# Managing Privileged Accounts Securely

Many projects rely on externally owned accounts (EOAs) for managing privileged functions, such as pausing contracts, upgrading systems, or handling sensitive administrative tasks. However, using EOAs for such purposes introduces significant security risks, as they are susceptible to key compromise.

***

Below are actionable steps to handle these accounts securely.

## 1. Transition Away from EOAs

* **Use Multisigs:** Replace EOAs with multi-signature wallets like [**Gnosis Safe**](https://gnosis-safe.io/) to distribute control among multiple stakeholders.
* **Explore DAO Governance:** Implement decentralized governance where the community or stakeholders vote on critical decisions, ensuring long-term sustainability.
* **Consider MPC Wallets:** Leverage **multi-party computation (MPC)** wallets, which distribute key control among multiple parties without relying on a single device or location. Examples include [**Fireblocks**](https://fireblocks.com/) or [**ZenGo**](https://zengo.com/).

## 2. Secure Private Keys

* **Use Hardware Wallets:** Store private keys in hardware wallets (e.g., Ledger, Trezor) to protect them from malware and phishing attacks.
* **Backup Keys Properly:** Store encrypted backups of private keys in secure, geographically dispersed locations. Avoid cloud storage or email backups.
* **Enable Two-Factor Authentication:** When using wallet applications, ensure 2FA is enabled to add an extra layer of security.

## 3. Restrict Privileges and Access

* **Principle of Least Privilege:** Assign the minimum necessary permissions to privileged accounts. Avoid consolidating multiple critical roles under a single key.
* **Timelocks:** Introduce timelocks for high-stakes operations, allowing time for community scrutiny or intervention if suspicious activity is detected.

## 4. Monitor and Respond to Threats

* **Activity Alerts:** Set up monitoring tools to track privileged account activity. Receive alerts for any unexpected or unauthorized transactions.
* **Incident Response Plan:** Define a clear response plan for compromised keys, including pausing contracts, revoking access, and redeploying affected accounts.

## 5. Regularly Audit Privileged Functions

* **Review Access Controls:** Periodically audit the list of privileged accounts and their roles to identify unnecessary permissions.
* **Test Fail-Safes:** Ensure that the process to recover or replace compromised keys is well-documented and tested.

## Example Setup for Privileged Accounts

1. Deploy a **Gnosis Safe Multisig** for admin functions.
2. Use **Hardware Wallets** for each signer of the multisig.
3. Define a **Timelock Contract** for critical operations requiring community approval.
4. Consider transitioning governance to a **DAO Framework** like [**Aragon**](https://aragon.org/) or [**Snapshot**](https://snapshot.org/) for decentralized management as the project scales.
5. Evaluate the use of **MPC Wallets** to enhance security through distributed key management.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.optimumsec.xyz/ongoing-operations/securing-privileged-accounts.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.