Multisigs Involvement


I would like to share one of my concerns with you all. It has been few months now that we appointed 5 multisigs to manage the community fund : ethdev, @Justin_Bram, xgozzy, bt11ba and @Rezan. I strongly supported the creation of this fund and the election of active community members as its multisigs.
To my understanding, elected multisigs have to both:
1. Sign community fund txs according to the community wishes,
2. Bring concrete value to the community (e.g. coding or creating content).

At that time, the multisigs’ commitment to the community was strong, which justified the 100 TORN / month that is currently paid to each one of them.

However, I don’t feel like all multisigs are still committed the same way anymore (with some being completely inactive). My goal here is not to throw blame, just to hold these elected members accountable for their pledges. I am wondering if it wouldn’t be better to update the roaster of multisigs by replacing the least active members with more active and deserving ones? I would like to discuss this matter with you.

What do you think guys? Maybe the current multisigs can tell us what they concretely did so far for the community since they were elected, it would really help!



Thank you for your justified concerns @regerd. Due to my new obligations with another protocol and the regulatory climate in the US (I’m currently the only non-anon US-based member), I’m going to be stepping down.

It was a pleasure to serve with the other members and I truly wish them well! Thank you all for your support.

Justin Bram


I understand, would it be possible to have the exact list of what you have concretely brought in terms of added value to Tornado Cash since the moment you were elected as a multisig?


Hey @regerd, fair concern.
Keep in mind that anyone is free to start a Snapshot to get themselves elected or replace signers. The same rules will apply for new candidates.

I agree with you that it might not feel like it used to be. Growing a community organically is hard. I think Tornado is a bit of a special project on that front. The team is a lot more hands-off. This is great for decentralization and it is an amazing opportunity for anyone to come and add value. However, you can sometimes feel the lack of leadership and coordination.

On my side, my recent contributions are setting up the Immunefi bounty program, coordinate the anonymity research program. Setting up snapshots and prepare proposals.

To be honest, when we started this, I was expecting more inbound request for funding and community initiatives to pop up. In reality, these initiative have to come from us or not much will happen.

I am still committed to Tornado and enjoy contributing. However, I am willing to step down if the community wants. I am just a bit worried about finding good people to replace us. Last, if the issue is the pay, I don’t mind dropping/lowering that.


Thanks for sharing your opinion Regerd and feel no remorse in highlighting your concerns, this is the essence of decentralised governance. Whilst it may seem like not much is happening at the forefront there are instances behind the public discourse, that does shine further light on each signer’s commitment.

With the context here though, each actor should justify their own commitment and accomplishments under the role. As ultimately it’s governance that decides who and who is not ideal candidates for such role - and who has the power to exonerate or elect any individuals at any time.

Regarding my own commitments to the protocol and as a signer, I will adhere to admitting I feel I am falling short of what level of commitment I aspire to. I still feel my positioning as a transparent actor to the multisig brings forth a layer of accountability, alongside with @Justin_Bram’s previous presence. Unfortunately with his resignation, this trait is less prevalent and so that is why I preach that we should seek another viable transparent actor or actors, going forward to rebalance the demographic.

Nonetheless, here are some of the responsibilities I have been undertaking since deployment to the role.

  • Discord community management and support
  • Contribute to governance (see forum profile)
  • Help architect and moderate the bounty program (#1, #2)
  • Protocol documentation - Anonymity mining tutorial
  • Reoccurlingly assess pending requests to the multisig and approve if viable or rebut otherwise
  • Designing and developing an auction implementation to reimburse the actors who update the Merkle trees (ongoing)

@ethdev How are you doing so far? Let the community know what you have been working on


Hi @regerd

Thank you for this very fairly worded expression of concern.

My tl;dr sentiment is:

I am still committed to Tornado. However - at this time - I do not feel my 100 TORN per month is justified given the current demand of responsibilities.

This expresses my sentiment perfectly. I believed we were going to have a lot more outreach from the community, and I am disappointed we haven’t been able to award more community contributions.

If I being perfectly honest, I am not a fan of the private telegram channels we use among the multi-sig holders.

