One compromised key — and the fund's assets are gone in minutes. Institutional clients — DAOs, hedge funds, family offices — cannot rely on a single point of failure. A multi-approval system solves this: it combines on-chain multisig (Safe{Core}) with off-chain policies, HSM integration, and a full audit trail. We have 5+ years of experience developing such systems for 20+ projects. We guarantee asset protection and compliance with stringent requirements. Implementing multi-approval prevents the loss of millions of dollars — statistics show that 80% of DAO treasury incidents occur due to the lack of multi-level approval. Savings from implementation can reach $500k per year for transaction volumes above $10M, and the average cost of a single security incident is $2M.
Technical complexities that multi-approval eliminates
Key compromise — one private key does not grant full control. Even if an attacker gains access to one approver, they cannot withdraw assets — N signatures are required. For HSM keys, the private key never leaves the secure hardware. Human error — a mistaken transaction is blocked at the policy check stage. The Policy Engine rejects transfers to unknown addresses or amounts exceeding the daily limit of $10k. Audit and compliance — every step is logged: who created the request, who approved, from which device. Export logs in auditor format with SIEM integration via webhook. Flexible management — roles are separated (Admin, Initiator, Approver, Executor, Auditor). Policies change without redeploying smart contracts — updates via API take minutes.
How multi-approval works for institutional wallets
We use two layers: on-chain multisig and off-chain policies. On-chain ensures immutable execution of transactions when the signature threshold is reached. Off-chain adds flexibility: amount limits, address whitelists, time-locks, the four-eyes principle. The combination provides security and adaptability.
| Aspect |
On-chain multisig (Safe) |
Off-chain policies (Fireblocks-like) |
| Execution |
Smart contract |
Smart contract + policy engine |
| Flexibility |
Low (only threshold) |
High (limits, roles, time-locks) |
| Policy changes |
Contract migration |
Configuration update without contract |
| Security |
Keys on client |
HSM + physical protection |
| Implementation cost |
Low |
Medium/high |
| Policy type |
Example configuration |
Change time |
| Spending limit |
$50k/day USDC |
5 minutes via API |
| Whitelist |
List of approved addresses |
10 minutes with Admin approval |
| Time-lock |
24 hours for amount >$100k |
Fixed in config |
Detailed system architecture
Policy Engine — service that stores and enforces rules:
- Whitelist of recipient addresses
- Spending limits (daily, weekly per token)
- Time-based rules (transactions only during UTC working hours)
- Amount thresholds (up to $10k — 2 signatures, above $100k — 5 signatures)
- Asset-specific rules (operations with certain tokens require CFO approval)
Approval Workflow Engine — manages request states:
PENDING_APPROVAL → COLLECTING_SIGNATURES → READY_TO_EXECUTE → EXECUTED
↘ REJECTED ↙
Each transition is logged with timestamp and actor_id — mandatory for compliance.
Signature Aggregator — collects EIP-712 (or EIP-1271 for smart contracts) signatures. Stores partial signatures until threshold.
Notification Service — notifies approvers via email, Telegram, Slack with a deep-link for quick approval.
HSM integration — for large institutions, approver keys are stored in AWS CloudHSM or Azure Dedicated HSM. Signing occurs inside HSM without exporting the private key. Implementation:
import * as pkcs11js from "pkcs11js";
class HSMSigner {
private pkcs11: pkcs11js.PKCS11;
async sign(txHash: Buffer, keyLabel: string): Promise<Buffer> {
const session = this.pkcs11.C_OpenSession(this.slotId, pkcs11js.CKF_SERIAL_SESSION);
this.pkcs11.C_Login(session, pkcs11js.CKU_USER, this.pin);
const privateKey = this.findKeyByLabel(session, keyLabel);
this.pkcs11.C_SignInit(session, { mechanism: pkcs11js.CKM_ECDSA }, privateKey);
const signature = this.pkcs11.C_Sign(session, txHash, Buffer.alloc(64));
this.pkcs11.C_Logout(session);
this.pkcs11.C_CloseSession(session);
return this.convertToEthSignature(signature);
}
}
Key point: private key never leaves HSM.
Safe{Core} — de facto standard for Ethereum. A transaction requires accumulation of off-chain signatures and a final execute call. Transaction structure:
struct SafeTx {
address to;
uint256 value;
bytes data;
Enum.Operation operation;
uint256 safeTxGas;
uint256 baseGas;
uint256 gasPrice;
address gasToken;
address refundReceiver;
uint256 nonce;
}
Why combine on-chain and off-chain policies?
