Building a DAO Security Posture: From Multisig to Formal Verification

A Practical Guide to Hardening DAO Operations

Want to take your DAO’s operations to the next level? You’ve come to the right place! In this guide, we’re going to dive into some key topics like treasury multisigs, how to design effective governance, timelocks, making upgrades easier, keeping an eye on everything, and the importance of formal verification. Let’s get started! The aim is to help decision-makers move beyond just “good enough” and reach that top-tier level of confidence we’re all striving for.

Treasury Multisigs

Getting a treasury multisig up and running is an awesome first move! One great way to boost security for your transactions is by requiring multiple signatures. This can really help cut down the chances of any unauthorized access happening. When picking signers, go for ones you can trust. And hey, if you're looking for a solid multisig wallet, check out Gnosis Safe--it's got some great reviews!

Governance Design

When it comes to governance, it’s really about finding that sweet spot where everyone’s voice counts. It's important to ensure that people feel heard and valued in the decision-making process. Have you considered trying out a token-based model or maybe even quadratic voting? It could be a great way to keep any one person or group from having too much control. Just a thought! If you're looking for off-chain voting solutions, you should definitely take a look at resources like Snapshot. It's a handy tool that can make the voting process a lot easier!

Timelocks

Adding timelocks can really boost security. It's like having an extra safety net! By adding a little delay to important tasks, you're allowing your community some time to step in if anything feels off. It's a great way to ensure everyone stays in the loop and can react when needed. Think about adding timelocks to your smart contracts to help guard against making quick, impulsive choices. It’s a great way to give yourself some breathing room and make sure you’re making the best moves possible!

Upgradeability

And hey, make sure you keep upgradeability in mind! Smart contracts are pretty awesome--until you realize they need some tweaks! That's where proxy contracts come in handy. They let you make updates without losing any of your data. Pretty neat, right? This way, you'll be able to adjust and grow without missing a step.

Monitoring

It's super important to stay on top of what your DAO is up to. Go ahead and set up some monitoring tools to keep an eye on governance proposals, transactions, and anything that seems a bit off. If you're looking to get some real insights into how your operations are running, platforms like Dune Analytics can be super helpful.

Formal Verification

Finally, don't forget to think about formal verification for your smart contracts. It's a great way to ensure everything's working as it should. This step is super helpful for catching any bugs and making sure everything runs smoothly before we launch it for real. If you're looking to verify your code, check out platforms like Certora. They can really help you out!

In a nutshell, by sticking to these guidelines, decision-makers can really level up their DAO operations. This takes things from “safe enough” to something that’s seriously secure and on par with institutional standards. Let’s elevate our DAOs!.

Between 2023 and 2025, there have been some pretty significant changes in DAO security. Lately, we've been noticing governance takeovers popping up more often, along with a decline in the use of off-chain and on-chain execution plugins. Plus, there's been a real surge in the adoption of fresh verification and monitoring tools. It's definitely an interesting time in the space! Here's a simple step-by-step plan your team can follow over the next three months.

Why posture matters now

So, back in May 2023, Tornado Cash had a bit of a rough patch when a sneaky proposal temporarily hijacked its governance. This sneaky proposal was packed with some clever voting tricks that basically handed the attacker complete control over the DAO's governance contract. Luckily, the attacker handed back control just a few days later. So, even though this situation didn’t mess with the main contracts of the protocol, it definitely drained some governance tokens. It also showed us just how tricky proposal language can be--it can really throw people off, even though the actual code is what’s really in charge. (coindesk.com).

So, jumping ahead to April 2022, things took a pretty tough turn for Beanstalk. So, the platform's emergency governance path, along with a bit of flash-loaned voting power, made it possible for a harmful proposal to get pushed through on the very same day. Pretty wild, right? Wow, that's quite a hit--about $182 million gone! It turns out that the setup allowed for something called "emergencyCommit" to bypass the standard procedures as soon as a supermajority was thrown together quickly. Crazy, right? (medium.com).

So, back in late 2023, there was that KyberSwap incident that really hit home. It showed us that attackers can take their advantage after an exploit and actually try to seize control of the DAO or make some pretty serious demands in governance. When you're putting together a recovery plan, it's important to keep in mind that you might need to negotiate with the attackers. Plus, you'll have to navigate some social pressure that might come up within the DAO. (auditone.org).

