Security at Multis

Théophile Villard
Jul 2 · 6 min read

We’re building the first Cryptobank for companies. The thing is, crypto-land hasn’t always been the safest place. Here are a few pointers to help you form an educated answer as to why you can trust Multis with your company’s crypto.
TL;DR: .

Self-custody

Private keys

Multis takes pride in being a decentralized application. We don’t hold any private keys and will never be custodian of your funds.

Individual wallets

We support several solutions built into Multis to handle your keys, all of which have become industry standards: MetaMask, Portis and more to come (WalletConnect!).

app.multis.co/create

Why it matters

  • simple: we don’t want the hassle of providing custody so we’re delegating key management to appropriate services.
  • plural: being agnostic on individual wallets will allow users to use different services, reducing the single point of failure.

Multisig

The right thing

It’s the backbone of Multis but it’s worth saying it again: multisigs are the proper and robust way to manage crypto as a group. And no, splitting the private key of an individual account is not the answer!

The purpose of multisig wallets is to increase security by requiring multiple parties to agree on transactions before execution. Transactions can be executed only when confirmed by a predefined number of owners.
https://github.com/gnosis/MultiSigWallet

Exact same contract: audited, used & insurance coming

First off, Multis isn’t introducing a new multisig smart contract. We use the exact same contract written and deployed by Gnosis. Take the contract address used when deploying a new company account:

app.multis.co/create

The destination address is 0x6e95C8E8557AbC08b46F3c347bA06F8dC012763f which corresponds to the multisig’s factory contract:

https://etherscan.io/address/0x6e95C8E8557AbC08b46F3c347bA06F8dC012763f#contracts

The Gnosis multisig smart contract is community-approved and thoroughly-audited:

We found the code under scrutiny to be elegant, robust, and secure. The wallet’s features are implemented with a minimal amount of code, resulting in a reduced attack surface. Despite such minimalism, its well-thought-out design allows for a surprisingly large feature set.
https://blog.zeppelin.solutions/gnosis-multisig-wallet-audit-d702ff0e2b1e

In the long term, we’ll provide a decentralized insurance that would cover our clients should something happen to the Gnosis multisig contract. More decentralized peace of mind 😌

Why it matters

  • simple: we’re building on top of solid foundations which have already proven their worth.
  • plural: a hacker will need to compromise “n out of m” owners in order to steal funds out of an instance of the multisig.

Static website

Server-less, backend-less & password-less

As explained in this blog post, Multis is a static website. It’s basically a folder with html, css and js files. To be a bit more precise, thanks to Firebase, Multis has a server-less, backend-less and password-less architecture. It’s worth adding that Firebase is certified under major security standards.

DNSSEC

With Cloudflare acting as our proxy we activated DNSSEC for our domain multis.co.

Why it matters

  • simple: we reduced the attack surface so that the only way to compromise Multis is to hack into our Firebase accounts. In this unlikely event it would only compromise the metadata of our users’ accounts, as we’re not storing private keys.
  • plural: our Multis bundle is hosted on Firebase’s DNS, but also on Cloudflare’s DNS. We’re planning to host the bundle on IPFS as well in the future.

Code

ClojureScript & spec

We’re committed to building robust software and as such we chose to use the ClojureScript programming language: it has a strong reputation for making simple and strong codebases (functional programming). We’re writing specs to ensure the correctness of our data at the edges of our systems.

Audit & bounties

Multis’s code is “interface” code and changes with every new release (multiple times a day), so auditing it makes less sense than auditing immutable smart contracts. Nonetheless, we’re in the process of running bounties to help stress-test our service.

Note: We’re still pondering whether to open source Multis’ code but as of now the code is not open-source, making it harder to copy (and create phishing websites).

Why it matters

  • simple: we’re using a simple language, making our code easier to reason about, which naturally improves software quality.
  • plural: thanks to bounties we will experiment with different attack strategies.

Challenges

Now that you have a better picture of Multis’ architecture and approach to security, let’s see how this would play out in these three challenges.

💀 The Death Challenge: what happens if Multis disappears?

That’s the question we should all ask before using any service!

Let’s say you have an account on Multis, the address of your company account looks like this: 0x4729ea9389……

If Multis dies, . Multis never had your private keys in the first place. Your company funds will still be under that address, and you could still access these funds from another interface. You can think of it as if your email client shuts down: you can still access your emails from another client. You will just have lost access to a superbly convenient and crisp interface called Multis 😉

🤷‍♂ The Dumb Owner Challenge: what happens if one owner loses their private keys?

That’s the question we should all ask before working with anybody!

Well, in that case it really depends on how you set up your Multis account. We’ve always preached an “n out of n+1” policy (n confirmations needed for a multisig of n+1 owners), meaning that if one owner loses their individual wallet/private key, the remaining owners can remove that owner and add them again with a new address.

If you’re in an “n out of n” policy, your only chance is having a daily threshold strictly greater than zero: you’d be able to move ETH out of your account little by little and create a new account with the proper policy.

If you’re “n out of n” and you have no threshold (or you hold ERC-20 tokens, which the daily threshold does not cover since it only applies to plain ETH transfers), then there’s only one thing to say: “sorry for your loss” 😢

Note: Multis is thinking about preventing people from setting an “n out of n” policy.
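To make the confirmation rules from the Multisig section and the three cases of the Dumb Owner Challenge concrete, here is a small JavaScript model of an n-of-m wallet with a daily limit. It is an added illustration, not the Gnosis contract and not Multis code: the owner names, amounts and the `WALLET` self-address are constructed, and the real contract’s ABI encoding, events and gas accounting are left out. It keeps the three behaviours the post relies on: a transaction executes only once `required` owners have confirmed it; owner management (`replaceOwner`, `removeOwner`) is only reachable through a confirmed transaction to the wallet itself; and a plain ETH transfer under the daily limit may execute without full confirmation, while anything carrying call data (such as an ERC-20 transfer) may not.

```javascript
// Toy model of the n-of-m confirmation rules of the Gnosis MultiSigWallet
// (daily-limit variant), written for this post. Not the Gnosis contract and
// not Multis code; owner names and amounts are constructed sample values.
class MultiSigModel {
  constructor(owners, required, dailyLimit = 0) {
    if (required === 0 || required > owners.length) throw new Error('invalid requirement');
    this.address = 'WALLET';      // the wallet's own address, target of owner-management calls
    this.owners = [...owners];
    this.required = required;     // confirmations needed before execution
    this.dailyLimit = dailyLimit; // ETH an owner may move per day without full confirmation
    this.spentToday = 0;
    this.balance = 0;
    this.txs = [];
  }
  isOwner(a) { return this.owners.includes(a); }
  deposit(amount) { this.balance += amount; }

  // An owner submits a transaction and implicitly confirms it.
  submit(sender, destination, value, data = null) {
    if (!this.isOwner(sender)) throw new Error('not an owner');
    const id = this.txs.length;
    this.txs.push({ destination, value, data, executed: false, confirmations: new Set() });
    this.confirm(sender, id);
    return id;
  }
  // Confirm and try to execute; returns true once the transaction has executed.
  confirm(sender, id) {
    if (!this.isOwner(sender)) throw new Error('not an owner');
    this.txs[id].confirmations.add(sender);
    return this.execute(id);
  }
  isConfirmed(id) { return this.txs[id].confirmations.size >= this.required; }
  execute(id) {
    const tx = this.txs[id];
    if (tx.executed) return true;
    // Only plain ETH transfers (no call data) may bypass confirmations, and only under the limit.
    const plainEth = tx.data === null;
    const underLimit = plainEth && this.spentToday + tx.value <= this.dailyLimit;
    if (!(this.isConfirmed(id) || underLimit)) return false;
    if (tx.value > this.balance) return false;
    tx.executed = true;
    if (!this.isConfirmed(id)) this.spentToday += tx.value;
    this.balance -= tx.value;
    // A confirmed call to the wallet itself is the only way to change owners (onlyWallet).
    if (tx.destination === this.address && tx.data) {
      if (!['replaceOwner', 'removeOwner'].includes(tx.data.method)) throw new Error('unknown op');
      this[tx.data.method](...tx.data.args);
    }
    return true;
  }
  replaceOwner(oldOwner, newOwner) {
    const i = this.owners.indexOf(oldOwner);
    if (i < 0 || this.isOwner(newOwner)) throw new Error('bad replaceOwner');
    this.owners[i] = newOwner;
  }
  removeOwner(owner) {
    this.owners = this.owners.filter((o) => o !== owner);
    if (this.required > this.owners.length) this.required = this.owners.length;
  }
}

// "n out of n+1": a 2-of-3 wallet where carol loses her key. alice and bob
// confirm a self-transaction swapping carol for a fresh address.
function recoverWithSpareOwner() {
  const w = new MultiSigModel(['alice', 'bob', 'carol'], 2);
  const id = w.submit('alice', w.address, 0, { method: 'replaceOwner', args: ['carol', 'carol-new'] });
  w.confirm('bob', id);
  return w.owners; // ['alice', 'bob', 'carol-new']
}

// "n out of n" with a daily threshold: bob is gone, but alice can still move
// ETH out in slices no larger than the limit, one day at a time.
function drainUnderDailyLimit(balance, limit) {
  const w = new MultiSigModel(['alice', 'bob'], 2, limit);
  w.deposit(balance);
  let moved = 0;
  let days = 0;
  while (w.balance > 0) {
    w.spentToday = 0; // a new day resets the limit
    days += 1;
    const slice = Math.min(limit, w.balance);
    const id = w.submit('alice', 'new-wallet', slice);
    if (!w.txs[id].executed) break;
    moved += slice;
  }
  return { moved, days };
}

// "n out of n" with no threshold, or an ERC-20 transfer (a contract call, not
// plain ETH): the transaction waits forever for a confirmation bob cannot give.
function stuckWithoutLimit() {
  const w = new MultiSigModel(['alice', 'bob'], 2);
  w.deposit(10);
  const ethId = w.submit('alice', 'new-wallet', 10);
  const tokenId = w.submit('alice', 'token-contract', 0, { method: 'transfer', args: ['new-wallet', 100] });
  return [w.txs[ethId].executed, w.txs[tokenId].executed]; // [false, false]
}
```

Running `recoverWithSpareOwner()` yields the repaired owner set, `drainUnderDailyLimit(10, 3)` moves all 10 ETH over four days, and `stuckWithoutLimit()` shows both the unlimited ETH transfer and the token transfer left unexecuted. The `removeOwner` branch also shows why an n-of-n policy is fragile: removing an owner silently lowers `required`, but you can only get there with all n confirmations in the first place.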

💠 The Transparency Challenge: how can I verify at any time that Multis is doing the right thing?

That’s the question you should ask before delegating any actions!

Turns out this Blockchain technology stuff isn’t such a bad thing after all:

You can take your company account address and go to any Ethereum block explorer and verify that the transactions are the same as the ones displayed on Multis. You can even read the contract, verifying the addresses of the owners or the threshold.

Consider this analogy: it’s as if you wanted to check the time and your watch doesn’t work. The other clocks still do. In a way, the blockchain behind all the watches in the world is the most immutable of all: time itself ✨


Multis is the first crypto wallet designed specifically for companies. A user-friendly and secure wallet built on top of a multisignature smart contract to help them access, manage and make the most of their crypto as a team. You can sign up for a Multis account here.

Multis is also hiring in multiple positions (growth/design/engineering): if you’re keen to join our team of crypto dreamers and contribute to our mission to democratize companies’ access to crypto, send us an email at team@multis.co.

Multis

Stories from the humans who buidl Multis

Thanks to Nizar S.
