Anyone holding a non-trivial amount of bitcoin should consider multisignature security, including how to mitigate potential attacks.
This is an opinion editorial by Anant Tapadia, a computer engineer and contributor to Bitcoin self-custody projects Bitcoin Keeper and Hexa Wallet.
Multisignature security, or “multisig,” offers a different set of security guarantees than single-signature (singlesig) solutions cannot. While I believe that singlesig is a great form of custody when one is just getting started with bitcoin or managing small amounts, in my opinion, anyone holding a non-trivial amount of bitcoin for the long term should evaluate a multisig option.
Defining Multisig
It is imperative to understand what we mean by “wallet” before I lay my case for one type versus another. A multisig wallet is referred to as a “vault” in apps like Bitcoin Keeper and Blue Wallet, while some also refer to it as the “coordinator” or “coordinating software.” It is basically a wallet that can talk to multiple signing devices and coordinate between them for signing transactions (generally using the PSBT format). In comparison, a singlesig wallet talks to one signer only. The singlesig wallet is also often the signer, meaning the keys are hot.
So, the attack surface exposed due to a singlesig wallet and vault is similar as they both have similar roles. Having a signing device in both cases adds to the security and introduces new attack surfaces.
A multisig is often referred to as an “m-of-n,” where you need “m keys out of n” to sign a transaction. An output descriptor or bitcoin secure multisig setup (BSMS) is a format that is used to define the configuration of a multisig. This can be used to recreate your setup on other coordinators or to register the multisig with the signing devices.
Considerations For Bitcoin Custody
Minimizing Trust
The obvious advantages of having multiple signers are to reduce single points of failure and increase redundancy in your setup. With the help of the common examples of attacks on multisig included below, I will explain why those attacks are applicable, even with singlesig custody. However, with multisig, you can minimize trust in any one entity as multiple entities are involved.
Operational Effort
Setting up and using multisig can be operationally more time consuming and include more pitfalls if not done correctly. Therefore, I recommend that users only consider multisig for long-term HODLing, where regular transactions are not anticipated.
Setup Costs
A robust, multi-vendor multisig (such as one with three-of-five custody) can be achieved for anywhere between $250 to $600. So, if you have around 0.5 BTC (about $11,000 at the time of writing this piece), spending less than 10% on securing it is not a bad idea, because this bitcoin’s value can appreciate very quickly.
The costs of signing devices are also reducing, e.g., Tapsigner from Coinkite. Plus, using non-hardware-based soft keys gives you zero-cost options, but it is not recommended that these are used for more than one key in a multisig setup.
Mitigating Common Attacks
I will now look at some attacks that can happen if a custody key coordinator tries to act maliciously. Then, I will explain how this is no different from the threats in a singlesig setup and what multisig wallets can do to mitigate these risks. The ultimate responsibility inevitably lies with the user to ensure that they take the proper steps, as suggested below.
The Wrong Receive Address
The most direct attack I’ll outline is one where the user tries to receive funds, and the coordinator app shows an attacker’s address instead. In such scenarios, the software could still show that the funds were received where the user intended. This attack is theoretically possible with any singlesig wallet because the user is relying on the wallet to generate an address for them. There is no way to manually derive addresses from your 12- or 24-word recovery phrase.
In the case of a multisig wallet, this can be mitigated by checking the address on the signing devices where the multisig has been registered. You could also use another coordinating software, import the same configuration and check the address that way.
Send-To Address Replacement
Like in the previous attack scenario, a multisig coordinator can replace the address you are trying to send funds to while constructing the PSBT. The situation will be no different in the case of a regular singlesig wallet.
To mitigate this risk, the user is always advised to check for the address on the signing devices. Since the signing devices sign the transaction containing the recipient’s address (in PSBT format), it will show the address it is signing. Unless there is some collusion between the coordinator app and the signing devices, this is an excellent way to minimize trust in any one of them.
Changing The Change Address
A less-obvious attack is one where a coordinator app replaces the change address in your transaction. This means that the change from the transaction will go to an attacker’s address. Unlike the send-to address, the user may not check for the change address when sending funds, making this attack less obvious. Again, there is no difference when it comes to a singlesig solution.
This is where the registration of multisig on signing devices is highly necessary. If registration is done, the signing device will not sign the transaction if it does not identify the change address.
Altering The Registration
As the coordinator also coordinates the registration step, a different multisig may be registered such that the attacker controls “n” or more keys. In this case, the signing device will not be able to identify the receive address or change the address correctly. The user will see the same (the attacker’s) receive address on the signing device as well, and the change address will be passed as correct by the signing device as it has no way of confirming if the other cosigners were altered or not.
It is therefore recommended that there are “n” registered devices in your setup. Moreover, you confirm the setup details on all such devices during registration. Another way to verify proper registration is to set up the same multisig on other coordinator software and check if it shows the exact details.
So, you could have a multisig with one register vault signing device and two blind signers. Repeat the same process with another coordinator. Now, check for the configuration on both the coordinators and the multisig-registering signing device. You can add more coordinators to the mix to rule out collusion.
Ransom Attack
This type of attack is similar to the above one, but the attacker controls fewer than “n” keys, so it cannot control the funds. But in a situation where you lose some of the keys, the attacker can hold you for ransom, as now you do not have the minimum quorum needed. This attack can also be performed by key insertion, where additional cosigners are added to the setup. This has the same effect as replacing some of the cosigners.
Again, checking the cosigner details on multiple registration-needing coordinators will reduce the chances of these attacks.
Utilizing Multisig Custody For Your Bitcoin
To repeat: Having a minimum quorum of multisig-registered signing devices and checking transaction details (when you have to make them) would be a good rule of thumb when using multisig.
When checking for addresses or vault setup details, do not just check the beginning and end of the string, as the attacker may have a similar-looking string.
Checking if the custody app is open source and reviewing its code (if you can) is also a good idea for some. Support of common standards like BSMS and PSBT ensures that the multisig setup or transaction can be ported to other apps for verification.
I also believe one can never go wrong with testing the setup. Once you have your multisig ready, duplicate the setup on more coordinators. Receive a small amount on one app and send a part of it from another. Check that the balances are appropriately reflected across all the coordinators after each step.
References and further reading:
This is a guest post by Anant Tapadia. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
