TRU Web3 Grant Proposal: Rootstock-Adapted Security Tooling
Project Name & Description
Project Name: Rootstock-Adapted Security Tooling for Timelock and Multisig Governance
Description: The TRU Web3 team proposes to design, open-source, and maintain two critical security tools for Rootstock protocols. These tools are: 1) a user-friendly front-end for OpenZeppelin’s TimelockController adapted to Rootstock and 2) a multisig transaction-verification tool that decodes calldata and checks signer thresholds. Both will be open-source, network-agnostic, and compatible with Rootstock mainnet (Chain ID 30) and testnet (Chain ID 31).
Team Background
Team: TRU Web3 team (led by David Felipe Carvajal, CTO/Lead Engineer, and Damián Silva, Lead Strategist/Community).
Relevant Expertise: The team combines deep technical development with targeted community strategy for Rootstock adoption.
David Carvajal (Technical Lead): The team lead, David Felipe Carvajal, is a Blockchain Infrastructure Engineer with over 6 years of blockchain experience. He currently serves as CTO at Tropykus Finance and has technical depth in full-stack blockchain infrastructure, including Solidity, microservices, and user interfaces.
Damián Silva (Strategy & Adoption Lead): Strong background in community management, having served as Community Lead at Tropykus, an Ambassador for Rootstock, and Community Manager for RootstockCollective. His expertise as a Content Strategist and certification in UX for DeFi ensure the tools are user-friendly, well-documented, and successfully adopted, directly supporting the project’s documentation and training deliverables.
Total Grant Amount
Total Requested: $9,900
Requesting for Milestone 1: $800 (20% of the $4,000 Engineering budget for Design & Architecture).
Budget Breakdown (Items):
Engineering (core development): $4,000
Documentation & Community Engagement: $500
Maintenance and support (12 months): $3,600 (USD 300 a month)
Marketing and training: $1,900
Timeline
The total development and launch period is 10 weeks, followed by a 12-month maintenance contract.
Milestones & Deliverables (KPIs)
Milestone 1: Phase 1 - Design & Architecture (2 weeks)
Key Deliverables: Finalize user stories and UI mock-ups; define interfaces and Rootstock specifics; publish architectural diagram.
Acceptance Criteria (KPI): Approval by Rootstock security reviewers.
Key Deliverables: Implement signer/quorum retrieval and decoding; integrate risk flags; release CLI & extension tool.
Acceptance Criteria (KPI): Verifies transactions on Rootstock multisig wallets (Safe or custom), identifies high-risk functions, and produces signed reports.
Phase 4 - Documentation & Launch (2 weeks)
Key Deliverables: Finalize docs, tutorials, and demo; deploy demo dApp; host community workshop.
Acceptance Criteria (KPI): Documentation published, community feedback session completed.
Technical Specs
Front-end: NextJS/TypeScript application using Ethers.js, adapted for Rootstock (Chain IDs 30/31).
Back-end: NextJS service.
Dependencies: OpenZeppelin Contracts for ABI definitions (TimelockController, Multisig, ERC-1967). Optional integration with OpenZeppelin Defender.
Rootstock Specifics: Connect to public Rootstock RPC endpoints. Configurable Chain ID, RPC URL, block confirmation depth (e.g., waiting for two blocks given the ~33 s block time), and gas price display in RBTC.
Timelock UI (Tool A) Features: Display operation lifecycle (Waiting, Ready, Done), function decoding and parameter preview, delay visualization, role-aware views, and audit logs with explorer integration.
Multisig Tool (Tool B) Features: Calldata decoding (target contract, function, parameters, value), and identification of high-privilege functions such as upgradeTo, upgradeToAndCall, and transferOwnership.
Value Proposition for Rootstock
The tools directly address the main causes of Web3 losses in the first half of 2025: multisig wallet mismanagement and UI tampering.
Mitigate Security Risks: Aims for zero major incidents attributable to UI manipulation or signer mismanagement within one year of deployment.
Prevent UI Tampering: Provides an independent verification tool to decode transactions, reducing reliance on front-ends, and mitigating the risk of Bybit-style UI compromises.
Improve Governance Safety: The Timelock UI enforces a delay for review so users can cancel proposals, mitigating risks like the Beanstalk flash-loan exploit.
Increase Efficiency: Aims to reduce average time signers spend reviewing transactions by 30% through user-friendly UI and decoding.
Adoption: Targets 50% of Rootstock multisig transactions being validated via an ecosystem poll within six months.
Demo and GitHub repo
GitHub Repo: All code will be open-source under MIT or Apache-2.0 license. Repositories will be hosted on GitHub under the Rootstock collective organisation.
Demo dApp: A demo dApp will be created as a deliverable to showcase the usage of both tools.
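As an added illustration of the Tool B features described in the proposal above (calldata decoding, high-privilege function flags, signer-threshold checks), the following TypeScript is editor-written example code, not code from the TRU Web3 proposal or its repositories. It works on calldata as a hex string (the form a Safe transaction exposes), hard-codes the public 4-byte selectors for the functions the proposal names (grantRole, revokeRole and ERC-20 transfer are added here for contrast), and runs on constructed sample calldata; decodeCalldata, checkThreshold and the sample addresses are hypothetical names.

```typescript
// Editor-added example, not code from the TRU Web3 proposal or its repositories.
// Decodes multisig (e.g. Safe) transaction calldata far enough to name the target
// function, recover its parameters and flag high-privilege calls. It works on hex
// strings only (no ethers.js), so 4-byte selectors are hard-coded rather than
// derived from keccak256(signature).

type ParamType = "address" | "bytes32" | "uint256" | "bytes";
type Risk = "high" | "normal" | "unknown";
interface AbiEntry { sig: string; params: ParamType[]; names: string[]; risk: Risk }

// Public OpenZeppelin / ERC-20 selectors. upgradeTo, upgradeToAndCall and
// transferOwnership are the functions the proposal names; grantRole, revokeRole
// and transfer are added here for contrast (editor's assumption).
const KNOWN_FUNCTIONS: Record<string, AbiEntry> = {
  "3659cfe6": { sig: "upgradeTo(address)", params: ["address"], names: ["newImplementation"], risk: "high" },
  "4f1ef286": { sig: "upgradeToAndCall(address,bytes)", params: ["address", "bytes"], names: ["newImplementation", "data"], risk: "high" },
  "f2fde38b": { sig: "transferOwnership(address)", params: ["address"], names: ["newOwner"], risk: "high" },
  "2f2ff15d": { sig: "grantRole(bytes32,address)", params: ["bytes32", "address"], names: ["role", "account"], risk: "high" },
  "d547741f": { sig: "revokeRole(bytes32,address)", params: ["bytes32", "address"], names: ["role", "account"], risk: "high" },
  "a9059cbb": { sig: "transfer(address,uint256)", params: ["address", "uint256"], names: ["to", "amount"], risk: "normal" },
};

interface DecodedCall { selector: string; signature: string; args: Record<string, string>; risk: Risk; warnings: string[] }

const strip = (h: string) => h.replace(/^0x/i, "").toLowerCase();

// i-th 32-byte word of the argument area (hex after the selector); throws on truncation
function wordAt(args: string, i: number, what: string): string {
  const w = args.slice(64 * i, 64 * i + 64);
  if (w.length < 64) throw new Error(`calldata too short for ${what}`);
  return w;
}

function decodeCalldata(calldata: string): DecodedCall {
  const data = strip(calldata);
  if (data.length < 8 || data.length % 2 !== 0) throw new Error("calldata is not a whole 4-byte selector");
  const selector = data.slice(0, 8);
  const args = data.slice(8);
  const entry = KNOWN_FUNCTIONS[selector];
  if (!entry) {
    return { selector, signature: "unknown", args: {}, risk: "unknown",
      warnings: ["selector not in the ABI set: fetch the target's verified ABI before signing"] };
  }
  const warnings: string[] = [];
  if (args.length % 64 !== 0) warnings.push("argument area is not 32-byte aligned: malformed or padded calldata");
  const out: Record<string, string> = {};
  entry.params.forEach((type, i) => {
    const name = entry.names[i];
    const head = wordAt(args, i, name);
    if (type === "address") {
      if (!/^0{24}/.test(head)) warnings.push(`${name}: non-zero padding in address word`);
      out[name] = "0x" + head.slice(24);
    } else if (type === "bytes32") {
      out[name] = "0x" + head;
    } else if (type === "uint256") {
      out[name] = BigInt("0x" + head).toString();
    } else {
      // dynamic bytes: the head word is the byte offset of [length][payload] from the start of args
      const off = Number(BigInt("0x" + head)) * 2;
      const lenWord = args.slice(off, off + 64);
      if (lenWord.length < 64) throw new Error(`${name}: offset points past the end of calldata`);
      const len = Number(BigInt("0x" + lenWord)) * 2;
      const payload = args.slice(off + 64, off + 64 + len);
      if (payload.length !== len) throw new Error(`${name}: dynamic bytes extend past the end of calldata`);
      out[name] = "0x" + payload;
      if (len >= 8) { // upgradeToAndCall runs this payload on the new implementation via delegatecall
        const inner = KNOWN_FUNCTIONS[payload.slice(0, 8)];
        warnings.push(`${name}: payload calls ${inner ? inner.sig : "unknown selector 0x" + payload.slice(0, 8)} via delegatecall on the new implementation`);
      }
    }
  });
  return { selector, signature: entry.sig, args: out, risk: entry.risk, warnings };
}

// Signer-threshold check: each owner counts once; confirmations from non-owners are reported and ignored.
function checkThreshold(owners: string[], threshold: number, confirmations: string[]) {
  const ownerSet = new Set(owners.map(strip));
  const counted = new Set<string>();
  const ignored: string[] = [];
  for (const c of confirmations) {
    if (ownerSet.has(strip(c))) counted.add(strip(c)); else ignored.push(c);
  }
  return { satisfied: counted.size >= threshold, valid: counted.size, ignored };
}

// Constructed sample (not a real transaction): upgradeToAndCall(IMPL, transferOwnership(ATTACKER)).
const pad = (h: string) => h.padStart(64, "0");
const IMPL = "1111111111111111111111111111111111111111";
const ATTACKER = "2222222222222222222222222222222222222222";
const innerCall = "f2fde38b" + pad(ATTACKER); // 36 bytes = 0x24
const SAMPLE_CALLDATA = "0x4f1ef286" + pad(IMPL) + pad("40") + pad("24") + innerCall.padEnd(128, "0");

console.log(decodeCalldata(SAMPLE_CALLDATA));
console.log(checkThreshold(["0x" + "a".repeat(40), "0x" + "b".repeat(40)], 2, ["0x" + "A".repeat(40)]));
```

The nested-payload warning is the part worth keeping in a real tool: an upgradeToAndCall whose data is itself a privileged call is exactly what a raw "upgrade" label in a front-end would hide from a signer.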
Timelock and multisig tools are definitely valuable for strengthening governance safety on Rootstock. Good to see experienced builders from the ecosystem working on something practical like this. Curious to see how the first version turns out and how it connects with existing Safe workflows.
Sure!
Our budget of $4,000 USD for Engineering is set to pay a part time engineer during 12 weeks.
Milestone 2 (Development) will use $1600 of that budget
Milestone 3 (Multisig Verification tool) $800
Milestone 4 (Documentation and launch) $400
This is looking like a low-value, low-risk funding request, to add two fundamental features to the ecosystem: multisig and timelock, which may suit well with Rootstock’s Bitcoin-centric approach, for applications like multisig security, family and inheritance setups, etc.
I’ll keep an eye on how the discussions can further expand here, but other than that I’d be satisfied and ready for this to move forward.
Enhancing security is essential for strong governance on Rootstock. While Rootstock already relies on Safe multisig and timelock mechanisms, continuously improving security remains critical to protect the ecosystem and maintain trust.
Does the team plan to conduct an external, third-party security audit alongside internal Rootstock security reviews during deployment?
Hi! The core modifications on the OZ tools will be limited. We think that a security review from the Rootstock team will suffice.
If a third party audit is required we would have to adjust the budget
I’m in favor of this proposal. It’s a very interesting initiative — having these timelock and multisig security tools deployed and ready to use on Rootstock would be great for the ecosystem. The sooner they’re available, the better.
Hi @dacarva Thanks for this proposal. Happy to see governance security enhancements. Can you please explain what you will use the marketing budget for? Also, will you request additional funding for maintenance and support after 12 months?
Rootstock Timelock Management App: Phase I Completion Report
Date: November 2025
Project: Rootstock Timelock Management App
Phase: Specification and Architectural Finalization
Key Deliverable Status: COMPLETE
Executive Summary
The initial planning phase for the Rootstock Timelock Management App is successfully complete. We have finalized the core User Stories, defined the Interface Specifications, confirmed alignment with Rootstock’s Branding Guidelines, and published the comprehensive Architectural Diagrams.
The resulting technical specification is a hybrid model, extending the robust OpenZeppelin Access Manager Explorer to integrate TimelockController functionality. This app will serve as the essential tool for decentralized autonomous organizations (DAOs) and multi-signature groups operating on the Rootstock network, ensuring secure, transparent, and delay-enforced transaction management.
The critical security requirement—the need for accurate Application Binary Interfaces (ABIs) for encoding and decoding—has been prioritized and solved with a resilient, proxy-aware resolution strategy.
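As an added illustration of the proxy-aware ABI resolution the report above mentions, the following TypeScript is editor-written example code, not code from the Rootstock Timelock Management App. It follows ERC-1967 proxies (implementation slot, then beacon slot) to the contract whose ABI actually decodes a call, guards against cycles and over-long chains, and re-checks the resolved implementation before signing. The ChainReader interface, resolveImplementation, verifyPinned and the constructed storage map are hypothetical names; the slot constants and the implementation() selector are the public ERC-1967 / OpenZeppelin values.

```typescript
// Editor-added example, not code from the Rootstock Timelock Management App.
// Decides whose ABI decodes a call by following ERC-1967 proxies (implementation
// slot, then beacon slot) until a non-proxy contract is reached, with cycle and
// depth guards. The reader is synchronous and fed from constructed storage so the
// example runs offline; in the app it would wrap provider.getStorage / provider.call.

// keccak256("eip1967.proxy.implementation") - 1 and keccak256("eip1967.proxy.beacon") - 1
const IMPLEMENTATION_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc";
const BEACON_SLOT = "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50";
const IMPLEMENTATION_CALL = "0x5c60da1b"; // selector of implementation() on a beacon

interface ChainReader {
  getStorage(address: string, slot: string): string; // 32-byte word, as eth_getStorageAt returns it
  call(address: string, data: string): string;       // raw return data, as eth_call returns it
}

interface Resolution {
  proxy: string;                       // address the timelock/multisig transaction targets
  kind: "erc1967" | "beacon" | "none"; // how the first hop was resolved
  implementation: string;              // address whose ABI decodes the calldata
  chain: string[];                     // every hop, for the audit log
}

// A storage word holding an address must be zero in its upper 12 bytes
function wordToAddress(word: string): string | null {
  const w = word.replace(/^0x/i, "").toLowerCase().padStart(64, "0");
  if (/^0+$/.test(w)) return null;
  if (!/^0{24}/.test(w)) throw new Error(`${word} is not a left-padded address`);
  return "0x" + w.slice(24);
}

function resolveImplementation(reader: ChainReader, target: string, maxHops = 4): Resolution {
  const chain = [target.toLowerCase()];
  let kind: Resolution["kind"] = "none";
  let settled = false;
  for (let hop = 0; hop < maxHops && !settled; hop++) {
    const current = chain[chain.length - 1];
    let next = wordToAddress(reader.getStorage(current, IMPLEMENTATION_SLOT));
    let hopKind: Resolution["kind"] = "erc1967";
    if (!next) {
      const beacon = wordToAddress(reader.getStorage(current, BEACON_SLOT));
      if (!beacon) { settled = true; break; } // plain contract: its own ABI applies
      next = wordToAddress(reader.call(beacon, IMPLEMENTATION_CALL));
      if (!next) throw new Error(`beacon ${beacon} returned no implementation`);
      hopKind = "beacon";
    }
    if (hop === 0) kind = hopKind;
    if (chain.includes(next)) throw new Error(`proxy cycle: ${[...chain, next].join(" -> ")}`);
    chain.push(next); // an implementation can itself be a proxy, so keep following
  }
  if (!settled) throw new Error(`proxy chain longer than ${maxHops} hops; refusing to guess an ABI`);
  return { proxy: chain[0], kind, implementation: chain[chain.length - 1], chain };
}

// Re-resolve right before signing: if the implementation moved since the calldata was
// decoded and reviewed, the reviewed meaning is stale and the signature must not be given.
function verifyPinned(reader: ChainReader, pinned: Resolution): { ok: boolean; now: string } {
  const now = resolveImplementation(reader, pinned.proxy).implementation;
  return { ok: now === pinned.implementation, now };
}

// Constructed chain state (not real Rootstock addresses): A is an ERC-1967 proxy to B,
// C is a beacon proxy whose beacon D serves E, F is a plain contract, 9 points at itself.
const addr = (nibble: string) => "0x" + nibble.repeat(40);
const word = (address: string) => "0x" + address.slice(2).padStart(64, "0");
const ZERO_WORD = "0x" + "0".repeat(64);
const storage: Record<string, Record<string, string>> = {
  [addr("a")]: { [IMPLEMENTATION_SLOT]: word(addr("b")) },
  [addr("c")]: { [BEACON_SLOT]: word(addr("d")) },
  [addr("9")]: { [IMPLEMENTATION_SLOT]: word(addr("9")) },
};
const beacons: Record<string, string> = { [addr("d")]: word(addr("e")) };
const sampleReader: ChainReader = {
  getStorage: (a, s) => storage[a.toLowerCase()]?.[s] ?? ZERO_WORD,
  call: (a, data) => (data === IMPLEMENTATION_CALL ? beacons[a.toLowerCase()] : undefined) ?? "0x",
};

const pinned = resolveImplementation(sampleReader, addr("a"));
console.log(pinned, verifyPinned(sampleReader, pinned));
```

The point of keeping the whole chain rather than just the final address is that the audit log can show a signer which contract their decoded view came from, and verifyPinned turns "the implementation changed while the proposal sat in the timelock" into a hard refusal instead of a silently wrong decode.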
@dacarva we noticed the grant requests are following this structure (which we support and think makes sense):
But where would this budget fit into? Are you planning to request additional funds besides the $3600 for engineering? Or the funds would come from somewhere else?
Also, we noticed the design document has been largely written with the use of AI tools.
Are you also planning to use AI tools for development and documentation writing?
Hi! This 1600 USDRIF budget is part of the $3600 USD allocation for engineering. We are not requesting any additional funding.
The document was written as a formal report using AI, led by a process of Requirements Engineering and design.
We are using AI to speed up the coding process, especially in terms of frontend engineering, but we are being very careful that each task is reviewed and tested before proceeding to the next one.
Sorry for being late on reviewing your deliverable for your grant’s milestone 1.
The Key Performance Indicator (KPI) for this phase—Approval by Rootstock security reviewers—has been satisfied by the detailed documentation of security-critical flows:
Where was this KPI defined and did review and approval by “Rootstock security reviewers” happen?
Milestone 1 deliverables appear sound and meet expectations, although there is concern about the heavy use of AI to create them.
It appears that taking Milestone 2 to a vote right now may be premature (although the vote may very likely pass!) The reason being that since a TimelockController and a Multisig transaction verification tool would become core components of Rootstock’s governance infrastructure, it is critical that RLabs is involved in the technical review.
Apologies in advance if there was any communication lapse between you and the Collective regarding the timing and expectations for Milestone 2. At this point, as far as I know, Rootstock Labs has not confirmed whether they will be able to serve in this technical-reviewer capacity. @tobyj @tamlerner
On a final note, can you please respond to our earlier question here about what you intend to use the marketing budget for?
Thanks for understanding. Looking forward to further clarity around the technical review of your deliverables by Rootstock Labs.
We voted against the milestone 2 proposal as stated in our delegate thread below. We hope the team will address the questions from the delegates and tackle the upcoming milestones incorporating the feedback.
We are pleased to share with you the alpha version of the product. There is still some work to do on documentation improvement, but this is a fully functional product using The Graph for mainnet and testnet:
Hi @dacarva, thanks for sharing the alpha version; it’s good to see the project moving to a functional product. As you can see, we have voted FOR both milestone 1 and milestone 2. However, we expect the next phase to strictly prioritize the quality control issues and the suggested technical reviews (regarding the AI-generated documentation errors for governance tools). We want to see this succeed, but please ensure the written deliverables match the standard of the software going forward.
Thanks @dacarva for providing the alpha version of the product. It’s great to see the development in progress as planned.
At a quick glance, the alpha app works well in the UI. We have two requests:
Would you provide a comprehensive walkthrough of how it can be tested? We see some operations in queue in the explorer, but we would like to try it out by ourselves.
Would you provide the test coverage report as you promised 85% coverage at the completion of the milestone 2 as below?