Secured ICO Asset Management with Ethereum Multisignature Wallet
Many of ICO teams acquire Ether, in the ICO process. The process of obtaining and storing a large volume of Ethers is not as simple and not secure enough, compared to getting an account from a bank, transmitting to it and withdrawing from it. A few of the important things should be prepared, considered, and decided. In this article, we will explore, in detail, the process and considerations.
Vulnerable Aspects of Ethereum Wallet
While you are using Ethereum Wallet, in case where you lose your secret key, you might not be able to retrieve the Ether or they can be hacked. Or, even a team member with a secret key can impersonate a hacker and pull out the Ether.
An ICO team, called Parity Technologies, has developed Multi-signature Wallet, working together with the Ethereum Foundation, and has used it. In this process, Smart Contract had been accidentally “deconstructed”. And it caused 51 million Ether to be locked out, even if the team possesses their secret keys. It is very unlikely that they can use it in the future.
What if I obtain an Ethereum Wallet at the cryptographic currency exchange? Well, the exchange may go bankrupt, or depending on the country, taxes and accounting issues may arise. Please note that the exchange has the secret key for the wallet address, so technically — you do not have an authority to control it.
Let’s consider various possible situations, and set up some goals to prevent the worst scenario, and try to figure out how to achieve each goal.
Detailed Goals for Secured ICO Asset Management
For simplicity, we would like to create a multi-signature wallet, where assets can be withdrawn, when two of three people signed.
- To prevent one person from withdrawing all assets, at least two persons must sign to withdraw all assets.
- Allowing key recovery even if the secret key is lost.
- Minimize the loss of assets even if a single secret key or wallet mnemonic is leaked, and allow all remaining assets to be withdrawn immediately.
- Even if two secret keys are permanently lost, the assets should be able to be withdrawn for a long time down the road.
- Use the hardware wallet to protect your account from malware or spyware that could collect private keys, key-store files/passwords, and mnemonics.
Understanding Ethereum Account and Multisignature Wallet
You do not need to know all of the mechanism to actually use the Multi-signature Wallet, but you can use it more safely once you know its fundamental principles.
The Ethereum account is one of the components of the Ethereum. The address might appear ‘0xDA0F0f540986B62783E89f1AF281C0b8654382bC’. To transmit the Ether that are included in this address, you should sign with the corresponding secret key.
Multisignature Wallet is not a component of Ethereum, yet it is a kind of DApp implemented in Smart Contracts. Under meeting a certain condition, it is programmed to withdraw the Ether that the Smart Contract possesses.
When you release a Smart Contract, an address is generated — the format is the same as the Ethereum account. And the Smart Contract can hold Ether. When the below simple smart contract is released and Ether is sent to that address, an unnamed fallback function is called and the attached Ether is to be owned by SinkContract.
contract SinkContract {
// fallback
function () payable {}
function transfer (address to, uint amount) {
to.transfer (amount);
}
}The ERC20 specification performs mapping process on the address and token quantity through the ‘balanceOf’ method, where address can either be an ‘account’ or a ‘Smart Contract’.
contract ERC20Basic {
uint256 public totalSupply;
function balanceOf (address who) constant returns (uint256);
function transfer (address to, uint256 value) returns (bool);
event transfer (address indexed from, address indexed to, uint256 value);
}contract BasicToken is ERC20Basic {
mapping (address => uint256) balances;
}
Hence, there is no difference between an account or Smart Contract from Ether or ERC20 token’s point of views. The withdrawal is executed when requested from the account along with the address and signature. Or, when the transfer request message is received from the Smart Contract of the corresponding address.
If the above is possible — in case where there is someone who’s using an account with the same address as my Multisignature Wallet — then, that person can withdraw my Ether asset? Yes, it is possible. But the possibility is extremely low. A uniqueness is not guaranteed when creating an account as well, so this can apply to the accounts.
