This set of contracts provide "N-of-M multisig" functionality: at least N parties out of predefined set of M signers must approve Order to execute it.
Each Order may contain arbitrary number of actions: outgoing messages and updates of parameters. Since content of the messages is arbitrary Order may execute arbitrary high-level interactions on TON: sending TONs, sending/minting jettons, execute administrative duty, etc.
⚠️ Multisig does not limit the content of Order actions, so Order can include absolutely any actions, including those that create new multisig orders or approve existing multisg orders or change multisig configuration (e.g. a list of signers).
UI and other tools for working with multisig must fully parse the contents of orders and clearly report all actions that will be performed by the order. Such tools should also explicitly report parsing errors or actions of an unknown type.
Singers must approve order only after fully reading order contents.
⚠️ The multisig UI should display all created and unexecuted orders (these can be found in outgoing messages from multisig), as well as the match of their list of signers with the current list of singers of multisig, so that users clearly see all active orders that can be executed.
Parameters, such as threshold N, list of signers and other can only be updated by consensus of current N-of-M owners.
Any signer may propose new Order. Multisignature wallet also allows to assign proposer role: proposer may suggest new Orders but can not approve them.
Each Order has expiration date after which it can not be executed.
Each signer may be wallet, hardware wallet, multisig themselves as well as other smart-contracts with its own logic.
This Multisignature wallet was developed keeping in mind Safe{Wallet}.
Whole system consists of four parts:
Flow is as follows:
1) proposer of new order (address from Proposers or Signers sets) build new order which consist of arbitrary number transfers from Multisig address and sends request to Multisig to start approval of this order
2) Multisig receives the request, check that it is sent from authorized actor and deploy child sub-contract Order which holds order content
3) Signers independently send approval messages to Order contract
4) Once Order gets enough approvals it sends request to execute order to Multisig
5) Multisig authenticate Order (that it is indeed sent by Order and not by somebody else) as well as that set of Signers is still relevant and execute order (sends transfers from order)
6) If Order needs to have more than 255 transfers (limit of transfers in one tx), excessive transactions may be packed in last transfer from Multisig to itself as internal_execute
7) Multisig receives internal_execute
, checks that it is sent from itself and continue execution.
All fees on processing order (except order execution itself): creation Order contract and it's storage fees are borne by the actor who propose this order (whether it's Proposer or Signer).
Besides transfers, Order may also contain Multisig Update Requests
contracts
- source code of all the smart contracts of the project and their dependencies.wrappers
- wrapper classes (implementing Contract
from ton-core) for the contracts, including any [de]serialization primitives and compilation functions.tests
- tests for the contracts.scripts
- scripts used by the project, mainly the deployment scripts.npx blueprint build
or yarn blueprint build
npx blueprint test
or yarn blueprint test
npx blueprint run
or yarn blueprint run
use Toncenter API:
npx blueprint run --custom https://testnet.toncenter.com/api/v2/ --custom-version v2 --custom-type testnet --custom-key <API_KEY>
API_KEY can be obtained on https://toncenter.com or https://testnet.toncenter.com
Threshold must be > 0 and <= signers_num.
By design orders smart contract are not notified of multisig configuration update (signer, proposers, threshold). Such an order will continue to accept approvals, but when executed, it will be rejected because the multisig configuration has changed.
TON balance of an expired order can be returned to multisig. To do this, the order must collect enough approvals - it will be sent for execution, there will be no execution, but the TONs will be returned to the multisig.
approve_accepted
auxiliary notification is not sent if the order is initialized and executed immediately (approve_on_init with threshold = 1).