[2510 Grant] Timelock and Multisig Governance tool for Rootstock

TRU Web3 Grant Proposal: Rootstock-Adapted Security Tooling

Project Name & Description

Section | Details
Project Name | Rootstock-Adapted Security Tooling for Timelock and Multisig Governance
Description | The TRU Web3 team proposes to design, open-source, and maintain two critical security tools for Rootstock protocols. These tools are: 1) a user-friendly front-end for OpenZeppelin’s TimelockController adapted to Rootstock and 2) a multisig transaction-verification tool that decodes calldata and checks signer thresholds. Both will be open-source, network-agnostic, and compatible with Rootstock mainnet (Chain ID 30) and testnet (Chain ID 31).

Team Background

Section | Details
Team | TRU Web3 team (led by David Felipe Carvajal, CTO/Lead Engineer, and Damián Silva, Lead Strategist/Community).
Relevant Expertise | The team combines deep technical development with targeted community strategy for Rootstock adoption: David Carvajal (Technical Lead): The team lead, David Felipe Carvajal, is a Blockchain Infrastructure Engineer with over 6 years of blockchain experience. Currently he serves as CTO at Tropykus Finance. Technical depth in full-stack blockchain infrastructure, including Solidity microservices, and user interfaces. Damián Silva (Strategy & Adoption Lead): Strong background in community management, having served as Community Lead at Tropykus, an Ambassador for Rootstock, and Community Manager for RootstockCollective. His expertise as a Content Strategist and certification in UX for DeFi ensures the tools are user-friendly, well-documented, and successfully adopted, directly supporting the project’s documentation and training deliverables.

Total Grant Amount

Section | Details
Total Requested | $9,900
Requesting for Milestone 1 | $800 (20% of the $4,000 Engineering budget for Design & Architecture).
Budget Breakdown (Items) | Engineering (core development): $4,000; Documentation & Community Engagement: $500; Maintenance and support (12 months): $3,600 (USD 300 a month); Marketing and training: $1,900

Timeline

The total development and launch period is 10 weeks, followed by a 12-month maintenance contract.

Milestones & Deliverables (KPIs)

Milestone/Phase | Duration | Key Deliverables & Acceptance Criteria (KPIs)
Milestone 1: Phase 1 - Design & Architecture | 2 weeks | Key Deliverables: Finalize user stories and UI mock-ups; define interfaces and Rootstock specifics; publish architectural diagram. Acceptance Criteria (KPI): Approval by Rootstock security reviewers.
Milestone 2: Phase 2 - Timelock UI Development | 4 weeks | Key Deliverables: Implement core UI functions (queue/execute/cancel, decoding, delay visualization); integrate simulation and EIP-712 signing; deliver beta. Acceptance Criteria (KPI): Automated tests (85% pass coverage); operations correctly scheduled and executed on Rootstock testnet.
Milestone 3: Phase 3 - Multisig Verification Tool | 2 weeks | Key Deliverables: Implement signer/quorum retrieval and decoding; integrate risk flags; release CLI & extension tool. Acceptance Criteria (KPI): Verifies transactions on Rootstock multisig wallets (Safe or custom), identifies high-risk functions, and produces signed reports.
Phase 4 - Documentation & Launch | 2 weeks | Key Deliverables: Finalize docs, tutorials, and demo; deploy demo dApp; host community workshop. Acceptance Criteria (KPI): Documentation published, community feedback session completed.

Technical Specs

Component | Details
Front-end | NextJS/TypeScript application using Ethers.js, adapted for Rootstock (Chain IDs 30/31).
Back-end | NextJS service.
Dependencies | OpenZeppelin Contracts for ABI definitions (TimelockController, Multisig, ERC-1967). Optional integration with OpenZeppelin Defender.
Rootstock Specifics | Connect to public Rootstock RPC endpoints. Configurable Chain ID, RPC URL, block confirmation depth (e.g., waiting for two blocks given $\sim33$ s block time), and gas price display in RBTC.
Timelock UI (Tool A) Features | Display operation lifecycle (Waiting, Ready, Done), function decoding and parameter preview, delay visualization, role-aware views, and audit logs with explorer integration.
Multisig Tool (Tool B) Features | Calldata decoding (target contract, function, parameters, value), and identification of high-privilege functions such as upgradeTo, upgradeToAndCall, and transferOwnership.

Value Proposition for Rootstock

The tools directly address the main causes of Web3 losses in the first half of 2025: multisig wallet mismanagement and UI tampering.

  • Mitigate Security Risks: Aims for zero major incidents attributable to UI manipulation or signer mismanagement within one year of deployment.
  • Prevent UI Tampering: Provides an independent verification tool to decode transactions, reducing reliance on front-ends, and mitigating the risk of Bybit-style UI compromises.
  • Improve Governance Safety: The Timelock UI enforces a delay for review so users can cancel proposals, mitigating risks like the Beanstalk flash-loan exploit.
  • Increase Efficiency: Aims to reduce average time signers spend reviewing transactions by 30% through user-friendly UI and decoding.
  • Adoption: Targets 50% of Rootstock multisig transactions being validated via an ecosystem poll within six months.

Demo and GitHub repo

Component | Details
GitHub Repo | All code will be open-source under MIT or Apache-2.0 license. Repositories will be hosted on GitHub under the Rootstock collective organisation.
Demo dApp | A demo dApp will be created as a deliverable to showcase the usage of both tools.

Video Pitch

https://youtu.be/bd9aKZk-gKA

6 Likes
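
The calldata check listed for the multisig tool (Tool B) in the proposal above, sketched as an added example that is not the TRU Web3 team's code: it flags the three high-privilege functions the proposal names and reports malformed ABI encoding instead of guessing. The names `reviewCalldata`, `Review` and `SAMPLE_TRANSFER` are hypothetical, and the 4-byte selectors are hardcoded so the block runs without Ethers.js.

```typescript
// Added example. Selectors = first 4 bytes of keccak256(signature), hardcoded.
const HIGH_PRIVILEGE: Record<string, string> = {
  "3659cfe6": "upgradeTo(address)",
  "4f1ef286": "upgradeToAndCall(address,bytes)",
  "f2fde38b": "transferOwnership(address)",
};

interface Review {
  selector: string;
  fn: string | null;        // null when the selector is not in the table
  highRisk: boolean;
  target: string | null;    // decoded address argument
  innerCall: string | null; // bytes argument of upgradeToAndCall
  problems: string[];       // malformed-encoding findings
}

// Constructed sample: transferOwnership(0x1111...1111)
const SAMPLE_TRANSFER = "0xf2fde38b" + "000000000000000000000000" +
  "1111111111111111111111111111111111111111";

function reviewCalldata(calldata: string): Review {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const r: Review = { selector: "", fn: null, highRisk: false,
                      target: null, innerCall: null, problems: [] };
  const fail = (msg: string): Review => { r.problems.push(msg); return r; };
  if (!/^([0-9a-f]{2})*$/.test(hex)) return fail("not valid hex");
  if (hex.length < 8) return fail("no function selector");
  r.selector = "0x" + hex.slice(0, 8);
  const fn = HIGH_PRIVILEGE[hex.slice(0, 8)];
  if (!fn) return r; // not in the table: unflagged, which is not the same as safe
  r.fn = fn;
  r.highRisk = true;
  const args = hex.slice(8);
  const addr = args.slice(0, 64);
  if (addr.length !== 64) return fail("truncated address argument");
  if (!/^0{24}/.test(addr)) r.problems.push("non-zero padding in address word");
  r.target = "0x" + addr.slice(24);
  if (r.selector === "0x4f1ef286") {
    const off = args.slice(64, 128);
    if (!/^0{56}[0-9a-f]{8}$/.test(off)) return fail("bad bytes offset");
    const start = parseInt(off, 16) * 2; // byte offset -> hex-char offset
    const len = args.slice(start, start + 64);
    if (!/^0{56}[0-9a-f]{8}$/.test(len)) return fail("bad bytes length");
    const n = parseInt(len, 16) * 2;
    const data = args.slice(start + 64, start + 64 + n);
    if (data.length !== n) return fail("truncated bytes argument");
    r.innerCall = "0x" + data;
  }
  return r;
}
```

A signer would compare `target` and `innerCall` against what the proposing front-end displayed; any entry in `problems` is a reason to stop and re-derive the transaction.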

Great initiative @dacarva

Timelock and multisig tools are definitely valuable for strengthening governance safety on Rootstock. Good to see experienced builders from the ecosystem working on something practical like this. Curious to see how the first version turns out and how it connects with existing Safe workflows.

2 Likes

Definitely two good resources that fit nicely with Rootstock’s Bitcoin-centric appeal.

Could you outline the values for Milestones 2 onwards as well?

1 Like

Thanks for the feedback!
The whole idea is to mix two products. One of them is the Safe Hashes Tool (already deployed by ourselves) https://safe-utils--safe-utils-rsk.us-central1.hosted.app/

And the other one is the timelock app (OpenZeppelin - Access Manager Explorer)

By combining their features we can create an integral security suite.

1 Like

Sure!
Our budget of $4,000 USD for Engineering is set to pay a part-time engineer for 12 weeks.
Milestone 2 (Development) will use $1600 of that budget
Milestone 3 (Multisig Verification tool) $800
Milestone 4 (Documentation and launch) $400

This is looking like a low-value, low-risk funding request, to add two fundamental features to the ecosystem: multisig and timelock, which may fit well with Rootstock’s Bitcoin-centric approach, for applications like multisig security, family and inheritance setups, etc.

I’ll keep an eye on how the discussions can further expand here, but other than that I’d be satisfied and ready for this to move forward.

1 Like

Enhancing security is essential for strong governance on Rootstock. While Rootstock already relies on Safe multisig and timelock mechanisms, continuously improving security remains critical to protect the ecosystem and maintain trust.

Does the team plan to conduct an external, third-party security audit alongside internal Rootstock security reviews during deployment?

Hi! The core modifications on the OZ tools will be limited. We think that a security review from the Rootstock team will suffice.
If a third-party audit is required, we would have to adjust the budget.

1 Like

Hey everyone!
Thanks for reviewing the proposal and for the feedback.
As a summary, we are going to build:

  1. A user-friendly front-end for OpenZeppelin’s TimelockController adapted to Rootstock and
  2. A multisig transaction-verification tool that decodes calldata and checks signer thresholds.

The total budget for this proposal is 9900 USDRIF

  • Engineering (core development): 4,000 USDRIF
  • Documentation & Community Engagement: 500 USDRIF
  • Maintenance and support (12 months): $3,600 (USDRIF 300 a month)
  • Marketing and training: 1,900 USDRIF

The engineering milestones are:

  • Milestone 1 (Design): 800 USDRIF
  • Milestone 2 (Development) 1600 USDRIF
  • Milestone 3 (Multisig Verification tool) 800 USDRIF
  • Milestone 4 (Documentation and launch) 400 USDRIF

With this we will open the onchain proposal for approval

3 Likes

I’m in favor of this proposal. It’s a very interesting initiative — having these timelock and multisig security tools deployed and ready to use on Rootstock would be great for the ecosystem. The sooner they’re available, the better.

Hi @dacarva Thanks for this proposal. Happy to see governance security enhancements. Can you please explain what you will use the marketing budget for? Also, will you request additional funding for maintenance and support after 12 months?