Migrate to SimpleMultiSig

[elenadimitrova]

• Remove multisig-wallet ethpm package as that repo no longer contains the source we use. Contract we use has been moved to https://github.com/gnosis/MultiSigWallet/blob/master/contracts/MultiSigWallet.sol
• Replace MultiSig implementation
  Considering Gnosis MultiSigWallet has unnecessary (for us) implementation complexity we chose to switch to a simpler, MIT licensed MultiSig from simple-multisig repo https://github.com/christianlundkvist/simple-multisig

Relevant EIPs to MultiSig standards:
ethereum/EIPs#763
ethereum/EIPs#191

SimpleMultiSig release article
https://medium.com/@ChrisLundkvist/exploring-simpler-ethereum-multisig-contracts-b71020c19037

[area]

If using this in production, then we can never (or rather should never) require unanimous agreement for the multisig - if someone lost their key with a unanimous agreement required to change to a new multisig, we would be snookered. I also worry about key 'rot' in this scenario - if we don't need the multisig for a long time, then maybe two people would have lost their keys, but not realised it. Even if we could have recovered from one losing the key, we didn't know until two had, and we're snookered again.

This applies to any multisig, it's just that there are fewer 'ways out' with the simpler one if something goes wrong. So long as we adopt it knowing that, I don't have an issue with it.

[jakzilla]

What are the ways out available to us if we use the Gnosis one?

[elenadimitrova]

With the Gnosis one you still need to get the required number of signatures to change anything, whether it's to add/replace an owner or the required number of signatures. It has additional functionality but not any more ways out than in the SimpleMultiSig.
It has higher max number of owners: 50 as opposed to 10 here which spreads the risk but that is a constant the can be raised if we choose to.

[area]

Yeah, Elena is right - I was mistaken in thinking that the threshold for adding/removing signatories was different from that required to do other things. So this applies with either implementation.

[area]

Other differences between the two implementations:

• With simplemultisig, the gas costs are placed on one person (though they are lower in total, I suspect)
• It will be (I believe) technically more difficult to use. We might need to cook up a (very) simple client.

[elenadimitrova]

Some concrete gas costs
SimpleMultiSig only ever needs one transaction (which contains all signatures)

multisig.execute -> 75,413 gas

MultiSigWallet needs an initial transaction submission and then as many confirmations as required, i.e. the confirmTransaction 50,110 gas cost should be multiplied by the required number of approvals -1.

multisig.submitTransaction -> 167,202 gas
multisig.confirmTransaction -> 50,110 gas (not enough signatures gathered)
multisig.confirmTransaction -> 79,857 gas (enough signatures gathered, execute the tx)

[elenadimitrova]

After a discussion between @area @jakzilla and myself we decided to shelve this and stay on the Gnosis MultiSig for now at least. Considerations include:

• gas costs aren't a concern as this will be used for the occasional contract upgrades only
• using a proven to be (so far) secure contract on the foundation network
  In future I believe EIP 763 will adopt the SimpleMultisig design as a standard which will drive adoption and encourage more work on formal proof and official security reviews. At which point we're likely to reconsider it.