They are useful for some short form conversation when it comes to coordinating multi-sig transactions. However, it seems that retaining so much of our useful community conversations in private channels may have unintentionally resulted in a well-founded sentiment from the community that the multi-sig holders are less active than they really are.

I can say for myself, I actually have become less vocal on both the forum and the telegram group as a result of the telegram channel. I’m not all that interested in participating in private messaging threads that I feel ought to be had out in the open in the first place. And now I am realizing I have felt less prompted to engage on the forum because my “role” of multi-sig holder is largely contained to the telegram group.

I would sincerely like to suggest we return a majority of the conversations concerning the Tornado Cash Community Fund to the forum. Not just our “official” statements that we coordinate in private before “public release.”

Among many benefits, I believe this will primarily (1) hold us more accountable to the community, (2) generate a more transparent record of our contributions, and (3) provide more jumping-in points for community participants who are interested in getting involved.

If he’s up to the task I would eagerly nominate @FrozenFire

Yup. This is always a fair request to make. Thank you for asking:

cc @rstormsf

Oh, wow. Sad to see you step down, Justin. But happy for your transition. Thank you for your leadership and contributions. Obviously, you’d have my support if you decided to re-apply for multi-sig or some other community role.

Moving Forward

My Renumeration

I’m open to suggestions here, but as I previously mentioned, I do not believe my 100 TORN/month is justified at this time.

I would be open to lowering this amount - potentially through a indefinite probationary period until community demands increase again to a level where a higher demand is justifiable once again.

Community Expectations

I’d also like to invite the community to more directly share what type of key metrics or milestones they’d like to see from the multi-sig holders.

This is (again) one of those conversation we’ve had in private among ourselves in our multi-sig private telegram channel. And I don’t believe the incentives are aligned for us to be picking our own metrics. We were voted upon by the community to follow the will of the community. And I’d like to see that exercised to its fullest extent.

It would be wonderful to have more direct community feedback, as you’ve already expressed @regerd

Additionally - although it hasn’t been explicitly expressed in too many places - I get the impression that the community would like to see the multi-sig holders take on the responsibility of community development, growth, outreach, etc. And while that would be a wonderfully useful role to fill, I’m not particularly certain we, the multi-sig holders, are entirely qualified for that. At least I can speak for myself and say I’m not. We have tried to search for a community manager, but have not hired anyone willing to step into the role.

To this point, I believe if the community were to request a reduction in at least my own renumeration that it be allocated to a community manager.

Looking forward to this continued conversation. Thank you once again for kicking it off @regerd


Hey @regerd, thanks for this post and you ask a very important question, the legitimacy of multisigs. I think we should continually question that legitimacy by doing a resume of what we did every 6 months for example.
You will find below my contributions since I have been elected multisig :slight_smile:

– WUTornado:

– Multisig:

– For Tornado Cash official medium & twitter:

I would like to thank the community for the trust they have placed in me. Your advice and support help me to contribute more and more to the Tornado community! Special thanks to @ayefda for the great work she is doing.

Regarding what you say @ethdev, it’s true that we haven’t seen you available lately, that’s why we were wondering if you still wanted to continue as a multisig, since you need to be available, especially to sign transactions. Personally, I don’t think the forum is an easy place to have quick discussions. Given the amount of time I spend working for the community, I don’t think I’d be able to have all the discussions about Tornado on the forum, i.e. multisig, WUTornado, team discussion. It would take up more time than necessary. But indeed, if the community ask for it, we could put more discussions on the forum, even if, as we can see, the forum is not at all active and would not especially have many more answers.

Regarding multisig’s salary, I think it depends on the involvement of each person. It remains to be defined if you want a multisig to be passive - active - very active.
For me, being very active, this salary does not cover the amount that would be paid in my sector of activity, considering the hours I spend working for the Tornado.Cash community, as you can see above. I think the amount paid to each multisig could either be:

  • Fixed, as it is today (100 TORN) without being able to remove/add a remuneration according to the real added value brought by the member, which might scare away some people and their necessary contributions to the community,if they bring much more than what they are paid,
  • Modular according to what the member brings, that is to say to have an amount relative to the activity of multisig, to which one adds an amount concerning what it brings in addition to this activity of multisig, like the creation of contents for my part/software development for some other potential new multisig ?..

