Blockchain technology is about combining fundamental cryptographic primitives to build useful, trusted features like transfers and asset issuance. Defining a secure signing scheme for multi-signature offline wallets is no different, and happens to be one of the most important problems at a company like Paxos, where we custody stablecoin and cryptocurrencies for big players in the space.
A secure crypto wallet needs to protect against two scenarios:
- Access to the wallet by bad actors
- Loss of access for good actors
Multi-signature, or just multisig, wallets prevent these two unfavorable outcomes by having several people control individual signing keys. A typical multisig wallet can be described using two parameters:
- n is the number of independent signing keys
- m is the number of those keys that must sign in order to authorize a transaction
We, in the industry, call this an “m of n wallet”.
Using large numbers, randomness, and linear math, elliptic curve cryptography (specifically ECDSA) protects against impersonation by unauthorized actors, and is the basic way that authentication happens in the crypto world. A multisig wallet combines n eligible signers and a threshold of m signers needed to authorize a transaction, which protects against the following challenges:
- Internal bad actors (up to m-1)
- The loss of good actors (up to n-m)
For example, let’s look at a 2 of 5 multisig wallet. This means there are 5 independent signing keys and to access the contents of the wallet at any time, you need a minimum of two keys. A 2 of 5 wallet can tolerate up to one bad actor of the five without authorizing bad transactions. The wallet requires two signers to verify any transaction. So, the wallet can also handle three people losing their keys without the contents of the wallet being lost forever.
Some blockchains, such as bitcoin, have a standard way for multisig wallets to work with the blockchain protocol. Because Ethereum doesn’t have a native multisig protocol, a smart contract is the only option for on-chain multisig. A multisig smart contract is a multisig wallet address created as a smart contract that has its own way to process transactions that requires multiple signatures.
There are several different types of multisig smart contracts on Ethereum. To describe the Paxos Simple Multisig smart contract we’ll need to discuss how authentication works on Ethereum, and how the multisig smart contract builds on that to require multiple signatures. Refer to the end glossary for any words you’re unfamiliar with.
An Ethereum transaction is a payload including an eth transfer amount, a nonce [See Glossary], a destination, gas limit, gas price, and a data payload. The sender signs (a hash of) the whole transaction using their private key, and is identified by the public key that can be obtained from the published signature. The “from” address is found by a hash [See Glossary] of the signature’s public key.
A smart contract transaction uses the data payload to invoke operations on the smart contract’s on-chain storage. The smart contract itself, which is created as the payload of a contract-creation transaction, can include authorization rules stating that only certain addresses may perform certain operations on the smart contract. One can build a multisig contract by providing smart contract operations for proposing a transaction and for approving it, and limiting the addresses that can call those functions to a small set.
The simple multisig smart contract uses a third type of auth by doing on-contract authentication. In a simple multisig transaction all of the multiple signatures needed to approve a transaction are included in a single data payload in a single Ethereum “network transaction”. The data payload also includes the whole “smart contract transaction”, like a submessage of the transaction. The smart contract has its own explicit protocol for how to verify those signatures, using a hash of the submessage as the contents that are being authorized by the multisig signers. That submessage can represent the action of an Ethereum transaction, including moving Eth that’s being held by the multisig contract or doing an operation on another smart contract, such as moving ERC20 tokens held by the multisig contract.
The adage, “never roll your own crypto” applies here since we have the opportunity to use any protocol as the signing scheme within the multisig smart contract. Luckily, the Ethereum community has had a well-received standard proposal for smart contract signing schemes in EIP712 for a few years now. The principle of the scheme is to use the same hashing algorithm and data that the ethereum network uses, and to also hash in context data about the function being called and the contract address itself to avoid unintended re-usability of submessage signatures.
Submessage signatures using the EIP712 standard offer other benefits, such as the ability to have one address pay the gas fee for another address, which is a feature that Paxos has implemented in its token smart contracts.
Paxos Simple Multisig
Paxos is using a version of the lundkvist simple multisig smart contract for internal wallets that was fully audited by Consensys. The biggest benefit of that smart contract is that the on-chain state is minimal, as are the features that the smart contract includes. This is in line with Paxos’ approach to token smart contracts, which prefers to put as much state and logic off chain as possible. The reasoning for this approach is that getting a smart contract right is difficult, bugs in smart contracts have led to big losses, and a deployed contract is difficult to upgrade. (Note: We also had the contract audited by Consensys.)
The version Paxos is using has been modified to include the ability to change the set of signers, or owners, on the contract. Although this is a small addition to the feature set, the setOwners feature helps protect against access by bad actors by allowing a threshold of signers to remove old signing keys, and add new ones locally on the multisig contract without migrating funds or roles.
To execute a submessage transaction there needs to be a normal Ethereum transaction from a normal address that puts the transaction on the blockchain, with all of the submessage data carried in the network transaction’s “data” field. In simple multisig that role is called the executor, and at Paxos the executor is a lower-security single-signer address that holds some Eth for paying the gas for the transaction.
Operationally, the fact that cold signing is applied to the submessage rather than to the network transaction offers a few benefits.
- Each signing member can securely hold one signing key to authenticate them as a signer, and reuse that key on multiple multisig wallets on which they are a member.
- The gas fees are chosen by the executor. This allows Paxos to quickly adjust the gas fee in response to gas price fluctuations without repeating the cold signing. Transactions are confirmed more quickly while still choosing a more competitive gas price. However, this benefit is reduced a bit by the fact that simple multisig transactions cost more in gas to begin with, because they carry and verify multiple signatures.
- The signing process for these multisig addresses can be the same, or almost the same, as the process for blockchains that have native multisig such as bitcoin.
What This Means for Paxos
Paxos Simple Multisig allows us to have simple key management that circumvents the unique risk of migrating tens of roles and assets on Ethereum – and it does so without opaque MPC protocols, or more complex off-chain key management that introduces single points of failure. It does so by leveraging the blockchain for authorization, which is already a central dependency. Above all, this technology is crucial because it provides a high level of security. Risk is inherent in our business, but this multisig process ensures we can protect our customers’ assets against all potential bad actors with state-of-the-art trustworthy Ethereum wallets.
Glossary
Gas: The gas of an Ethereum transaction is a measurement of its computational cost. Gas is not purchased on its own, but is instead paid for in Eth as part of the transaction, making up the transaction fee. Because the total gas spent can depend on the state of the blockchain when the transaction happens, each transaction carries a Gas Limit representing the maximum gas the transaction can spend.
Gas Price: The gas price is also chosen for each transaction and represents how much Eth is paid per unit of gas spent in computing the transaction. Miners receive the fee as payment for mining the transaction. The gas price creates a gas fee market balancing mining supply and demand, where there ends up being a going market rate to create an Ethereum transaction, with higher gas prices leading to shorter wait times.
Hash: A cryptographic hash function is a mathematical algorithm that maps data of arbitrary size to a bit array of a fixed size. It is a one-way function, that is, a function which is practically infeasible to invert. The result of applying the function to a payload is referred to as the hash of that payload.
Nonce: A scalar value equal to the number of transactions sent from an address. The nonce must be set to the next value for every new Ethereum network transaction. The nonce protects against the same transaction being sent twice.