I could not find a really simple tutorial on multiple signature security (multisig or MSIG) on EOS, so I’m writing one up that should help anyone do a multisig transaction.
Using multiple signatures protects an account by requiring many keys or accounts to approve a transaction. This is much safer than using a single key to protect an account.
This tutorial uses a `cleos.sh` script that you can get from my post here EOS — Get Started in 5 Minutes.
Set Up a “Signing” Account
First, set up a multisig `signingaccount` that you can set as the owner/active permission on any accounts you want to protect. This makes the management of your multisig permissions much easier if you have more than one account that needs to be protected by msig.
This `signingaccount` will act as an intermediary, allowing simple management of permissions. It will not actually be used for signing transactions; the actual signing will be done by the 3 “signer” accounts that we trust.
The signing account will have 3 accounts set as its owner and active permission: `firstsigner`, `secondsigner`, and `thirdsigner`.
I have outlined this here in my post How to Setup a Secure EOS Account Using Permissions.
Today, I actually used https://bloks.io and it is very, very easy.
I recommend doing this instead of using `cleos`, where you can easily make mistakes with the JSON.
Go to bloks.io and log in with Scatter, then go to “Wallet” in the top menu and then “Keys and Permissions” in the right menu.
Click the “Advanced” tab and you can easily configure the keys and/or accounts you want to use to secure your multisig signer.
The image below shows how to set up your permissions. You will want to remove any keys, set the threshold to “2”, and then add the accounts that you want to use for signing.
Now your `signingaccount` permissions should look like this:
owner 2: 1 firstsigner@active, 1 secondsigner@active, 1 thirdsigner@active
active 2: 1 firstsigner@active, 1 secondsigner@active, 1 thirdsigner@active
Update your `protected_account` permissions to use your `signingaccount` for owner and active:
owner 1: 1 signingaccount@owner
active 1: 1 signingaccount@active
Now you can manage permissions on the `signingaccount` easily and have it protect multiple `protected_account`s.
How Multisig in EOS Works
A multisig transaction in EOS has 3 steps:
- Propose
- Approve
- Execute
The proposer of a multisig can be anyone, but they must specify which actors can approve the transaction and which account is protected.
Here is a template for proposing a multisig transaction on EOS:
Any user can propose a msig action. In the example below, `firstsigner` and `secondsigner` are being requested to approve a transfer, authorized by the `protected_account`, from the `protected_account` to a `destination_account`.
cleos.sh multisig propose <proposalname> '[{"actor":"<firstsigner>","permission":"active"},{"actor":"<secondsigner>","permission":"active"}]' '[{"actor": "<protected_account>", "permission": "active"}]' eosio.token transfer '{"from":"<protected_account>", "to":"<destination_account>", "quantity":"25.0000 EOS", "memo":"<memo>"}' -p <proposer>@active
One signer must now approve (order does not matter):
cleos.sh multisig approve <proposer> <proposalname> '{"actor":"<firstsigner>","permission":"active"}' -p <firstsigner>@active
A second signature is required:
cleos.sh multisig approve <proposer> <proposalname> '{"actor":"<secondsigner>","permission":"active"}' -p <secondsigner>@active
Now any account can issue the execution of the proposal:
cleos.sh multisig exec <proposer> <proposalname> <firstsigner>
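Whether `exec` succeeds depends on the collected approvals satisfying the nested permissions set up earlier. The following is an added example, not code from the original post or from EOSIO: a simplified model of the threshold/weight check using this tutorial's account names. It ignores keys (the setup above removes them), and the recursion limit is an assumption.

```python
# Simplified model of EOS authority checks (added example, not nodeos code).
# Authority tables mirror the permissions configured in this tutorial.
AUTHORITIES = {
    ("protected_account", "active"): {
        "threshold": 1,
        "accounts": [(("signingaccount", "active"), 1)],
    },
    ("signingaccount", "active"): {
        "threshold": 2,
        "accounts": [
            (("firstsigner", "active"), 1),
            (("secondsigner", "active"), 1),
            (("thirdsigner", "active"), 1),
        ],
    },
}

MAX_DEPTH = 6  # assumption: bound on recursion through account delegation


def satisfied(level, approvals, depth=0):
    """Return True if `level` (account, permission) is met by `approvals`."""
    if level in approvals:          # this level approved the proposal itself
        return True
    auth = AUTHORITIES.get(level)
    if auth is None or depth >= MAX_DEPTH:
        return False                # no delegation to follow and no approval
    weight = 0
    for child, w in auth["accounts"]:
        if satisfied(child, approvals, depth + 1):
            weight += w
            if weight >= auth["threshold"]:
                return True
    return False


def can_execute(required, approvals):
    """A proposal can execute only if every required level is satisfied."""
    return all(satisfied(level, set(approvals)) for level in required)


if __name__ == "__main__":
    required = [("protected_account", "active")]
    one = [("firstsigner", "active")]
    two = one + [("secondsigner", "active")]
    print("one approval :", can_execute(required, one))
    print("two approvals:", can_execute(required, two))
```
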
Special shoutout to Andy Do for helping me work through this.