Set up accounts with 3 signing people and prepare for Ether
For convenience of explaining the process, let’s make it possible for all of Ethers can be withdrawn, only when two out of three people sign.
Each of the three parties who will sign Multisignature Wallet should create an Ethereum account. MetaMask, hardware wallet, Ethereum wallet, Mist Browser, MyEtherWallet and many other tools are available for account set-up. The account provided by the Cryptocurrency Exchange should not be used.
After creating an account, only its address should be shared with each other, and the secret key or mnemonics should not be shared with others for security purpose. It should also be recorded on paper and stored in a safe place.
We will create a Multisignature Wallet in the Mist browser. To make it simple, we will have one person to create an account in Mist. An account created on different places can also be imported into Mist when creating the keystore file generated from the secret key.
Let’s say, the account created by Mist is A, and the rest of them are B and C.
To distribute Multisignature Wallet smart contracts, send tokens, or sign, each person should use some portions of Ether as Gas. However, since Mist needs to have more than 1 Ether to release the Multisignature Wallet, ‘A’ must have at least 1 Ether. Let’s send an appropriate amount of Ether to each account. In the case of Ropsten TestNet, you can search for “ether faucet” to find a website that offers free testing-purpose Ether.
Create Multisignature Wallet
Since Multisignature Wallet is a DApp made of smart contracts, you can create it directly by implementing your own Smart Contracts. But we want to take advantage of using the built-in Multisignature Wallet features of the Mist browser — safely provided by the Ethereum Foundation.
In Mist, select “Main Network” or “Ropsten — Test Network” from the Develop > Network menu section and you might need to wait several hours or several days, until the number of blocks becomes positive in the lower left corner. (If it is a negative number, it indicates the number that need to be read more.) If it takes too long, it would be better to re-start the program and wait instead of pressing “LAUNCH APPLICATION” button.
To create a Multisignature Wallet in Mist, you need an account. So, you need to import an existing account or create one here.
Please click the “Add Wallet Contract” button under the “Wallet Contracts” section and select the A account as the owner. Select “Multisignature Wallet Contract” as “Wallet Contract Type”. Thereafter, it is necessary to set the amount of Ether that can be transmitted by single signer, the total number of signers, and the number of necessary signers, which are set to 1 Ether, 3 people, and 2 people, respectively. Then, enter the B and C account addresses and release the smart contract. Sign-in would be done with the currently selected account, and the current account’s Ether is to be used as Gas .
Soon after, the Multisignature Wallet appears in the Mist and you can now see its address. Now you can open this address and ask them to send Ether to this address. If some Ether is sent to this address, the Mist will automatically update the balances.
The Multisignature Wallet address that we created is 0x0781C560B175923a43A0Ad4050a15337b6C31481 and you can see the transactions of the wallet on the page below:
https://ropsten.etherscan.io/address/0x0781C560B175923a43A0Ad4050a15337b6C31481
Withdrawal from Multisignature Wallet using Mist
Motion to Withdrawal
As it was possible to send 1 Ether per day, now let’s send 2 Ethers to the Multisignature Wallet.
Select Multisignature Wallet, press the ‘Send’ button, and write down the address you want to send. Then type 1.1 for the amount you want to send, and sign in along with A account. Since a sign from A is enough to send less than 1 Ether, it is necessary to send more than 1 Ether for more than 2 people to sign.
If you sign and release it in this way, it will automatically be approved by you, so we only need one additional approval.
Withdrawal Authorization
If you wait a little while, when you send 1.1 Ether, you can check that person A out of three people (A, B, and C) approved and “Approve”, “Revoke” buttons will appear. As B and C have to approve, B has to import his account from Mist onto his or her PC and also import the Multisignature wallet.
Click the Create Multisignature Wallet button, select “IMPORT WALLET” as the “Wallet Contract Type” type, and enter the address only.