Regarding the withdrawal of @Justin_Bram, it was a pleasure to work with you, as I told you earlier by message, I have no doubt about your future given the multiple activities you have today!
I propose that we expand our field of vision by adding a non-European/American multisig this time, but rather a Russian one, who can represent the interests of the Russian community: @Ghost (creator of the Tornado Cash russian telegram group).

His telegram group contains many tornado members and he is quite active. He has also given a lot of his time to the community. So he could very well become a multi-sig in my opinion by continuing what he is doing today in a more active way if he wants to.


I just want to take a moment here to kindly differentiate between being active and being available.

While I have not been as active in text (messaging, posting, etc), I have been perfectly well available (and timely) for our group meetings, key deliverables (ex, drafting & posting Community Fund RFPs), and multi-sig txs…

We can actually look at some quick, ordered stats to measure the quality of my availability when it comes to signing txs. Which I would argue is on pace with or above the “average multi-sig holder”:


Note: I believe @bt11ba owns the wallet address 0xEA27…9115 and @xgozzy owns the wallet address 0x647e…300d. However, I don’t have this verified, yet, so I’ve just used their wallet addresses below. This can be updated upon confirmation


The number of tx signatures made by each key holder based on the number of txs for which they were part of the multi-sig sorted by %:


The number of times a key holder has paid the gas to execute the multi-sig transactions sorted by %:

  • @ethdev - 6/14 (42%)
  • @Justin_Bram - 4/14 (28%)
  • 0xEA27…9115 - 2/9 (22%)
  • 0x647e…300d - 0/10 (0%)

Note: @Rezan always creates the contracts and pays the initial gas, so he never needs to execute them

Longest Time-to-Execute

Because the person to execute is generally the last one to sign, it’s also worth measuring the longest time said person “waited” (eg, was “unavailable” for) from the timestamp of creation to execution to sign the tx. Sorted by fastest:


  • Signatures - It would seem that aside from @Rezan, everyone has shared nearly equal signatory responsibilities in the 4-of-5 quorum, ranging only slightly between 66%-57% participation (keep in mind, not everyone needs to or even can sign every tx). I fall into the “higher half” at 64%.

  • Executions - Among the key holders I’ve paid a majority of the gas for execution (next only to @Rezan for his contract/tx creations)

  • Longest Time-to-Execute - When I am the key holder to execute txs, I am the fastest to “close” (at only about 1.25 day). Which I have to say: I feel this is pretty reasonable given how far we’re all spread out across various global time zones, and that I do give the time and attention to read and confirm each tx detail before signing. I also have to admit that as a team, I feel that 4 days as the longest time to execute is not too bad (iirc, this individual actually communicated proactively that they were traveling during this time and that they’d be late to sign)

In summary, I’m quite comfortable with my availability. If we want to discuss my activity when it comes to messaging or posting on the forum as a separate topic, then I am open to that, as well.

I agree. I just mean: the telegram group gets pretty full of casual conversation. I’d rather keep those “quick discussions” regarding critical multi-sig decisions kept in a light chat.

Maybe we could move casual convo to a separate “Multi-Sig-Social” channel?

Yeah, we certainly don’t need to do this. It’s just a suggestion given how active our telegram group actually is vs. what the community might be inaccurately perceiving due to their lack of visibility into our internal communications (part of why this thread appears to have been created in the first place)

Oh, 100%. When I said:

I was only speaking for myself

Just as each person is elected independently, so too can each person be compensated independently. We just happened to start compensation levels all at the same 100 TORN amount. But nothing says we need to keep that the same for everyone

Ya. I might suggest you consider applying for additional renumeration for your extensive efforts

The 100 TORN per month multi-sig renumeration was originally intended to compensate for multi-sig responsibilities plus base community efforts that contributed to their nomination and subsequent election in the first place. It was not necessarily intended to cover any and all efforts by members. Those who continually go above and beyond are certainly entitled to additional compensation should the community approve a Snapshot vote.

