The Missing Multisig Standard
Today Shift Crypto and Nunchuk jointly disclosed a vulnerability affecting multisig wallet setups that use Coldcard. However, this vulnerability has implications for all current wallet vendors and multisig solution providers. For details, please check out Shift Crypto’s blog.
The quick summary is that prior to Coldcard firmware version 3.2.1 (released on Jan 8th, 2021), you can fool a Coldcard into accepting a multisig wallet that it is not a part of, including generating receive addresses that it does not control.
For details, you can read Shift Crypto’s blog. In this blog, we want to add a bit of our own perspective.
Despite the shortcomings of current multisig solutions, such as the one described in the report, the Bitcoin wallet industry has grown leaps and bounds in recent years.
Partially-Signed Bitcoin Transaction (PSBT) and output descriptors have made wallets increasingly more interoperable, which means more options and flexibility for the users. Multisig solution providers such as Casa, Specter and recently Nunchuk have relied heavily on some or all of these new developments to create state-of-the-art multisig applications. The multisig solutions of today look nothing like their cumbersome predecessors of yesteryear.
Hardware wallets also saw an incredible pace of innovation. Trezor introduced a built-in touch screen with the model T, which helps prevent the PIN/passphrase from being keylogged on the host computer. The larger screen also improved on the UX by making it easier to verify addresses and transactions. Cobo brought air-gapped QR signing capability to Bitcoin. Shift Crypto has been researching multisig security in hardware wallets, responsibly disclosed vulnerabilities to other vendors and significantly improved the security of the ecosystem.
Coinkite/Coldcard has also been a great innovator in this space. Specifically, Coldcard pioneered the following:
- Bitcoin-only firmware
- Bring your own entropy
- Two-step PIN entry
- Brick-me mode
- Native PSBT wallet
- Multisig wallet registration: script type, derivation paths, and cosigner information
Among other things.
Taken as a whole, hardware vendors have been pushing the envelope really hard. And this has greatly benefited the end users.
It is important to read vulnerability reports in this context. That these are understandable growing pains that will be addressed in the long run.
The Missing Standard: Secure Multisig Setup
Coming back to the vulnerability at hand, the underlying issue here is that a standard on secure multisig setup is sorely missing. It is not just Coldcard that suffers from this — in fact, Coldcard is ahead of others in this regard — but all wallet vendors do.
In the absence of good standards, vendors tend to roll their own ad-hoc solutions.
The fundamental challenge here is that in a multisig, each cosigner needs to be aware of all other cosigners. This is the only way to guarantee that the funds are sent to legitimate addresses controlled by the correct parties.
Coldcard, Cobo and BitBox02 are currently the only hardware vendors that try to solve this the right way.
Trezor recently implemented a workaround that, instead of registering cosigners at setup, embeds cosigner information in each PSBT. However, we believe that this is an inferior solution. Firstly, it increases the PSBT payload. Secondly, it adds cognitive overhead: the user will need to verify the cosigners for each and every Bitcoin transaction, instead of doing it once. Lastly and perhaps most importantly, embedding cosigner information in the PSBT (usually in the form of XPUBs) presents a privacy risk — as PSBTs are passed back and forth through a variety of media.
We strongly believe that cosigner registration on the device at the wallet setup phase is the right approach. To this end, we have been working closely with hardware vendors to come up with a new standard on secure multisig setup. You can read about our proposal on the Bitcoin mailing list.
In summary, we wish to see more cooperation and better multisig standards among wallet vendors and multisig solution providers in the future. The strength of the Bitcoin ecosystem comes from decentralization and diversity. Just like how having satellites, ham radios and mesh networks as fallbacks for Bitcoin connectivity is a good thing, we can’t afford having only one or two types of hardware devices or multisig solution providers, and risk losing it all if and when there is a catastrophic failure.
Thus, it is absolutely crucial that we keep improving multisig and the strength of individual software and hardware signers. Doing this is not a nice-to-have, but a necessity to ensure Bitcoin’s survival.