Commit

docs(evm): add integration requirements for multisig accounts
milapsheth authored Nov 20, 2024
1 parent 787fa30 commit a7cd6c3
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions contracts/gateway/INTEGRATION.md
Expand Up @@ -237,6 +237,19 @@ The EVM gateway uses a proxy pattern for upgrades, i.e there's a fixed proxy con

The upgrade mechanism is expected to vary for non-EVM chains (some chains support contract upgrades natively).

### Multisig

A multisig might be used for certain privileged roles in the smart contracts, e.g. the `operator` account in the `AxelarAmplifierGateway` and `AxelarServiceGovernance`, the `owner` of the `AxelarAmplifierGateway` (temporarily, until the transfer to Governance), and the `owner` of some less critical contracts like the `AxelarGasService`.

For EVM chains, a custom [Multisig contract](../governance/Multisig.sol) is being used. However, another approach might make sense for other chain integrations. If the chain supports native multisig accounts, that might be preferrable. If it doesn't or it's capability is limited, we recommend using the preferred Multisig contract that's standard in the ecosystem (e.g. for EVM chains, [Safe](https://github.com/safe-global/safe-smart-account) is the most popular multisig). If this isn't available, then a custom contract needs to be written.

Requirements:
1. Supports a `k`-of-`n` signer set. `n` is unlikely to be greater than 10.
2. A method to update the signer set to a new one, signed off by the current signer set.
3. A method to execute another arbitrary contract, signed off by the current signer set. If arbitrary execution isn't supported, the multisig needs to be able to execute `transferOwnership`, `transferOperatorship`, `upgrade` methods on an arbitrary contract, along with specific methods in different contracts that are intended to be callable from the privileged role (e.g. `rotateSigners` on the Gateway can be called by the `operator`).
4. Multisig signing can be performed offline, ideally with hardware wallet support.
5. Easy to use scripts (or UI if it can be run in offline mode) to sign multisig transactions. Script for EVM chains can be found [here](https://github.com/axelarnetwork/axelar-contract-deployments/blob/main/evm/multisig.js) (note that some cmds are missing there, since EVM gateway is owned by the governance contract already).

## Signer rotation delay

The auth mechanism of the gateway contract tracks the recent list of signers that were active. This allows a recent signer set to recover the gateway in the event of a compromise of the latest signer set, or a bug in the gateway or Amplifier that allows rotating to a malicious signer set. To prevent the gateway contract from being lost by successive malicious rotations, a minimum delay is enforced between signer rotations (e.g. 1 day). This allows the decentralized governance to step in to react to any issues (for e.g. upgrade the gateway).
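
Review bot: Requirements 2 and 3 both say "signed off by the current signer set", which does not say whether that means the `k`-of-`n` threshold from requirement 1 or all `n` signers, and the list never requires that a collected approval be usable only once. Suggest wording both as "approved by at least `k` of the current `n` signers" and adding a requirement that an approval is bound to one specific action on one specific multisig instance, so it cannot be replayed. This matters more here because requirement 4 has signatures produced offline, possibly well before submission. Requirement 2 should also say whether the threshold `k` can change together with the signer set. Two smaller points in the paragraph above the list: "preferrable" should be "preferable" and "it's capability" should be "its capability". A blank line between "Requirements:" and item 1 would keep the numbered list rendering consistently across Markdown renderers.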