Multisig Policy
Gnosis Safe configuration, threshold roadmap, signer policy, and project continuity guarantees.
Treasury Safe: 0x5ad6193eD6E1e31ed10977E73e3B609AcBfEcE3b — 3-of-5 active (5 signers).
LP Reserve Safe: 0x5D93E7919a71d725054e31017eCA86B026F86C04 — 3-of-5 (same 5 signers). Holds 400.6M IFR. Transferred from Deployer 18.03.2026.
Why Multisig?
A single private key controlling a protocol is a single point of failure. If that key is lost, stolen, or compromised, the entire protocol is at risk. A multisig wallet requires multiple independent signers to approve any transaction, eliminating this risk.
- No single point of failure — no one person can unilaterally change the protocol
- Key loss protection — losing one key does not lock the treasury
- Compromise resilience — an attacker needs multiple keys, not just one
- Transparent — all multisig transactions are on-chain and publicly visible
Threshold Policy
The multisig threshold increases as the protocol matures. More signers = more decentralization = more security.
Threshold Roadmap
| Phase | Threshold | Date | Status |
|---|---|---|---|
| Genesis | 1-of-2 | Feb 2026 | ✅ Completed |
| Phase 2a | 1-of-3 | Mar 2026 | ✅ Completed |
| Phase 2b | 2-of-4 | 14 Mar 2026 | ✅ Completed |
| Phase 2c | 2-of-5 | 15 Mar 2026 | ✅ Completed |
| Phase 2d | 3-of-5 | 15 Mar 2026 | ✅ Active now |
Current Signers
| # | ID | Address | Safe | Status |
|---|---|---|---|---|
| 1 | A.K. | 0x6b36687b0cd4386fb14cf565b67d7862110fed67 | Treasury + Community + LP Reserve | ✅ Active |
| 2 | M.G. | 0x17F8DD6dECCb3ff5d95691982B85A87d7d9872d4 | Treasury + Community + LP Reserve | ✅ Active |
| 3 | A.M. | 0x0c4893DcF730E0Ddc7D18CF9723932784Fb4ED74 | Treasury + Community + LP Reserve | ✅ Active |
| 4 | Y.K. | 0xA0860f872a9cAB34817D9a764e71ab43B942b275 | Treasury + Community + LP Reserve | ✅ Active |
| 5 | A.P. | 0x32cF8b4F29A8F211804857EcF8BF0847f0BC0fE9 | Treasury + Community + LP Reserve | ✅ Active |
Phase 3: DAO Transition Planned
4-of-7 → 5-of-9 — Final multisig configuration before full DAO governance transition.
What Signers Can Do
| Action | Mechanism |
|---|---|
| Submit governance proposals | Via Governance contract (propose()) |
| Execute proposals after 48h | Via Governance contract (execute()) |
| Cancel malicious proposals | Guardian role (cancel()) |
| Emergency pause (IFRLock) | Guardian role (pause()) |
| Transfer Governance admin | Only current admin can transfer |
What Signers Cannot Do
| Restriction | Reason |
|---|---|
| Directly access token supply | No mint function exists. Supply can only decrease. |
| Bypass 48-hour timelock | Hardcoded in Governance contract. Not configurable. |
| Change fee above 5% | Hard cap enforced in InfernoToken contract. |
| Move locked user tokens | IFRLock only allows the original depositor to withdraw. |
| Execute instantly | Every change is public for 48 hours before execution. |
Who Can Become a Signer?
Signer selection is transparent and community-driven. Candidates are evaluated based on:
- Technical competence — ability to verify and understand governance proposals
- Independence — no two signers should share organizational affiliations
- Track record — verifiable on-chain history and community presence
- Hardware wallet — all signers must use hardware wallets (Ledger/Trezor)
Signer additions and removals are on-chain transactions visible to everyone. The community can verify the current signer set at any time via the Gnosis Safe interface.
On-Chain Verification
| Contract | Role | Controlled By |
|---|---|---|
| InfernoToken | owner() |
Governance (timelock) |
| LiquidityReserve | owner() |
Governance (timelock) |
| BuybackVault | owner() |
Governance (timelock) |
| BurnReserve | owner() |
Governance (timelock) |
| Governance | admin() |
Treasury Safe 3-of-5 (transferred 20.03.2026 — TX) |
| PartnerVault | admin() |
Governance (immutable) |
| IFRLock | guardian() |
Deployer (pause-only) |
| Vesting | guardian() |
Deployer (revoke-only) |
| FeeRouterV1 | governance() |
Governance (immutable) |
Project Continuity
Inferno Protocol is designed to outlive any single contributor, company, or team. The protocol is permanently decentralized infrastructure:
- Open source — all code lives on GitHub. Anyone can fork, audit, or continue development.
- Verified on-chain — all 10 contracts are verified on Etherscan. The bytecode is public and immutable.
- Governance protects — the 48-hour timelock prevents single-actor mistakes. Every change is publicly visible before execution.
- Multisig prevents failure — no single key loss can freeze the protocol. Threshold increases over time.
- Community can continue — if the original team disappears, anyone with the contracts, ABI, and governance access can operate the protocol.
- No off-chain dependencies — the core protocol (token, lock, governance, fees) runs entirely on Ethereum. No servers required.
Inferno Protocol is fully open source and community-owned. No single entity controls the protocol. All contracts are verified on Ethereum Mainnet, governed by a 48-hour timelock, and protected by Gnosis Safe multisig. The protocol lives on-chain — permanently.