How Do You Set Up a Multisig with Safe? A 2026 Walkthrough for 2-of-3 and 3-of-5

Tutorials · 2026-05-30 · 比特三棱镜编辑部

The first time I migrated a DAO treasury to Safe I was nervous: one wrong threshold or a missing line in the signer list, and six figures of assets would freeze on-chain. So this post skips theory and lays out the exact checklist I run every time I onboard a project to multisig — how to pick signers, deploy the contract, set the threshold, do a first dry-run transaction, and finally bolt on a cold backup. If “multisig” is brand new to you, skim our wallet primer and security guide first.

End-to-end illustration of deploying a Safe multisig with three signers and one contract address

Step 0: Decide whether you actually want a multisig, and how big

More signers is not always safer. Coordination cost scales superlinearly — three people can sign a transaction in an hour, five take a day, seven need fully asynchronous workflows. My rules of thumb:

  • Personal long-term holdings: 2-of-3 is plenty, third key in a safe or with a trusted relative
  • Small partnership (2-3 people): 2-of-3, one key each
  • DAO treasury or multi-stakeholder project: 3-of-5, including at least one external independent signer
  • Institutional cold storage / whale: 4-of-7 minimum with geographic and device separation

If you cannot decide between 2-of-3 and 3-of-5, use the rule: signer count = core decision-makers + 1 external + 1 cold backup. Anything bigger is a political problem, not a technical one.

Step 1: Prepare signer addresses (the most error-prone step)

Safe signers are addresses, not emails or usernames. Each signer needs their own private key, ideally:

  • At least two hardware wallets (Ledger, Trezor, Keystone all fine)
  • One hot wallet for “daily signing” (MetaMask or Rabby)
  • One cold backup generated offline, etched on a metal plate, only retrieved during recovery drills

Never reuse a single mnemonic across signers — this is the most common rookie mistake. I once saw a team where three “signers” were all derived child addresses of the same MetaMask seed on one laptop. The laptop got compromised, and all three keys went together. Multisig security assumes the keys are independent.

| Signer              | Device          | Derivation         | Backup location              |
|---------------------|-----------------|--------------------|------------------------------|
| Signer A            | Hardware wallet | Independent seed 1 | Home safe                    |
| Signer B            | Hardware wallet | Independent seed 2 | Office safe                  |
| Signer C            | Hot wallet      | Independent seed 3 | Encrypted backup             |
| Signer D (backup)   | Hardware wallet | Independent seed 4 | Bank deposit box             |
| Signer E (external) | Self-custody    | Third-party held   | Lawyer / trusted third party |
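
The independence requirement can be checked mechanically from a signer table like this one. The sketch below is an added example, not code from Safe or from the original post: it counts how few seeds an attacker must compromise to reach the threshold and how few locations must be lost before the Safe freezes. The seed and location labels are constructed, and the label for Signer E's seed is an assumption, since the table only says that key is held by a third party.

```python
from collections import Counter

# Constructed rows mirroring the signer table: (signer, seed label, location).
TABLE = [
    ("A", "seed-1", "home safe"),
    ("B", "seed-2", "office safe"),
    ("C", "seed-3", "encrypted backup"),
    ("D", "seed-4", "bank deposit box"),
    ("E", "seed-5", "lawyer"),  # assumed label: the key is held by a third party
]
# Constructed anti-pattern from the text: three signers derived from one seed.
ONE_LAPTOP = [(s, "seed-1", "laptop") for s in ("A", "B", "C")]

def fewest_groups(sizes, target):
    """Fewest groups whose sizes add up to at least target.

    Taking the largest groups first is optimal for this problem.
    """
    total = 0
    for count, size in enumerate(sorted(sizes, reverse=True), start=1):
        total += size
        if total >= target:
            return count
    return None  # target cannot be reached

def audit(signers, threshold):
    """Report how many independent failures the setup really tolerates."""
    n = len(signers)
    if not 1 <= threshold <= n:
        raise ValueError("threshold must be between 1 and the signer count")
    seeds = Counter(seed for _, seed, _ in signers)
    places = Counter(place for _, _, place in signers)
    return {
        # Seeds that must be compromised to collect `threshold` keys.
        "seeds_to_steal": fewest_groups(seeds.values(), threshold),
        # Locations that must be lost so fewer than `threshold` keys remain.
        "locations_to_freeze": fewest_groups(places.values(), n - threshold + 1),
        # Seeds backing more than one signer: these break independence.
        "shared_seeds": sorted(s for s, c in seeds.items() if c > 1),
    }
```

For the table above at 3-of-5, both counts are 3. For the one-laptop setup at 2-of-3, both drop to 1, which is the single-key security the multisig was supposed to replace.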

Step 2: Create the contract wallet at app.safe.global

Open the Safe app (verify the domain app.safe.global), connect one of the signer wallets, and click Create new Safe:

  1. Pick a network. For newcomers, start on Arbitrum, Base, or Polygon — deployment costs a few dollars. Mainnet runs $20-40 today.
  2. Name the Safe (local-only label, not on-chain).
  3. Add signer addresses one per line. Double-check every character. Best practice: each signer posts their own address into a group chat and you paste it from there.
  4. Set the threshold — how many signatures are needed to move funds.
  5. Preview the transaction, sign, and deploy.

After deployment you get a contract address. That’s where the funds actually live. The signer wallet you connected with is just one of the signers — do not send funds to a signer EOA.

Safe deployment confirmation screen showing the new contract address, threshold and signer list

Step 3: The first transaction must be a dry-run

Never move serious money into a fresh contract. My standard two-step dry-run:

  1. Small deposit: send the equivalent of $5-10 in stablecoin from your hot wallet to the Safe, wait for confirmation, note the gas.
  2. Small withdrawal: initiate a transfer from the Safe to a test address and have every signer sign it in rotation — the point is not to move money, it’s to confirm each person’s device, network, and wallet app can actually sign.

Issues this regularly catches:

  • One signer’s hardware wallet firmware is too old to handle EIP-712
  • One signer is on a corporate network that blocks the RPC
  • One signer is on an incompatible browser (rare, but in 2026 certain Brave builds break WalletConnect)

Only after the dry-run passes should you move real funds — and even then, cap the first deposit at 10% of expected treasury and watch for a week before topping up.

Step 4: Add the backup signer

Deployment is not the finish line. The most common multisig failure mode is signer unavailability, not a hack — travel, illness, going dark, or interpersonal conflict can paralyze the treasury.

In Settings → Owners you can add or remove signers any time. Right after your dry-run passes, add a cold backup signer without changing the threshold.

Example:

  • Original: 3-of-5 with five core signers
  • After backup: 3-of-6, one extra backup, still 3 signatures to move funds
  • If a core signer disappears, the remaining four core signers vote to remove them and the Safe returns to 3-of-5, with the threshold still at 3

The backup key should live on a geographically separated device — a bank deposit box in another city, retrieved only during the semi-annual recovery drill for validation.

Step 5: Daily signing discipline and monitoring

Running a multisig is harder than deploying one. Three rules I enforce on teams:

  • Before signing, at least two signers must independently verify the to, data, and value fields — never trust only the prettified label Safe shows
  • Any spend larger than 5% of treasury must be posted as a preview link in the team channel for 24 hours before signatures
  • A weekly reconciliation: pull all outbound execTransaction events from Etherscan and match them against approved proposals
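
One way to do the independent check of to, data, and value from the first rule is to decode the raw calldata yourself and compare it with what the team approved. This is an added example, not part of the original post or of Safe's tooling: the addresses and the approved-payment record are constructed placeholders, the decoder covers only calls whose arguments are static 32-byte words, and approved addresses are assumed to be lowercase hex.

```python
# Well-known 4-byte selectors; every argument here is a static 32-byte word.
SELECTORS = {
    "a9059cbb": ("ERC-20 transfer", ("address", "uint256")),
    "095ea7b3": ("ERC-20 approve", ("address", "uint256")),
    "0d582f13": ("Safe addOwnerWithThreshold", ("address", "uint256")),
    "f8dc5dd9": ("Safe removeOwner", ("address", "address", "uint256")),
    "694e80c3": ("Safe changeThreshold", ("uint256",)),
}

def decode_call(data_hex):
    """Decode raw calldata into (name, args); unknown selectors are reported."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if not raw:
        return "native transfer", []
    name, types = SELECTORS.get(raw[:4].hex(), ("UNKNOWN 0x" + raw[:4].hex(), None))
    if types is None:
        return name, []
    if len(raw) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match " + name)
    args = []
    for i, typ in enumerate(types):
        word = raw[4 + 32 * i: 36 + 32 * i]
        if typ == "address":
            if any(word[:12]):
                raise ValueError("non-zero padding in address argument")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def check_payment(tx, approved):
    """Compare raw to/value/data with the approved token, recipient and amount."""
    name, args = decode_call(tx["data"])
    if name == "ERC-20 transfer":
        got = {"token": tx["to"].lower(), "recipient": args[0], "amount": args[1]}
        extra = ["value is non-zero on a token transfer"] if tx["value"] else []
    elif name == "native transfer":
        got = {"token": None, "recipient": tx["to"].lower(), "amount": tx["value"]}
        extra = []
    else:
        return ["not a simple payment: " + name]
    return extra + [f"{k}: raw {got[k]} != approved {approved[k]}"
                    for k in ("token", "recipient", "amount") if got[k] != approved[k]]

# Constructed sample data: placeholder addresses, not real accounts.
TOKEN, ALICE, OTHER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
def transfer_data(to, amount):
    return "0xa9059cbb" + to[2:].rjust(64, "0") + format(amount, "064x")
APPROVED = {"token": TOKEN, "recipient": ALICE, "amount": 5_000_000}
```

An empty result means the raw fields match the approved payment. Anything that decodes as an owner or threshold change, or as an unknown selector, is returned as "not a simple payment" so it gets a manual review instead of a routine signature.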

Hook into Safe’s notification service or Tenderly Alerts on the contract address so every execTransaction triggers a webhook to Discord or Telegram. Any anomalous signature should get a human response within five minutes.

Signers reviewing outbound transactions and an alert dashboard floating around the Safe contract

Step 6: A recovery drill every six months

A multisig that “still works after a year” and a multisig that “rehearses every six months” are two different things. Every six months:

  • Have one signer simulate device loss and restore from backup
  • Test that the cold backup signer can still be retrieved and sign a small test transaction
  • Re-audit the signer list — anyone left the team, drifted away, swapped devices without telling you?
  • Update internal docs: addresses, threshold, backup locations, emergency contacts

You can fold this into a combined drill alongside the wallet recovery drill tutorial (coming soon) — single-sig and multisig together are the most efficient session.

Treat multisig as organizational design, not a technical install

The contract code is mature — Safe has had effectively zero exploits since 2018. What breaks multisigs is the organization around them: who holds which key, who can veto whom, how trust between signers gets maintained. Get those answers right and 2-of-3 will protect a treasury. Get them wrong and 10-of-15 will still get strangled by its own politics. Before you click Create new Safe next time, fill out the signer table from Step 1 first.