
Governance Signer Guide

What To Understand First

  1. Roles And Custody
  2. Timelock Operations
  3. Monitor Queued Upgrades
  4. Cancel Upgrade
  5. Suspicious Governance Action

What You Are Allowed To Do

Only sign transactions for roles assigned to your Safe and only within an approved ticket. Depending on your Safe, that may include proposing, queueing, executing, cancelling, registering, freezing, or administering roles.

What You Must Never Do

  • Sign from an EOA for production roles.
  • Sign calldata you have not decoded.
  • Trust a web UI summary as the only review.
  • Execute an upgrade before final codehash, metadata, and calldata checks.
  • Ignore guardian objections during the timelock window.

Required Review Habits

Verify target address, target type, contract kind, implementation address, implementation code hash, metadata, policy hash, salt, calldata, expected initialized version, and operation id. For role actions, verify role constant, account, delay, and Safe custody.

Failure Modes To Recognize

Unknown operation id, unexpected registrar event, pending role grant to a new account, role-admin transfer, final-freeze attempt, codehash drift, and calldata selector mismatch all require escalation.

Escalation

Use the guardian/canceller path for unsafe queued operations. Use roleAdmin cancellation or revocation for suspicious grants or compromised role holders.

Role Operating Guide

What This Person Must Understand First

The Governance signer must understand operation hashes, the timelock lifecycle, implementation metadata, role custody, and cancellation criteria. Four questions must stay separate: upgrade governance asks which code is official, deposit permissioning asks who may deposit, custody/readiness asks whether the deposit route is safe, and economic/claim safety asks whether funds can later leave safely.

Allowed To Do

This role may sign reviewed governance transactions when the relevant runbook, permission matrix, and reviewer approval support the action.

Must Never Do

This role must never sign unknown calldata or skip source-manifest checks.

Pages To Read In Order

  1. System Map
  2. Permissioned vs Permissionless Deposits
  3. Permission Matrix
  4. Source Manifest
  5. The runbook for the exact action being performed.

Routine Responsibilities

Keep evidence current, record decisions, reconcile action tickets to onchain events, and raise drift quickly. Do not rely on memory when a source manifest, event log, or contract read can answer the question.

Incident Responsibilities

Stop routine automation for the affected layer, preserve evidence, notify the correct owner, and avoid broad remediation until the failing layer is identified.

Escalation Triggers

Escalate on unknown governance actions, mismatched implementation metadata, unexpected allowlist-admin transfer, stale oracle data, slashing/exit anomalies, failed custody readiness, or any claim that cannot be tied to current source and onchain evidence.