Investigating the 5/9 Polygon Multisig contract and Polygon's lack of transparency
And correcting several misconceptions about them
Background
Many of those familiar with Polygon have probably heard complaints about Polygon's "5 out of 8 [sic] Multisig" account. Polygon’s Multisig contract is a Gnosis Safe that was created on Jul 1, 2020. It was most noticeably brought up on May 27, 2021 by Chris Blec in a long complaint letter about decentralization and control.
It’s a Gnosis Safe contract that controls access to multiple other Polygon contracts, including:
It only takes 5 out of 9 signatures from the Multisig Gnosis Safe contract to completely control the vast majority of Polygon’s contracts on the Ethereum blockchain. It has made 170 transactions in the past 3 years (many of which are redeployed contracts), so many changes have already been made. At any time, the signers could rewrite those vital contracts, taking over the Polygon PoS network.
Correcting Outdated Information
If you search for "5/8 multisig" on Reddit (r/0xPolygon and r/CryptoCurrency) or Google, you get plenty of references to it. But apparently no one has been researching it carefully, since it was updated to a 5/9 Multisig only 2 weeks later, on June 3, 2021, with Polygon controlling 4 of the owners. A Timelock contract was added to the Multisig process in Aug 2021.
And yet the media still keeps calling it a 5/8 Multisig and has never mentioned the Timelock. This suggests that everyone lazily stopped monitoring it only 2 weeks after it made headlines.
It also doesn’t help that Polygon doesn’t discuss this or other changes to it on either their dev protocol forums or on their public Discord.
Polygon's Response and Plans
Polygon responded to the initial concern about the multisigs in a Tweet on May 14, 2021 saying that they had plans to do the following:
Move from multisigs to governance-controlled proxies
Introduce timelocks
Remove the multisigs/upgradeability (eventually)
A TimeLock contract was created 3 months later in Aug 2021 and given ownership of all the previously-deployed contracts. The TimeLock contract forces actions to wait 172800s (48 hours) before they are executed, which adds an extra safety delay. Thus, they've already completed step 2 of their plan.
The multisig Gnosis Safe now controls those vital Polygon contracts indirectly, through the TimeLock contract's Executor and Proposer roles.
Biggest concerns about this
No one is doing their research. Otherwise, we would've known about the Timelock contract and that it’s no longer a 5/8 Multisig.
Lack of transparency - No one has ever documented or reported on this. I checked Polygon Twitter, Polygon forums, Reddit, Polygon documentation, Google. And there's not a single report of this Timelock contract. They should’ve announced this back in Aug 2021. The only document that mentions 'Timelock' on Polygon's website incorrectly states that it’s not active, even though the document was recently updated in Sept 2022. Why did the Polygon Team silently update this without any records? Their own documentation team isn’t aware of this.
The multisig Gnosis Safe contract still exists and has been very busy with 40 contract executions in the past year. Is anyone investigating or reporting on these changes? I haven’t found any articles on what these updates are. The investigator would have to be quite technical, know how to decode transactions, and also have insider knowledge about what those operations mean. So ideally, this would’ve been done by the Polygon team and made public, but they have decided to remain behind closed doors.
Multisig account owners have changed 3 times since May 2021, and none of these were announced or publicized.
2021-06-03 - Added owner
2022-04-04 - Swapped owner
2022-09-06 - Swapped owner
Unknown owner identities: We don’t really know who the owners are. I’ve tracked down the addresses and compared them to the questionable official list. Several of the DeFi owner addresses don’t match, so it’s probably outdated. I can tell Polygon owns at least 4 of them. 4 more belong to DeFi members. I don’t recognize the final 9th member.
0xD0FD9303fe99EdFAF5eD4A2c1657a347d8053C9a - Polygon 1
0x803B74766D8f79195D4DaeCF6f2aac31Dba78F25 - Polygon 2
0xFb9af163DF1e54171bC773eb88B46aa1E912489f - Polygon 3
0x8Eab5aEfe2755E1bAD2052944Ea096AEbdA1d602 - Polygon 4
0xA7499Aa6464c078EeB940da2fc95C6aCd010c3Cc - bneiluj.eth, Stake Capital
0x1aE033D45ce93bbB0dDBF71a0Da9de01FeFD8529 - jdetychey.eth, Cometh
0x0D2600C228D9Bcc9757B64bBb232F86A912B7b03 - azr.eth, Horizon
0x39415255619783A2E71fcF7d8f708A951d92e1b6 - swiss-stake.eth, Swiss Staking (Maybe this is the Curve owner?)
0xb771380f912E4b5F6beDdf81314C383c13F16ab5 - Unknown. Maybe EasyFi??
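The owner changes listed above (an added owner, then swaps) are the kind of transaction an outside reviewer would need to decode. The following is an added example, not code from this post or from Polygon or Safe: it decodes the four Gnosis Safe owner-management calls and replays them over an owner set. It assumes the input is the inner `data` field of the Safe's `execTransaction`; all addresses and sample transactions are constructed placeholders.

```python
# Selector = first 4 bytes of keccak256(signature) of the Safe's owner-management functions.
SELECTORS = {
    "0d582f13": ("addOwnerWithThreshold", ["address", "uint256"]),
    "f8dc5dd9": ("removeOwner", ["address", "address", "uint256"]),  # prevOwner, owner, threshold
    "e318b52b": ("swapOwner", ["address", "address", "address"]),    # prevOwner, old, new
    "694e80c3": ("changeThreshold", ["uint256"]),
}

def decode_call(calldata):
    """Return (name, args) for an owner-management call, or None for any other selector."""
    data = calldata[2:].lower()  # expects 0x-prefixed hex
    if data[:8] not in SELECTORS:
        return None
    name, types = SELECTORS[data[:8]]
    body = data[8:]
    if len(body) != 64 * len(types):
        raise ValueError(f"{name}: expected {len(types)} 32-byte words")
    args = []
    for i, typ in enumerate(types):
        word = body[64 * i:64 * (i + 1)]
        if typ == "address" and int(word[:24], 16) != 0:
            raise ValueError(f"{name}: address word has non-zero padding")
        args.append("0x" + word[24:] if typ == "address" else int(word, 16))
    return name, args

def replay(owners, threshold, txs):
    """Apply decoded calls in order; prevOwner is linked-list bookkeeping and is ignored."""
    owners = list(owners)
    for name, args in filter(None, map(decode_call, txs)):
        if name == "addOwnerWithThreshold":
            owners.append(args[0])
        elif name == "removeOwner":
            owners.remove(args[1])
        elif name == "swapOwner":
            owners[owners.index(args[1])] = args[2]
        if name != "swapOwner":
            threshold = args[-1]  # last argument of the other three calls
        if not 1 <= threshold <= len(owners):
            raise ValueError("threshold outside 1..len(owners)")
    return owners, threshold

def _word(v):  # sample-building helper: left-pad an address or integer to a 32-byte word
    return (v[2:] if isinstance(v, str) else format(v, "x")).rjust(64, "0")

# Constructed sample: eight placeholder owners, then one add and one swap (not real transactions).
OLD = ["0x" + format(i, "040x") for i in range(0xA1, 0xA9)]
NEW1, NEW2 = "0x" + "b1" * 20, "0x" + "b2" * 20
SAMPLE_TXS = ["0x0d582f13" + _word(NEW1) + _word(5),
              "0xe318b52b" + _word(NEW1) + _word(OLD[0]) + _word(NEW2)]
```

Replaying the two sample calls over the eight placeholder owners with threshold 5 yields nine owners at threshold 5, with the first owner replaced.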
My Takeaway
Currently, all Ethereum L2s are still on training wheels secured with similar Multisig contracts on Ethereum L1, so the Polygon sidechain is in a similar situation: It’s not completely decentralized or trustless.
The addition of the 48-hour Timelock provides some more safety, but that only helps if people are monitoring it. Polygon does not announce owner changes or updates related to the Multisig, so it’s very unlikely anyone outside of the team is monitoring it. The whole process lacks transparency. The Polygon team is likely unilaterally making updates to it without any oversight.
Polygon already has a reputation for rushing out changes. Governance update PIP-9 only took a day to pass, and only 27 validators (out of 100) voted on it. Governance update PIP-7 was even worse with only 15 validators voting on it. 85% of their own validators either didn’t bother to participate or didn’t know about it. People complain about Hedera Council’s governance process being behind closed doors (for up to 30 days before public announcement). But Polygon’s governance and decision-making is nearly as bad because it also lacks adequate announcement and publicity.
I’m certain the Polygon team isn’t going to purposely sabotage their own network since that would be suicidal. But I’m still very concerned about the lack of transparency over the 40+ changes they’ve made this year using that Multisig contract. They need to do more if they want to be decentralized and trustless.