A multisig (also known as a multisignature wallet) is a smart contract that offers hightened security for funds or sensitive admin controls. Control over the contract is split between several individual "signers" (other individuals with a linked wallet address), and "M of N" signers are required to approve any transactions from the multisig.
Multisig governance is usually paired with offchain voting. Signers may be elected by vote or be unelected team members. As an example, a 2 of 3 multisig would require 2 of the 3 linked signer addresses to approve a transaction before it can be sent. By splitting authority among several signers, multisigs help reduce the risk of governance attacks or self dealing.
While onchain voting and proposal execution are often regarded as the pinnacle of decentralized governance, they come with several trade-offs. Protocols may encounter technical or crypto-economic vulnerabilities in their governance mechanisms, or even face a hostile takeover. Even in the absence of adverse events, onchain governance is inherently more expensive and less flexible compared to other execution methods, such as multisignature wallets (multisigs). Participating in onchain governance requires each voter to submit a transaction on the blockchain, incurring gas fees, and the proposal voting and timelock periods introduce significant delays.
On the other hand, multisigs present a different set of advantages and disadvantages. While protocols must depend on multisig signers to act ethically and respond promptly to signature requests, entrusting known individuals can sometimes be less risky than granting full power to anonymous token holders.
Ultimately, there are trade-offs between multisig and onchain governance mechanisms, but both are widely regarded as superior and more reliable alternatives to allowing a single signer to dictate governance. A notable example from mid-2020 illustrates this point: the pseudonymous Sushiswap founder, Chef Nomi, was able to cash out over $10 million by directly controlling the development fund through a single-signature wallet, without any oversight. This incident underscores the risks associated with centralized control and highlights the importance of implementing robust governance mechanisms.
Multisig governance is typically paired with a signal voting mechanism to maintain legitimacy. As an example, Yearn, Synthetix, and Sushiswap all use the Snapshot voting tool to let token holders make key decisions and delegate authority.
After considering a proposal in the community's discussion venue, a signal vote will be held to assess support. While this typically involves voting with Snapshot, in some cases communities may use onchain signal voting (eg. early Yearn ygov.finance voting tool) or off chain voting which is weighted by user accounts instead of token holdings (eg. polls in Discourse forums or Discord).
Regardless of voting system used (on or off chain, weighted by users or token holdings), the vote itself doesn't trigger execution of the proposal's effects. Instead, the vote serves as instructions for the multisig signers to execute the proposal using their admin priveledges.
Multisigs can act against the will of their community or voters. With tokens used merely for signalling but lacking any executive control, it's possible for multisigs to slowly diverge from their community's interest. If multisigs are comprised of core team members, there may also be conflict on compensation and profit sharing.
Multisigs have a small number of identifiable signers, which makes them a clear target for government regulation, legal actions, or other attacks. Multisig signers' discretion in executing their authority could also cause liability issues. So a distributed set of token holders could potentially offer greater censorship resistance.
Gnosis Safe is the most prominent Ethereum multisig, and Synthetix, Yearn, and Sushiswap all use the Snapshot voting tool to let token holders make key decisions and delegate authority. After a proposal is considered in the community's discussion venue, a signal vote is held to assess support. The vote itself doesn't trigger execution of the proposal's effects; instead, it serves as instructions for the multisig signers to execute the proposal using their admin privileges.
While this system has its drawbacks, such as the potential for multisig signers to act against the will of their community or voters, and the risk of government regulation, legal actions, or other attacks targeting the identifiable signers, it is generally accepted as much better and more reliable than allowing a single signer to control governance.