Authored by Thibaut Sardan
In a previous article, we explained the shortcomings of simple multisignature accounts in the Polkadot ecosystem. We also showed how Multix - an easy-to-use interface to manage complex multisigs - addresses these issues by adding a pure proxy in front of a multisig.
Below, we will detail how Multix allows rotating the signatories of a multisig in a simple way. Let's go!
Setting the stage
Let's start with an example. Imagine Alice, Bob, and Charlie decide to form a DAO. They create a 2-out-of-3 multisig called ABC-1. Because this multisig was created using Multix, they also have a Pure proxy controlled by ABC-1. We'll call this Pure proxy account "Pure."
Here's an overview of the setup:
By the way, this overview is generated dynamically on Multix. If you have a multisig, or if you watch a multisig, head to the "Help" menu to visualize it!
You may know that a Pure proxy account is an account that doesn't have its own private key. It's a puppet account, if you will. It has a controller and does whatever its controller tells it to do, but it can't do anything on its own.
Back to our story. As a DAO, Alice, Bob, and Charlie own some NFTs and also have some assets stored on the Pure. The Pure also has an on-chain identity. Now, let's say that Charlie's account got compromised. We need to rotate this key and replace it with a new one. Since both Alice and Bob still have access to their accounts, this is not a problem. Let's see how to do it.
In our example, Alice will initiate the rotation. On Multix, this is pretty simple, using the three dots menu > change multisig.
Alice is now able to remove Charlie's old account from the multisig and add his new address. We'll call it Charlie 2.
Here is what will happen. The original multisig, ABC-1, was controlling the Pure so far, right?
Now Alice, by doing the action above, will:
Create a new multisig, with Charlie 2 as a member. We will call the new multisig ABC-2.
ABC-2 will be added as a controller of Pure. This action is initiated by ABC-1, which so far was the only controller.
Are you still with me? Now we will end up with two multisigs, the old ABC-1 and the new ABC-2, both controlling the Pure!
This can be visualized in Multix in the help menu:
You can probably guess the last step of the process. They need to remove ABC-1 as a controller. The good news is that on Multix, this transaction has already been initiated by Alice during the rotation flow. So, all that's required is that Bob or Charlie 2 verify and approve it. Once this transaction goes through, the only account in control of Pure will be ABC-2, and the rotation will be done.
The great benefit of having a pure proxy here is that the NFTs and the funds stayed on the Pure. The Pure address has not changed, and neither did the on-chain identity.
How secure is this?
The signatory rotation flow in Multix is straightforward. The transactions are crafted for the users, and very little can go wrong.
1 - The key rotation is initiated by the old multisig. The signatories of ABC-1 will see that we're trying to add a new account, ABC-2 in this case, as a controller of Pure. This action needs to be approved by the multisig ABC-1. On Multix, the transaction is nicely decoded, and the signatories can review it and clearly see that they are adding a new multisig. They can also see who the signatories of this new multisig are.
2 - If the first step is successful, as seen above, we end up with two multisigs in control of the Pure. The last step, removing the old multisig, is then initiated by the new multisig, in our case ABC-2. It is done this way because it verifies that the new multisig is actually functional. If, for some reason, the new controller added to the Pure was the wrong multisig, this last step would never go through, and ABC-1 would still be a controller.
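The two steps above can be checked with a small model. This is an added example, not Multix or pallet code: `multisig_id` follows the Substrate multisig pallet's account derivation, while `Pure`, `multisig_call`, `rotate` and the placeholder keys are hypothetical simplifications that ignore proxy types, deposits and on-chain approval tracking.

```python
import hashlib

def multisig_id(signatories, threshold):
    """Account id of a Substrate multisig: blake2_256 over the SCALE-encoded
    (b"modlpy/utilisuba", sorted signatories, u16 threshold)."""
    who = sorted(signatories)
    if len(who) >= 64:
        raise ValueError("sketch handles single-byte SCALE compact lengths only")
    data = (b"modlpy/utilisuba" + bytes([len(who) << 2]) + b"".join(who)
            + threshold.to_bytes(2, "little"))
    return hashlib.blake2b(data, digest_size=32).digest()

def multisig_call(signatories, threshold, approvers):
    """Return the multisig's id if enough of its signatories approved."""
    if len(set(approvers) & set(signatories)) < threshold:
        raise PermissionError("threshold not reached")
    return multisig_id(signatories, threshold)

class Pure:
    """Keyless account (hypothetical model): only its controllers can act for it."""
    def __init__(self, controller):
        self.controllers = {controller}

    def change(self, caller, add=None, remove=None):
        if caller not in self.controllers:
            raise PermissionError("caller does not control Pure")
        if add:
            self.controllers.add(add)
        if remove:
            self.controllers.discard(remove)

def rotate(pure, old, new, threshold, key_holders):
    """Two-step rotation; key_holders are the keys people can really sign with."""
    old_id, new_id = multisig_id(old, threshold), multisig_id(new, threshold)
    # Step 1: the old multisig adds the new one as a second controller.
    pure.change(multisig_call(old, threshold, key_holders), add=new_id)
    try:
        # Step 2: the new multisig must itself remove the old one.
        pure.change(multisig_call(new, threshold, key_holders), remove=old_id)
    except PermissionError:
        return False  # new multisig cannot act: the old one keeps control
    return True

# Constructed 32-byte placeholder keys, not real accounts.
ALICE, BOB, CHARLIE, CHARLIE2, WRONG1, WRONG2 = (bytes([c]) * 32 for c in b"ABCDXY")
ABC1, ABC2 = [ALICE, BOB, CHARLIE], [ALICE, BOB, CHARLIE2]
```

Swapping one signatory changes the derived multisig id, which is why the Pure, and not the multisig, holds the assets and identity. A new multisig built from keys nobody holds fails step 2 and leaves ABC-1 in control.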
Multix in a nutshell
The most open stack
Multix is a product inspired by web3 principles. We chose to have the most open stack. Multix has been open-sourced from day one. It contains no trackers. It doesn't rely on a private database. And all the information displayed in the interface comes from the chain.
Compatible with current multisigs
Multix is fully compatible with multisigs created on polkadot-js/apps. If you have a multisig on Polkadot, Kusama, or any supported parachain, you can go on Multix and already view and interact with your multisig.
On-chain decoding of multisig calls
Submit your multisig transactions with Multix, and the call will be on-chain. You will not have to send the call data to the other signatories. They can go to Multix, connect their wallet, and see the transaction while also being able to review and approve it.
Check it out!
ChainSafe is a leading blockchain research and development firm specializing in protocol engineering, cross-chain interoperability, and web3-enabled gaming. Alongside its contributions to major ecosystems such as Ethereum, Polkadot, and Filecoin, ChainSafe creates solutions for developers and teams across the web3 space utilizing expertise in gaming, interoperability, and decentralized storage. As part of its mission to build innovative products for users and improved tooling for developers, ChainSafe embodies an open source and community-oriented ethos to advance the future of the internet.