Free Demo

Multisig technology adds another layer of security to hot and cold wallets. But is it the answer to crypto's custody challenges?

Qredo_vs_Multisig_A_Step_by_Step_Comparison_720p

Just like cold storage, the concept of multi signature transactions is not new, and can be traced back to ancient times when several keys were needed to open crypts holding precious relics. This meant no single monk was able to access the relics without the assistance of others —making theft less likely.

Back in 2014, multisig was the word on the crypto street. After the fatal Mt Gox hack in which 850,000 bitcoin was lost, multisig wallets were quickly adopted by exchanges. These require designated parties — people, institutions or programmed scripts — to cooperate by providing their signatures together in a coordinated way to make transactions.

Despite the extra layer of security offered by multisig however, the technology is still vulnerable to human error, technical failures, and the same weaknesses of the wallet it is attached to — hot or cold.

 

Security

Before any transaction is made with a multisig wallet, confirmation is required from multiple people. Just like a padlock that requires more than one key to open.

To be secure, this multisig process must be supported by sanity-checking services — carefully audited operational processes, and separate security options like secure passwords, 2FA and email confirmation.

Ultimately the security of a multisig wallet depends on the rigor of these processes, which must be carefully considered as a trade off between ease of use, and protection against theft and human error.

Even with secure processes in place, problems can arise when custodians are involved in multisig transactions.

Signatory collusion: Although possessing one key won’t allow a signatory to get through security measures, two signatories could collude to steal funds.

Signatory safety and reliability: A signatory may lose the private key, or have it stolen from them in a targeted theft like a 'five dollar wrench attack'.

Technical vulnerabilities can also lead to losses from multisig wallets — when a hacker found a flaw in the Parity multisig wallet in July 2017, they managed to steal $32 million in Ether before being discovered.

Find out how Qredo offers a new way to secure decentralized digital assets in our white paper.

Get the white paper

Liquidity

The slow, human-driven withdrawal policies of multisig wallets stall liquidity, meaning that investors must tolerate long waiting times for withdrawals, and are likely to miss time-sensitive trading and commercial opportunities.

To remedy this, some exchanges place different withdrawal requirements on wallets that serve different purposes — hot wallets holding smaller amounts have easier and quicker multisig requirements to ensure funds can be quickly withdrawn, and cold wallets holding larger amounts are subject to more stringent access requirements.

The problem with this arrangement is that greater accessibility is always accompanied by greater risk: The fewer multisig security processes that are placed on the wallet, then the easier the accessibility of the funds, but the greater the risk of hacks or losses.

All multisig services are also vulnerable to denial of service due to unresponsive custodians.

To maintain a constant service, the multisig custodian must always be online and available to sign transactions, which means censorship events or service outages can stall liquidity.

 

Privacy

Multisig wallets are often used by parties who have already established a close relationship, like a CEO and CFO. Having such a trusted cosigner is essential, because when funds are moved in a multisig transaction, all of the parties involved will know what wallet address the funds are being sent to.

Disclosing this address information to an external multisig service bureau, who could potentially prevent the transfer, represents a breach of privacy and makes the service vulnerable to censorship.

Find out how Qredo offers a new way to secure decentralized digital assets in our white paper.

New call-to-action