These episodes really highlight that a DAO’s “security” is more like a chain with several key links: you've got treasury control, governance mechanics, upgradeability, monitoring and response, and of course, making sure the code is all good. Each part plays a vital role in keeping the whole thing secure! If just one link isn’t strong, it could really mess up the entire system.

---

Stage 1 -- Multisig treasury, but modernized

A lot of DAOs and on-chain businesses usually start by setting up a Safe, which you might remember as Gnosis Safe before they rebranded. It's a pretty popular way to manage funds together! You can think of it as your trusty "root of trust." "From there, you can really enhance it by using the latest modules and guidelines."

1. Pick a signer or threshold pattern that really fits how your operations work--don’t just go for one that seems “safe” on the surface. ".

• Try to get at least two or more signers, and make sure their threshold is greater than 1. Just remember, that threshold shouldn’t go over the total number of signers you have. That way, even if one signer disappears on you, you’ve still got some backup plans. If you're working with a smaller team, a common approach is to have three signers--maybe one MetaMask wallet and two hardware wallets. Then, you set it up so that you only need 2 out of those 3 to approve something. It's a pretty solid way to keep things secure! When it comes to organizations, you might want to consider using options like 3 out of 5 or 4 out of 7. If you're looking for more info, you can dive into the details here.

2) Turn on off-chain (gas-less) signature collection

With Safe, you can easily gather signatures off the chain. This means you can bundle everything together and handle it all in one transaction when you're ready to go. You’re in for some awesome perks with this! It’s quicker, keeps your stuff private, and you won't have to stress about gas fees for wallets with multiple signers. How great is that? If you prefer to keep things on the safe side, you can totally go ahead and self-host the transactions indexer. It's a great option if you want more control! If you want more info, just head over to this link: (help.safe.global). You'll find all the details you need!

3) Add “Defense-in-Depth” via Guards and Module Guards

• Safe Guards are here to provide you with a handy double-check system. They’ll run both pre-checks and post-checks on every transaction to make sure everything goes smoothly. If a guard doesn't do its job, it can really throw a wrench in the works and bring everything to a standstill. That's why it's essential to regularly check on your guards and have a solid backup plan ready to go. Oh, and just a quick reminder: make sure to use a Module Guard to filter calls from modules too, not just the ones from the owner! It’s an important step. Take a look at the info over at docs.safe.global. You'll find some useful stuff there!
• For instance, you can set up a “NoDelegatecallGuard” to help you avoid those risky delegate calls unless you give them the green light. There’s a super handy tutorial out there to guide you through the process! If you want to dive deeper, check out the info over at docs.safe.global. It’s got all the details you need!

4) Permission Routine Ops with Scoped Roles (While Keeping Treasury Secure)

• With the Zodiac Roles Modifier, you can easily create specific permissions right on the blockchain. This means you can control things like which contracts have access, what functions they can actually carry out, set parameter limits, and even cap rates. Pretty handy, right? This way, the operations teams can handle certain tasks with less red tape, using fewer signatures. However, for the bigger operations, they’ll still need to go through the whole process as usual. Take a look at this: docs.roles.gnosisguild.org. You’ll find some good info there!

Hey, I've got a neat idea for you! How about keeping your main Safe at a solid 3/5? Then, for those pre-approved "low-risk" calls, you can send them through a 2/5 Safe alongside Roles. This way, you'll speed things up when you need to! This is a pretty cool trick to make things quicker! If you want to know all the ins and outs, check it out here: (docs.roles.gnosisguild.org).

1. Introduce a delay (timelock) before actions triggered by the module are executed. So, the Zodiac Delay Modifier basically creates a little waiting period between when you throw out a proposal and when it actually gets put into action for module calls. At this point, owners can choose to cancel it if they want to. This setup lets your community jump in whenever there are any mistakes or security problems. It’s a great way for everyone to have a say and help out! Take a look at this: (zodiac.wiki). You might find it interesting!

6) Simulate and Scan Every Transaction

Safe brings together simulation and scanning--thanks to features like Safe Shield and those handy risk signals--so you can double-check everything before you hit that execute button. Don't forget to use this feature! Always remind signers to check out the human-readable call data and simulation traces. It’s super helpful for understanding what’s going on. Take a look at this: safe.global. You'll find some interesting stuff there!