If you wait a little while, you will see, on the imported address, the event that 1.1 Ether has been asked to transmit previously and also be able to check that the “Approve” and “Revoke” buttons to appear. Press this button and sign with B or C and wait a little bit. Then, you can see that 1.1 Ether has been transmitted.
Withdraw Ether from the Multisignature Wallet with using MyEtherWallet
When all 3 people are using Mist or EthereumWallet, you can use a user-friendly GUI. However, to import accounts into Mist or EthereumWallet, you need the keystore files, and the corresponding passwords, which are the main collecting target of malwares. Therefore, let’s initiate and approve the transfer of Ether using MyEtherWallet (https://www.myetherwallet.com), which allows you to sign with a secure hardware wallet.
Note: Use of two types of hardware from Trezor and Ledger Nano for Ethereum trading
Motion to Withdrawal
Connect to MyEtherWallet and go to Contracts. Enter the Multisignature Wallet address, which has been generated, into Contract address. For the ABI / JSON interface, select the Mist’s Multisignature Wallet and copy and paste the JSON text that appears, when clicking “Show Contract Info” and “Show Interface” buttons in order.
Please choose ‘execute’ on Read / Write Contract. Enter an address (the the Ether should be received) on ‘_to’ , and Ether to send (in wei units) on ‘_value’.
Caution! To send 1.1 Ether, enter 1100000000000000000. If you enter 1.1, no further approval is required because it is below the 1 day limit .
_data can be omitted. Later, you can select a Wallet containing one of the accounts A, B, or C and sign and distribute it. Ledger Wallet, TREZOR, Digital Bitbox, and Sacalot are hardware wallets.
Confirmation of Withdrawal
Once released, let’s connect to https://etherscan.io or https://ropsten.etherscan.io (for the Ropsten test net) for checking the Smart Contract’s transactions.
At this address : https://ropsten.etherscan.io/tx/0xc7149583f3100d0e813a38724323a73f41f04cc5d1c8a7d7b15046a7ae40c41e , you can see ‘execute’ that runs as follows.
Function: execute (address _to, uint256 _value, bytes _data) ***MethodID: 0xb61d27f6
[0]: 000000000000000000000000cc8d141d60d29b62e7448961e592e2930677f879
[1]: 0000000000000000000000000000000000000000000000000f43fc2c04ee0000
[2]: 0000000000000000000000000000000000000000000000000000000000000060
[3]: 0000000000000000000000000000000000000000000000000000000000000000
[4]: 0000000000000000000000000000000000000000000000000000000000000000
If you click on the Event Logs (2) tab at the top of this page, you would be able to see the two events that occurred when the function was executed/called.
At this time, the second event is the ConfirmationNeeded, and the first parameter is either the operation, _h or _r value. The third parameter is 1100000000000000000, which is 1.1 Ether. The fourth parameter is the address to receive the Ether. This means that the first parameter of this event (0x64e35c3e7d29950c50c28ef0c0bf8b0a43e6dbd6ad76adaf263ab1fa46d24f92 from above) needs an approval from another signer.
Next, in the Multisignature Wallet smart contract code, if it is below the 1 day limit (underLimit), it immediately sends to ‘_to’, otherwise it makes a signature (confirm (_r_)) and generates the ConfirmationNeeded event.
function execute (address _to, uint_value, bytes _data) external onlyowner returns (bytes32_r)
{
// first, take the opportunity to check that we're under the daily limit.
if (underLimit (_value)) {
SingleTransact (msg.sender, _value, _to, _data);
// yes - just execute the call.
_to.call.value (_value) (_ data);
return 0;
}
// determine our operation hash.
_r = sha3 (msg.data, block.number);
if (! confirm (_r) && m_txs [_r] .to == 0) {
m_txs [_r] .to = _to;
m_txs [_r] .value = _value;
m_txs [_r] .data = _data;
ConfirmationNeeded (_r, msg.sender, _value, _to, _data);
}
}Withdrawal Authorization
Connect to MyEtherWallet and go to Contracts. The values, same as before, should be entered into Contract address and ABI / JSON Interface.
