Multisig Security & an Index Coop Address Book

Motivation

As the Index Coop continues to decentralize, multisig execution ownership will fall to more and more community contributors. There are almost daily hacks in DeFi. To avoid being the next victim, we need to keep our multisigs and signers up-to-date with good operational security hygiene.

The first piece we’re introducing now is a source-controlled, shared Index Coop address book for usage with Parcel and Gnosis Safe.

Index Coop Address Book

The Index Coop is getting to the size, market capitalization, and depth of trust such that community members may soon be executing multi-million dollar multisig transactions. When executing multisig transactions, it can be difficult to have confidence when confronted with a list of Ethereum addresses.

You might ask yourself:

  • Are these addresses correct?
  • Where did these addresses come from?
  • If using an execution doc, did I copy and paste the addresses exactly as they were written?
  • Who had edit access to the execution doc?
  • Could the execution doc have been edited by a malicious actor?

Gnosis allows users to import address books (in CSV file format) which label known addresses in the Gnosis interface. This can give you higher confidence that the addresses you are seeing are correct. If you see an unlabeled address, this can also serve as a gut-check confirming that the contract you are interacting with is new.

Without an address book, what exactly is happening in the Gnosis UI can be difficult to decipher:

This is a screenshot of the same exact transactions from the same wallet (Treasury Multisig). It’s much easier to tell what is going on:

As a multisig signer you should be able to easily view transaction metadata, understand which contracts are being interacted with, what method is being called, who the other signers are thus far, etc.

Why use GitHub & source control?

An address book can be a dangerous dependency for the Coop. Users with edit access to such a list could update addresses and trick our multisig operators into sending funds to the wrong address.

By using GitHub we can enforce strict control over who can edit the address book and how those users can edit it. Any changes to the address book will also automatically be tracked in Git.

Next Steps

We invite all working group leaders, multisig signers & curious community members to begin leveling up their operational security by using the common address book above.

Detailed instructions on how to get started are linked in the repository.

If you see that any important addresses are missing, please submit a pull request.

14 Likes
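The post above names the main risk of a shared address book: someone with edit access swaps the address behind a trusted label. The following is an added example, not part of the original post or the Index Coop repository, of a check a reviewer could run on a pull request to compare the trusted CSV with the proposed one. It assumes an `address,name,chainId` header; the function names and all sample rows are constructed for illustration.

```python
import csv
import io
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")
# Constructed sample data: placeholder addresses, not real Index Coop entries.
BASE = """address,name,chainId
0x1111111111111111111111111111111111111111,Treasury Multisig,1
0x2222222222222222222222222222222222222222,Ops Multisig,1
"""
PROPOSED = """address,name,chainId
0x1111111111111111111111111111111111111111,Treasury Multisig,1
0x3333333333333333333333333333333333333333,Ops Multisig,1
0x4444444444444444444444444444444444444444,New Contributor,1
"""

def load_book(csv_text):
    """Parse an address book CSV into {lowercased address: name}; reject bad rows."""
    book = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        address = (row.get("address") or "").strip()
        name = (row.get("name") or "").strip()
        if not ADDRESS_RE.fullmatch(address):
            raise ValueError(f"malformed address for {name!r}: {address!r}")
        key = address.lower()  # hex case carries only the checksum, not identity
        if key in book:
            raise ValueError(f"duplicate address: {address}")
        book[key] = name
    return book

def review_change(base_csv, proposed_csv):
    """Classify every difference between the trusted book and a proposed edit."""
    base, new = load_book(base_csv), load_book(proposed_csv)
    base_labels = {name.casefold(): addr for addr, name in base.items()}
    new_labels = {name.casefold() for name in new.values()}
    findings = []
    for addr, name in new.items():
        if addr in base:
            if base[addr] != name:
                findings.append(("RELABELED", addr, f"{base[addr]} -> {name}"))
        elif name.casefold() in base_labels:
            # A trusted label now sits on a different address: the swap case.
            findings.append(("REPOINTED", addr, f"{name} was {base_labels[name.casefold()]}"))
        else:
            findings.append(("ADDED", addr, name))
    for addr, name in base.items():
        if addr not in new and name.casefold() not in new_labels:
            findings.append(("REMOVED", addr, name))
    return findings
```

A `REPOINTED` or `RELABELED` finding is the one that should block a merge until a signer confirms the new address through a separate channel; `ADDED` rows still need their source verified before the label is trusted.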

PR submitted for the addresses for myself, ELEV8 Crypto, and MetaGov Gnosis/EOAs.

3 Likes

PR Submitted for the BDWG Contacts
cc: @BigSky7 @Mringz

5 Likes