User Guide
Transparent Accounts
Multisignature

Multisignature accounts on Namada

Multisignature accounts (multisigs) are accounts on Namada that allow for multiple signers. There are many benefits to multisignature accounts, including but not limited to:

  • Increased security
  • Ability to share wallets
  • Better recovery options

For this reason, all established accounts on Namada are multisignature accounts by default.

A multisignature account can be described as an "x of y" account, where x is the 'threshold' or required number of signatures on a transaction and y is the total number of keys associated with the account. For example, a 3 of 5 multisig will need at least three of the parties to sign any transaction.

Example: Initialising a multisignature account

Here is the process to generate a 2 of 3 multisig account:

Create three signing keys

Assuming we have three parties -- Alice, Bob, and Charlie -- on the multisig, they each need to first generate their keypairs.

namadaw gen --alias alice
namadaw gen --alias bob
namadaw gen --alias charlie

Fund an implicit account for transaction fees

Recall from the section on established accounts that we will need to provide an implicit account to sign and to pay the gas costs of the init-account transaction. This can be any account you own, whether or not it's party to the multisig. In this example, Alice will cover the transaction fees and we'll assume she already has sufficient NAM in her account.

Init-account

The init-account transaction is no different from a typical established account, except for threshold and number of public keys associated. (In fact, a typical established account is simply a 1 of 1 multisig.)

The --signing-keys flag indicates that Alice is signing and paying fees for this transaction.

namadac init-account --alias abc-multisig\
  --public-keys alice,bob,charlie --threshold 2 \
  --signing-keys alice

Submitting a multisignature transaction

A multisignature transaction requires that an offline transaction first be constructed so that it can be signed by each required party before being submitted to the chain.

Dump the raw tx

The --dump-tx argument will write the transaction to disk. A folder is required to be specified where the transaction will be dumped (use . for the current directory). Consider the example of a transparent transfer:

namadac transparent-transfer --source abc-multisig --target $TARGET \
  --token nam --amount 2 \
  --dump-tx --output-folder-path . \
  --node $NODE
 
# Example output:
Transaction serialized to ./9c92fe1f2cdc64956582e69b898101e6df78700968fcad5e88bfc1cdf0a5496d.tx.

By default, transactions have an expiration of 1 hour from the time they're created. This can be changed using the --expiration flag and providing a new expiration time (in UTC). Transactions submitted after expiry will not be accepted on-chain.

Sign the transaction with the necessary number of keys (2 in this case)

This command will sign the transaction with Alice's key and Bob's key:

cd tx_dumps
namadac utils sign-offline \
  --data-path 9c92fe1f2cdc64956582e69b898101e6df78700968fcad5e88bfc1cdf0a5496d.tx \
  --secret-keys alice,bob \

You should have created two new files -- one with Alice's signature and one with Bob's.

# contents of current directory
9c92fe1f2cdc64956582e69b898101e6df78700968fcad5e88bfc1cdf0a5496d.tx
offline_signature_9c92fe1f2cdc64956582e69b898101e6df78700968fcad5e88bfc1cdf0a5496d_tpknam1qpnpmq2mpxaag9e0xcczgc0w66pzaxvpnhysjsm8h5tgmajgvunwck67w5j.sig
offline_signature_9c92fe1f2cdc64956582e69b898101e6df78700968fcad5e88bfc1cdf0a5496d_tpknam1qqjnwcwpjy09ty4v0z6jwpkr04m3q2h0dgr6j62dfs4g6q6l4dk5yy5we05.sig

To make things easier in the next step, we'll save these filenames to the shell variables TX, SIG1 and SIG2.

Submit transaction on-chain

Since we have enough signatures to meet the threshold of this account, we can submit the transaction. Note that we need to specify an implicit account that will pay the transaction fees.

namadac tx \
  --tx-path $TX \
  --signatures $SIG1 $SIG2 \
  --gas-payer alice --node $NODE

Note the lack of commas used in the --signatures argument.

Changing the multisig threshold or associated keys

It is possible to change the multisig threshold of an existing account. This can be done by submitting a valid update-account transaction.

For example, to change the threshold on our multisig to 1:

namadac update-account \
--address abc-multisig \
--public-keys alice,bob,charlie \
--threshold 1 \
--signing-keys alice,bob --node $NODE

Note: you must include both the threshold and the list of public keys to be associated with this account, even if there is no change to one of those values.

💡

Updating an account's threshold or public keys requires submitting a valid transaction meeting the existing requirements -- the update-account transaction is no different from any other transaction in that regard. Therefore, you may need to follow the steps described in the previous section to first dump the update-account transaction to a file and collect the required signatures.

Querying the threshold and public keys of an account

One can check that the threshold has been updated correctly by running:

namadac query-account \
--owner abc-multisig --node $NODE

This will list the threshold and all associated public keys of an account.

A video tutorial

Skip all the boring reading and watch a video tutorial instead!

Implicit AccountsSend and Receive Nam Tokens