Multisignature accounts on Namada

Multisignature accounts (multisigs) are accounts on Namada that allow for multiple signers. There are many benefits to multisignature accounts, including but not limited to:

  • Increased security
  • Ability to share wallets
  • Better recovery options

For this reason, all established accounts on Namada are multisignature accounts by default.

A multisignature account can be described as an "x of y" account, where x is the 'threshold' or required number of signatures on a transaction and y is the total number of keys associated with the account. For example, a 3 of 5 multisig will need at least three of the parties to sign any transaction.

Example: Initialising a multisignature account

Here is the process to generate a 2 of 3 multisig account:

Create three signing keys

Assuming we have three parties -- Alice, Bob, and Charlie -- on the multisig, they each need to first generate their keypairs.

namadaw gen --alias alice
namadaw gen --alias bob
namadaw gen --alias charlie

Fund an implicit account for transaction fees

Recall from the section on established accounts that we will need to provide an implicit account to sign and to pay the gas costs of the init-account transaction. This can be any account you own, whether or not it's party to the multisig. In this example, Alice will cover the transaction fees and we'll assume she already has sufficient NAM in her account.

Init-account

The init-account transaction is no different from a typical established account, except for threshold and number of public keys associated. (In fact, a typical established account is simply a 1 of 1 multisig.)

The --signing-keys flag indicates that Alice is signing and paying fees for this transaction.

namadac init-account --alias abc-multisig\
  --public-keys alice,bob,charlie --threshold 2 \
  --signing-keys alice

Submitting a multisignature transaction

A multisignature transaction requires that an offline transaction first be constructed so that it can be signed by each required party before being submitted to the chain.

Dump the raw tx

The --dump-tx argument will write the transaction to disk. A folder is required to be specified where the transaction will be dumped.

mkdir tx_dumps
namadac transfer --source abc-multisig --target <destination address> \
  --token nam --amount 2 \
  --signing-keys alice \
  --dump-tx --output-folder-path tx_dumps
 
# Example output:
Transaction serialized to tx_dumps/FC2955C6B252EF6E93B1B54923B2178A7DC47E06D27448A43426487DF4BAD0E3.tx.

Sign the transaction with two of the three Keys

This command will sign the transaction with Alice's key. Afterwards, repeat the command using Bob's key.

cd tx_dumps
namadac sign-tx \
  --tx-path FC2955C6B252EF6E93B1B54923B2178A7DC47E06D27448A43426487DF4BAD0E3.tx \
  --signing-keys alice \
  --owner abc-multisig

You should have created two new files, one with Alice's signature and one with Bob's:

# contents of tx_dumps directory
FC2955C6B252EF6E93B1B54923B2178A7DC47E06D27448A43426487DF4BAD0E3.tx
offline_signature_FC2955C6B252EF6E93B1B54923B2178A7DC47E06D27448A43426487DF4BAD0E3_tpknam1qpnpmq2mpxaag9e0xcczgc0w66pzaxvpnhysjsm8h5tgmajgvunwck67w5j.tx
offline_signature_FC2955C6B252EF6E93B1B54923B2178A7DC47E06D27448A43426487DF4BAD0E3_tpknam1qqjnwcwpjy09ty4v0z6jwpkr04m3q2h0dgr6j62dfs4g6q6l4dk5yy5we05.tx

To make things easier in the next step, we'll save these filenames to the shell variables TX, SIG1 and SIG2.

Submit transaction on-chain

Since we have enough signatures to meet the threshold of this account, we can submit the transaction. Note that we need to specify an account that will pay the transaction fees.

namadac tx \
  --tx-path $TX
  --signatures $SIG1 $SIG2
  --owner abc-multisig
  --gas-payer alice

Note the lack of commas used in the --signatures argument.

Changing the multisig threshold or associated keys

It is possible to change the multisig threshold of an existing account. This can be done by submitting a valid update-account transaction.

For example, to change the threshold on our multisig to 1:

namadac update-account \
--address abc-multisig \
--public-keys alice,bob,charlie \
--threshold 1 \
--signing-keys alice,bob

Note: you must include both the threshold and the list of public keys to be assosicated with this account, even if there is no change to one of those values.

💡

Updating an account's threshold or public keys requires submitting a valid transaction meeting the existing requirements -- the update-account transaction is no different from any other transaction in that regard. Therefore, you may need to follow the steps described in the previous section to first dump the update-account transaction to a file and collect the required signatures.

Querying the threshold and public keys of an account

One can check that the threshold has been updated correctly by running:

namadac query-account \
--owner abc-multisig

Which will list the threshold and all associated public keys of an account.

A video tutorial

Skip all the boring reading and watch a video tutorial instead!