Custody & multisig
YLDX's cold treasury is engineered for zero single point of failure. No individual — and no machine — can move treasury funds alone.
Cold treasury structure
The treasury is held across 5 sector-based multisig vaults:
| Vault | Purpose |
|---|---|
governance_treasury | DAO-controlled treasury (the locked 20% / 200M YLDX) |
yldx_core | Core protocol operating treasury |
liquidnow | Liquidity provision sector |
moonrock_capital | CEX/routing sector (L2) |
lifeyield | RWA / LifeYield sector |
Each vault is segregated by function, so a problem in one sector cannot drain another.
Signing policy
| Parameter | Value |
|---|---|
| Threshold | 4-of-6 signatures required |
| Time-lock | 24 hours on cold-wallet movements |
| Signers | 6 designated holders |
A movement requires four of the six signers to approve, and then waits out a 24-hour time-lock before it can execute — a window in which any anomalous transaction can be caught and cancelled.
Signers
| Signer | Role | Status |
|---|---|---|
| Andrej Bärg | CEO | Active |
| Pavel Mokrov | — | Active |
| Vladimir Vitushenko | — | Active |
| Alex Hein | CFO | Active |
| Mattia Milani | CIMO | Passive |
| Scott Page | Co-founder | Passive |
Active signers handle routine authorization; passive signers provide additional security depth and recovery quorum.
Key hygiene
- Each wallet uses a unique private key; keys are never shared across wallets.
- Operating wallets above a defined capital threshold are bound to hardware signers (Ledger / Trezor) — no hot keys for material balances.
- Treasury private keys are never transmitted through chat, code or any front-end. Deployment keys are single-use and generated locally.
The execution boundary
The AI Operator and the human operator can prepare transactions (unsigned calldata, routing recommendations), but only the 4-of-6 multisig can authorize a movement. This is the structural guarantee that compromise of the agent, the operator, or any single signer cannot drain the treasury. See Security model.