Outcome

We're working on a multisig setup for our treasury and operations that’s really fast and efficient for our daily tasks. No need to stress! It's got some solid security features in place, including Guards, Delay, and Roles. That way, even if one key or interface gets hacked, it won't be a walk in the park for anyone to drain funds or make random calls go through.

---

Stage 2 -- Add on‑chain governance safely (Governor + Timelock)

If your organization is looking to ramp up participation and be more transparent, it might be the perfect moment to dive into on-chain governance. If you're looking for a solid solution, the combo of OpenZeppelin Governor and TimelockController is definitely a great choice! Alright, here are a few important decisions you’ll need to tackle:

1. You might want to consider using a timelock executor. Hey there! If you're looking to set up a delay for your proposals, a great option is to pair your Governor with a TimelockController. You could even use the Compound Timelock if that suits your needs better. It's a solid way to add that layer of time before proposals get the green light! So, in this setup, the timelock basically acts like the owner of the asset. Hey, just a friendly heads up! Don't forget to link the permissions to the timelock instead of the Governor. Thanks! (docs.openzeppelin.com).

2) Configure the Vote Clock Deliberately (EIP‑6372)

• Now, the Governor aligns with your token's "clock," whether it's tracking block numbers or timestamps. Don't worry, Tally’s got you covered for both! Hey there! If you're diving into Layer 2 solutions and notice that block times can be all over the place, take a moment to double-check your clock mode. It's super important to make sure those voting windows run smoothly in your UI. Trust me, it'll save you some headaches down the line! If you’re looking for more details, check it out here. It's a great resource!

3) Pick Quorum and Counting Modules that Suit Your Token

If you're on the hunt for quorum and counting modules, there are definitely some favorites out there that you should check out! When it comes to supply-based quorums, GovernorVotesQuorumFraction is definitely a great choice! If you're diving into vote counting, GovernorCountingSimple is a solid choice for handling the Against/For/Abstain votes. It gets the job done without any fuss! Oh, and with version 5, they've rolled out some pretty neat features! For instance, you can now do fractional counting, which is great for things like split votes. Plus, there are super-quorum options that let you wrap things up ahead of schedule if you reach your goals before the deadline. Pretty handy, right? Take a look at this: docs.openzeppelin.com. You’ll find some really useful info there!

1. Prevent last-minute steamrolls The GovernorPreventLateQuorum extension is designed to ensure that even after the quorum is met, there's still some time to spare. This really helps prevent that frustrating “quorum sniping” that always seems to pop up right before the deadline. Check it out here!.

5) Plan for UI Support and Migrations

Hey, just a heads up--Tally's here to help you out with OpenZeppelin Governor! They've also made it clear how v5 compatibility works. Pretty cool, right? Just to give you a little context, Compound transitioned from using GovernorBravo to a more updated OZ Governor around January to February of 2025. They even created a public moratorium window that kicked off with a 2-day delay. After that, there was a 3-day voting period, and once that wrapped up, they added a 2-day timelock. Feel free to take these timelines and use them as a jumping-off point for your own rollout plan! Hey! If you want to dive into the details, just head over to this link: docs.tally.xyz. It’s all laid out for you there!

1. Consider how guardian and veto patterns play a role in upgrading protocols. So, it looks like a variety of ecosystems are getting pretty inventive with things like guardian veto windows, security councils, and those legal-veto periods you see in zkSync governance extensions. They're doing this to slow things down when it comes to upgrades, without sacrificing that all-important decentralized control. Cool, right? (openzeppelin.com).

Outcome: We've set up on-chain governance that features a defined delay, so everyone knows what’s happening. Plus, the execution is all out in the open, and we’ve added some solid safeguards to keep any last-minute funny business at bay.

---

Stage 3 -- Off‑chain voting with trust‑minimized execution (know what’s changing)

Hey there! Just a quick reminder: if you're using Snapshot for gasless off-chain voting, make sure you remember that you still need to take care of safe on-chain execution. It’s an important step!

Hey there! Just wanted to give you a quick heads up: UMA oSnap, or Optimistic Snapshot Execution, is being phased out. Mark your calendars--support will officially end on December 15, 2025. Hey there! If your DAO is still using oSnap, it might be a good time to take a peek at the official migration guide. It could really help you out! You can check it out here.

