Skip to main

How the Cosmos SDK Group Module Reinvents Multi-Party Authorization

How the Cosmos SDK Group Module Reinvents Multi-Party Authorization
Notch subtract mid iconNotch subtract mid icon

The history of how organizations share authority over something valuable is a history of compromises. Skeleton keys gave one person all the power. Dual-control vaults required two officers in the same room. More recently, blockchain's multisignature wallets require N specific people to coordinate, sign the same transaction, and broadcast it within the same window. For a small team managing a treasury, that level of coordination is fine. For an enterprise consortium managing cross-border settlement, it's not.

The Cosmos SDK Group module is the next step in sharing authority on a digital ledger. It replaces the question of "who has the key?" with "what are the rules for making the decision?" It answers that question on the ledger with programmable policies, weighted voting, structured processes for members to propose actions, creating an immutable record of every decision ever made.

Consider a banking consortium approving cross-border settlements, where each counterparty holds different authority over different transaction types; a compliance committee that must sign off on counterparty onboarding through a structured review with mandatory waiting periods; or a multi-party trade finance workflow where the threshold for releasing funds depends on the value of the deal. These types of processes require human and organizational coordination and operational overhead. The Group module replaces this type of manual coordination with programmable, automated, auditable governance that saves time and reduces operational cost.

What the Group Module Does

The Group module enables on-chain multisignature accounts with configurable voting policies baked in at the protocol level. Any set of accounts can form a named group, attach one or more decision policies to it, and collectively authorize the execution of arbitrary on-chain messages. This happens through a proposal-and-vote workflow. Let's unpack what makes this different from both traditional governance modules and standard multisignature wallets.

System Layers Overview

A group is a collection of accounts with associated voting weights. Think of it like a roster: a list of who's at the table and how much their vote counts. Each group has an administrator who manages membership. This administrator does not need to be a member, allowing external governance handlers, such as a compliance officer, to manage participation without themselves participating. This enables the management of access control and cybersecurity requirements in alignment with the organization’s policies.

A group policy is where the group's authority actually lives. A policy is an account on the ledger associated with both a group and a decision policy. Groups and policies are decoupled. A single group can have multiple policy accounts, each with different rules. For example, your compliance team is one group, but the rules for approving a routine operational transfer might require two votes, while the rules for upgrading the ledger's codebase might require unanimity and a 48-hour review window.

Decision Policies: The Rulebook

The group module ships with two built-in decision policy types, and the interface is extensible if you want to add custom logic.

Threshold decision policies define a minimum total weight of yes votes required for a proposal to pass. If your five-member group has weights of 3, 2, 2, 1, and 1, and the threshold is 5, then you need some combination of members whose weights sum to at least 5 voting yes. Abstain and veto votes are treated as no.

Percentage decision policies define the threshold as a percentage of total group weight rather than an absolute number. This is the better choice for groups with dynamic membership, because the acceptance criteria don't break when you add or remove members. A 66% threshold means 66% regardless of whether the group has five members or fifty.

Both policy types include two timing parameters that enterprise system architects will appreciate. The voting period defines how long members have to vote after a proposal is submitted. The minimum execution period specifies how long the system must wait before a proposal can be executed, even if it has already passed. Set this to zero for operational decisions that need to move fast. Set it to 24 or 48 hours for high-stakes decisions that warrant a review window to give stakeholders time to raise objections before execution becomes possible.

Software engineers who manage the ledger will configure an app-wide maximum execution period: the window after voting ends during which an accepted proposal can still be executed. After that window closes, the proposal expires. This prevents stale approvals from lingering indefinitely.

The Lifecycle for Proposed Policy Changes

Any group member can submit a policy proposal to a group policy account. The proposal includes the messages to execute if accepted, along with a title, summary, and metadata.

Members vote one of four options: yes, no, abstain, or no-with-veto. Voting continues until the voting period expires or until someone triggers a tally by attempting execution. If yes votes already exceed the threshold, the proposal can pass without waiting for the window to close. If the remaining undecided votes do not mathematically reach the threshold, the proposal is rejected early.

Proposal lifecycle

Once a proposal is accepted, any account on the ledger, not just group members, can submit an execution transaction. This means execution can be automated, delegated to an operations bot, or handled by different teams within the organization.

Proposals can also be withdrawn by the proposer or policy admin before voting ends, or automatically aborted if the group membership or policy changes mid-vote. This is a safety mechanism. If the rules change while a vote is in progress, the proposal created under the old rules is invalidated to eliminate the risk of it potentially executing under conditions that no longer apply.

Where This Fits in the Enterprise Stack

The Group module occupies a niche that neither ledger-wide governance nor traditional multisignature accounts can fill.

Ledger-wide governance is designed for protocol-level decisions like software upgrades and parameter changes to the core ledger functionality. However, it does not address day-to-day business decisions like a consortium of banks approving a cross-border settlement requires controlled counterparty management and clear decision-making workflows that do not modify the core ledger.

Traditional multisignature accounts give you equal-weight, fixed-threshold signing without process structure. They work for small teams with simple needs. But the administrative overhead and day-to-day burden of managing these decisions becomes costly when your use case requires weighted voting across stakeholder classes, multiple policy tiers, and time-bounded execution windows.

The Group module sits between these two. It gives organizations the ability to define ledger-based governance rules with the flexibility to model real-world authority structures, such as counterparty participation in complex decisions and tiered approval committees. It offers these functions natively through programmability, reducing the operational overhead of managing these decisions day to day.

For financial institutions, the on-chain vote history provides an immutable compliance audit trail. For consortia, the weighted voting and multiple policy accounts model the reality of unequal stakeholders with different authority over different decision types.

Conclusion

The Group module replaces the overhead of counterparty coordination with programmable governance. It does this by offering a resilient, programmable, and flexible tool that allows teams to easily set up decision-making processes that reflect their business reality, with key automation features that save enterprises time and money. Features of the Group module include weighted voting that reflects real stakeholder structures, decision policies that can vary by action type, a proposal lifecycle with built-in review windows and safety mechanisms, and an immutable on-chain record of every vote cast and every decision made.

The skeleton key opened every door. The multisignature account required N signatures in the same transaction. The Group module asks a better question: what process does the organization follow to make this decision? And it enforces the answer in code.

The Group module is available through Cosmos Enterprise. Contact institutions@cosmoslabs.io to learn more.

Further Resources

Source code: https://github.com/cosmos/cosmos sdk/tree/main/enterprise/group

Docs: https://docs.cosmos.network/enterprise/components/group/overview

Notch subtract corner iconNotch subtract corner iconEric GorskiNotch subtract corner iconNotch subtract corner icon

Eric Gorski

Technical Program Manager

https://x.com/cosmoslabs_io
This website uses cookies to enhance user experience and to analyze performance and traffic on our website, including with session replay technology. By clicking “Accept All”, you agree to the use of these cookies. Privacy policy