Architecture
System Overview
Kleidi is built on top of Gnosis Safe, adding multiple layers of security through a guard contract and timelock. Each component works together to significantly increase the difficulty of being coerced into actions you don't want to take.
Core Components
1. Gnosis Safe Multisig
The foundation of Kleidi is a Gnosis Safe, a battle-tested multisig wallet that has secured hundreds of billions of dollars of cryptocurrency.
Role in Kleidi:
- Holds the signing keys (cold signers)
- Initiates timelocked transactions
- Can only make changes through the Guard
2. Guard Contract
The Guard restricts what the multisig can do, preventing it from undermining its own security.
Restrictions enforced:
- No atomic delegate calls
- No self-calls (prevents bypassing restrictions)
- Cannot rotate owners directly (must go through the timelock)
- Cannot add/remove modules (except through the timelock)
- Cannot disable the guard itself (except through the timelock)
Key Point: With the Guard active, it's impossible to remove security measures without a timelocked transaction.
3. Timelock
The Timelock is where your funds actually live. It enforces delays on all sensitive operations.
Features:
- Configurable delay between 1 and 30 days
- Proposal expiration
- Anyone can execute a transaction after the delay period
Security Model
Defense in Depth
Kleidi uses multiple overlapping security layers:
- Timelock delays all sensitive operations
- Guard prevents the Safe from removing security measures
Wrench Resistance
The key insight: Time is a security primitive.
For an attacker to succeed with a wrench attack, they must:
- Compromise your cold signing keys
- Force you to schedule a malicious transaction
- Prevent you from canceling it for the entire delay period
- Do all of this without being detected
This makes the attack impractical in most scenarios.
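The lifecycle implied by the Timelock features and the wrench-attack conditions above, as a small Python model added here for illustration; it is not Kleidi's contract code. The class and method names, the `expiration` window parameter, and the rule that only the Safe may cancel are assumptions of the model.

```python
from dataclasses import dataclass, field

DAY = 24 * 60 * 60
MIN_DELAY, MAX_DELAY = 1 * DAY, 30 * DAY  # delay bounds stated on this page


@dataclass
class TimelockModel:
    """Illustrative model of the proposal lifecycle (hypothetical names)."""
    safe: str        # the Safe initiates proposals; cancel-by-Safe is assumed
    delay: int       # seconds every proposal must wait
    expiration: int  # assumed: seconds a ready proposal stays executable
    ready_at: dict = field(default_factory=dict)  # id -> earliest execution time

    def __post_init__(self):
        if not MIN_DELAY <= self.delay <= MAX_DELAY:
            raise ValueError("delay must be between 1 and 30 days")

    def schedule(self, sender, proposal_id, now):
        if sender != self.safe:
            raise PermissionError("only the Safe can schedule")
        if proposal_id in self.ready_at:
            raise ValueError("already scheduled")
        self.ready_at[proposal_id] = now + self.delay

    def state(self, proposal_id, now):
        ready = self.ready_at.get(proposal_id)
        if ready is None:
            return "unknown"  # never scheduled, cancelled, or already executed
        if now < ready:
            return "waiting"
        return "ready" if now < ready + self.expiration else "expired"

    def cancel(self, sender, proposal_id):
        if sender != self.safe:
            raise PermissionError("only the Safe can cancel")
        del self.ready_at[proposal_id]  # KeyError if nothing is pending

    def execute(self, sender, proposal_id, now):
        # Any sender may execute; only the clock gates this call.
        status = self.state(proposal_id, now)
        if status != "ready":
            raise RuntimeError(f"cannot execute: proposal is {status}")
        del self.ready_at[proposal_id]
        return True


if __name__ == "__main__":
    t = TimelockModel(safe="safe", delay=7 * DAY, expiration=14 * DAY)
    t.schedule("safe", "coerced-transfer", now=0)
    print(t.state("coerced-transfer", now=3 * DAY))  # still inside the delay
```

In this model a coerced proposal only succeeds if nobody cancels it before `ready_at`, which is the window the wrench-attack conditions describe.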
Deployment
Kleidi wallets must be deployed through the InstanceDeployer contract to ensure atomic, secure setup.
The InstanceDeployer:
- Deploys a Timelock with your configuration
- Executes a Safe transaction that:
  - Initializes the Timelock
  - Adds the Guard
  - Adds the Timelock as a module
  - Removes the deployer as an owner
  - Sets your owners and threshold
After deployment, the InstanceDeployer has no permissions.
Trade-offs
Slower Operations
All sensitive operations require waiting for the timelock delay. This is a feature, not a bug—it's what provides security under duress.
Complexity
Kleidi is more complex than a simple multisig. Make sure you understand the system before using it with significant funds.
Simplicity
Kleidi keeps security simple with just two core components: Guard and Timelock. This simplicity makes the system easier to understand and reduces potential attack vectors.