Very thoughtful @bt11ba

@Ghost sounds like a wonderful candidate. If he is interested we can create a Snapshot to vote him in.


I think you misunderstood my message @ethdev.
Indeed, on the transaction signature there does not seem to be a problem, however what was raised with @Rezan was more related to the absence on the Telegram group. Group that we had initially made for the multisig and to obviously be able to discuss and advance together.

Regarding the transactions, there is nothing to say about anyone, we all sign these transactions, which is clearly not very difficult let’s be honest.

I have nothing to say about your commitment and motivation as a multisig, I was only explaining why we were wondering if you still had time to continue being a multisig, since you were not present during a long time on our Telegram group.

By the way, you had never discussed the fact that you were uncomfortable using a private multisig group for discussion, so I am wondering about this point, which is clearly interesting. If you want to set up a system where multisigs can for example suggest things or ask questions, I’d love to. This would add another place for discussion, as we already use the forum, the Telegram groups and the Discord.

Regarding the additional compensation, indeed I think that any work deserves a salary, so I would propose to the community some changes regarding this, as you proposed.
On the potential place of @ghost in the multisig, I will see with him to see if he would be interested and if yes, I would propose his candidature. As I pointed out, I think it’s important that the different Tornado communities can be represented.

1 Like

That’s fair. Well taken.

It’s not so much that I’m uncomfortable as much as I think about it like this: we each have a limited amount of time & energy to allocate to everything we do, and I feel if I have the choice - as a member of a DAO - between messaging privately or publicly, I would personally rather message publicly bc I believe it is more in the interest of the DAO to do so. Plus if we have a conversation privately and then we need to re-communicate it to the community in the forum or in a blog post or whatever, then we’re doing the same work twice, which I personally feel is redundant and a waste of our own time, which is currently a paid resource to the community.

Now that being said, all this is only my personal opinion, and I recognize others may feel differently. And I respect those differences.

On a more personal note: I also just generally enjoy open forum conversations more than private group chats. Unless, of course, the groups chats are high level and logistical, such as the relayers’ private tg channel to receive notifications for when to update relayer nodes.

Gotchya. Again fair. I can reply more often. FWIW I was actually present a majority of the “quiet” time and read through everything being posted, with the exception of when I notified the group I was ill + some time following that (which has been quite recent). Regardless, I appreciate the constructive feedback and will act upon it by increasing my level of that kind of engagement.

I really only just mean another tg group that’s more for the social, so as to keep one channel more “clear” for those high level notifications/meetings, similar to the relayer channel. Rather not to use another platform altogether. But this proposal is not critical or something I feel is high priority. Just a suggestion.

Yeah, I don’t want you to feel as though you’re not being fairly compensated for all the work you do. That’s literally the point of why the community voted upon having a Community Fund in the first place.

Cool. Will wait to hear back on your response from @Ghost

I think TORN is a functional, stable project providing real value. The team is mostly anon and the project is decentralized.

We should reward TORN holders with fees directly from the protocol, like a dividend, and call it a day. Then the more Tornado is used, the more TORN holders make. That is the end game if we don’t need more serious development. And then people would be truly incentivized to provide more value to Tornado if they held TORN and were earning fees.


Sorry but I don’t quite see how this could be related to the discussion about the multisigs involvement and the salary based on the involvement. Nobody has argued would not need the serious development or discussed the TORN holders as a whole.

Paying TORN as dividend looks to me the different matter which should be talked about on another thread, but I think collecting TORN as fee to distribute to existing holders does not incentivize further development or the usage of service, instead it would discourage both of them.

  • On development: If having TORN would earn more TORN, it could discourage further development. Think about a new developer from the outside who is skillful but does not have TORN. The person would naturally be unsatisfied with the fact that the existing holders were rewarded by doing nothing (except owing TORN, if you call it doing something) while it is developers which include him/her who actually dedicated time to improve the service. Think about a whale who bought almost all of TORN. If the most of fee would be collected by the person (who also would be incentivized to change the protocol through governance on his/her own will), nobody would participate with the development to be exploited after all.

