Custody 301 — Multisig, recovery, and the annual drill · Lesson 2 of 5

Multisig in practice — designs, signer sets, the 3-of-5 standard


On the XRP Ledger, multisig is a native protocol feature: a single account can be configured with a SignerList of up to 32 entries, each weighted, with a quorum required to sign any outgoing transaction. The Gopnik Academy issuer itself runs on a 3-of-5 multisig. This lesson teaches you how to set one up for your own holdings and which design choices matter.

The vocabulary you need

  • SignerList — the on-ledger object that defines who can sign for an account.
  • Signer entry — one address + a weight.
  • Quorum — the sum of weights that must be present for a transaction to authorise.
  • SignerListSet — the transaction that creates or updates the SignerList.
  • Multi-signed payment — a regular Payment whose signatures are an array, not a single field.

Once a SignerList is set, the master key can be disabled (AccountSet with asfDisableMaster). After that, only multi-signed transactions are accepted. This is the strong configuration — losing the master key by itself can't drain you because the master key isn't valid anymore.

The four designs you'll actually consider

1. 2-of-3 — solo high-net-worth. Three keys, you control all three but in different places. Example: hardware wallet A at home, hardware wallet B in a safe-deposit box, key shard C with a notary. You can sign any transaction with the two keys you can reach. Loss of any one key still permits operation. Two-step physical access required to sign — eliminates single-key compromise.

2. 3-of-5 — small business / family trust. Five keys held by five different people or vaults. Quorum of three. Tolerates two key losses (death, emigration, dispute) before recovery requires action. The Bitcoin community calls this the gold standard for long-term cold storage. This is the right default for most 301-tier holdings.

3. 2-of-2 with a recovery escape — paired-device daily wallet. Two keys, both required. One on your phone, one on a hardware wallet on your desk. Loss of either locks the wallet. Acceptable only if you also have a separate cold-storage backup of the same funds — otherwise one lost device is total loss.

4. 4-of-7 — institutional treasury. For corporate use: seven board members, four sign. Tolerates three losses or rogue actors. Slower to operate; you only do this if compliance demands it.

For most retail readers, the answer is 3-of-5. The rest of this lesson assumes you're building one.

Picking the five signers

Three constraints to satisfy when you choose:

  • No two signers should fail together. If two of your keys are both hardware wallets bought from the same vendor in the same batch, one vendor-supply-chain compromise hands an attacker two of the three signatures they need. Diversify vendors.
  • No two signers should be reachable through the same attack. All five keys at your house = one burglar takes everything. Three at your house + two off-site (safe-deposit box + trusted relative) breaks this.
  • At least one signer should be reachable in an emergency without travel. If all your signers require a flight to access, you can't respond to a hack in time. Keep one signer local but well-defended (sealed envelope inside a fireproof safe, etc.).

Common pattern: 2 hardware wallets at your residence, 1 in a bank safe-deposit box, 1 with a trusted relative (in another city), 1 with an attorney (with sealed instructions only to be opened on death or incapacity).

The on-ledger setup

Gopnik's /multisig/create flow walks you through it. The on-ledger transaction is:

{
  "TransactionType": "SignerListSet",
  "Account": "rYourMainAccount",
  "SignerQuorum": 3,
  "SignerEntries": [
    { "SignerEntry": { "Account": "rSigner1", "SignerWeight": 1 } },
    { "SignerEntry": { "Account": "rSigner2", "SignerWeight": 1 } },
    { "SignerEntry": { "Account": "rSigner3", "SignerWeight": 1 } },
    { "SignerEntry": { "Account": "rSigner4", "SignerWeight": 1 } },
    { "SignerEntry": { "Account": "rSigner5", "SignerWeight": 1 } }
  ]
}

After that lands, run a small test transaction (€10 send-and-return) with three of the signers. Then disable the master key. The order matters: never disable the master key before you've verified that the signers can actually move funds. The reverse order is one of the canonical ways to lock yourself out.
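Added example, not Gopnik's tooling or the ledger's own code: a Python sanity check that applies the ledger's quorum rule and the SignerListSet constraints to a planned list before you submit it, then measures the design against the signer-selection constraints above, including whether one failure domain (one house, one vendor batch) can take the quorum with it. The Signer dataclass, its domain field and the rSigner addresses are assumptions made up for this example.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Signer:
    account: str  # signer address (the ones below are constructed placeholders)
    weight: int   # SignerWeight
    domain: str   # failure domain: where or how the key is held

def authorises(quorum: int, signers: list[Signer], present: set[str]) -> bool:
    """Ledger rule: the weights of the signers present must sum to at least the quorum."""
    return sum(s.weight for s in signers if s.account in present) >= quorum

def validate_signer_list(account: str, quorum: int, signers: list[Signer]) -> list[str]:
    """Reasons the SignerListSet would be rejected on-ledger; an empty list means OK."""
    problems = []
    if not 1 <= len(signers) <= 32:  # ledger limit on SignerList entries
        problems.append("entry count must be between 1 and 32")
    if len({s.account for s in signers}) != len(signers):
        problems.append("duplicate signer address")
    if any(s.account == account for s in signers):
        problems.append("the account may not be in its own SignerList")
    if not 0 < quorum <= sum(s.weight for s in signers):
        problems.append("quorum must be positive and reachable by the total weight")
    return problems

def tolerances(quorum: int, signers: list[Signer]) -> tuple[int, int]:
    """(keys you can lose and still sign, keys an attacker can hold without being able to sign)."""
    accts = {s.account for s in signers}
    loss = max(k for k in range(len(accts) + 1) if all(
        authorises(quorum, signers, accts - set(c)) for c in combinations(accts, k)))
    comp = max(k for k in range(len(accts) + 1) if not any(
        authorises(quorum, signers, set(c)) for c in combinations(accts, k)))
    return loss, comp

def domain_exposure(quorum: int, signers: list[Signer]) -> dict[str, tuple[bool, bool]]:
    """Per domain: (still able to sign after losing every key in it, its keys alone reach quorum)."""
    accts = {s.account for s in signers}
    groups = {d: {s.account for s in signers if s.domain == d} for d in {s.domain for s in signers}}
    return {d: (authorises(quorum, signers, accts - g), authorises(quorum, signers, g))
            for d, g in groups.items()}

# Constructed signer sets: the lesson's common pattern (2 keys at home, 1 in a bank box,
# 1 with a relative, 1 with an attorney) and the anti-pattern of all five keys at home.
COMMON_PATTERN = [Signer("rSigner1", 1, "home"), Signer("rSigner2", 1, "home"),
                  Signer("rSigner3", 1, "bank-box"), Signer("rSigner4", 1, "relative"),
                  Signer("rSigner5", 1, "attorney")]
ALL_AT_HOME = [Signer(f"rSigner{i}", 1, "home") for i in range(1, 6)]
```

For the common pattern, tolerances(3, ...) is (2, 2) and the "home" domain reads (True, False): a burglary is survivable and the two home keys alone cannot sign; for ALL_AT_HOME the same domain reads (False, True), which is the one-burglar-takes-everything case.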

What multisig does NOT solve

Multisig solves single-key compromise and single-point-of-failure recovery. It does not solve:

  • A phishing site that asks you to sign a malicious transaction with three of your devices (you'd still authorise it).
  • A coercion scenario (the "$5 wrench attack") — if someone is in the room with you, multisig doesn't help.
  • Operational complacency — five keys held by five family members who all sign from the same Windows laptop are effectively 1-of-5: one compromised laptop exposes every key.

The next three lessons cover the things multisig leaves on the table.