TC - Where should the DAO store $XRD?

There is discussion around where we should be keeping the $xrd tokens with the DAO and want to see where the community is at? My personal opinion is keeping it anywhere but on the Radix ledger is a mistake. Having to keep $xrd on EVM in gnosis would be quite embarrassing. Also using PrimeVault from what I can tell is another stupid and unnecessary recurring expense the DAO probably cant afford and shouldn’t pay for if we can make our own. I saw numbers in main chat that it would be around $14,000 per year.

We probably need a native multisig solution. Does anyone have an idea of work required to build this out? At bare minimum it could be a scrypto blueprint/component solution. I think Nicolai is working on something and I would be happy to brainstorm as well if I had a very specific scope to work from of what is required.

If were not using our own tech to store our $xrd (and probably a large chunk of any $husdc after handover), we will be cucking our whole ecosystem. Our ledger is awesome and we should be proud to store our funds here while using all the safety features we constantly go on about.

image888×499 65 KB

Developing a multisig solution involving multiple wallets would take months because changes are needed at wallet level too.

I have a solution, ready just now, we just need a kind soul to develop an interface for it: GitHub - nemster/dao_wallet: This blueprint is a wrapper implementing M-of-N multisignature around an Account.

I agree that it would be best to keep the assets/wealth on our own network/ledger. It will/can also be used publicly to underline how secure our project is.

Thanks @Austin , think this topic is worth exploring.

I wrote this on Telegram which might give some context:

Marco’s done a great job with his solution at: DAO multisig wallet

It is worth a discussion whether we’d want to:
A. Sign a single transaction with multiple accounts (design @xStelea proposed)
B. Sign multiple different transactions, which authorize a preset of actions defined on a component (design Don Marco proposed)

I personally think A is more flexible and trustless. It allows for any transaction, instead of a preset of ones. But they are both valid approaches, to be honest.

Since @Ghenadie_XRD mentioned the wallet work for option A is 99% there, I don’t think one or the other is harder to build out. They both just need a convenient UI and way to set up.

That is still my view :).

PrimeVault is also an option for me, to be honest. But it depends on the amount of cash available to us, whether it’s a valid one.

Yeah, I agree, most of it should be on the Radix native chain. We can keep some on other chains but mainly for bridging, market making and other needs we might have.

But if we don’t keep our treasury on our own chain, what’s the point of it. Put your money where your mouth is, as they say.

Do you think A or B has a more robust way of preventing bad actors? With stelea’s solution, is there a clear way to add/remove signors? Is there something to prevent loss of funds in case of 2 signors keys being lost for whatever reason? Would we be placing too much trust in whoever owns the wallet? I am still trying to understand both ideas.

With both options, you can remove and add multi-sig signers.

Native multi-sig
In @xStelea’s way, multi-sig works via the OwnerRole of the multi-sig account. Just like on any component (an account is a component), you can change the owner role to requiring a badge. Normally, the OwnerRole of an account is set to a single Ed25519 Signature Resource, which is a virtual badge which proof can only be added to the worktop by signing with the correct private key corresponding to that proof. When, for example, you’d want a 3 out of 5 multi-sig, you can set the OwnerRole of an account to ‘require 3 of 5 non-fungibles’ with the specific non fungibles set to the Ed25519 Signature Resources of the multi-sig signer’s accounts. This way you require 3 out of 5 signatures of multi-sig signer’s accounts to be present in order to access the account.

Changing the multi-sig is a matter of changing the OwnerRole on the account. This is possible, as long as you still have enough people that are a part of the multi-sig. In our 3 out of 5 multi-sig account, if you don’t have at least 3 out of 5 people left that can sign transactions, you’re stuck forever.

Component-based multi-sig
In @StakingCoins’ way, you can mint badges that allow you to be part of the multi-sig. You can then give these badges to people you want to give multi-sig access. These badges give you permission to vote for certain actions defined in the component. Once a threshold of enough people that have a badge voting for defined action has been reached, it can be executed. You can also disable badges you’ve already given out.

This is essentially the same as with native multi-sig: once you cannot reach the threshold of sufficient signers anymore, you’re stuck (because you cannot approve the action of minting new badges). So for both of these methods, it’s important that never happens.

Considerations
The you’re stuck sounds a bit dramatic - and it probably is - because it’s intended behaviour. If there aren’t enough signers, transactions shouldn’t be able to happen. For both options, while there are enough signers, you can add and remove multi-sig signers as you please.

An interesting side note though, is that if you’d use PrimeVault it’s probably easier to recover access once you’ve lost access to sufficient people that can sign multi-sig transactions. They probably have a whole compliant process to recover access (because they still have access, even if we don’t have enough people to sign anymore). AND, if something goes wrong with custodying our assets, we’ve got someone to point to, and demand our funds back. The money we’d pay them for using their solution is not only for the technical side of the product they offer, we’re outsourcing the risk.

Edit: on the bad actors part of your question. These all seem to be fairly safe solutions to me. The only issue I have with the component based approach, is that you either need to predefine EVERY action you want to be able to take in the component, or you’d need to trust a single person whenever you want to handle funds in a non-predefined way.

Example, imagine we want to take 10k XRD out of our treasury, sell for hUSDC, and then deposit the hUSDC in Weft:

1. Through native multi-sig, you can do this all atomically, we’re just controlling an account: we write a tx manifest for this transaction, and we’re good.
2. PrimeVault, I believe, also supports transaction manifests
3. With our component-based solution, it is possible, but then this entire sequence of actions needs to be defined inside of our multi-sig component (through Scrypto). In practice, this is not really viable. So what would happen is that we do a multi-sig for withdrawing 10k XRD to some managing member. This managing member would then solely have access to the 10k XRD, and we’d trust them to swap the 10k XRD to hUSDC, deposit into Weft, and send back the receipt to our multi-sig treasury.

I love this. If this decision were up to me I would pick this and a larger set of council or multi sig signors to reduce risk of signors being lost and being “stuck”. The 5 member RAC does not seem sufficiently big for multisig signing security long term imo.

It’s indeed a nice (and beautiful) solution.

My preferred option would probably still be PrimeVault though, just because it feels safest. Our assets are the one thing I feel we shouldn’t take short cuts on. There’s a reason many institutions use third-party custody, even though could easily build something in-house that would be cheaper. They are insuring themselves against the risk of something going wrong.

Maybe we can talk down the price PrimeVault want for their services a bit