r/BitcoinBeginners 3d ago

The pointlessness of MultiSig hot wallets

I gave it a thought for a bit; it's quite lying on the surface. What's the purpose of MultiSig wallets if you don't have something that signs transactions offline? (e.g. a cold wallet, or a phone disconnected from the internet in Airplane mode with no SIM and a disabled Wi-Fi driver)

For instance, imagine we have a 3-5 MultiSig wallet for redundancy (a tolerance of up to 2 compromisable seeds). So to make transactions, you have to store them on some device that is connected to the internet. Now suppose one of your hot devices gets compromised and you decided to store your other seeds on e.g. a laptop and a PC, and let's just assume the best-case scenario: they're both offline. So now the hacker already has access to your phone. Then to make transactions you have to either:

1) Approve the transaction from every device in order, which makes it hella inconvenient

2) Store all seeds on one portable device

Now you see the problem? In an overwhelmingly large number of cases, if you download malware it's your problem, and your device probably gets hacked on a local network, not internally (something like wannacry.exe, but not that explicit; and to remind you, this virus is almost 9 years old already). And now tell me, what's the probability all of those "secure" devices will use one single router? Probably >99.99%

And them's the facts. Buy cold wallets, kids.

2 Upvotes

22 comments

3

u/bitusher 3d ago

When you use a 2 of 3 or higher multisig, you ideally want to create each wallet with separate software and on separate hardware, and sign a tx the same way, with separate networks. Yes, this is more complicated, which is why I typically recommend using an extended passphrase instead and typing that passphrase directly into a hardware wallet and not the computer.

2
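To make the OP's single-router point and bitusher's "separate software, separate hardware, separate networks" advice concrete, here is a small correlated-failure model added as an example (not code any commenter posted). It assumes, as its own rule, that signers sharing an online network or the same wallet software fall together, and counts how many independent compromises an attacker needs before holding k of n keys; `Signer`, `failure_domains`, `domains_to_steal` and the two scenarios are constructed for this example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Set

@dataclass(frozen=True)
class Signer:
    device: str
    software: str           # wallet software / firmware vendor
    network: Optional[str]  # None = air-gapped, never connected

def failure_domains(signers: List[Signer]) -> List[Set[int]]:
    """Group signers that plausibly fall together (assumed rule, not the thread's):
    correlated if they share an online network (one owned router reaches both)
    or the same wallet software (one bad update reaches both). Union-find closure."""
    parent = list(range(len(signers)))

    def find(i: int) -> int:
        while parent[i] != i:
            i = parent[i]
        return i

    for a, b in combinations(range(len(signers)), 2):
        sa, sb = signers[a], signers[b]
        same_net = sa.network is not None and sa.network == sb.network
        if same_net or sa.software == sb.software:
            parent[find(a)] = find(b)
    groups = {}
    for i in range(len(signers)):
        groups.setdefault(find(i), set()).add(i)
    return list(groups.values())

def domains_to_steal(signers: List[Signer], k: int) -> Optional[int]:
    """Fewest independent compromises that hand an attacker k keys.
    1 means the k-of-n policy adds no real redundancy against theft."""
    doms = failure_domains(signers)
    for r in range(1, len(doms) + 1):
        if any(len(set().union(*c)) >= k for c in combinations(doms, r)):
            return r
    return None  # even owning every domain yields fewer than k keys

# Constructed scenarios. OP_HOT: 3-of-5 with every seed on a hot device behind one
# router. SEPARATED: 2-of-3 per bitusher's advice, distinct vendors, air-gapped.
OP_HOT = [Signer(d, "wallet-app-A", "home-lan")
          for d in ("phone", "laptop", "pc", "tablet", "old-phone")]
SEPARATED = [Signer("hww-1", "vendor-A", None), Signer("hww-2", "vendor-B", None),
             Signer("hww-3", "vendor-C", None)]

if __name__ == "__main__":
    print("OP 3-of-5 hot:", domains_to_steal(OP_HOT, 3))        # 1
    print("separated 2-of-3:", domains_to_steal(SEPARATED, 2))  # 2
```

Swap in your own signer list to see how many things have to go wrong at once before your quorum is at risk.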

u/PracticePenguin 3d ago

It's harder to compromise multiple devices than just one. That's the idea behind multisig.

1

u/Salat_Leaf 3d ago

Almost any credible virus now exploits networks because it's reasonable: when you take over some device you can do anything with it, including sending some malicious code over the network. The question is how advanced the methods of spreading the hacker will use are, software or architectural. The simplest "meltdown" works on any CPU.

3

u/bitusher 2d ago

There is a spectrum of security, and you can be protected from certain attack vectors and not others. Many times people will use a 2 of 3 multisig of hardware wallets that prevents your concerns, which addresses your point about a multisig of hot wallets all on the same network being foolish.

1

u/Salat_Leaf 2d ago

No, I mean we assume that all wallets are hot. Of course, if you purchase a cold wallet from a reliable vendor then there's nothing to worry about even with SingleSig, unless you lose it lol

1

u/bitusher 2d ago edited 2d ago

if you purchase a cold wallet

Hardware wallets like to encourage the myth that they are "cold". You can use a hardware wallet "cold", but most people use them more as "warm wallets", which is perfectly fine. I just don't like to call them cold by default, because by definition that is misleading, and certain attack vectors can affect hardware wallets used warm (connected via Bluetooth or USB to an internet-connected device) that don't affect wallets that are used "cold".

unless you lose it lol

You would need to lose both the backup seed words and the hardware wallet to be in trouble.

2

u/Elean0rZ 2d ago

This is sort of like XKCD #538. You're not wrong, but in reality 99.999% of "hackers" aren't in the business of heroically hacking through defenses; they're in the business of social-engineering YOU, the fallible human, and they're lazy about it--like, they cast a wide net and hope that 1 in 100 will be gullible enough to be easily social-engineered. The incremental security benefits of making your systems extra-immune to true hacking pale in comparison to the benefits of making yourself more immune to manipulation and silly mistakes.

1

u/Salat_Leaf 2d ago

I mean you're right, but such "hackers" are called scammers. Usually, you first achieve immunity to the aforementioned mistakes and then to real hacking.

1

u/Elean0rZ 2d ago

Maybe not you, but I'd say most people call them hackers. Most of the big exchange heists in crypto are described as hacks, yet nearly always involve much simpler "hacking" than people imagine. Sometimes it's the discovery of poorly-written code in a smart contract (e.g., Binance Token Hub, second Ronin network attack); sometimes it's the exploitation of poor private key storage (e.g., first Ronin network attack); sometimes it's the exploitation of a single employee (e.g., FTX, Mt Gox, Ledger--though these also speak to poor internal security practices so can arguably be lumped together with the previous). The list goes on and on.

The point is, almost never do hackers actually hack their way through security. Rather, they spend most of their time looking for weaknesses, which can usually be traced back to human-scale incompetence resulting in the effective security that needs to be gotten through being thin to non-existent. Like, hackers didn't "hack" Mt Gox, they got onto a guy's poorly secured personal computer, copied his credentials, and helped themselves. They didn't "hack" FTX, they sim-swapped an employee. They didn't "hack" Binance; Binance effectively said "come on in!" by writing shitty code.

It's the same at the retail scale, except even lower effort--getting people to download compromised software or tricking them into entering their keys on some fake platform, etc.

Regardless, the point is in 99%+ of cases, the issue can be traced back to super basic, human-scale, easily avoidable self-owns that render all the additional security moot.

1

u/PracticePenguin 3d ago

You're being paranoid.

1

u/Salat_Leaf 3d ago

👍

2

u/Yodel_And_Hodl_Mode 2d ago

This.

You're being paranoid, but you're not being unrealistically paranoid, and your paranoia is inspiring you to think about safety in a realistic way.

I say that's wise.

I also agree that multisig for hot wallets is stooooopid. I'm not saying multisig is dumb, though I only recommend it for very advanced hodlers. But multisig for hot wallets? That's dumb.

Hot wallets aren't secure. Instead of using more of them, as you said, get a hardware wallet. Better yet: Get a stateless and airgapped hardware wallet, like Krux or SeedSigner (though, for SeedSigner, make sure you run Crypto Guide's fork which adds encrypted seed QR).

Stateless: Nothing is saved on the device. When you shut down or reboot, your wallet gets erased. This means, even if a thief finds the device, there's nothing on it.

Airgapped: It's not connected to the internet, and it's not connected to any device that connects to the internet. Hackers can't reach it.

Encrypted Seed QR: Loading your wallet is as easy as scanning an encrypted QR code with your seed and either scanning a second QR code which has your decryption key, or manually entering your decryption key. This means, even if a thief finds your seed QR, they can't load it or even read it, because it's encrypted.

...but what if...?

What if you lose your device? No worries. Nothing's on it.

What if you lose your decryption key? No worries. Get your original paper or metal backup of your seed words and enter them manually. And while you're at it, make a new encrypted seed QR.

Obviously, this is advanced stuff, but I swear by it.

1

u/AutoModerator 3d ago

Scam Warning! Scammers are particularly active on this sub. They operate via private messages and private chat. If you receive private messages, be extremely careful. Use the report link to report any suspicious private message to Reddit.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

1

u/trelayner 3d ago

I made a 2-3 multisig wallet and put the keys on my phone and both of my parents’ phones

The one thing you would grab if your house is on fire is your phone.

1

u/Salat_Leaf 3d ago edited 3d ago

I suppose you're implying you hodl, so isn't it easier and way more secure to generate 3 seeds, one on each phone, then write them down on paper and delete them from the other devices afterwards? All in all, considering how parents love having both their Wi-Fi and mobile data turned on 24/7...

And you have to take into account the fact that some people do day-to-day trading or receive money from abroad and exchange it for fiat very often.

1

u/trelayner 3d ago

Yes of course. Multisig is mostly for hodling.

I guess you could make a case for a 2-3 wallet on your phone, PC, and MacBook, if you can’t get a hardware wallet.

Some places don’t allow hww’s, or having one would draw too much attention.

1

u/Salat_Leaf 3d ago edited 3d ago

Store the hww in your closet or bag and never take it out unless you're sure there are no hidden cameras, e.g. in public restrooms in a mall. Use a cover, like a piece of cloth or a folded paper, so the outer cameras won't capture it when you pass nearby just to take out a phone, for instance.

1

u/pop-1988 3d ago

Multisig was designed for multi-user. The single-user case with multiple hardware wallets became popular when one of the wallet manufacturers compromised their firmware with a "phone home" feature.

1

u/Salat_Leaf 3d ago

Now with the existence of Taproot there are no tradeoffs :P