Turtles All the Way Down: Multisigs Owning Multisigs

Using UniLogin and Gnosis Safe to control a multisig from another multisig.

Despite challenging times, our team is doing our best not to slow down. After tackling the nuances of remote work, we have been focusing on stability and polishing UniLogin.

Meanwhile, we are happy to see that some integrations we’ve been working on are going live, namely Kickback and Gnosis Safe Multisig.

But wait, didn’t we already announce we were using Gnosis Safe? To explain, let’s clarify some terms.

Besides their prediction markets and exchanges, the Ethereum development company Gnosis has also built two widely used multisig contract wallets: the original Gnosis multisig and the newer Gnosis Safe, which supports etherless transactions. The latter is what we use internally as our contract-based accounts.

But Gnosis also offers Gnosis Safe as a frontend service for teams, so they have an app named “Gnosis Safe Multisig” (no relation to the previous “Gnosis Multisig”). The Gnosis Safe Multisig app, which was formerly named “Gnosis Safe for Teams”, allows you to create and manage safes from MetaMask or other service providers, now including UniLogin, which is itself a multisig.

But why?

An identity picker concept from 2014 that would allow multiple addresses for each user “profile,” including one for a collective account.

Is this just a curiosity to make a point about daisy-chaining contracts together? Not at all! In fact, the idea of modularity and that every account would eventually be a rich, smart account has permeated Ethereum development since the early days. You can see this from this screenshot from my 2014 presentation of a vision for an Ethereum browser at Devcon0. In fact, when Geth was first developing account management, it was believed that public key pair accounts would be just a temporary measure and that in less than a year most people would have migrated to what we then called “proxy accounts.”

This goes deep into the heart of what an “identity” is. What makes you “you” online?

On the traditional web, it’s about authorization: proving to a central server, within its reasonable bounds, that you are the correct person, with increasingly hard challenges (a session cookie and, if that fails, a username and password, then a “forgot password” flow, and then sometimes you might be able to escalate it to a human at the help desk).

In the crypto space, traditionally it has been a very binary choice: if you have the private key, then those are your coins. If you lose access to your key, or if someone else gets access to that key, then too bad, you’ve lost them.