Introduction to Multisig Contracts
What is a multisig and which multisig should I use? Here’s your answer.
In a world where proper key management is a requirement, not an option, one solution for storing Ether and Ethereum-based tokens is by having multiple people hold ownership of one address or set of funds.
A common way of going about this is with a multi-signature contract. This storage method is often used by companies, organizations, and partners. The reason such smart contracts are called ‘multisigs’ is because multiple signatures from different addresses are needed for a transaction to be executed. Often times, these addresses are owned by different people, and can be stored on a hardware wallet, private-key-based wallet (keystore file, mnemonic phrase), cold storage, MetaMask, etc.
Multisig contracts have a number of use cases.
- Avoiding a single point of failure, which makes it significantly harder for funds to be compromised.
- Splitting responsibility of ownership of an address and its funds between multiple people.
- If multiple keys are used and only a set percentage for consensus of a transaction has to be met, a lost key/seed wouldn’t render the wallet useless or inaccessible.
This article describes how multisig contracts work, and gives an overview of various popular multisig contracts.
Multisig wallets were first introduced for Bitcoin in 2013, and this standard has since been embraced by a large number of companies and organizations. As an example, a commonly used multisig contract in Ethereum, the Gnosis MultiSig wallet, is estimated to be holding a total value of over $1 billion worth of Ether and tokens across all its contract instances.
Why not store all your funds in a wallet that’s just a single key?
If multiple people in an organization have a say whether certain transactions will be permitted to go through, there is less chance that a malicious individual in the group would be able to send out funds. Using a multisig contract also greatly reduces the chance of losing access to funds in the event that a key is lost. In a scenario where there are multiple keys attached to a multisig contract and only a majority share of key owners need to approve a transaction, it doesn’t matter whether one individual loses their key, as there will be other individuals that can approve the transaction instead.
How does it work?
Generally, a multisig requires either a set number of signatures/approvals before a transaction is sent, or a majority share of owners need to approve the transaction that is to be sent.
Let’s say we have a team containing five people. Everyone on this team has their own hardware wallet containing their own address. The team decides to set up a multisig contract, so funds can be stored on this address and there won’t be a single point of failure, as opposed to simply using one wallet instead. All the addresses of everyone in the team will be added as owners of the multisig address.
The team decides to configure this multisig contract to require a majority share of approvals, which means that at least three people need to approve a transaction before it is sent from the multisig.
Sending a Transaction
One individual of the team wants to send a transaction from the multisig contract. They tell the multisig contract to send 1 ETH to 0x64ce8[…], but since this contract requires a majority share of approvals, the 1 ETH is not sent right away. They ask three others in their team to approve the transaction and afterwards, the 1 ETH is immediately sent to the address that the first individual chose.
Another individual of the team appears to have lost access to the address they used to confirm transactions for the multisig contract (backup your hardware wallet). Fortunately, as only three people need to approve a transaction for it to go through, the funds stored in the multisig aren’t lost and transactions can still be sent from it. Depending on the multisig contract that is being used, the individual’s address can be removed from ownership, and a new one that the individual does have access to can be added and used to approve transactions in the future.
Different Multisig Contracts
Mist’s Multisig Wallet
The Mist multisig wallet was created by developers of the Ethereum Foundation (EF) and is one of the first multisigs that was made for Ethereum. The Foundation uses this solution themselves for their development wallet, as can be found here.
Initially, this multisig was meant to be used with Mist, a now-deprecated wallet application for Ethereum also made by the EF. It provided an interface to deploy and interact with multisig contracts, and made it possible to easily send transactions.
However, since Mist is no longer supported by the EF, it’s no longer recommended to use the Mist application. It is still possible to deploy new multisig contracts with the original multisig source code, but one would have to interact and send transactions from the multisig by manually calling its functions through the use of an external tool like MyCrypto. This makes usability rather difficult, and hard to recommend, especially as other solutions with well-maintained interfaces exist.
Mist source code: github.com
Multisig source code: github.com
ConsenSys’ Multisig Wallet
The Consensys multisig wallet is a simple but cleanly-written implementation of a multisig wallet. Its code is easy to understand and use, and contains all the common functions a multisig contract would need. However, this wallet is not regularly maintained and development has since continued under the Gnosis multisig wallet. The Consensys version is still widely used, and its biggest wallet deployment contains over 150,000 ETH at the time of writing.
Multisig source code: github.com
Gnosis’ Multisig Wallet
Gnosis’ multisig wallet is vastly considered to be the go-to Ethereum multisig wallet by many, and is used by a large number of organizations in the Ethereum space. It’s based on the Consensys multisig wallet, but has had many improvements and continued active development.
It provides an easy-to-use interface and supports various hardware wallets like Ledger and Trezor, and also allows for optional email notifications. As this is one of the only multisig solutions that comes with an intuitive interface and is maintained regularly, it’s rather popular within the community.
Wallet interface: wallet.gnosis.pm
Wallet source code: github.com
Gnosis Safe is separate from the Gnosis Multisig. It has the same concept and core features but is positioned differently — you manage your own funds via multiple devices instead of having other parties manage for you. There’s also a Gnosis Safe Multisig available.
Gnosis Safe: https://safe.gnosis.io/
Gnosis Safe Multisig: https://safe.gnosis.io/multisig
Argent takes a unique approach with their “Guardians” feature. Argent allows you to select other Argent users (ideally friends and/or family members) and notes them as your guardians who can freeze your funds in case of emergency, unlock frozen funds, help you recover your wallet, and authorize transfers.
Argent Guardians: https://www.argent.xyz/security/
BitGo’s Multisig Wallet
The BitGo multisig wallet functions as a 2-of-3 multisig, meaning that it always requires three owners, and two approvals for a transaction to be sent. It has numerous features that make it unique, like a ‘Safe Mode’ that can be set on the multisig contract that prevents ETH and ERC20 tokens from being sent anywhere other than the multisig owners. It also includes a test suite through the use of Truffle.
Multisig source code: github.com
Parity’s Deprecated Multisig Wallet
The Parity app used to have an interface similar to Mist’s that allowed deployment and interaction with a multisig contract written by the Parity team. However, in November of 2017, this implementation was ‘accidentally’ killed, leaving over 150,000 ETH permanently frozen as a result.
Some of the logic in the multisig source code, including the withdraw function that would be used to take funds out, was placed in a library. This library already existed on the Ethereum blockchain, and would be used by any instance of the Parity multisig contract. This has some benefits, like saving gas costs for every deployment of the multisig contract. However, as in the case of the Parity multisig, it can also have some major downsides. If the library contract is broken in any way, it would also affect any contract that depends on it.
Such was the case with the Parity multisig library, and when the library was killed by a bug a user discovered, it rendered all existing instances of the Parity multisig contract useless, and funds frozen. For this reason, using this multisig is no longer recommended.
Parity postmortem: parity.io
Multisig contracts are a great solution for sharing ownership and control over funds, as well as preventing single points of failure. Uses of multisig contracts continue to evolve. Their utilization for governance has brought us projects such as Aragon, and some Ethereum users have even turned to them for marriage contracts.
This article only listed a few of the more commonly used multisig solutions for Ethereum, and there are undoubtedly more out there. When choosing your multisig solution, be sure to do your due diligence, as human error is still possible while these contracts were written, as was the case with Parity.