A pure on-chain multisig adapts slowly to new requirements: any policy change requires contract migration. The off-chain Policy Engine is 10x faster — limits and roles change via API without gas. And on-chain execution guarantees that policies cannot be bypassed. For transactions above a threshold — a mandatory time-lock (e.g., 24 hours), during which other owners can cancel. Emergency pause freezes all outgoing activity upon compromise. Get a consultation on your system architecture — we will assess the risks of your current solution.
Implementation process
- Requirements audit: analysis of current infrastructure, roles, compliance needs. Risk assessment.
- Design: architecture selection (on-chain only Safe or with off-chain engine), policy design, role model.
- Implementation: smart contract development (Safe Modules), backend (Node.js + PostgreSQL), frontend (React + wagmi), HSM integration.
- Testing: unit tests, integration tests, fuzzing (Echidna), formal verification (SLither, Mythril).
- Security audit: external audit of contracts and entire system. Fixes.
- Deployment and training: deployment in client infrastructure, CI/CD setup, team training.
Timeline and what's included
Estimated timeline:
- Basic system (Safe + workflow + UI): 8–10 weeks
- With HSM integration: +3–4 weeks
- With compliance/audit export: +2 weeks
- Security audit: +3–6 weeks
- Total production-ready: 4–5 months
What's included:
- Set of Safe Modules smart contracts
- Backend (API Policy Engine + Workflow Engine)
- Frontend management panel
- Integration with HSM (AWS/Thales/Utils)
- Audit logs and export
- Documentation and training
- Post-launch support (2 months)
Pricing is determined individually after a requirements audit. Savings from implementing multi-approval can reach $500k per year for transaction volumes above $10M, as confirmed by our project experience.
Order a multi-approval system implementation today. Get a consultation — we will assess the risks of your current solution and propose an architecture. Protect your assets with a multi-approval system proven on 20+ projects.
According to Wikipedia, multisig is used to enhance the security of cryptocurrency wallets.
We develop crypto wallets turnkey — from custodial solutions for fintech to smart contract accounts on EIP-4337. 5+ years in blockchain development, 40+ projects implemented. Let's examine which architecture to choose for your task and why MPC or Account Abstraction solve the private key problem that MetaMask and classic HD wallets could not close.
Why are classic wallets dangerous for business?
A seed phrase in a browser extension is the only way to restore access. For retail users, this is a barrier to entry (lost phrase = lost money). For corporate treasuries, it is incompatible with compliance (KYC/AML, role model, multisignature). Any single key leak compromises all funds. These risks are built into the architecture, not poor UX.
We eliminate them at the protocol level: MPC wallets (key never fully assembled), smart contract wallets (authorization logic in code), hardware HSM for institutional storage. Details below.
What is the real difference between custodial and non-custodial?
Custodial — the provider stores the private key. User authenticates via email/password/OAuth. Recovery is trivial, KYC/AML built-in. For centralized financial applications, often the only regulatory acceptable option. Risk: single point of failure (e.g., Bitfinex hack — $72M, FTX — $600M+ client funds).
Non-custodial — keys are with the user. Provider has no access to funds. Storage responsibility falls on the user. For 99% of people, this model is unworkable without additional protection — hence MPC.
MPC wallets: the key that doesn't exist
Multi-Party Computation (MPC) is a cryptographic protocol that allows multiple parties to jointly sign a transaction without revealing their partial secrets. The private key never exists in its assembled form.
Standard scheme: 2-of-3 MPC between user (share on device), provider server, and backup cloud storage. Transaction is signed by any two of three parties. Lost phone — recovery via server + cloud. Server compromised — attacker holds only one share, signing impossible.
TSS (Threshold Signature Scheme) is a concrete implementation of MPC for ECDSA/EdDSA. Algorithms: GG18, GG20, CGGMP21 (the latter is faster and has better security proofs). Libraries: tss-lib (Go, from Binance), multi-party-sig (Go, from Coinbase), ZenGo-X/multi-party-ecdsa (Rust).
MPC requires no on-chain changes — to the blockchain, the signature looks like a normal single-key signature. This saves gas and keeps the key management scheme confidential (not published in chain) — unlike multisig.
Account Abstraction (EIP-4337): smart contract as wallet
EIP-4337 completely changes the model: instead of EOA (Externally Owned Account), a smart contract Account is used. Authorization logic is in contract code, not in protocol cryptography. This opens up arbitrary signing logic, social recovery, session keys, sponsored transactions, and batch operations.
