~/treasury $ dao-keys --threshold=3-of-5
SESSION 04 / 2026
DAO & protocol treasury

Treasury keys are protocol keys.

Multisig recovery phrases, governance admin keys, the credentials behind the credentials. Split the off-chain backup across the people who should hold it, with the threshold you choose. We never see the words.

// loading treasury bundle...
scheme = "shamir"
threshold = 3
holders = 5
cipher = "aes-256-gcm"
// encrypting in browser...
> ok: bundle encrypted
> ok: shares generated
> server state: 0 bytes
// awaiting distribution...
§ 01 · Incident log

How protocol treasuries actually die.

Pattern · recurring
Vector Failure mode Magnitude Status
0x01.PERSONNEL · 2023 · recurring

The signer who went dark

A multisig with five signers, three required. Two signers move on, one becomes unreachable. The remaining holders cannot reach quorum. Funds are stranded.

Magnitude: funds frozen
Status: unrecoverable
0x02.HOT-KEY · 2024 · observed

The admin key on a single laptop

The recovery phrase for the upgrade key, stored on one founder's machine. Phishing, malware, or device loss converts protocol risk into existential risk.

Magnitude: full control loss
Status: irreversible
0x03.VENDOR · 2025 · observed

The custodian that stopped existing

A custodial backup service for institutional treasuries shut down. Customers had ninety days to migrate. Many learned about the deadline after it passed.

Magnitude: vendor exit
Status: forced migration
§ 02 · Asset inventory

What this protects.

asset.01 · Critical

Multisig recovery phrases

The seed words behind the signing devices in a Gnosis Safe or Squads treasury. The off-chain backup that quietly determines whether the on-chain quorum can rebuild itself.

0x4f...c2a9
asset.02 · Critical

Protocol admin keys

The upgrade key. The pause key. The fee-switch key. Credentials that, in the wrong hands, can drain or brick the protocol. In the right hands, only with a threshold.

0x8b...91d3
asset.03 · Critical

Governance execution keys

The accounts that execute on-chain governance once a proposal passes. Small in number, large in consequence. Often held informally by one or two people.

0x1d...7ec0
asset.04 · High

Domain & DNS controls

The registrar and DNS provider that point the protocol's domain to the right interface. Hijacked or lost, users land on imitators or nowhere at all.

ns.protocol.eth
asset.05 · High

API & RPC credentials

The master tokens for infrastructure providers, indexers, and oracles. Lost, services degrade silently. Stolen, attackers feed false data into the protocol.

api.0x...key
asset.06 · High

Cold treasury backup

The deep-cold backup of the treasury wallet itself, off every machine, off every cloud. The last-resort key that no individual signer alone should reach.

cold.0xff...01
An on-chain multisig is only as resilient as its off-chain backup.
// threshold-vault · principle.txt
§ 03 · Execution sequence

Bundle, encrypt, split, distribute.

01 · BUNDLE

Assemble the treasury bundle

Multisig seeds, admin key recovery phrases, registrar logins, RPC tokens. Whatever the protocol cannot afford to lose, bundled as plain text in your browser, briefly.

Input: seed words, recovery codes, tokens
02 · ENCRYPT

Apply AES-256-GCM

Authenticated symmetric encryption, performed in your browser. The encrypted blob is meaningless without the key. The key is what gets split.

Stage: aes256-gcm.encrypt
03 · SPLIT

Shamir K-of-N share generation

The encryption key is divided into N shares with threshold K. A typical setting for a DAO leadership group is 3-of-5. Below K, a share reveals nothing about the key.

Output: shamir.shares = N
04 · DISTRIBUTE

Hand out the shard cards

Each signer or trusted party receives a shard card and a protocol folder. They are prepared, with a written agreement, for the day someone may try to coerce or deceive them into recovery.

Status: distributed · offline
§ 04 · Protocol stack

Open. Auditable. Verifiable.

The cryptographic primitives are the same ones your security team already knows: a symmetric cipher you can verify against test vectors, and a 1979 threshold scheme with a half-century of analysis.
Layer I · Cipher

AES-256-GCM encrypts

Authenticated symmetric encryption. GCM mode detects tampering on recovery. Without the encryption key, the ciphertext is meaningless and indistinguishable from random output.

algorithm: AES-256
mode: GCM, authenticated
tamper-evident: true
Layer II · Scheme

Shamir splits the key

Each share is a point on a polynomial over GF(256). K points reconstruct it. Fewer than K reveal zero information about the key. Provable, not promised.

scheme: Shamir K-of-N
field: GF(256)
test vectors: 51 verified
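
The split described in step 03 and in Layer II, as an added example (not Threshold Vault's code or share format): a 32-byte key is split 3-of-5 with one polynomial per byte over GF(256) and rebuilt by Lagrange interpolation. The AES reduction polynomial 0x11b, the {x, y} share layout and all function names are assumptions, since the page does not specify them.

```javascript
// Added example, not Threshold Vault's code. Assumed: AES field polynomial
// 0x11b, shares shaped {x, y}, x = 1..n. All names here are hypothetical.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
// Multiply in GF(2^8): shift-and-add, reduced by x^8 + x^4 + x^3 + x + 1.
function gmul(a, b) {
  let p = 0;
  for (; b; b >>= 1) {
    if (b & 1) p ^= a;
    a = (a << 1) ^ (a & 0x80 ? 0x11b : 0);
  }
  return p;
}
// Inverse as a^254, since every nonzero element satisfies a^255 = 1.
function ginv(a) {
  let r = 1;
  for (let i = 0; i < 254; i++) r = gmul(r, a);
  return r;
}
// One random polynomial of degree k-1 per secret byte; share i is f(i).
function split(secret, k, n) {
  if (k < 2 || k > n || n > 255) throw new RangeError("need 2 <= k <= n <= 255");
  const shares = Array.from({ length: n }, (_, i) =>
    ({ x: i + 1, y: new Uint8Array(secret.length) }));
  secret.forEach((byte, pos) => {
    const coeffs = [byte, ...wc.getRandomValues(new Uint8Array(k - 1))];
    for (const s of shares) // Horner evaluation at x = s.x
      s.y[pos] = coeffs.reduceRight((acc, c) => gmul(acc, s.x) ^ c, 0);
  });
  return shares;
}
// Lagrange interpolation at x = 0 recovers coeffs[0] for every byte.
function combine(shares) {
  const out = new Uint8Array(shares[0].y.length);
  shares.forEach((sj, j) => {
    // basis = product of x_m / (x_m ^ x_j) over m != j
    const basis = shares.reduce((b, sm, m) =>
      m === j ? b : gmul(b, gmul(sm.x, ginv(sm.x ^ sj.x))), 1);
    sj.y.forEach((y, pos) => { out[pos] ^= gmul(y, basis); });
  });
  return out;
}
// Constructed demo: a random 32-byte value stands in for the AES-256 key.
function demo() {
  const key = wc.getRandomValues(new Uint8Array(32));
  const shares = split(key, 3, 5);
  const same = (a, b) => a.every((v, i) => v === b[i]);
  return { anyThree: same(combine([shares[4], shares[1], shares[2]]), key),
           onlyTwo: same(combine([shares[0], shares[3]]), key) };
}
```

`combine()` cannot tell two shares from three: below the threshold it returns wrong bytes without an error, so recovery depends on the AES-GCM authentication tag to reject the resulting key.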
§ 05 · Server state

Query the server. Receive nothing.

field               stored value   state
treasury_bundle     [ NULL ]       not stored
encryption_key      [ NULL ]       not stored
shamir_shares       [ NULL ]       not stored
recovery_words      [ NULL ]       not stored
holder_identities   [ NULL ]       not stored
ceremony_id         local-only     client-side
§ 06 · Multisig roster

Five signers. Three to reconstruct.

Threshold 3 / 5
#      Role                 Custody                  Share
i.     Core contributor     Day-to-day operations    0x4f...a2c9
ii.    Founding member      Long-term steward        0x8b...91d3
iii.   Independent signer   Outside the core team    0x1d...7ec0
iv.    Counsel / advisor    Off-chain legal record   0xab...44ff
v.     Cold backup          Sealed deposit box       cold.box.0x05
§ 07 · Block log

Questions from protocol teams.

Multisig solves on-chain authorization. Threshold Vault solves the off-chain backup. Most multisig failures are not on-chain failures; they are losses of recovery phrases or signer devices. The two layers complement each other.
MPC custody is operationally convenient and adds a vendor to your threat model. Threshold Vault adds no vendor and runs entirely client-side. Different tradeoffs. For some treasuries, both apply: one for hot operations, the other for the cold backup behind it.
No. This protects the off-chain recovery layer only. On-chain operations continue at on-chain speed. Recovery is the rare event the scheme exists for.
Yes. The cryptographic core is open source with 51 published test vectors. The recovery tool runs offline from your archive. Every share can be independently verified against the reference implementation.
Below the threshold, a share reveals nothing. A single adversarial signer cannot reconstruct alone. They would need K-1 collaborators willing to break the same trust. The Extortion Response Protocol prepares each holder for the conversation that tries to overcome this.
protect.treasury --keys=all

Protect the keys behind the keys.

Try the cryptography on a throwaway phrase. No signup. When you are ready, the plans are one step away.