Setting Up a THORChain Multisig

To instantiate, store and deploy contracts on Rujira, teams need to setup a multisig on THORChain. There are currently three ways to setup a multisig on THORChain:

DAODAO
Keplr Multisig
Thornode Multisig Key

1. DAODAO

The preferred option to setup a multisig is using daodao.zone because it let's teams not just sign off on transactions, but contains a whole library of actions that satisfy all the needs a decentralised team will ever need:

You can create a DAO on DAODAO using this link: https://daodao.zone/dao/create?chain=thorchain-1

2. Keplr Multisig

THORChain is available on Keplr Wallet and hence Keplr Multisig, allowing teams to create simple multisigs to sign off on THORChain transactions:

You can create a Keplr Multisig using this link: https://multisig.keplr.app/account/register/create

Consider using only individual Keplr wallets that are connected to Ledger hardware wallet to add an extra level of security to the Keplr Multisig.

3. Thornode Multisig Key

This guide walks you through the complete process of creating and using a multisig wallet on THORChain, including the installation of thornode, setting up the multisig key, generating and signing transactions, and finally broadcasting them.

This guide has been prepared with love by the AutoRujira team ❤️

Special Instructions for macOS Users

If you're on macOS, you may encounter issues with default versions of tools like awk, sed, and find, which are not GNU-compliant. To fix this:

Install the GNU versions of the required utilities using Homebrew:

brew install coreutils binutils diffutils findutils gnu-tar gnu-sed gawk grep make

Add the GNU versions to your PATH. Add the following lines to your shell config (~/.zshrc or ~/.bash_profile):

# GNU utils for macOS
export PATH="/usr/local/opt/coreutils/libexec/gnubin:$PATH"
export PATH="/usr/local/opt/findutils/libexec/gnubin:$PATH"
export PATH="/usr/local/opt/gnu-sed/libexec/gnubin:$PATH"
export PATH="/usr/local/opt/gawk/libexec/gnubin:$PATH"

Then run:

source ~/.zshrc  # or source ~/.bash_profile

Update Go to the required version (at least Go 1.23.4):

brew upgrade go

Verify with:

go version

Once all is set up, you're good to go with make install.

Prerequisites

Each member of the multisig must:

Have access to a local terminal.
Install thornode.
Share their public key with the group.
Be able to sign and submit transactions individually.

Step 1: Install `thornode`

Install the Thorchain CLI binary on your machine:

git clone https://gitlab.com/thorchain/thornode.git
cd thornode
TAG=mainnet make install

This installs the thornode binary in your $GOPATH/bin. Make sure it's in your system path.

Each participant should create a new key (if they don't already have one):

thornode keys add <your-key-name>

Then export your public key:

thornode keys show <your-key-name> -p

Share this public key with all other members.

To import a public key shared by another participant, use:

thornode keys add <other-key-name> --pubkey <their-public-key>

Once you have everyone's pubkeys imported, you can create the multisig key.

Step 3: Create the Multisig Key

Each participant must locally create the multisig key with the same set of public keys and threshold:

thornode keys add <multisig-key-name> --multisig=<comma-separated-pubkeys> --multisig-threshold=<N>

Example:

thornode keys add multisig-xx --multisig=pubkey1,pubkey2,pubkey3 --multisig-threshold=2

⚠️ This must be done identically by all participants.

Step 4: Generate the Transaction (Only Once)

One participant prepares a transaction to send 1 RUNE and exports it to JSON (leave some RUNE for paying the fee):

thornode tx bank send <multisig-key-name> <destination-address> 1000000000rune --generate-only --chain-id thorchain-1 > tx.json

This transaction file is then shared with all multisig participants.

Step 5: Each Participant Signs the Transaction

Each participant signs the transaction using their own key and the multisig key:

thornode tx sign tx.json \
  --from <your-key-name> \
  --multisig <multisig-key-name> \
  --node https://rpc.ninerealms.com:443 \
  --chain-id thorchain-1 \
  --output-document sig-<your-name>.json

Everyone sends their sig-<your-name>.json file to the coordinator.

Step 6: Combine Signatures and Broadcast

One person aggregates the signatures and broadcasts the final signed transaction:

thornode tx multi-sign tx.json <multisig-key-name> sig-1.json sig-2.json ... --chain-id thorchain-1 --node https://rpc.ninerealms.com:443 > signed.json

thornode tx broadcast signed.json --chain-id thorchain-1 --node https://rpc.ninerealms.com:443

Final Step: Test It

Once the multisig address is finalized and funded, you can test the setup by executing a multisig transaction that sends 1 RUNE to a known address as shown above.

Summary

Every member installs thornode, generates their key, and shares the pubkey.
All members must create the same multisig locally.
One person creates the transaction; everyone signs.
The final signed transaction is broadcast by one member.
The process ensures security and collective review before execution.

PreviousReview and Audit Guide NextMainnet Deployment Guide

Last updated 4 months ago