Multisig operations

A practical operating playbook for organizational multisig: policies, workflows, verification, change control, recovery, and audits.

Prerequisites

  • Documented custody model (e.g., 2‑of‑3 or 3‑of‑5) and defined roles.
  • Hardware wallets provisioned and registered with fingerprints/xpubs.
  • Coordinator wallet/app set up; address book initialized.

Policy templates

  • Signer quorum: e.g., Treasury 2‑of‑3 for payouts; Board 3‑of‑5 for treasury moves.
  • Limits: per‑transaction, daily, and monthly caps; tiered approvals above thresholds.
  • Address allowlists: verified destinations for routine payouts.
  • Change control: PR‑style approvals for policy/address edits with independent review.
  • Separation of duties: initiator ≠ final approver; independent auditor verifies receive addresses.
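The policy templates above can be encoded as a check the coordinator runs before any PSBT is built. The following is an added example, not code from this playbook or from any wallet product; the policy limits, tier thresholds, signer names and the placeholder addresses are all constructed assumptions.

```python
"""Payout policy evaluator (added example, not the playbook's own code).

Encodes the policy templates: quorum tiers, per-transaction/daily/monthly
caps, a destination allowlist and separation of duties.  Every name, limit
and address below is a constructed assumption.
"""
from dataclasses import dataclass, field
from datetime import date

SATS_PER_BTC = 100_000_000


@dataclass
class Policy:
    allowlist: dict              # verified destination address -> label
    per_tx_cap: int              # caps in sats
    daily_cap: int
    monthly_cap: int
    # approval tiers: (amount threshold in sats, distinct signatures required, role)
    tiers: tuple = ((0, 2, "treasury"), (5 * SATS_PER_BTC, 3, "board"))


@dataclass
class PayoutRequest:
    initiator: str
    recipient: str
    amount: int
    signers: tuple               # signers who will approve and sign
    final_approver: str          # the signer who broadcasts
    day: date


@dataclass
class SpendHistory:
    entries: list = field(default_factory=list)   # (date, amount) of prior broadcasts

    def spent_since(self, since: date) -> int:
        return sum(amount for day, amount in self.entries if day >= since)


def required_tier(policy: Policy, amount: int) -> tuple:
    """Highest tier whose threshold the amount reaches."""
    tier = policy.tiers[0]
    for candidate in policy.tiers:
        if amount >= candidate[0]:
            tier = candidate
    return tier


def evaluate(policy: Policy, req: PayoutRequest, history: SpendHistory):
    """Return (approved, reasons, signatures_required)."""
    reasons = []
    if req.recipient not in policy.allowlist:
        reasons.append("destination not on allowlist; run address verification first")
    if req.amount > policy.per_tx_cap:
        reasons.append("exceeds per-transaction cap")
    if history.spent_since(req.day) + req.amount > policy.daily_cap:
        reasons.append("exceeds daily cap")
    if history.spent_since(req.day.replace(day=1)) + req.amount > policy.monthly_cap:
        reasons.append("exceeds monthly cap")
    _, needed, role = required_tier(policy, req.amount)
    if len(set(req.signers)) < needed:
        reasons.append(f"tier '{role}' needs {needed} distinct signers")
    if req.final_approver not in req.signers:
        reasons.append("final approver must be one of the signers")
    if req.final_approver == req.initiator:
        reasons.append("separation of duties: initiator cannot be final approver")
    return (not reasons, reasons, needed)


# Constructed sample policy and history (placeholder addresses, not real ones).
POLICY = Policy(
    allowlist={"bc1q-payroll-vendor-placeholder": "payroll vendor"},
    per_tx_cap=10 * SATS_PER_BTC,
    daily_cap=12 * SATS_PER_BTC,
    monthly_cap=40 * SATS_PER_BTC,
)
HISTORY = SpendHistory([(date(2024, 3, 1), 3 * SATS_PER_BTC),
                        (date(2024, 3, 14), 8 * SATS_PER_BTC)])


def sample_decisions() -> dict:
    """Three constructed requests: routine payout, oversized payout, self-approval."""
    day = date(2024, 3, 14)
    vendor = "bc1q-payroll-vendor-placeholder"
    return {
        "routine": evaluate(POLICY, PayoutRequest("alice", vendor, 1 * SATS_PER_BTC,
                                                  ("bob", "carol"), "carol", day), HISTORY),
        "oversized": evaluate(POLICY, PayoutRequest("alice", vendor, 6 * SATS_PER_BTC,
                                                    ("bob", "carol"), "carol", day), HISTORY),
        "self_approved": evaluate(POLICY, PayoutRequest("bob", "bc1q-unverified-placeholder",
                                                        1 * SATS_PER_BTC, ("bob", "carol"),
                                                        "bob", day), HISTORY),
    }


if __name__ == "__main__":
    for name, (ok, reasons, needed) in sample_decisions().items():
        print(name, "APPROVED" if ok else "REJECTED", f"({needed} signatures)", reasons)
```

The evaluator collects every violated rule rather than stopping at the first, so a rejected request tells the initiator everything that must change; the tier lookup returns the signature count the coordinator should demand from the device set before constructing the PSBT.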

Address verification

  • Verify receive addresses on‑device for each signer; compare against coordinator.
  • Use test sends for new addresses/beneficiaries before large transfers.
  • Maintain signed address attestations for auditors.

Spend workflow

  1. Initiator drafts payout (recipients, amounts, fee target) and selects an approved address or requests verification.
  2. Coordinator constructs PSBT; signers verify outputs and change address on‑device, then sign.
  3. Final approver broadcasts; txid recorded with purpose tag and approver list.
  4. Receipt archived (txid + signed message) and shared with accounting.
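Steps 2 through 4 above, as an added example that is not part of this playbook: a signer-side check that every PSBT output is either an approved recipient at the approved amount or change back to the wallet's own descriptor, that the fee stays under the ceiling for the chosen fee target, and a receipt record for step 4. The PSBT is represented as an already-decoded dict of inputs and outputs (the view a signer compares against the hardware display); the addresses, amounts and txid are constructed placeholders, and the SHA-256 digest stands in for the signed message the playbook asks for.

```python
"""Signer-side PSBT output/fee check and post-broadcast receipt
(added example, not the playbook's own code).

The decoded PSBT is a dict with "inputs" and "outputs" lists, amounts in
sats.  Addresses, amounts and the txid are constructed placeholders.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Draft:
    recipients: dict       # approved destination address -> amount in sats
    max_fee: int           # ceiling in sats for the chosen fee target
    purpose: str


def verify_psbt(decoded: dict, draft: Draft, own_change_addresses: set) -> list:
    """Return the problems found; an empty list means the signer may sign.

    own_change_addresses is the set of change addresses the signer's own
    device derived from the multisig descriptor, so a change output is
    accepted only if it pays back to the wallet itself.
    """
    problems = []
    seen = {}
    for out in decoded["outputs"]:
        addr, amt = out["address"], out["amount"]
        if addr in draft.recipients:
            if amt != draft.recipients[addr]:
                problems.append(f"amount for {addr} is {amt}, draft says {draft.recipients[addr]}")
            seen[addr] = seen.get(addr, 0) + 1
        elif addr not in own_change_addresses:
            problems.append(f"unexpected output: {amt} sats to {addr}")
    for addr in draft.recipients:
        if seen.get(addr, 0) != 1:
            problems.append(f"recipient {addr} appears {seen.get(addr, 0)} times, expected once")
    fee = (sum(i["amount"] for i in decoded["inputs"])
           - sum(o["amount"] for o in decoded["outputs"]))
    if fee < 0:
        problems.append("outputs exceed inputs")
    elif fee > draft.max_fee:
        problems.append(f"fee {fee} sats exceeds ceiling {draft.max_fee}")
    return problems


def make_receipt(txid: str, draft: Draft, initiator: str, approvers: list) -> dict:
    """Record archived after broadcast: txid, purpose tag and approver list.

    The digest over the canonical JSON is a tamper-evidence stand-in for the
    signed message the playbook requires; replace it with a real signature.
    """
    record = {"txid": txid, "purpose": draft.purpose, "initiator": initiator,
              "approvers": sorted(approvers)}
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["digest"] = hashlib.sha256(canonical).hexdigest()
    return record


# Constructed sample data.
DRAFT = Draft(recipients={"bc1q-vendor-placeholder": 200_000}, max_fee=1_500,
              purpose="invoice-042")
OWN_CHANGE = {"bc1q-our-change-placeholder"}
GOOD_PSBT = {
    "inputs": [{"amount": 150_000}, {"amount": 100_000}],
    "outputs": [{"address": "bc1q-vendor-placeholder", "amount": 200_000},
                {"address": "bc1q-our-change-placeholder", "amount": 49_000}],
}
# Same draft, but the change output has been redirected to a foreign address.
SWAPPED_CHANGE_PSBT = {
    "inputs": GOOD_PSBT["inputs"],
    "outputs": [{"address": "bc1q-vendor-placeholder", "amount": 200_000},
                {"address": "bc1q-foreign-placeholder", "amount": 49_000}],
}
# Same draft, but the change is shaved so the fee exceeds the ceiling.
OVERPAID_PSBT = {
    "inputs": GOOD_PSBT["inputs"],
    "outputs": [{"address": "bc1q-vendor-placeholder", "amount": 200_000},
                {"address": "bc1q-our-change-placeholder", "amount": 48_000}],
}

if __name__ == "__main__":
    for name, psbt in [("good", GOOD_PSBT), ("swapped change", SWAPPED_CHANGE_PSBT),
                       ("overpaid", OVERPAID_PSBT)]:
        print(name, verify_psbt(psbt, DRAFT, OWN_CHANGE) or "OK to sign")
    print(make_receipt("txid-placeholder", DRAFT, "alice", ["carol", "bob"]))
```

The change-address set must come from each signer's own device (or a descriptor the signer verified on-device), never from the coordinator's display; a compromised coordinator can show any change address it likes, which is exactly the case the check is meant to catch.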

UTXO management

  • Consolidate during low‑fee windows; avoid address reuse; prefer Taproot/bech32.
  • Label UTXOs with source/purpose; avoid mixing hot and cold funds.
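The two UTXO rules above, as an added example that is not part of this playbook: it flags reused addresses, refuses to plan a consolidation that would merge hot and cold funds, and estimates what a consolidation costs at the current fee rate so the decision to wait for a low-fee window is a number rather than a guess. The UTXO set and labels are constructed, and the per-input and per-output virtual sizes are rough assumptions for a 2-of-3 P2WSH wallet, kept as named constants so they can be replaced with measurements for your own script type.

```python
"""UTXO hygiene checks and a consolidation cost estimate
(added example, not the playbook's own code).

The vsize constants are rough assumptions for a 2-of-3 P2WSH wallet;
the UTXOs, addresses and labels are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed vsize figures in vbytes; replace with measurements for your wallet.
TX_OVERHEAD_VB = 11
INPUT_VB_2OF3_P2WSH = 105
OUTPUT_VB_P2WSH = 43


@dataclass(frozen=True)
class Utxo:
    txid: str
    vout: int
    address: str
    amount: int      # sats
    source: str      # "hot" or "cold" custody tier
    purpose: str     # label, e.g. "payroll-float"


def reused_addresses(utxos) -> list:
    """Addresses holding more than one UTXO, i.e. addresses that were reused."""
    counts = Counter(u.address for u in utxos)
    return sorted(a for a, n in counts.items() if n > 1)


def mixes_hot_and_cold(utxos) -> bool:
    return len({u.source for u in utxos}) > 1


def consolidation_fee(n_inputs: int, feerate_sat_vb: float) -> int:
    """Fee in sats for spending n_inputs into a single output at the given rate."""
    vsize = TX_OVERHEAD_VB + n_inputs * INPUT_VB_2OF3_P2WSH + OUTPUT_VB_P2WSH
    return int(round(vsize * feerate_sat_vb))


def plan_consolidation(utxos, feerate_sat_vb, low_fee_threshold_sat_vb, min_inputs=3) -> dict:
    """Decide whether to consolidate now and what it would cost.

    Refuses to plan a consolidation that would merge hot and cold funds;
    such sets must be consolidated separately.
    """
    utxos = list(utxos)
    plan = {
        "inputs": len(utxos),
        "fee_sats": consolidation_fee(len(utxos), feerate_sat_vb),
        "reused": reused_addresses(utxos),
        "mixed_hot_cold": mixes_hot_and_cold(utxos),
    }
    if plan["mixed_hot_cold"]:
        plan["action"] = "split by source before consolidating"
    elif len(utxos) < min_inputs:
        plan["action"] = "too few inputs to be worth a consolidation"
    elif feerate_sat_vb > low_fee_threshold_sat_vb:
        plan["action"] = "wait for a low-fee window"
    else:
        plan["action"] = "consolidate now"
    return plan


# Constructed UTXO set: four cold-storage coins, one address used twice.
COLD_UTXOS = [
    Utxo("txid-a-placeholder", 0, "bc1q-cold-1-placeholder", 400_000, "cold", "treasury"),
    Utxo("txid-b-placeholder", 1, "bc1q-cold-2-placeholder", 250_000, "cold", "treasury"),
    Utxo("txid-c-placeholder", 0, "bc1q-cold-2-placeholder", 120_000, "cold", "treasury"),
    Utxo("txid-d-placeholder", 0, "bc1q-cold-3-placeholder", 90_000, "cold", "donation"),
]
HOT_UTXO = Utxo("txid-e-placeholder", 0, "bc1q-hot-1-placeholder", 50_000, "hot", "payroll-float")

if __name__ == "__main__":
    print(plan_consolidation(COLD_UTXOS, feerate_sat_vb=2, low_fee_threshold_sat_vb=5))
    print(plan_consolidation(COLD_UTXOS, feerate_sat_vb=20, low_fee_threshold_sat_vb=5))
    print(plan_consolidation(COLD_UTXOS + [HOT_UTXO], feerate_sat_vb=2, low_fee_threshold_sat_vb=5))
```

The fee estimate is linear in the input count, which is why the playbook pairs consolidation with low-fee windows: the same four inputs cost ten times as much at 20 sat/vB as at 2 sat/vB, and the saving is locked in for every future spend from the consolidated coin.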

Backups & recovery drills

  • Quarterly restore from seed backups into a spare coordinator; spend a small UTXO to a known address.
  • Keep encrypted metadata (derivation paths, multisig map) offline in multiple locations.

Emergency playbooks

  • Lost or compromised signer → revoke, rotate, and move funds with remaining quorum.
  • Compromised coordinator → rebuild policy on clean machine; verify addresses with hardware displays.
  • Facility risk → relocate backups; move treasury to an emergency vault setup.
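The first two emergency cases hinge on two questions: can the remaining trusted signers still reach quorum, and could whoever holds the compromised key? The following added example (not part of this playbook; signer names are constructed) answers both for an m-of-n policy and maps the answer to the playbook's next step.

```python
"""Quorum health after a lost or compromised signer
(added example, not the playbook's own code; signer names are constructed).
"""


def assess_quorum(m: int, signers: set, lost: set = frozenset(),
                  compromised: set = frozenset()) -> dict:
    """Evaluate an m-of-n policy after some signers are lost or compromised.

    lost: keys believed unrecoverable (device destroyed, seed missing).
    compromised: keys that may be in someone else's hands; they still exist,
    so they count toward reachability but not toward the trusted set.
    """
    signers = set(signers)
    unknown = (set(lost) | set(compromised)) - signers
    if unknown:
        raise ValueError(f"not in policy: {sorted(unknown)}")
    n = len(signers)
    trusted = signers - set(lost) - set(compromised)
    remaining_keys = n - len(set(lost))          # keys that still exist at all
    result = {
        "policy": f"{m}-of-{n}",
        "trusted_available": len(trusted),
        "trusted_can_spend": len(trusted) >= m,
        "attacker_can_spend": len(set(compromised)) >= m,
        "funds_locked": remaining_keys < m,
    }
    if result["attacker_can_spend"]:
        result["action"] = "attacker holds quorum: treat funds as at risk, move immediately"
    elif result["trusted_can_spend"]:
        result["action"] = "move funds with remaining quorum to a fresh policy, then rotate"
    elif result["funds_locked"]:
        result["action"] = "quorum unreachable: restore lost signers from backups first"
    else:
        result["action"] = "quorum needs a compromised key: restore a lost signer from backup first"
    return result


if __name__ == "__main__":
    board = {"a", "b", "c", "d", "e"}
    print(assess_quorum(3, board, lost={"d"}, compromised={"e"}))
    print(assess_quorum(2, {"a", "b", "c"}, lost={"a"}, compromised={"b"}))
    print(assess_quorum(2, {"a", "b", "c"}, compromised={"a", "b"}))
```

The distinction between lost and compromised matters: a lost key reduces how many signatures can ever be produced, while a compromised key still exists and can be used by either side, which is why the playbook's answer is to spend away with the trusted remainder and rotate rather than to keep the policy in place.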

Audit & reporting

  • Monthly proof‑of‑reserves snapshot with signed messages from current addresses.
  • Export transaction logs with txids, approvers, and purpose tags for accounting.
  • Track device lifecycle: firmware versions, rotations, and decommissions.

Recommended tooling

  • Hardware wallets with on‑device address display and secure elements.
  • Multisig coordinator compatible with your devices; exportable policy files.
  • Password manager for non‑seed secrets; offline storage for seed metadata.

Note: Pair this with our article Self‑custody for teams for governance context, and consider Plan B Vault to codify limits and time‑locks.