Release of new Multisig Wallet
Multisig wallets have been available since Ethereum’s launch. However, still over 13% of all Ether in total existence is held by just 2 single keys. The reason for this is that existing solutions have it’s own problems and do not address all needs of secure storage. We have addressed this need and are proud to publish an audited multisig contract with an easy to use interface. This wallet has been developed from the ground up to improve security for transactions by combining multisig transactions with cold storage.
The source code has been released on GitHub under GPLv3 license: https://github.com/ConsenSys/MultiSigWallet
A live version is avaialable here: https://wallet.gnosis.pm/
Why did Gnosis develop a new wallet?
The purpose of multisig wallets is to increase security by requiring multiple parties to agree on transactions before execution. This can easily be done with smart contracts on Ethereum. A smart contract owns the assets (e.g. ether and other tokens) and defines addresses of Ethereum accounts that own the multisig wallet. Transactions can be executed only when confirmed by a predefined number of owners. This removes the single point of failure associated with private key-controlled accounts, where losing or compromising the private key results in a loss of all funds controlled by the account.
Multisig wallets were developed early on by the Ethereum Foundation (EF) to protect their own funds. Gavin Wood wrote the first implementation, which can be found here. Until today no severe vulnerability has been found and the EF has not lost any of its ether. The instantiation used by EF can be found here.
Why did we decide to develop a new version if there is already a battle tested version that has been running for years? There is one main limitation which motivated us to redevelop the multisig wallet code: the EF wallet only allows multisig transactions for transactions sending ether from one address to another. Any other transaction like sending tokens or triggering any smart contract function can be done by any of the owners without additional confirmation. In other words: There is no multisig in place. Our new wallet fixes this issue by requiring multisig for all transactions.
Holding assets other than ether becomes increasingly important as the number of valuable tokens on the Ethereum network grows almost monthly. Our GNO token will soon be added to this list and we want to ensure that our token is secured and we have taken the initiative to do so.
Smart Contract Functionality
There are two versions of the multisig contracts available. The basic version (here) offers all necessary functionality to facilitate secure multisig transactions and wallet configurations, like ownership management. The daily limit version (here) extends the smart contract with the option to withdraw a certain amount of ether every day without multisig confirmations. This is especially useful if you have to pay for regular expenses but don’t want to ask everyone to sign transactions every few days.
Security
To ensure that smart contracts are safe, several audits have been conducted. The first audit was internally done at ConsenSys over several weeks, primarily in collaboration with Joseph Chow. This process was designed to make sure that our smart contracts follow best practices. An additional audit was initiated by the EF and conducted by Martin Holst Swende. Recommendations were reviewed and implemented and we want to thank them both for their support.
The wallet is also part of two bug bounty programs: Gnosis and Weifund. Both bounty programs are still running and any submission will be reviewed carefully. Attention: Rewards will be the same whether you submit the report to Weifund’s or Gnosis’s bug bounty. There is only one reward per vulnerability, not per bounty program ;)
It is also important to note that an earlier version of our multisig wallet was used in the Golem crowdsale.
User Interface
Security is not only a matter of secure smart contracts but also of user interfaces. Security can be ensured only if a user is aware of the result of his own interactions. This has not always been the case for Ethereum. In the beginning, when there w little to no user interface to interact with Ethereum clients, many users unintentionally executed incorrect transactions. Over 460 transactions with over ~$70,000 worth of ether were sent to address 0x0 which is now forever lost. This issue occurred because users were not sure how to send a transaction. That is why we put significant effort toward creating a comprehensive user interface. This interface allows users to understand the state of multisig transactions and the implications of their transactions. Every transaction of a known contract, like configurations of the wallet itself or interactions with any tokens, is decoded and displayed in a legible way for humans.
For every other transaction on a contract with an unknown interface, the contact’s ABI is loaded automatically via Swarm if available (not yet included in this version), and transactions are decoded accordingly. If no ABI can be found, an ABI can be added manually. Every contract and every owner can be named to make interactions as transparent as possible.
Cold Storage
Cold storage refers to keeping a reserve of ether or other assets offline. This is often a necessary security precaution, especially when dealing with large amounts of ether. Even when using a multisig wallet, the accounts used to control the multisig have to be protected. The best protection is to keep the private key on a device that never touches the internet. In order to use the multisig wallet with cold storage we developed an interface that enables offline signing of transactions. Our wallet UI detects if the user is on an offline computer and will adapt the interface accordingly to allow offline signing of any transaction. The signed transaction can then be transferred to an online computer and be sent to the Ethereum network.
Most users are using private key controlled accounts to secure their assets or still depend on centralized exchanges like Poloniex and Kraken to maintain their funds. However, even the biggest exchanges don’t secure their funds with multiple keys. Looking at the list of Ethereum accounts holding most Ether, cold wallets owned by Poloniex and Kraken are at the top, which are not secured by a multisig smart contract but a regular Ethereum private key.
Until now, one important reason for keeping funds on centralized exchanges was the lack of easy-to-use applications to manage funds. It was more convenient to keep funds on a managed exchange. We hope this wallet will help users take more responsibility for their funds, increasing security and distribution of ether in the network.
Besides the lack of personal security, centralization of ether will become more of an issue once Proof of Stake is implemented. If centralized exchanges still hold vast amounts of ether, they might be the main influencers in a Proof of Stake consensus.
Please try the wallet youself. Feedback is highly appreciated and can be sent to stefan@gnosis.pm or denis@gnosis.pm.
The source code is released on GitHub under GPLv3 license: https://github.com/ConsenSys/MultiSigWallet
A live version is available here: https://wallet.gnosis.pm/
Please consider running a local version for real funds and only use the hosted version to read the current status.
