Topic: Multisig derivation paths and xpubs
aesthete2022 (OP)
Jr. Member, Activity: 59, Merit: 31
August 05, 2023, 11:19:58 PM
Last edit: August 06, 2023, 01:40:40 AM by aesthete2022
#21

Quote
The relevance is that unhardened levels can be derived only using public keys, while hardened levels require the private keys. In short, they are entirely different numbers and will derive entirely different addresses.

Right. So after doing a little digging, it seems that the unhardened path can compromise all the coins in a wallet if the xprv of one address is compromised. However, this seems less of a risk for a multisig wallet?
nc50lc
Legendary, Activity: 2408, Merit: 5593
August 06, 2023, 05:11:05 AM
#22

Quote
Right. So after doing a little digging, it seems that the unhardened path can compromise all the coins in a wallet if the xprv of one address is compromised.

If it's the xprv that's compromised, it doesn't matter if it's unhardened or not; a hacker can just derive the private keys from it.
You must be talking about the parent xpub and one of its xprv pair's child private keys.
Basically, the wallet's "extended public key" and a "private key".

Of course in MultiSig, it needs the "N" number of cosigners, not just one.
And since the other cosigners' xpubs and private keys are unrelated to each other, that unhardened derivation vulnerability isn't applicable to each cosigner's keys.
aesthete2022 (OP)
Jr. Member, Activity: 59, Merit: 31
August 06, 2023, 01:15:12 PM
#23

Quote
Of course in MultiSig, it needs the "N" number of cosigners, not just one.
And the other cosigner's xpub and private keys are unrelated to each other, that unhardened derivation vulnerability isn't applicable to each cosigner's keys.

Thanks for the above. So ultimately unhardened vs hardened doesn't matter a great deal in multisig?
o_e_l_e_o
In memoriam, Legendary, Activity: 2268, Merit: 18510
August 06, 2023, 01:31:49 PM
#24

Which one you choose matters less when it comes to this particular attack vector for multi-sig wallets, yes.

However, I would highly recommend sticking to the standard of using hardened paths for the first three levels if you are using 49 at the purpose level, not least of all to make your life easier when recovering your wallet in the future.
aesthete2022 (OP)
Jr. Member, Activity: 59, Merit: 31
August 06, 2023, 02:04:01 PM
#25

Quote
However, I would highly recommend sticking to the standard of using hardened paths for the first three levels if you are using 49 at the purpose level, not least of all to make your life easier when recovering your wallet in the future.

Forgive my ignorance, but how does a hardened path help wallet recovery? I have the output descriptors and Sparrow and Electrum wallet files backed up on multiple media.
nc50lc
Legendary, Activity: 2408, Merit: 5593
August 06, 2023, 02:34:36 PM
#26

Quote
-snip-
Thanks for the above. So ultimately unhardened vs hardened doesn't matter a great deal in multisig?

Yes, safer than SingleSig.
The difficulty of getting the necessary number of xprv keys is higher,
but it still depends on how the cosigners handle their individual private keys.

For example:
Since each cosigner's wallet contains (e.g. 2-of-3) all three xpubs, if one cosigner's wallet is compromised, the attacker will need to get one private key from one of the other two cosigners.
Still good, since it's still safe as long as the other two cosigners are secured.

In case the attacker is one of the cosigners, all he needs to do is "ask" for a single private key from either cosigner to get full control of their funds.
By saying "ask", I mean mislead the cosigners into giving him a private key, like that of a used address, which seems harmless if the person doesn't know the risk.
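The two mechanisms nc50lc describes in replies #22 and #26 (a parent xpub plus one unhardened child private key exposes the parent xprv, while the other cosigners' keys stay unaffected because they come from unrelated seeds) can be checked directly against the BIP32 derivation rules. The following is an added example written for this page, not code from any poster or from Sparrow or Electrum. It implements CKDpriv in pure Python, assumes a BIP48-style multisig account path m/48'/0'/0'/2' (an assumption for the demo; the thread itself talks about purpose 49), and uses constructed seeds that are not real wallets. The point arithmetic is not constant time and is for illustration only.

```python
# Added example (not from the thread): minimal BIP32 showing why an xpub plus
# one UNHARDENED child private key reveals the parent xprv, why a HARDENED
# child does not, and why a second cosigner's independent keys are unaffected.
import hashlib
import hmac

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def ser_p(point):
    """33-byte compressed SEC encoding, the public-key form BIP32 hashes."""
    prefix = b"\x02" if point[1] % 2 == 0 else b"\x03"
    return prefix + point[0].to_bytes(32, "big")


def master_key(seed):
    """BIP32 master private key and chain code from a seed."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, index):
    """BIP32 CKDpriv for one index. Hardened indexes feed the parent PRIVATE
    key into the HMAC; unhardened indexes feed only the parent PUBLIC key,
    i.e. exactly what an xpub holder already has. The vanishingly rare
    invalid-key cases (IL >= N, child == 0) are ignored here."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    else:
        data = ser_p(point_mul(k_par, G)) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k_par) % N, i[32:]


def parse_path(path):
    """\"m/49'/0'/0'/0/5\" -> [49+H, 0+H, 0+H, 0, 5]; both ' and h mark hardened."""
    indexes = []
    for level in path.split("/")[1:]:
        hardened = level[-1] in "'h"
        indexes.append(int(level.rstrip("'h")) + (HARDENED if hardened else 0))
    return indexes


def derive(seed, path):
    k, c = master_key(seed)
    for index in parse_path(path):
        k, c = ckd_priv(k, c, index)
    return k, c


def recover_parent_priv(K_par, c_par, index, k_child):
    """What an xpub holder can compute from one child private key: for an
    unhardened index, k_child = k_par + IL (mod N) where IL depends only on
    public data, so k_par = k_child - IL. For a hardened index the real IL
    depended on k_par itself, so this formula yields an unrelated value."""
    data = ser_p(K_par) + index.to_bytes(4, "big")
    il = int.from_bytes(hmac.new(c_par, data, hashlib.sha512).digest()[:32], "big")
    return (k_child - il) % N


def demo(seed_a=b"constructed seed for cosigner A", seed_b=b"constructed seed for cosigner B"):
    """Three checks mirroring the thread: unhardened leak, hardened leak, and
    independence of a second cosigner's keys. Seeds are constructed, not real."""
    path = "m/48'/0'/0'/2'"            # assumed BIP48-style multisig account path
    k_a, c_a = derive(seed_a, path)
    k_b, c_b = derive(seed_b, path)
    xpub_a = (point_mul(k_a, G), c_a)  # what every cosigner wallet stores
    xpub_b = (point_mul(k_b, G), c_b)
    # 1. An UNHARDENED child private key (one "harmless" used address; a direct
    #    child here for brevity) plus xpub_a gives back A's account xprv.
    k_leak, _ = ckd_priv(k_a, c_a, 5)
    unhardened = recover_parent_priv(xpub_a[0], xpub_a[1], 5, k_leak) == k_a
    # 2. A HARDENED child private key plus xpub_a does not.
    k_leak_h, _ = ckd_priv(k_a, c_a, 5 + HARDENED)
    hardened = recover_parent_priv(xpub_a[0], xpub_a[1], 5 + HARDENED, k_leak_h) == k_a
    # 3. Cosigner B's xpub (also sitting in A's wallet) plus A's leaked key
    #    says nothing about B: the two seeds are unrelated.
    other = recover_parent_priv(xpub_b[0], xpub_b[1], 5, k_leak) == k_b
    return {"unhardened_leak_recovers_parent": unhardened,
            "hardened_leak_recovers_parent": hardened,
            "other_cosigner_affected": other}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run stand-alone it prints True, False, False for the three checks. The practical reading is the one the thread gives: an xpub is not secret material on its own, but combined with any unhardened descendant private key it becomes the account xprv, so a multisig cosigner should never hand out an individual address key; the hardened levels above the account only limit the blast radius to that one account.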
o_e_l_e_o
In memoriam, Legendary, Activity: 2268, Merit: 18510
August 07, 2023, 03:55:24 PM
Last edit: August 08, 2023, 03:19:06 PM by o_e_l_e_o
#27

Quote
Forgive my ignorance, but how does a hardened path help wallet recovery? I have the output descriptors and Sparrow and Electrum wallet files backed up on multiple media.

Simply because it is the standard. I am not aware of a single wallet which derives P2SH addresses at m/49/0/x by default, while there are hundreds which follow the BIP49 standard of m/49'/0'/x'.

Just like there is nothing stopping me deriving a single sig wallet at m/3894329'/284760'/1609266' and backing up my derivation path, it is much safer to just stick to the standard m/84'/0'/0'.
aesthete2022 (OP)
Jr. Member, Activity: 59, Merit: 31
August 07, 2023, 11:26:49 PM
#28

Quote
Simply because it is the standard. I am not aware of a single wallet which derives P2SH addresses at m/49/0/x by default, while there are hundreds which follow the BIP39 standard of m/49'/0'/x'.

Just like there is nothing stopping me deriving a single sig wallet at m/3894329'/284760'/1609266' and backing up my derivation path, it is much safer to just stick to the standard m/84'/0'/0'.

Ah ok, yes that is a fair point. However, I think so long as I back up the derivation path I should be ok. This thread will serve as an extra backup ;)
o_e_l_e_o
In memoriam, Legendary, Activity: 2268, Merit: 18510
August 08, 2023, 03:22:30 PM
#29

Quote
However, I think so long as I back up the derivation path I should be ok. This thread will serve as an extra backup ;)

I was thinking less about forgetting your derivation path and more about if you ever needed to use some different piece of software.

As I said above, you can easily back up your derivation path alongside your seed phrase, and therefore have no additional risk of losing your coins. The issue would come if you want to import your multi-sig into a different piece of software for whatever reason that does not let you specify arbitrary derivation paths.

If you back up your full descriptors and always use the same version of Sparrow then of course there will be no problems. But it is fairly easy to imagine a scenario where you need emergency access to your funds and you are forced to recover the seed phrases using different software, perhaps on a different OS, perhaps on mobile instead of a computer, and so on. In such a case it is always going to be an easier process if you have used the widely accepted standards rather than done something unique.

It is of course up to you - just explaining my rationale behind preferring to stick to standard practices.
aesthete2022 (OP)
Jr. Member, Activity: 59, Merit: 31
August 08, 2023, 03:53:02 PM
#30

Quote
I was thinking less about forgetting your derivation path and more about if you ever needed to use some different piece of software.

As I said above, you can easily back up your derivation path alongside your seed phrase, and therefore have no additional risk of losing your coins. The issue would come if you want to import your multi-sig into a different piece of software for whatever reason that does not let you specify arbitrary derivation paths.

If you back up your full descriptors and always use the same version of Sparrow then of course there will be no problems. But it is fairly easy to imagine a scenario where you need emergency access to your funds and you are forced to recover the seed phrases using different software, perhaps on a different OS, perhaps on mobile instead of a computer, and so on. In such a case it is always going to be an easier process if you have used the widely accepted standards rather than done something unique.

It is of course up to you - just explaining my rationale behind preferring to stick to standard practices.

I appreciate that. I have Electrum backups too and a watch-only Blue Wallet, but I know what you're saying.