Lately, I’ve been looking into a protocol that needs to upgrade its multi-signature, and a bunch of people in the group are asking, “Is it reliable?”


I’m not an expert either, so I follow my detective instincts and check three things: GitHub, audit reports, and how the multi-signature is being changed.

I don’t look at the star count on GitHub; mainly I check if the commits are maintained by someone long-term, if the key changes have proper explanations, and if issues are responded to. I get a bit wary of those who only push a bunch of code right before a major release.

For audit reports, don’t just look at the cover that says “Audited.” I care more about whether high-risk issues have been fixed, if the fixes have been verified twice, and whether the scope of the audit excluded the most vulnerable modules… Basically, reports are meant to find what was missed and whether the fixes are superficial.

Upgrading multi-signature is even more practical: who the signers are, whether they are independent, what the thresholds are, whether there’s a timelock, and whether there’s an open change process. Recently, cross-chain bridges have been hacked again, and people are back to a “waiting for confirmation” consensus. I now prefer to be a bit slower; at least I want to see changes traceable on-chain. Otherwise, it’s just praying.