Hey, if you're on the hunt for some alternatives, you might want to check out the Zodiac Reality Module. It could be a great fit! It lets you bring real-world results onto the blockchain with Reality.eth, and they've also got arbitration options to make sure everything stays fair. Be sure to take some time to thoughtfully plan your bond, challenge period, and pick the right arbitrator. It’s super important! If you’re looking for more details, you can check it out here.

Best Practice

When you're working with off-chain to on-chain bridges, just think of them as “optimistic” systems. They really aim to make the process smoother and more reliable! It’s a good idea to create some meaningful challenge windows--around 48 to 96 hours is usually a sweet spot. Oh, and definitely set up a timelock on the target Safe. Also, keep an eye on monitoring and alerting--it's super important! This way, challengers can easily spring into action whenever they need to.

---

Stage 4 -- Upgradeability and admin safety you can prove

Many DAOs are opting for upgradeable contracts these days. If you screw this up, just one phone call could completely throw your governance off track or even bypass your timelock altogether.

1. Make sure to use those ERC‑1967 storage slots and really get a handle on those UUPS and transparent proxies! Just a quick reminder to get a solid understanding of the admin and implementation slots. And don't forget to send out those events when you need to! Make sure you don’t mix up those proxy patterns! When it comes to UUPS setups, it’s really important to lock down those upgrade entry points and get the right permissions for any upgrades. Don’t just assume that “the proxy’s got me covered.” Stay on top of it! ” (eips.ethereum.org).
2. It’s best not to reuse the ProxyAdmin from your old setups. Hey, just a quick heads-up from OpenZeppelin: if you're thinking about reusing an old pre-v5 ProxyAdmin, be careful! You could run into some upgradeability problems. Just a heads-up--when you're migrating your fleets, make sure to follow the latest plugin guidance. It’ll help keep everything running smoothly! (github.com).

3) Queue Upgrades with a Timelock and Simulate on Forks

Whenever there's an upgrade on the table, here's how we usually roll: first, we throw out the proposal, then we put it in the queue, giving it a little time to marinate. After that, we run a full end-to-end simulation to see how everything plays out. Finally, once we're happy with the results, we go ahead and execute it. If your Governor is the one making the proposal, just make sure that only the timelock has the special ownership rights, and not an externally owned account (EOA). (docs.openzeppelin.com).

4) Learn from L2 Security Councils

Arbitrum and Optimism have established multi-signature security councils to handle different types of situations. They’ve got a system in place that sorts actions into “emergency” and “non-emergency” categories, with specific thresholds and delays curated for each type of action. It’s a pretty smart way to keep things secure! They've also got liveness checks in place, and they're working towards some gradual decentralization goals. You might want to think about picking up some of their strategies for handling those important admin keys. If you want to dive deeper into this topic, just hop over to their proposal here: forum.arbitrum.foundation. It’s got all the juicy details!

Outcome: So, now we can track upgrades better, they're a bit behind schedule, and we've got a clear idea of what's authorized. This change is great because it really helps reduce the chances of an admin path messing with your governance.

---

Stage 5 -- Adopt formal verification where it pays off

If you want to get started, you'll definitely want to cover the basics like static analysis and fuzzing. These days, formal verification has really become an option for those crucial paths in decentralized autonomous organizations (DAOs). It's totally achievable!

1. Let’s go ahead and integrate Slither and Echidna into our continuous integration process. Hey, how about we add Slither, which is a static analyzer, and Echidna, the property-based fuzzer, into our CI pipeline? I think it could really enhance our testing process! They really know how to catch those pesky bugs and ensure that our code performs well, no matter what conditions it's put through. Let's make sure to run them on every PR. Check out Slither here.

2) Use Foundry for Scenario and Invariant Tests; Add Cross-Tool Parity

Foundry's invariant testing has really started to pick up steam in the community lately! With tools like Chimera, you can write your invariants just once and then run them on a bunch of different platforms, like Echidna, Medusa, and Halmos. It’s a great way to really expand your coverage! Take a look at it here: (github.com). You’ll definitely want to check this out!