This time, please selects ‘confirm’ on the Read / Write Contract. The first parameter of the event should go into ‘_h’.
Caution! ‘_h’ value must be preceded by 0x.
After signing and releasing the transaction, you can see below capture, it confirms the execution and 1.1 Ether transfer history. In the middle of the figure, you can see that the 1.1 Ether is pulled out from the Smart Contract from the address at: 0x0781C560B175923a43A0Ad4050a15337b6C31481.
https://ropsten.etherscan.io/tx/0xad377495ace187827340d524e3f1acf1c47458c9faae7f20ab437bff8aca088f .
Use of MyEtherWallet mixed with hardware wallet and Mist
Hardware wallets would be safest for security, because it does not need to digitize the mnemonic and secret keys outside the hardwares. To create a Multisignature Wallet in Mist, you need to digitize the secret key from the mnemonic and the wallet path, and you need to generate the keystore file.
Also, we’ve realized that we need to use Mist to clearly identify with the GUI and to transmit as well as approve it.
Therefore, only 1 out of 3 people need to use Mist to release smart contracts, confirm contents and then approve them.
The other two people can initiate a transfer from MyEtherWallet and sign with hardware wallets.
Two people don’t have to digitize the mnemonics and secret keys at all.
Confirmation of achievement on detailed goals of safe/secured ICO asset management
- To prevent one person from withdrawing all assets, at least two people must sign to withdraw all assets. → In case more than 1 Ether per day, you need signs from two people.
- Allowing key recovery even if the secret key is lost. → I did not explain it in detail, but you need to keep the generated mnemonics written on paper when you use the hardware wallet. Mist users can back up the keystore file and the password. Or can create accounts in MetaMask, and back up Seed Words, then, you can then use ‘geth’ to create the keystore file from the secret key and import it from Mist to use that account.
- Minimize the loss of assets even if a single secret key or Wallet mnemonic is leaked, and allow all remaining assets to be withdrawn immediately. → One person can fetch at most 1 Ether per day, so the remaining 2 people can either withdraw or execute the smart contract’s removeOwner and addOwner methods to replace the leaked one.
- Even if secret keys from the 2 people are permanently lost, the assets should be withdrawn later, for a long time. → You can withdraw 1 Ether by a private key of the remaining one person, every day.
- Use a hardware wallet to protect your wallet from malware that could collect secret keys, keystore files / passwords, mnemonics, and more. → The two person used MyEtherWallet to initiate and sign a withdrawal with hardware wallets, without ever digitizing the mnemonics and the secret keys.
Additional Security Treatments
- Let’s make it a little bit convoluted in case of not using a lot of common/general Wallet routes. It reduces the chance of losing assets because of the fact that the route is less likely to be checked, even if the mnemonics have leaked out.
- After releasing the Multisignature Wallet, it would be good to format the PC and all three people had better use a hardware wallet. To make it possible, you need to generate a keystore file from the mnemonic and import it from the Mist browser.
- Let’s use hardware wallets from the different manufacturers’ products (for a safety reason). If you create a new Wallet in a hardware wallet, that hardware wallet must be trusted. The feature of creating a new wallet usually creates a mnemonic combination, which is safe as it uses a full random features and the number of combinations is large enough. Now, let’s assume that they randomly generate mnemonic combinations within the range of about 10 billion, by the rule that only the manufacturer knows. The manufacturer will pre-fetch and store account and secret key combinations (for about 10 billion), also monitor the Ethereum blocks and look for their matching accounts. If you have some Ether on these accounts, the manufacturer could withdraw them in bulk with the secret keys that they already know.
- The mnemonic/wallet should be backed up on paper should not be photographed, but it would be a good practice to make multiple copies and inform the family about their storage location.
So far, we have explored the secured ICO asset management techniques by using Hardware wallet, Mist browser, and Ethereum Multisignature wallet.