How the EIP-4337 stack works:
User → UserOperation → Bundler → EntryPoint contract → Account contract
↑
Paymaster (optional, pays gas)
UserOperation — a new type of object (not an L1 transaction). Bundler collects UserOps from an alternative mempool, packs them into one transaction, and sends to EntryPoint. EntryPoint calls validateUserOp on the Account contract — Account decides if the signature is valid.
Practical capabilities:
Social recovery. The contract stores a list of guardians (other addresses or a service). Lost key — guardians vote for replacement. Argent has used this scheme since 2020.
Session keys. A temporary key with limited rights: interaction only with a specific contract, until a certain date, up to a certain amount. For GameFi and dApps — user does not sign every micro-transaction.
Paymaster. A third-party contract pays gas for the user. Onboarding pattern: user does not hold ETH, gas is sponsored by dApp or taken from ERC-20 tokens.
Implementations: Safe{Core} Protocol, Biconomy SDK (Stackup), ZeroDev (Kernel), Alchemy (Rundler bundler). EntryPoint v0.6/v0.7 is deployed and active on Ethereum mainnet, Polygon, Arbitrum, Optimism. We guarantee compatibility with the latest contract versions.
What is a Hardware Security Module for corporate wallets?
For treasuries and institutional storage: HSM (Hardware Security Module). The key is generated and never leaves the secure chip. Signing happens inside the HSM. Hardware attestation is supported. Solutions used: AWS CloudHSM, Azure Dedicated HSM, Thales Luna, YubiHSM 2 (for small volumes). Integration via PKCS#11 or cloud-specific API.
A combination of HSM + MPC is optimal for institutional use: key shares are stored in HSMs on different servers/jurisdictions, signing via TSS. This ensures compliance with regulatory requirements (e.g., for crypto custodians).
Integration with dApps: WalletConnect and standards
Any wallet must be able to interact with dApps. Standard: WalletConnect v2 (Sign API): QR code or deep link, peer-to-peer encrypted channel via relay server. For browser extensions: EIP-1193 (Ethereum Provider API).
On the frontend, we use wagmi + viem — one interface for MetaMask, WalletConnect, Coinbase Wallet, injected providers. For Account Abstraction: EIP-5792 (wallet capabilities) and EIP-7677 (paymaster service).
Development process
-
Threat model — who is the user (B2C, B2B, institutional), what operations, what is the acceptable risk model. Architecture depends on this.
-
Selection and design of key storage scheme — MPC, HSM, multisig, or a combination.
-
Development of Account contract (if EIP-4337) or integration of MPC library.
-
Backend — MPC coordination, session management, paymaster service (if needed).
-
Mobile/browser application — UI with WalletConnect integration, biometrics, QR.
-
Integration with dApps — EIP-1193, WalletConnect v2.
-
Audit of contracts and cryptographic implementations — mandatory step. MPC libraries have known vulnerabilities (GG18 susceptible to attack with malicious participant without abort protocol). We use libraries with up-to-date security reviews (CGGMP21). Experience passing audits with Certik, Hacken, Trail of Bits — we have certificates.
What is included in the work (deliverables)
- Source code of smart contracts (Solidity/Rust) with documentation
- Backend MPC coordination service (Go or Rust) with API
- Mobile application (iOS/Android) or browser extension
- Integration with WalletConnect, Ledger/Trezor (if required)
- Preparation for security audit (vulnerability report)
- Administrator and user documentation
- Access to repository, CI/CD, monitoring (Tenderly, Etherscan API)
- Training of your team (2-3 sessions)
- Post-launch support — 1 month
Timeline and cost
| Solution type |
Timeline (working weeks) |
| Custodial with basic UI |
4–8 |
| Non-custodial with MPC integration |
8–16 |
| EIP-4337 Account with paymaster |
6–12 |
| Institutional (HSM + MPC + compliance) |
from 16 |
Cost is calculated individually for your project. We will estimate within one day — contact us by email or Telegram. We provide a guarantee on code and timeline.
Typical mistakes in crypto wallet development (and how to avoid them)
-
Using outdated MPC libraries — GG18 without abort protocol. Choose CGGMP21 or tss-lib with up-to-date audit reports.
-
Tight coupling to a single blockchain — not abstracting for L2/sidechains. Use viem/wagmi for cross-chain.
-
Ignoring MEV attacks — when using multisig without timelocks. Add tx simulation (Tenderly) and sandwiching protection.
-
Lack of fallback recovery mechanism — for Account Abstraction, not setting up social recovery. Include from the first release.
We eliminate these pitfalls at the design stage — for each project, we create a threat model and security checklist.
Need a reliable wallet with no compromises? Get a consultation from our architect — we will analyze your task and propose an architecture with a precise estimate. Leave a request — we will respond within a day.