On Verifying Multi-Sig Wallet Signatures
I was intrigued by Cyfrin's article How To Verify Safe Multi-Sig Wallet Signatures: The Radiant Capital Hack Fix - Learn This or Lose $50M (and accompanying video1, see below). And after reading about the post-mortem of ByBit's $1.5B hack even more so!
However, after watching the video I cannot help to think how absurd the notion is that users should jump through these hoops to verify a transaction.
I understand the sentiment that if you handle (really) large amounts of money, then you should take the greatest care to verify if everything is okidoki. But these steps seem unreasonable to me, as an outsider looking in.
The proposed approach probably works in practice (and perhaps it is the only reasonably secure way of working for now), but I reckon this is user experience hell in reality. Even for experienced users.
(I like Patrick's suggestions to wallet providers to enhance the transaction verification flow, but it seems a moot point when zooming out)
To give an example, lots of large organizations move (really) large amounts of money, and they generally rely on the (implicit perhaps) security of the tools they are using. When initiating, approving or executing transactions (often supported by multi-factor authentication combined with four-eye or even six-eye approval flows) they do not question whether what the application UI shows them is correct.
Why should we worry about this then, when dealing with cryptocurrencies? (Hint: because crypto security is still dubious? Yes I know, traditional finance and other industries are not necessarily doing any better).
Analogy time
As an analogy (considering we all agree human safety is pretty important): people do not verify if the firmware of their car has been tampered with before taking it for a drive (You could die, right? The worst possible outcome).
Probably not the best analogy2, but I hope you get my point:
- People constantly make really important trust assumptions.
- Perhaps it is time for the crypto industry to live up to user's security expectations.
People deserve to be able to trust their crypto applications to be secure, and their funds to be safe.
To (not) trust middleware
Idem dito with the hesitance of relying on middleware providers such as Metamask. I mean at some point in the flow you will have to rely on third-parties (and their security). If you use a certain wallet, you rely on the provider's secure implementation (cue the discussion on closed-source versus open-source). You also trust in the protocols, applications you are using, don't you?
You can try to remove as many dependencies as possible, but often you are just moving / shifting your trust (boundaries). That is maybe a topic for another article.
End of rant
After consideration I realize this post has become a bit of rant. I admit it is easy to point out problems, but that it is much harder to come up with (great) solutions. I'll give it some more time to gather my thoughts, but everything starts with acknowledging there is a problem and what that problem is exactly.
[1] By the way Patrick, everyone: I genuinely dislike these click-baity video thumbnails with surprised faces on them. I know these drive engagement and traffic, but still. With such quality content, I'd hope these tactics are unnecessary.
[2] There are many different factors to consider: what is the threat model / risk scenario (loss of life versus loss of funds), car manufacturing is a regulated(!) industry, nascent versus established technology, etc.
Photo by Markus Winkler on Unsplash