Multisig & Treasury Management

Distribute signing authority, survive single failures, govern your treasury.

Why single-signer treasuries fail

A treasury controlled by one private key on one person's laptop is one phishing email away from being empty. It also creates a personal liability for that staff member and a governance problem for the organization. Multisig wallets solve both.

What a multisig actually is

A multisig (multi-signature) wallet is a smart contract that requires M out of N authorised signers to approve any outgoing transaction. The most popular implementation is Safe (formerly Gnosis Safe). Setup choices include 2-of-3, 3-of-5, 4-of-7, etc.

M too low → not much security upgrade over single-signer.
M too high → operationally painful, freezes if one signer is unreachable.
Sweet spot for small NGOs: 2-of-3 or 3-of-5 with geographically distributed signers.
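To make the "M too low / M too high" trade-off concrete, here is a small added calculation (not part of the original module) that estimates, for a given M-of-N setup, the chance an attacker can assemble a quorum versus the chance the organisation itself cannot. It assumes signers fail independently and uses illustrative per-signer probabilities (5% key compromise, 10% unreachable); those numbers are assumptions, not measurements.

```python
from math import comb
from typing import Dict, Iterable, Tuple

def at_least(n: int, k: int, p: float) -> float:
    """Probability that at least k of n independent events, each with probability p, occur."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def multisig_risk(m: int, n: int, p_compromise: float, p_unavailable: float) -> Tuple[float, float]:
    """Return (p_theft, p_freeze) for an M-of-N multisig.

    p_theft : at least M signer keys are compromised, so an attacker can reach quorum.
    p_freeze: at least N-M+1 signers are unreachable, so the NGO cannot reach quorum.
    Assumes independent signers; keys stored together or held by one person break
    that assumption and make p_theft far worse than this model suggests.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    p_theft = at_least(n, m, p_compromise)
    p_freeze = at_least(n, n - m + 1, p_unavailable)
    return p_theft, p_freeze

def compare(configs: Iterable[Tuple[int, int]],
            p_compromise: float = 0.05,
            p_unavailable: float = 0.10) -> Dict[str, Tuple[float, float]]:
    """Evaluate several M-of-N choices side by side (assumed illustrative probabilities)."""
    return {f"{m}-of-{n}": multisig_risk(m, n, p_compromise, p_unavailable) for m, n in configs}

def best_balanced(configs: Iterable[Tuple[int, int]], **kw) -> str:
    """Pick the setup whose worse risk (theft or freeze) is smallest."""
    results = compare(configs, **kw)
    return min(results, key=lambda name: max(results[name]))

if __name__ == "__main__":
    for name, (theft, freeze) in compare([(1, 1), (1, 3), (2, 3), (3, 3), (3, 5)]).items():
        print(f"{name:>6}: P(theft)={theft:.4f}  P(freeze)={freeze:.4f}")
    print("most balanced:", best_balanced([(1, 1), (1, 3), (2, 3), (3, 3), (3, 5)]))
```

Raising M drives the theft probability down and the freeze probability up; 2-of-3 and 3-of-5 sit where neither risk dominates, which is the "sweet spot" the text describes.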

Good signer hygiene

Each signer uses a separate hardware wallet.
Signers are on different physical devices and ideally different physical locations.
Signers verify transactions on their hardware wallet screen, not just on the laptop.
Signers communicate about transactions on a separate, E2EE channel (e.g. Signal group).

Roles and policies

Treat the multisig as a small piece of internal governance. Write down:

Who the signers are, and how they are appointed / removed.
What kinds of transactions are routine vs. require additional approval.
What documentation is required before signing (invoice, partner approval, board minute).
How a lost or compromised signer key is handled (rotate within X days).

Operational mistakes to avoid

Adding the founder as 5 of the 5 signers via 5 different "test" addresses.
Storing all signer hardware wallets in the same drawer.
Approving transactions in a public Telegram group.
Forgetting that the multisig contract itself is a piece of software — keep an eye on advisories from the vendor (Safe, etc.) and upgrade thoughtfully.

A well-configured 2-of-3 multisig with hardware-backed signers, across different staff and locations, is one of the highest-leverage controls a Web3-active NGO can adopt.