Alternatives to the 3 of 9 multi-sig for CGP approval

As discussed on the governance call of August 19th 2021. @Yaz


  • At present, Celo Governance Proposals need to be approved by a 3-of-9 multi-sig in order to move the referendum stage (see documentation here).
  • This step is intended to prevent whales (large CELO owners) from making a malicious or self-benefiting proposal and pushing it through by reaching quorum and a majority of votes (which assumes that other CELO holders either don’t take enough notice to vote against it).


  1. This allows the signers of the multi-sig to exert veto power over proposals (specifically, if 7 or more want to block, they can). This problem is exacerbated because the 9 signers are not currently public.
  2. Making public the 9 signers potentially puts them personally at risk (e.g. to doxing, bribery, etc.).

Comparison with Uniswap

  • Uniswap protocol does not have any multi-sig step to prevent malicious proposals. Governance process here.
  • Uniswap lays out a number of potential “attacks” and allows them to be dealt with by economic incentives, protocol participants withdrawing funds, and the threat of a hard fork. Worth reading here.

Use of a DAO instead of the multi-sig
It was proposed that some form of DAO could control the multi-sig step. To me this seems like an unproven approach that would add further complication and centralisation to the game theory of making proposals.


  1. I suggest that a list of risks and scenarios be built out just as Uniswap has done under “Adversarial Scenarios”
  2. I suggest that a timelock be added after a referendum is approved before the code can be deployed. This at least gives an opportunity for the community to react/withdraw before a malicious approval comes in. It also gives time for a hard fork.
  3. I suggest that a timeline be set for phasing out the multi-sig.

I am interested in hearing from the community on risks present within Celo (but not Uniswap) that would warrant this multi-sig step.