Hey @SEEDGov! Apologies for the slow reply - thanks for sharing your feedback!
I would like to start by saying that the guidelines shared above are not enforceable. The purpose of the guidelines is to provide a starting point for Token Program leads/proposal authors to reference when designing a program that may require a multisig. Program leads and proposal authors can choose to add additional layers of security depending on the amount that the multisig controls or the importance of the contract they are the admin of.
Good observation. We will reach out to our security advisors and ask for a list of hardware wallets.
We can add these two suggestions to the “For high-risk multisig, here are additional measure to consider:” list under the Signer Guidelines Checklist.
Agree. This is included under the Signer Guidelines Checklist.
Multisigs may have to change the number of signers for a variety of reasons throughout a program. We’ve added to the guidelines that any changes of multisig signers should be communicated publicly on the governance forum.
In addition, all multisig signers in relation to a Token Program will be contractually bound to deliver the scope of each Token Program through ZKGPS. The Token Assembly is allowed to “pull the plug” on a Token Program at any time by passing a TPP to remove the minter role from all relevant capped minters if they do not agree with the changes to a multisig.
In most cases, multisig signers for Token Programs will never have custody of minted tokens. Rather, they will be managing capped minter contracts / minting rights to capped minter contracts.