defirisk.co
rubric v1.7.0

Low-threshold multisig vs TVL

A governance & admin factor in the v1.7.0 rubric. Measured per protocol on a s cadence.

Critical factor. A Red on this factor alone is sufficient to gate a protocol to grade D or F regardless of other category rollups.

Methodology: how we score

**What this measures** This factor assesses whether a protocol's multisig signing threshold is abnormally low relative to its TVL and peer cohort. Rather than scoring the raw threshold number in isolation, the measurement places it against the distribution of thresholds used by protocols in the same TVL bracket — flagging cases where the required signer count falls materially below what peers of equivalent size have adopted. A 2-of-3 threshold securing $5M may be unremarkable; the same configuration securing $500M is structurally indefensible.

**Why it matters** Low signing thresholds concentrate effective control into a small, compromisable set of signers. OpenZeppelin governance security guidance recommends using battle-tested multisig implementations with "publicly known" owners who can be "linked to specific individuals in the community" — the accountability argument collapses when two or three unknown signers collectively hold the keys to hundreds of millions. The dataset's largest bridge and protocol exploits share a structural feature: a threshold low enough that a nation-state actor, rogue insider, or targeted phishing campaign need only compromise two or three endpoints. Both Harmony Bridge and Radiant Capital II demonstrated that even a 3-of-11 threshold on a $53M protocol represents an unacceptable concentration of risk.

**Green / Yellow / Red** Green is assigned when the multisig threshold meets or exceeds peer norms for the TVL cohort (typically 5-of-8 or higher at $100M+ TVL) and signers are geographically and institutionally distributed. Yellow covers cases where the threshold is within one signer of the peer median or where distribution of signers is unclear. Red is assigned when the threshold is two or more signers below the peer median for the TVL bracket, or when a protocol above $50M TVL uses a threshold below 3-of-N.

**Common gray cases** This factor is grayed when the protocol does not publish a signer list and on-chain discovery is inconclusive, or when the TVL is below the $5M floor at which peer-cohort comparison becomes meaningful.

**Notable historical examples**

- **Harmony Horizon Bridge** ($100M, 2022): 2-of-5 multisig with hot wallet signers; threshold compression made key compromise catastrophic.
- **Radiant Capital** ($53M, 2024): 3-of-11 threshold on a large lending protocol; suspected DPRK-attributed compromise of three signers was sufficient for full control.
- **Poly Network (2nd incident)** ($4.4M extracted, 2023): 3-of-4 threshold enabled forged cross-chain proofs with minimal key exposure.
- **Orange Finance** ($843K, 2025): Multisig misconfigured as effectively 1-of-1; complete drain executed unilaterally.

**★ Critical factor** This factor alone is sufficient to trigger a D or F grade under rubric v1.7.0 — a single red assessment here overrides all other category scores. An abnormally low signing threshold relative to TVL is a structural vulnerability that makes every other security investment conditional on the safety of a small number of private keys.

Measurement: what to look for

Determine whether the multisig threshold is abnormally low relative to TVL peer cohort (e.g., 2-of-3 for a protocol with >$100M TVL where peer norm is 5-of-8).

Data & output

**Data source** Safe/Gnosis multisig contract `getThreshold()` and `getOwners()` calls via RPC + DeFiLlama TVL + curator peer-cohort threshold table

**Output format** Green / Yellow / Red · critical gate active

**Evidence artifact** Multisig address + threshold integer + owner count + TVL at check + peer-cohort table version

**Confidence signal** green = threshold ≥ peer-cohort norm for TVL band; yellow = one below norm; red = threshold ≤ 2-of-N or single signer for any TVL; gray = multisig contract not identifiable
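Added example (not defirisk.co's code) of applying the rules above to the raw `getThreshold()` / `getOwners()` eth_call payloads plus a TVL figure. It follows the confidence-signal definition (red at 2-of-N or below for any TVL) and the $5M gray floor from the methodology; the peer-cohort medians and the sample return data are constructed placeholders, not the curator's table.

```python
from typing import Optional

# Constructed peer-cohort table (tvl_floor_usd, peer-median threshold): only the
# "5-of-8 or higher at $100M+" norm is from the rubric; the rest is placeholder.
PEER_COHORT = [(5_000_000, 3), (50_000_000, 5)]

def peer_median(tvl_usd: float) -> Optional[int]:
    """Peer-median threshold for the TVL band, or None below the $5M floor."""
    median = None
    for floor, m in PEER_COHORT:
        if tvl_usd >= floor:
            median = m
    return median

def decode_threshold(ret_hex: str) -> int:
    """Decode the uint256 returned by Safe getThreshold()."""
    return int(ret_hex[2:], 16)

def decode_owner_count(ret_hex: str) -> int:
    """Owner count from the ABI-encoded address[] that getOwners() returns:
    word 0 holds the array offset; the word at that offset is its length."""
    data = ret_hex[2:]
    offset = int(data[:64], 16) * 2  # byte offset -> hex-char offset
    return int(data[offset:offset + 64], 16)

def score(threshold: Optional[int], owner_count: Optional[int],
          tvl_usd: float, signers_distributed: Optional[bool] = None) -> str:
    """Green / yellow / red / gray per the factor's confidence-signal rules."""
    if threshold is None or owner_count is None or threshold > owner_count:
        return "gray"  # multisig not identifiable (or inconsistent data)
    if threshold <= 2:
        return "red"   # <= 2-of-N, including an effective 1-of-1, at any TVL
    median = peer_median(tvl_usd)
    if median is None:
        return "gray"  # below the $5M floor, cohort comparison is not meaningful
    if threshold >= median:
        return "green" if signers_distributed else "yellow"  # unclear -> yellow
    if threshold == median - 1:
        return "yellow"
    return "red"       # two or more signers below the peer median

def score_from_rpc(threshold_ret: str, owners_ret: str, tvl_usd: float,
                   signers_distributed: Optional[bool] = None) -> str:
    return score(decode_threshold(threshold_ret), decode_owner_count(owners_ret),
                 tvl_usd, signers_distributed)

# Constructed eth_call return data: threshold 3, eleven placeholder owners.
SAMPLE_THRESHOLD_RET = "0x" + "3".zfill(64)
SAMPLE_OWNERS_RET = ("0x" + "20".zfill(64) + "b".zfill(64)
                     + "".join(f"{i:064x}" for i in range(1, 12)))
```

`score_from_rpc(SAMPLE_THRESHOLD_RET, SAMPLE_OWNERS_RET, 53_000_000)` returns `red`: a 3-of-11 securing $53M sits two signers below the constructed $50M+ median.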

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-028 |
|---|---|---|
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | yellow |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | gray |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | yellow |
| Chainlink CCIP | ethereum | gray |
| Circle USYC | binance | not_applicable |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | yellow |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | red |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | yellow |
| Dolomite | ethereum | red |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | yellow |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | yellow |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | yellow |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | green |
| JustLend DAO | tron | not_applicable |
| Kamino Lend | solana | red |
| Kinetiq | hyperliquid | yellow |
| Lido | ethereum | green |
| Liquid Collective (LsETH) | ethereum | red |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | not_applicable |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | yellow |
| M^0 | ethereum | not_applicable |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | red |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | green |
| Multipli | ethereum | not_applicable |
| Ondo Finance | ethereum | yellow |
| OpenEden | ethereum | yellow |
| Orca | solana | yellow |
| PancakeSwap | bsc | gray |
| Pendle Finance | ethereum | red |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | red |
| Raydium | solana | green |
| Rocket Pool | ethereum | not_applicable |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | not_applicable |
| Sky Lending (formerly MakerDAO) | ethereum | yellow |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | red |
| Stake DAO | ethereum | yellow |
| StakeWise v3 | ethereum | yellow |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | gray |
| Superstate | ethereum | not_applicable |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | gray |
| Synapse Protocol | ethereum | red |
| Uniswap (v2 + v3) | ethereum | green |
| USDD (Decentralized USD) | tron | not_applicable |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | red |
| Veda (BoringVault) | ethereum | yellow |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | gray |
| Yearn Finance | ethereum | green |

Linked hacks: 4 historical incidents

- related · **Orange Finance** — Admin private key compromise → proxy upgrade → privileged drain of LP vault positions · 2025-01-07 · $844K · ★ Low-threshold multisig [via cross-hack: Factor 39: Multi-Sig Misconfigured as Single-Sig]
- causal · **Radiant Capital** — Compromised multisig private keys → malicious contract upgrade → pool ownership transfer → drain · 2024-10-16 · $53M · ★ Low-threshold multisig vs TVL [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers] || ★ Low-threshold multisig vs TVL [via cross-hack: Factor 28: Insufficient Multisig Signing Threshold for TVL at Risk]
- causal · **Poly Network (2nd incident)** — Compromised 3-of-4 multisig → forged deposit proofs → cross-chain withdrawal drain · 2023-07-01 · $4M · ★ Low-threshold multisig vs TVL [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers] || ★ Low-threshold multisig vs TVL [via cross-hack: Factor 28: Insufficient Multisig Signing Threshold for TVL at Risk]
- causal · **Harmony Horizon Bridge** — Compromised Multisig Private Keys (Hot Wallets) · 2022-06-23 · $100M · ★ Low-threshold multisig vs TVL [via cross-hack: Factor 23: Minimum-Threshold Multisig With Hot Wallet Signers]
rubric_version: v1.7.0 · factor: RD-F-028 · category: 2 · carried: 80 · critical: yes