Multisig wallets, Safes, and shared-key custody

May 26, 2026

What is multisig and shared-key custody

A multisig wallet requires multiple independent approvals before a transaction executes. Instead of one private key controlling the assets, there are several, and a defined quorum of them has to sign before anything moves.

A 2-of-3 wallet needs two signatures out of three possible signers. A 4-of-7 needs four out of seven. The quorum and signer set are configured when the wallet is created.

The principle is the same one banks use for wire transfers above a threshold: no single person can move large amounts alone. The implementation is a smart contract that enforces the rule on-chain.

How it actually works

A normal Ethereum wallet is controlled by one private key. Whoever holds that key can sign transactions, and the network treats those transactions as authorized.

Lose the key, lose the wallet. Steal the key, drain the wallet.

A multisig wallet replaces the single key with a contract that holds the funds and maintains a list of authorized signers. When someone wants to move assets, they propose a transaction, and other signers review it and add their signatures.

Once the quorum is met, the contract executes the transaction. Below the quorum, nothing happens, however many signatures have accumulated.
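
The propose, approve, and execute flow described above, as an added Python model (illustrative only, not Safe's contract code or any project's code). The class and function names, the signer names, and the placeholder addresses are constructed. Binding each approval to the exact payload and a nonce is an assumption that goes beyond what the text states.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class MultisigModel:
    """Simplified M-of-N wallet model (illustrative, not Safe's contract code)."""
    owners: frozenset
    threshold: int
    nonce: int = 0
    approvals: dict = field(default_factory=dict)  # tx hash -> set of approving owners

    def __post_init__(self):
        if not 1 <= self.threshold <= len(self.owners):
            raise ValueError("threshold must be between 1 and the number of owners")

    def tx_hash(self, to, value, data=b""):
        # Assumption: approvals are bound to the exact payload plus the current
        # nonce, so they cannot be reused for a different or repeated transfer.
        payload = f"{to}|{value}|{data.hex()}|{self.nonce}".encode()
        return hashlib.sha256(payload).hexdigest()

    def approve(self, signer, to, value, data=b""):
        # `signer` stands in for an already-authenticated caller (hypothetical).
        if signer not in self.owners:
            raise PermissionError(f"{signer} is not an authorized signer")
        h = self.tx_hash(to, value, data)
        self.approvals.setdefault(h, set()).add(signer)  # a repeat counts once
        return len(self.approvals[h])

    def execute(self, to, value, data=b""):
        h = self.tx_hash(to, value, data)
        if len(self.approvals.get(h, ())) < self.threshold:
            return False      # below quorum: nothing happens
        del self.approvals[h]
        self.nonce += 1       # consume the nonce; the same approvals never match again
        return True

def demo():
    # Constructed 2-of-3 signer set and placeholder addresses.
    wallet = MultisigModel(frozenset({"alice", "bob", "carol"}), threshold=2)
    tx = ("0xRECIPIENT", 100)
    wallet.approve("alice", *tx)
    wallet.approve("alice", *tx)                  # same signer twice: still 1 approval
    below_quorum = wallet.execute(*tx)
    wallet.approve("bob", *tx)
    altered = wallet.execute("0xOTHER", 100)      # approvals do not cover this payload
    executed = wallet.execute(*tx)
    replayed = wallet.execute(*tx)
    return below_quorum, altered, executed, replayed
```

Calling demo() returns (False, False, True, False): only the transaction that two distinct signers reviewed executes, and it executes once.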

Safe, formerly Gnosis Safe, is the dominant multisig contract on Ethereum and secures more than $100 billion in assets across its deployments. DAOs, foundations, exchanges, and crypto-native funds use it as default treasury infrastructure. Other implementations exist on Solana (Squads), Bitcoin (native multisig at the protocol level), and most major chains.

A related but technically different approach is multi-party computation, or MPC. Instead of multiple complete keys held by multiple people, MPC splits a single key into shards distributed across parties, so no participant ever holds the full key and no full key ever exists in one place.

Signatures get produced jointly through a cryptographic protocol. To an observer on-chain, the transaction looks like it came from a single normal wallet. Institutional custodians (Fidelity Digital Assets, BitGo, Anchorage) lean heavily on MPC because it's quieter on-chain and easier to integrate with traditional compliance systems.

Both approaches solve the same problem. No single point of failure.

Why it matters

A treasury controlled by one private key is one mistake away from zero. Multisig changes the failure mode: a single compromised key, a single rogue employee, or a single phishing attack no longer drains the wallet.

The attacker needs to compromise a quorum of keys, which is exponentially harder when signers are geographically separated, use different devices, and follow independent operational security practices across multiple jurisdictions.

The cost is operational friction. Moving funds takes coordination, signers have to be available, the proposed transaction has to be reviewed, and the quorum has to actually meet.

For active trading, that friction's a problem. For a treasury that moves capital occasionally and deliberately, it's the entire point.

For institutional buyers reading audits and diligence packs, "multisig with a documented signer set and a sensible quorum" is a baseline expectation. Its absence is a red flag.

Where this shows up in Rekord

Rekord's governance roles (curator, allocator, guardian, sentinel) are controlled through multisig wallets, typically Safe deployments. Parameter changes, fee adjustments, and emergency actions all require quorum approval rather than single-key authorization. For the underlying custody mechanics that protect pledged collateral, see "What is a qualified custodian".