Inquiry into Polygon multisig

Today, the following letter was sent by DeFi Watch to Jaynti Kanani of Polygon. Once a response is received, we will publish it right away. Follow Chris Blec on Twitter for updates.

Dear Mr. Kanani:

There is now a great level of concern amongst the DeFi community over the security of the Polygon network. The existence of a 5-of-8 multisig with the ability to upgrade the MATIC staking contract is seen as a significant liability not just to Polygon’s network, but to the entire DeFi ecosystem.

Unfortunately, my attempts to engage in rational discourse with your team via social media have not been received well. I certainly take some responsibility for the friction that has emerged. However, lack of engagement, transparency and communication from your team in a situation such as this poses an existential threat to the realm of decentralized finance. Therefore, I feel compelled to put the community’s urgent questions into writing, with hopes that you will feel more comfortable engaging in this format.

Answering these questions in a frank and unemotional manner will benefit the DeFi community in unquantifiable ways. It is critical that all DeFi projects, including Polygon, address reasonable security concerns as they arise, and answer questions from an adversarial point-of-view when required to achieve full transparency.

Does the security of the Polygon network rely on the skill, honesty and integrity of 5 of the 8 multisig keyholders?

What is the worst outcome that could result if the 5-of-8 staking contract multisig were to be compromised?

What evidence can the community consider as proof that each of the 8 signing keys is in the sole possession of a unique individual, and that 1 individual does not hold more than 1 signing key?

How can users be assured that the private keys and/or mnemonics underlying each of the 8 signing keys were generated in a secure fashion, have been secured properly throughout their existence, and were not compromised before being designated as a multisig signer? 5. Which jurisdictions govern the individual multisig keyholders, and are any keyholders breaking any local or national laws by participating in the multisig?

Where is Polygon’s managing corporation incorporated, and how many of the 8 keyholders are employees of said corporation?

How would the Polygon corporation or team react to a forceful government request to modify the staking contract or otherwise interfere with the continuity of transactions on the Polygon network?

How can users be assured that the multisig signers will not collude to intentionally compromise the security of the Polygon network, if financial incentives ever exist to do so?

Thank you in advance for your full cooperation in obtaining answers to these very important questions and any follow-up questions that may be asked based on your responses. While we fully expect your engagement on this issue, please understand that the lack of a clear response will likely result in further amplification of the issue within the community.

Feel free to answer in writing, or if you prefer we could schedule a time to hold a public voice chat via Twitter Spaces.

If you need additional information or clarity on any of the questions, please contact my office at [email protected] or on Twitter @ChrisBlec.


Chris Blec
Founder, DeFi Watch