  • On usage: Based on voting you could modify it so that using the service requires a specific amount of TORN as fee, hoping it would increase its demand. This, however, would increase the downward pressure of the price instead because anyone can freely fork the service to provide another one based on it with much cheaper fee, or just without fee like the original service, which should decrease usage of the modified service. Without new developers and enough deposits to secure anonymity, it would be eventually abandoned, and demand of TORN would be going to zero.

1 Like

I personally think remuneration within the duties of a multi-sig signer (including additional duties of being a key contributor) - should be static. Each contributor varies in their skillsets committed to the protocol and if they feel like the remuneration is not sufficient to what value they have provided, they can request further reimbursements for their efforts upon completion - which of course is dictated by consensus (the community).

Furthermore, if the community feels the incentives for being a contributor are insufficient and need to be modified, the floor is always open to discussion on this topic. This also extends to discussing the resignation of any signers if they fail to meet their duties or adding additional parties to such roles.

I suggest authoring a proposal if you strongly feel like your efforts extending past the duties of being a multi-sig signer - such as your ongoing commitment to document tornado’s governance and write primers on new features - are being under-compensated.

While I’m in approval of adding furthermore signers to the multi-sig to decentralise the community fund even further, given the current 4-of-5 structure and @Justin_Bram’s departure. Only one select individual can be substituted right now, unless another three viable actors are identified, which would bring the safe’s sufficient signature count to 6-of-7. Ghost indeed seems like a fine future candidate but with the current situation, this would only dismiss my previous concern regarding the lack of transparent signers.

I think he would too be a fine candidate, he has shown an interest in tornado and is actively researching and developing with zero knowledge. If of course, he is willing to take up the role. This would distinguish my concerns regarding the demographic of the other signers.


I really appreciate your confidence in me. I’m certainly interested to contribute in this way if I can be of use. I feel compelled to offer a bit of a bio, if my name’s up for serious consideration as a multisig signer.

I’m a Canadian engineer currently working under a grant from the Ethereum Foundation’s ESP, specifically with their Zero Knowledge & Privacy team. My primary focus is working on a project to bridge Auth0 OIDC identities (Google, Twitter, Facebook, etc) to Ethereum using Circom-based zero knowledge proofs of JWT identity attestations. I’m also trying to contribute broadly toward education, community, and opportunity creation when it comes to zero knowledge technology.

I got into ZK development in large part because privacy is a core passion of mine. Back in July I quit my full-time position as a Principal Engineer for a major US telecom, in order to pursue this interest without distraction. was the most accessible project that I was aware of in this space, and so I set myself to learning how it worked, down to the nuts and bolts.

In the time since, I’ve become well-versed in every bit of open source code TC has to offer, especially its Circom circuits and smart contracts. I’ve been picking away at a contribution toward the circuit documentation bounty, though for a few weeks now I’ve had to put my full focus toward my grant work.

My primary contribution to TC to date has been my participation in the Discord server. I provide support where I can, and try to keep a handle on the constant cycle of scammers that the server deals with.

In terms of how I might contribute toward TC as a multisig signer, I think that I have something to offer in terms of a broad knowledge-base when it comes to decision-making, as a moderating influence (being a very moderate person), and as someone with a solid background in community management and governance.

I would strongly echo @ethdev’s sentiments regarding transparency. With respect, it has been my experience with that the community is often the last to know about important decisions being made. I try to follow TC’s goings-on with interest, but I sometimes find myself at a loss as to what’s actually happening in the project. A good amount of that is probably due to my infrequent binge-reads of this forum, but there have been some major developments that seemed to come out of nowhere fully built and decided.

Case in point - Nova. The first public mention of Nova on this forum seems to be the proposal to deploy it to mainnet.

