
Motivation
Operating within a DAO requires striking a balance between flexibility and security. Lido DAO relies heavily on Safe multisig wallets, leveraging them across different operations to enable safe, transparent, and efficient transaction execution.
This proposal builds on the foundational principles set in the Lido DAO Ops Multisigs Policy while adapting to evolving operational needs. The goal is to optimize multisig governance for scalability, enhance security measures, and ensure a clear framework that aligns with the fast-moving nature of Web3 governance.
Additionally, each such multisig or committee should be ready for adoption by a BORG (ex. Lido Alliance, Lido Ecosystem, Lido Labs) if there is alignment on objectives and if the transition introduces synergistic benefits. In such cases, adherence to BORG bylaws and the signing of necessary agreements will be required to ensure smooth integration and governance continuity.
General Rules
To keep operations secure yet agile, all Lido DAO ops multisigs are recommended to follow these baseline requirements (please see Special Cases for exceptions or additional rule sets):
- Minimum of 3 signers.
- 50%+ signing threshold (rounded to the nearest whole number).
- 5+ signers for multisigs managing roles and permissions.
- 7+ signers for multisigs holding 1M+ in assets (USD stable coins equivalent).
- Signers should use hardware wallets in multisigs managing roles and permissions or holding 100K+ in assets (USD stable coins equivalent).
- For token holdings exceeding a $50K balance equivalent at least once, an unlimited allowance must be set with the Lido Aragon agent as the beneficiary.
- Adherence to the BORG’s bylaws and multisig participation agreement if the multisig is part of one (for example, the Lido Labs BORG).
- Signers of multisigs having critical security roles in Lido protocol operations (like GateSeal and Emergency Brakes) are discouraged from using their addresses for other purposes. They should create a brand new wallet for that purpose instead.
- In the event of loss of access to the keys or their potential compromise, the signer is required to promptly notify the other multisig participants, the community, and BORG (if applicable) by posting a message on the forum or communicating through the relevant channels.
Committee Structure and Responsibilities
- Lido DAO multisigs are structured across various committees, each executing specific operational tasks.
- These committees operate transparently under DAO governance, ensuring accountability and alignment with Lido’s mission.
- Multisigs holding critical security roles should establish a reasonable process for ensuring the multisig's integrity and the responsiveness of its signers (for example, a GateSeal drill report).
Public Process
Lido DAO contributors, LDO token holders and the wider community must have visibility into multisig operations. To uphold transparency:
- Each multisig should have a research.lido.fi forum post detailing its purpose, general operating rules, multisig wallet address and the list of signer addresses.
- Multisig addresses should be documented in the Lido DAO Multisigs section.
- Prospective signers should verify their addresses by posting proof in the forum and social media.
- Any changes to signer composition should be disclosed in the forum post with updated verification.
- Unless explicitly defined as static, signers can be rotated, but a public audit trail should be maintained.
- Any signer change should NOT:
  - Reduce the number of signers below the DAO-vetted number (if applicable).
  - Decrease the signing threshold. If such changes are necessary, a DAO Snapshot vote is required.
Multisig Signer Rotation
- Signers may rotate without a Snapshot vote if a simple majority of the original signers (e.g., 3/5, 5/8) remains.
- The original signer list is stored in IPFS (please see Original Signers List section for links), ensuring verifiable historical records.
- Updating an address to preserve the integrity of the multisig is not considered a signer rotation if the owner of the address remains the same (for example, a signer asks to replace their old, potentially compromised address with a freshly created one). This type of update must be announced and documented in accordance with this policy, and the Updating Signer Addresses section in particular.
- Before a rotation, a committee must confirm that a minimum number of original signers remain. If this condition is not met, a new multisig structure must be proposed via a Snapshot vote.
- The Board of Directors of a BORG can initiate a signer or signer’s address rotation for the multisig if adopted by the named BORG.
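As an added example (not Lido's code), the following Python checks a Safe multisig configuration against the General Rules above and decides whether a proposed signer change can be made by the signers alone under the rotation rules. The Multisig model, the reading of "50%+" as a simple majority, the use of the original signer count as the DAO-vetted number, and the placeholder addresses are this example's assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Multisig:
    """Constructed model of a Safe multisig; the fields are this example's own."""
    owners: list[str]                      # current signer addresses
    threshold: int                         # Safe confirmation threshold
    manages_roles: bool = False            # holds protocol roles/permissions
    assets_usd: float = 0.0                # stablecoin-equivalent balance
    hardware_wallet: dict[str, bool] = field(default_factory=dict)  # signer -> uses a HW wallet?

def min_threshold(n_signers: int) -> int:
    # "50%+ signing threshold": read here (assumption) as a simple majority,
    # i.e. strictly more than half of the signers: 3 -> 2, 5 -> 3, 8 -> 5.
    return n_signers // 2 + 1

def policy_violations(ms: Multisig) -> list[str]:
    """Return the General Rules this multisig breaks (empty list = compliant)."""
    n = len(ms.owners)
    violations = []
    if n < 3:
        violations.append("fewer than 3 signers")
    if ms.threshold < min_threshold(n):
        violations.append(f"threshold {ms.threshold}/{n} is not 50%+")
    if ms.manages_roles and n < 5:
        violations.append("manages roles/permissions with fewer than 5 signers")
    if ms.assets_usd >= 1_000_000 and n < 7:
        violations.append("holds 1M+ in assets with fewer than 7 signers")
    if ms.manages_roles or ms.assets_usd >= 100_000:
        soft = [o for o in ms.owners if not ms.hardware_wallet.get(o)]
        if soft:
            violations.append(f"signers without hardware wallets: {soft}")
    return violations

def rotation_needs_vote(original: list[str], proposed: list[str],
                        old_threshold: int, new_threshold: int) -> bool:
    """True when the signers cannot make the change alone and a Snapshot vote is
    needed: a simple majority of the *original* signers no longer remains, the
    signer count drops below the original (assumed DAO-vetted) size, or the
    threshold is decreased."""
    remaining = len(set(original) & set(proposed))
    return (remaining < min_threshold(len(original))
            or len(proposed) < len(original)
            or new_threshold < old_threshold)

if __name__ == "__main__":
    # Constructed sample: placeholder addresses, not real signers.
    original = ["0xSIGNER_A", "0xSIGNER_B", "0xSIGNER_C", "0xSIGNER_D", "0xSIGNER_E"]
    ms = Multisig(original, threshold=3, manages_roles=True,
                  hardware_wallet={o: True for o in original})
    print("violations:", policy_violations(ms))
    print("swapping 2 of 5 needs a vote:",
          rotation_needs_vote(original, original[:3] + ["0xNEW_1", "0xNEW_2"], 3, 3))
```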
Rotating Multisig Members
- The committee announces a rotation at research.lido.fi and the new signer must publicly verify their address.
- A 7-day objection period follows. If no objections at research.lido.fi arise, the rotation is finalized by the current signers.
Updating Signer Addresses
- If the original key is accessible:
  - The signer proves ownership of a new address by signing a message with their existing address.
- If the original key is lost:
  - The signer must verify their identity to the other signers through alternative methods such as:
    - Authentication via a verified social media account.
    - A video call with other signers for confirmation.
    - Other sufficient methods.
Special Cases
- Multisigs managed by Lido-on-X (non-Ethereum Lido protocols) are exempt unless otherwise stated.
- Lido DAO contributors may set up ad-hoc multisigs for specific operations. If these multisigs do not manage rights, roles, or DAO funds, they are not required to follow this policy. These wallets may be used for gas refunding for dev and ops purposes.