EOS Multisig — Advanced Security Made Easy

I could not find a really simple tutorial on multiple signature security (multisig or MSIG) on EOS, so I’m writing one up that should help anyone do a multisig transaction.

Using multiple signatures protects an account by requiring many keys or accounts to approve a transaction. This is much safer than using a single key to protect an account.

This tutorial uses a `cleos.sh` script that you can get from my post here EOS — Get Started in 5 Minutes.

Set Up a “Signing” Account

This signingaccount account will act as an intermediary — allowing simple management of permissions. It will not actually be used for signing transactions — the actual signing will be done by the 3 “signer” accounts that we trust.

The signing account will have 3 accounts set as its owner and active permissions: firstsigner, secondsigner, and thirdsigner.

I have outlined this here in my post How to Setup a Secure EOS Account Using Permissions.

Today, I actually used https://bloks.io and it is very, very easy.

I recommend doing this instead of using cleos, where you can easily make mistakes in the JSON.

Go to bloks.io and log in with Scatter, then go to “Wallet” in the top menu and then “Keys and Permissions” in the right menu.

Click the “Advanced” tab and you can easily configure the keys and/or accounts you want to use to secure your multisig signer.

The image below shows how to set up your permissions. You will want to remove any keys and set the threshold to “2”, then add the accounts that you want to use for signing.

Now your signingaccount permissions should look like this:

owner     2:    1 firstsigner@active, 1 secondsigner@active, 1 thirdsigner@active
active    2:    1 firstsigner@active, 1 secondsigner@active, 1 thirdsigner@active

Update your protected_account permissions to use your signingaccount for owner and active:

owner     1:    1 signingaccount@owner
active    1:    1 signingaccount@active

Now you can manage permissions on the signingaccount easily and have it protect multiple protected_accounts.
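To see why two signers are enough (and one is not), here is an added example, not part of the original post or of EOS itself: a simplified Python model of how the threshold/weight authorities above resolve through the signingaccount. It uses the account names from this tutorial and assumes only account entries matter (keys, waits and the rule that a parent permission satisfies its child are left out); `MAX_DEPTH` is a value chosen for this model.

```python
from itertools import combinations

# Authorities from this tutorial: level -> (threshold, {delegate level: weight}).
# Simplified model: only account entries; keys, waits and the
# "parent permission satisfies child" rule are left out.
SIGNERS = [("firstsigner", "active"), ("secondsigner", "active"),
           ("thirdsigner", "active")]
TWO_OF_THREE = (2, {signer: 1 for signer in SIGNERS})
AUTHORITIES = {
    ("signingaccount", "owner"): TWO_OF_THREE,
    ("signingaccount", "active"): TWO_OF_THREE,
    ("protected_account", "owner"): (1, {("signingaccount", "owner"): 1}),
    ("protected_account", "active"): (1, {("signingaccount", "active"): 1}),
}
MAX_DEPTH = 6  # guard against delegation cycles (value chosen for this model)


def satisfied(level, approvals, authorities=AUTHORITIES, depth=0):
    """True if the approved permission levels add up to `level`'s threshold."""
    if level in approvals:
        return True
    if depth >= MAX_DEPTH or level not in authorities:
        return False
    threshold, weights = authorities[level]
    total = 0
    for delegate, weight in weights.items():
        if satisfied(delegate, approvals, authorities, depth + 1):
            total += weight
            if total >= threshold:
                return True
    return False


def minimal_approval_sets(level, candidates=SIGNERS, authorities=AUTHORITIES):
    """Smallest subsets of `candidates` whose approvals satisfy `level`."""
    for size in range(1, len(candidates) + 1):
        hits = [set(combo) for combo in combinations(candidates, size)
                if satisfied(level, set(combo), authorities)]
        if hits:
            return hits
    return []


if __name__ == "__main__":
    target = ("protected_account", "active")
    requested = {("firstsigner", "active"), ("secondsigner", "active")}
    print("requested approvals sufficient:", satisfied(target, requested))
    print("one signer sufficient:", satisfied(target, {SIGNERS[0]}))
    for combo in minimal_approval_sets(target):
        print("minimal set:", sorted(account for account, _ in combo))
```

Running the same check against the list of requested approvals before proposing catches a proposal that could never reach the threshold.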

How Multisig in EOS Works

  1. Propose
  2. Approve
  3. Execute

The proposer of a multisig can be anyone, but they must specify which actors can approve the transaction and which account is protected.

Here is a template for proposing a multisig transaction on EOS:

Any user can propose an msig action. In the example below, the firstsigner and secondsigner are being requested to approve a transfer authorized by the protected_account from the protected_account to a destination_account.

cleos.sh multisig propose <proposalname> '[{"actor":"<firstsigner>","permission":"active"},{"actor":"<secondsigner>","permission":"active"}]' '[{"actor": "<protected_account>", "permission": "active"}]' eosio.token transfer '{"from":"<protected_account>", "to":"<destination_account>", "quantity":"25.0000 EOS", "memo":"<memo>"}' -p <proposer>@active

One signer must now approve (order does not matter):

cleos.sh multisig approve <proposer> <proposalname> '{"actor":"<firstsigner>","permission":"active"}' -p <firstsigner>@active

A second signature is required:

cleos.sh multisig approve <proposer> <proposalname> '{"actor":"<secondsigner>","permission":"active"}' -p <secondsigner>@active

Now any account can issue the execution of the proposal:

cleos.sh multisig exec <proposer> <proposalname> <firstsigner>

Special shoutout to Andy Do for helping me work through this.