I would encourage someone to disabuse me of this notion, but the sense I get is that there’s a small, somewhat secretive group of “core devs” quietly making decisions for the project, and open governance is only used when the smart contracts need upgrading or funds need to be disbursed. I’m not actually entirely opposed to that being the case, but it would be beneficial to make that council-esque project governance structure more transparent.

Insofar as being a multisig signer would make me privy to such workings, I would be advocating for lifting the veil somewhat on private discussions, documenting the governance process more, and funding work to make the project more accessible to contributions from outside of that core group.

On the note of transparency, I’ll also mention that despite my passion for privacy, I made a decision early on that I’d make my crypto contributions under my real identity, for better or worse. I’m pretty fully doxxed with the Ethereum Foundation, and since I imagine that part of the trust involved in being involved in the multisig is that we need to know that signers are distinct people, and are traceable in the case of misconduct, that’s perhaps something in my favour.

If anyone has any questions of me, please ask. I’m happy to answer.


Hello FrozenFire,

I would like to respond to this particular point. Nova’s features (arbitrary amounts & shielded transfers) were mentioned on the forum way before the deployment post. They were even the subject of one of our first posts on WUTornado Medium from the beginning of June (What’s Up Tornado — Buy the Rumors & the News…). We wrote this post after a screening of the main forum discussions. Our intention was to gather & share what could be read on the forum to keep the community as informed as possible.

I feel that the name “Nova” is just a way to market these features that were planned and (as far as I am concerned) well-welcomed by the community, it’s just a way to make a mark. It’s not because we never heard this name before that all these features came from nowhere.

We can just take a look to the two last proposals to see that anyone who wants to make a dev contribution to improve the project is more than welcome to do so. However, unfortunately, it’s a rare thing, not because it’s not possible, but because nobody wants to do it.

Without great step forwards such as Nova, the protocol will never concretely evolve and we would stagnate and pass by a lot of missed opportunities. I don’t see it as the result of a “secretive group of “core devs” quietly making decisions for the project” as you present it, but as improved versions of the protocol that are suggested by the core dev team to adapt the usage to the current need of the community.

I see these deployment ceremonies as ways to the dev team to present to the community features that were previously requested by community members. As they are add-ons & don’t impact at all current versions of TC, even if one member feel it could be useful to him/her, he/she can deploy it & use it on its own. It’s not about governance at all. In my opinion, transparency is absolutely not violated here.


While it may be easy to assume this upon hearing there are some forms of internal communication portals. The aim for these contact points is purely so signers can communicate privately to coordinate each actor’s signature for executions - and at times extends to discussions on governance, which I agree would be a good aspect to publicise, incubating more proactive and widespread discussions. Although, one could argue signers could be susceptible to victims of timed phishing attacks if signatory requests were public.

An aspiration of furthering the transparency of the inner-working of the role is something I’m fully supportive of. Tornado governance (and all decentralised protocols) de facto aspire to be “flat” organisations, shaping alignment towards that I would argue is more often than none, beneficial. The more potential exposure towards constructive and destructive feedback across all actors of the system, the better.

I propose signers should meet bi-weekly in a public channel on the discord for alignment, unveiling all discussions outside signatory requests and allowing the community to observe and pitch in on the conversations.

Skepticism should not be frowned upon, it can be easy to assume such a theory. I can only comment on my own opinion, I think there are no problems in original contributors of the protocol to propose or accelerate further iterations when it doesn’t particularly cause any breaking changes to the current instances of the protocol, here only an additional instance. Although the process wasn’t fully opaque, such as the official announcement of its development (teased and previewed more than once as @ayefda has stated). I’m sure there are reasons relative to the personal context of such contributors. That said, if the community did contest such a metaphorical iteration of the protocol (that was conflictual), I’m sure it would be easily boycotted and redacted eventually because of lack of demand.

There are aspects of the protocol such as development of the frontend that is managed internally and for what seems to be good-natured, at least right now. To offhand some responsibilities that could be orchestrated maliciously, only 1 year into the shaping of governance would seem inadequate (eg. phishing attacks). I hope they eventually can be or be abstracted entirely to the point where it is permissionless (in case non-minified open-source, ipfs hosting is already a great start).