Skip to content

Roles And Signers

Minimum Signer Hygiene

  • hardware keys only
  • signer identity attestation before role assignment
  • documented rotation and revocation process
  • independent review for every role grant proposal

Rotation Procedure (Summary)

  1. propose new role grant.
  2. wait timelock.
  3. execute grant.
  4. verify role state.
  5. revoke old signer role.

Required Inventory Fields

Track role, account, Safe name, threshold, signer list, hardware policy, backup/recovery owner, last exercised date, pending grants, pending admin transfers, and revocation procedure. Include operational roles outside the governor: controller owner, factory owner, and deposit allowlistAdmin.

Controls

No production role should be held by an EOA. RoleAdmin should not be the same Safe as every operational role. Guardian/canceller access must remain independent enough to cancel an unsafe operation during the timelock.

Evidence To Archive

For each review, archive hasRole reads, pending grant reads, Safe configuration screenshots or API output, signer roster approval, and remediation actions.