3) Introduce Formal Verification for “Governance-Can-Change-Everything” Paths

Hey, guess what? Certora Prover just went open-source in 2025! It’s really starting to gain traction as a reliable tool for proving important properties backed by some solid math. How cool is that? You can easily set up rules like, "The Governor or Timelock can't go ahead with a call unless there's a delay of at least X," or "No function can lower the quorum below Y unless it gets Z approvals," and even "Only the Timelock is allowed to manage proxy upgrades." "Take a look at it here: certora.com. You won’t want to miss this!"

4) Example Properties to Verify (Sketches)

When you're trying to check out some properties, sketches can really come in handy! Here are a couple of examples you might want to take a look at:

• Continuity: Really pay attention to how the function acts. A continuous function is one that flows smoothly, without any sudden jumps or breaks. Go ahead and draw a smooth line or curve, making sure it flows without any breaks.
• Symmetry: So, there are these functions that have this really neat symmetry thing going on. Take a look at whether a function is symmetrical around a specific line--like the y-axis for even functions. This means you want to see if it looks the same on both sides of that line. Why not try sketching a few things to see if you can pick up on that symmetry? It can be a fun way to really get a sense of what you’re looking for!
• Roots: There's something really thrilling about figuring out where a function cuts across the x-axis! Go ahead and sketch the function, and make sure to mark the spots where the function equals zero. Those points are really important!
• Asymptotes: Think of these as those tricky boundaries that a function gets super close to but can never actually touch. They’re like the finish line you can see but never cross! Could you whip up a quick sketch that shows how your function gets super close to those horizontal or vertical lines but doesn’t quite touch them? Thanks!

If you're curious and want to dig a little deeper into these properties, go ahead and check out some specific examples or tools!

• There's a timelock delay on every operation in the queue.

rule all_executions_are_delayed(method exec) {
  env e; calldataarg args;
  // Only allow Timelock to execute
  require e.msg.sender == Timelock;
  // Assume a queued operation exists at id
  // (model your queue data structure; omitted for brevity)
  // Assert the operation's eta <= now
  exec(e,args);
  assert block.timestamp >= queued_op_eta(args.proposalId),
    "Timelock delay must elapse before execution";
}

Hey, just wanted to let you know that only the Timelock has the ability to change the proxy implementation. The Governor and EOAs can't make those changes. Just keeping you in the loop!

rule only_timelock_can_upgrade() {
  env e; address newImpl;
  require e.msg.sender != Timelock;
  try Proxy.upgradeTo(e, newImpl) {
    assert false, "Non-timelock cannot upgrade";
  } catch {}
}

• So, here’s the deal: proposal parameters hashing is a great way to stop something called “parameter smuggling.”

rule execution_targets_match_queued() {
  env e; calldataarg args;
  // On execute, targets/calldatas must equal the hash queued at queue time
  exec(e,args);
  assert keccak256(args.targets, args.values, args.calldatas)
         == storedProposalHash(args.proposalId),
    "Executed payload must equal queued payload";
}

Don't forget to use Prover’s coverage and multi-assert modes! They really help you check if your specifications are actually hitting the real code paths in your project. It’s a great way to ensure everything lines up as it should. If you’re looking for more info, check out the official documentation right here: docs.certora.com. It’s got all the details you need!

So here’s the deal: when it comes to the riskier routes you might take, like managing governance and making upgrades, you’ll get solid, machine-checked guarantees. No more just hoping for the best or thinking, “It should be okay.” ”.

---

Stage 6 -- Monitoring, detection, and incident response

When you have real-time alerts and straightforward emergency procedures in place, it can really help turn a scary situation into something much more manageable. This way, you can avoid potential losses and keep things under control.

1. Go ahead and sign up for the Forta bots that work best with your protocol, and don’t forget to set up alerts so you can take action when needed! Hey, have you had a chance to check out Forta’s awesome community-driven bots? They’ve got some cool ones, like the Scam Detector and the Attack Detector 2. You definitely won’t want to miss them! Zero, together with stablecoin and DeFi kits. These bots are like hawk-eyed watchdogs, keeping tabs on all the phases of funding, prepping, exploiting, and laundering. They’ve got a knack for catching any suspicious patterns that pop up, often just minutes before something goes sideways. This gives you plenty of time to take a breather or adjust roles with your timelock if needed. (docs.forta.network).

