Multisig wallets (storing $300M+). Is it the best way to store your millions raised during an ICO?
You create a Bitcoin or Ethereum wallet with a click of a button. Then you share a wallet address publicly and keep the private key within your computer. Seems to be secure? But how about storing over $1 M worth of Crypto currency you raised during an ICO or after profitable month of Crypto Currency trading?
What can go wrong if you store the funds in a simple Ethereum wallet?
As private keys are not recoverable, once you lose it, all your funds are locked and you cannot click forgot password, or ask someone to do a refund. Your computer got hacked? Single transaction performed by hacker can take over all of your funds. Due to irreversibility, your funds have been gone forever!
A hardware wallet with a backup seems to be a good idea. For single owner — yes. Most secure crypto currency hardware wallet is Ledger Nano. It provides hardware security for every user only for €59. Find out more here. However, if you conducted an ICO and want to manage funds securely all together with a few founders, the best way to proceed is to use Multisig wallet.
A multisig wallet support much more complicated transactions that require the confirmation of multiple people before the funds can be transferred from it.
I will be focusing on Ethereum as most of the ICOs accept investments in ETH currency. A multisig wallet on Ethereum Blockchain is a Smart Contract with a list of owners and rules (usually number of confirmations needed and daily limits) defined to control the funds. Let’s take a closer look at the most common options that are currently in use.
Issues: The multisig wallet code was hacked several times due to bugs left in the Smart Contract by developers and resulted in millions of USD stolen (the first time) and locked (the second time): http://paritytech.io/the-multi-sig-hack-a-postmortem/ , http://paritytech.io/parity-technologies-multi-sig-wallet-issue-update/
Bug bounty program: https://paritytech.io/bug-bounty/
Recommendation: Security experts usually say: once something gets hacked, everyone starts auditing it and looking for security vulnerabilities of that particular thing. Therefore, while most of the people run away to another alternative, Security advisors recommend to be using that thing, as it is now fixed, audited and more secure than ever before. However, probably this rule did not apply to this case.
Description: Consensys multisig wallet was developed by Consensys (Top Ethereum development company, https://new.consensys.net) and Gnosis (Predictions Marketplace project built on Ethereum, http://gnosis.pm).
Wallets with significant funds at the time of writing: https://etherscan.io/address/0x9937dbb2128b55c44d8af7bf36fd76796a814cf4 (EOS wallet, USD 170M+), https://etherscan.io/address/0x851b7f3ab81bd8df354f0d7640efcd7288553419 (Gnosis wallet, USD 100M+)
Issues: No critical issues found at the moment of writing.
Bug bounty program: https://github.com/bokkypoobah/ConsenSysMultiSigWalletAudit (Initiated by Ethereum Smart Contracts and Security expert Bokky Poobah)
Ethereum foundation multisig
Description: Multisig wallet was developed by the Ethereum Foundation (EF) with the goal to protect their own funds. Developers from Ethereum foundation wrote the first implementation.
Wallets with significant funds at the time of writing: https://etherscan.io/address/0xde0b295669a9fd93d5f28d9ec85e40f4cb697bae (Ethereum Foundation development wallet, USD 340M+)
Issues: Until today, no severe vulnerability have been found and the EF has not lost any of its ether. However, you cannot update, remove or add owners and change some of the other paramters within them multisig and should deploy a new wallet to proceed with other parameters. https://github.com/bokkypoobah/EthereumWalletMultisigTest#results (Thanks to Bokky Poobah for noting this!)
As there are various options to choose from, history proved that there is no 100% secure smart contract and issues can be found any time as the Solidity is still a new language and Ethereum Smart Contract development have a lot of specifics. Only auditing and testing can make code a more secure. At the moment in my opinion, the way to go is with Consensys multisig in case there are several owners who wish to control the funds together.
Need professional consultation, smart contract audit, or help with setting up the multisig wallet? Let me know by sending an email to firstname.lastname@example.org or connect with me on LinkedIn https://www.linkedin.com/in/lkairys /!