A security checklist for on-chain treasury and multisig setups

A multisig treasury checklist comes down to four things: who can sign and why, what the quorum threshold actually protects against, whether anything is watching the wallets in real time, and what happens automatically when a signer leaves. Miss any one of those and the rest of the setup doesn't matter much. This is built from running multisig monitoring for a treasury spanning multiple EVM chains, including the offboarding trigger that prevents loss of quorum when a signer leaves.

Signer management

  1. Every signer key has a named human owner tied to identity, not just a wallet address on a spreadsheet.
  2. Hardware key requirement for any signer on a treasury-tier multisig, no software-only keys for material value.
  3. A documented, current signer list, reviewed on a set cadence (quarterly at minimum).
  4. No shared or pooled signing devices across multiple people.

Quorum and threshold design

  1. Threshold sized to the value actually at risk, not defaulted to a generic 2-of-3 or 3-of-5.
  2. Signers distributed across teams, individuals, and ideally time zones, not all reachable through one point of failure.
  3. A documented rationale for the chosen threshold, revisited as treasury value or signer roster changes.

Monitoring

  1. Real-time alerting on proposed and executed transactions, not a periodic manual review.
  2. Monitoring coverage across every chain the multisig is actually deployed to, not just the primary one. Secondary-chain deployments are the most commonly under-monitored surface.
  3. Alert thresholds tied to transaction value, so meaningful movements get flagged distinctly from routine activity.

Offboarding risk

  1. An automatic trigger that notifies a responsible individual the moment a signer's employment or role changes, removal shouldn't depend on someone remembering.
  2. A tested re-key or threshold-adjustment procedure, not just a policy document that assumes it will work.
  3. A time-bound SLA (same-day or next-business-day) for removing a departed signer's key from the quorum.

FAQ

What's a reasonable multisig quorum threshold?

There's no universal number. It should be sized to the value at risk and the operational tolerance for delay, not defaulted to 2-of-3 or 3-of-5. What matters more than the specific ratio is that the rationale is documented and revisited as treasury value changes.

How fast should a departed signer actually be removed from the quorum?

Fast enough that it's a same-day or next-business-day action, not something that waits for the next scheduled review. The strongest setups trigger an automatic notification to a responsible individual the moment a signer's employment or role changes, so removal isn't dependent on someone remembering.

Does this checklist apply specifically to Safe (Gnosis Safe) setups?

It applies to Safe and to on-chain governance contracts like Compound-style Governors, and generalizes to most multisig and timelock structures across EVM chains. The specific tooling changes; the underlying risks (signer management, quorum design, monitoring, offboarding) don't.

What's the biggest blind spot teams actually miss?

Monitoring coverage on secondary chains. Teams often watch their primary treasury chain closely and quietly under-monitor the same multisig's presence on other chains it's deployed to, which is exactly where an issue is most likely to go unnoticed.

I've built and run multisig monitoring across multiple EVM chains. Happy to review your current setup against this checklist. Get in touch.