2) Define auto‑response hooks

• Link your Forta alerts to an "emergency runbook." You might need to hit the pause button on a module, throw in an extra guard, or maybe even crank up the timelock delays a bit. If you’re still using OpenZeppelin Defender, it might be a good idea to start planning a switch over to a self-hosted, open-source Relayer/Monitor. You should think about making that change before July 1, 2026. Just a quick heads-up--Defender will be wrapping things up in October 2023. If you want to dive deeper into this, just take a look at the official announcement here. It’s got all the info you need!

3) Keep an Eye on Governance Events Related to Treasuries and Timelocks

Check out Forta's templates for setting up alerts! You can use them to keep an eye on important Safe events, any privileged function calls, or transactions involving those sanctioned mixers, like addresses funded by Tornado Cash. It’s a handy way to stay in the loop! Hey, just a quick reminder to send these alerts over to PagerDuty or Slack for the signers and the security council team. Thanks! Take a look at the details right here: (docs.forta.network). You might find it super helpful!

Outcome: Your multisig and governance setup isn't just safe; it's also super transparent. We've set up some pre-approved emergency levers that are linked to alerts, so you’ll always know what’s going on.

---

Lessons from recent governance migrations and councils

Compound has officially put a hold on its migration plans until 2025. Right from the start, they laid out the proposal delay, the voting process, and the timelock windows. This really helps clear up any confusion and avoid those annoying race conditions. When it comes to governance upgrades, I think it makes sense to treat them kind of like we handle protocol releases, especially when we consider those crucial freeze windows. (comp.xyz).

Hey everyone! Exciting news--security councils are making some big moves! Arbitrum has raised its thresholds to 9 out of 12. This gives us the flexibility of both instant and delayed upgrade options. How cool is that? In the meantime, Optimism has rolled out some liveness modules and bumped up their thresholds. They've also shared some insights into their design choices, which could be super useful for you! (forum.arbitrum.foundation).

Hey, so zkSync governance is really leveling up lately! They've introduced new guardian veto periods and made the fixed quorums adjustable. Pretty cool, right? This approach really finds a sweet spot between being flexible and maintaining that decentralized feel. It clearly shows that “one-size-fits-all” governance is hardly ever the best route to take. (openzeppelin.com).

---

Putting it together: a 90‑day roadmap

Week 0-2: Baseline and Quick Wins

Alright, let’s kick things off! Start by rounding up all the signers, thresholds, and modules that you have across your Safes. Hey, just a quick reminder to get those simulation and signer SOPs sorted out. It's super important to run a simulation before you sign anything, and don’t forget to double-check those human-readable decodes! You can find more info over at safe.global.

• Alright, the next step is to throw in a Guard to prevent delegatecall. You'll also want to set up a Module Guard for any module that has the ability to run on your Safe. Oh, and let's not forget to add a Zodiac Delay. We're looking at a cooldown period of 48 to 72 hours for any actions that kick off from the modules. (docs.safe.global).

Alright, now it’s time to get your Forta subscriptions going for your important contracts. Make sure to connect them to your incident channels too! This way, you'll be up-to-date on all the important stuff! (docs.forta.network).

Week 3-6: Governance Hardening

Hey there! Just a heads up--if you’re using Snapshot with oSnap, it’s a good idea to start thinking about your migration plans. Support for both will officially end on December 15, 2025, so you've got a little time, but it’s best to get ahead of it! Have you thought about the Reality Module? It could be worth your time, or you might also want to look into going for a full on-chain Governor instead. Just a couple of options to keep in mind! Take a look at the details right here: docs.snapshot.box. You’ll find all the info you need!

Alright, let’s get into setting up the OpenZeppelin Governor and the TimelockController. Here’s how to do it:

• A voting schedule that matches the vibe of your community.
  • QuorumFraction and PreventLateQuorum,
• We've got Tally integration covered, along with some handy documentation explaining how your token’s clock mode operates. If you want to dive deeper, check out more details at this link: docs.openzeppelin.com. It's got a ton of great info!

