I’m obviously biased, because I developed CWAP.
key differences & Casa critiques
- Physical Theft — It‘s easy to physically steal someone’s BTC when they’re using Casa’s basic strategy because these 3 vectors: (1) phone (2) home (3) office, are in close physical proximity. The Counter Wrench-Attack Protocol (CWAP) specifically addresses & protects against physical-attacks.
- Structure — Casa uses a 3 of 5 “multi-sig/multi-location” setup that is based on centralized infrastructure & private companies. CWAP is based on a P2P network of friends…
- Use — Casa uses Multi-Sig software. CWAP manages the 24 mnemonic seed-words.
- Cost — Casa charges a yearly fee. You will also pay for the travel costs to your locations, when you make a transaction. CWAP is free and requires no travel.
- Speed — To access your keys, Casa’s system requires that you physically travel to locations in meat space. Worse — if you don’t want 3 of 5 keys in the same local area, you must travel to distant locations — which is slow…CWAP can be lightning fast.
- Inheritance — Casa will somehow “assist with end-of-life recovery and inheritance procedures.” CWAP provides an easy method.
For the few of Casa’s multi-signatory users, there are additional risks —
- Privacy — signatories see the wallet’s balance
- Signatory Collusion — in an [m-of-n] multi-sig set-up, ‘m’ parties can conspire and steal all your bitcoin
- incentive Attackers to kidnap you, because each of your signatories provide an additional point of failure
For the majority of Casa’s users, whom use a single-signatory approach, note the opposite incentive —Attackers are forced to kidnap your loved-ones // as they can’t kidnap you & get your BTC…
these unpleasant possibilities exist and should, at least, be clearly addressed.
CWAP’s drawbacks
1. incentive to kidnap you
because each of your signatories provide an additional point of failure // although they could target your loved-ones as well
2. man-in-the-middle —
when using online communication channels, an attacker/malware could change the messages, distorting your keys and they could be lost // not stolen
BUT — with current technology, an attacker could NOT alter a live video-chat nor voice messages enough to fool you & all of your signatories — thus the 12 words can easily be given & retrieved on-line
you can avoid this risk entirely by using hand-delivery
3. travel collisions —
since your friends and loved ones are people that you probably often visit and spend time with, — one needs to plan and manage one’s keys, — so as to avoid bringing all keys together and creating a single-point-of-failure…
4. forced hypnosis —
funny & possible because you are exposed to all 24 words…
in Summary —
while Casa is very good,
CWAP is
- more secure
- more functional // with inheritance
- more decentralized
- cheaper
- faster
- creates more moral kidnaping incentives
Casa replied to some my questions, so I updated the article.
The remaining issues are -
- How does Casa’s new Account Lockdown feature protect against a Wrench-Attack ?
- How does Casa’s Inheritance system work ?