Week 7-10: Upgrade Path and Verification

Alright, let’s kick things off by moving our upgrade process over to ERC-1967 proxies. We need to ensure we’ve got a solidly managed ProxyAdmin in place, or we could go with UUPS and keep things streamlined using _authorizeUpgrade. Plus, let’s make sure it’s all backed up by the timelock for that extra layer of security. Hey, quick reminder--seriously, don’t even consider using that old ProxyAdmin from before version 5. It’s just not worth it! Alright, it's time to shake things up! And hey, don’t forget to check out those upgrade proposals on the forks to give everything a good test run. If you want to explore this further, just click here.

• Now, we're getting ready to set up Continuous Integration (CI) with Slither, Echidna, and those Foundry invariants.
  It's finally time to get started on a Certora Prover proof of concept! We're going to focus on around 3 to 5 key properties. One of the main things we'll look at is ensuring that "no execute happens without the proper delay." Seems simple, but it’s super important! Want to dive deeper into Slither? You can find all the info you need right here. Enjoy exploring!

Week 11-13: Security Council and Runbooks

Alright, let’s break down what the emergency roles will be like. Imagine something like council or guardian positions. We should definitely establish some thresholds and set up liveness checks. Once we’ve got that sorted out, we should definitely put together some public documents that explain our response procedures and the timelines we’re working with. Oh, and don’t hesitate to grab some parameters from Arbitrum or Optimism if it fits the situation! Hey! If you're looking for more info, take a look at this link: (forum.arbitrum.foundation). It’s a great resource!

• Running a live incident drill is a smart move, too! Imagine this: we get a Forta alert, hit the auto-pause button, and then whip up a proposal for unpausing it after a quick check.

---

Checklists you can lift into your runbooks

• Treasury Multisig
• Make sure there are at least 3 signers involved. The threshold needs to be lower than the total number of signers, and you’ve got to have at least 2 hardware keys in the mix. Hey there! Just a heads up, off-chain signatures are all set up and ready to go. If you think you'll need one, you might want to look into using a self-hosted indexer. It's worth considering! (help.safe.global).
• Just a quick reminder: make sure you've got both the Guard and Module Guard switched on. And hey, don’t forget to jot down the recovery path too! (docs.safe.global). Hey! Just a heads up that we need to set up the Zodiac Roles for certain operations. Just keep in mind that there might be a bit of a delay when it comes to the module calls.
  (docs.roles.gnosisguild.org).
• Governance
• First things first, let’s get the OZ Governor set up alongside the TimelockController. We also need to make sure we’ve got PreventLateQuorum and QuorumFraction sorted out too. (docs.openzeppelin.com).
• I double-checked the EIP‑6372 clock mode and ran a few tests to see how it works with Tally. (docs.tally.xyz).
• Made sure that if we're doing any off-chain voting, we've got everything in place: a challenge window, a bond, and an arbitrator all set to go. Plus, we’ve got a solid plan to help oSnap users migrate smoothly. (docs.snapshot.box).
• Upgradeability
• Just a heads up, make sure it aligns with ERC‑1967. It’s important to have a definite owner for either your ProxyAdmin or UUPS authorization. (eips.ethereum.org). So, here's the plan: we’ll line up those upgrades using a timelock feature. First, we’ll give them a spin on a fork to see how they work out. Once we’ve gone through everything, we’ll put together a post-mortem to share our findings.
• Verification and monitoring
• I've managed to get Slither and Echidna up and running in our CI! We’ve also launched a baseline invariant suite to get things rolling. (github.com). I’ve been running the Certora Prover to check out our governance and upgrade options. We’re also keeping a close eye on any rules that aren’t passing. (certora.com). I signed up for Forta’s attack and scam detectors, and I've been working on setting up the auto-response actions. (docs.forta.network).
• We’ve nailed down the plan for moving Defender over to the open-source Relayer/Monitor, with a target to get it done before July 1, 2026.
  (openzeppelin.com).

---

Final thought

When it comes to DAO security, it’s really more than just using the right tools. It's all about adopting the right mindset. Start off with a solid multisig setup to ensure your security is tight. Then, make sure to weave in some smart governance practices--think clear timelocks and veto options to keep things smooth and accountable. Finally, when it comes time for upgrades, stick to that well-planned process you've mapped out! Make sure to use formal methods to check the risky elements, and don’t forget to have people involved for real-time monitoring. It's also a good idea to have practiced runbooks ready to go! It's not just all talk--over the last couple of years, we've actually seen these layers put into action through various protocols. Your next quarter can totally crush it, too!