MultiSig only intended for experienced people?

[Bitcoiner2023]

Are MultiSig wallets insecure and only intended for experienced people?

I just read a post and wanted to ask what you thought about it.
wanted to set up a MultiSig wallet for my security, but after this post I'm afraid of it.

Is what he writes true?
Do you have to put in so much effort with a MultiSig Wallet?
Or is this just scaremongering?
Are there solutions to these problems?

I thought MultiSig wallets were very secure, and I thought if 1 wallet was hacked, then I still have 2 wallets that show me the correct address, for example.


1)
An address of a 2-of-3 setup therefore contains the public keys of all three cosigners. In order to generate a correct address, you have to be able to rely equally on all cosigners.

Despite using two hardware wallets, the software wallet from the example above could contribute a fake public key to generate the receiving addresses.
The hardware wallets ultimately have to simply accept the other cosigners' information and have no way to verify it.
The resulting address would no longer have anything to do with your own multisig wallet and would belong to another wallet to which you do not have access.

This would mean that the operator, or the person who compromised the software wallet, would be in a position where he could blackmail the user with a ransom in order to release the third key, which was foisted by the false software. A very unpleasant idea that no longer has much to do with “gained security”.

Such scenarios are of course quite contrived and seem unrealistic at first glance. But it is precisely against such sophisticated attacks that you want to protect yourself with a multisig wallet! Otherwise, you can just stick with a simple hardware wallet, which already provides sufficient protection against the vast majority of threats.

The security of a multisig wallet is always measured by the “most insecure” cosigner, i.e. the greatest vulnerability. Therefore, all cosigners should always have a comparably high level of security. Mixing hot and cold wallets is therefore contradictory and not recommended.


2)
With an “xpub”, an extended public key, all addresses of an account in a Bitcoin wallet can be derived. In a multisig setup, the cosigners have to exchange these keys with each other in order to be able to generate addresses. This exchange is forced to take place via a software wallet on a smartphone or computer, as the hardware wallets cannot speak to each other directly.

An individual cosigner receives information about the other cosigners indirectly via the software wallet, which simply has to be accepted. It is solely up to the user to ensure that the other cosigners' information has been correctly passed on by the software wallet. If this is not done, the software wallet can give you fake public keys, similar to the first stumbling block.

This either makes a blackmail attack possible, as above, or even worse: in this scenario, the software wallet can forge two of the three public keys and thus gain full control over the addresses generated by the hardware wallet.

To rule out this vulnerability, the user must first verify each extended public key individually on the hardware wallet displays. This means that each cosigner can be correctly assigned to an xpub.

In the next step, the user must verify the public keys of the other cosigners on the hardware wallet, which will later also generate addresses, by comparing them with each other. The software wallet theoretically has the possibility of passing on incorrect keys, which would be immediately noticeable at this point.

Only after this successful verification can the address displayed on the hardware wallet, here in the middle, be trusted.

With multisig wallets, it is not that easy to establish trust in receiving addresses, as this always depends on all cosigners and their secure communication with each other. Careful verification of the individual public keys, as well as mutual checking to see whether they were passed on correctly, are crucial in order not to endanger the security of the setup.


3)
The steps just described for verifying receiving addresses are easier said than done. Because some hardware wallets do not offer the necessary functions, such as displaying the cosigner xpubs, and therefore should not be used in a multisig setup.

Furthermore, a completely manual check is anything but practical in the long term. As a user, you are unlikely to go through the procedure described above over and over again for every address you want to use. Sooner or later, users are likely to become careless.

Hardware wallets that are used for a multisig setup should therefore be remembered by all cosigners after setup in order to remain trustworthy in the future without additional manual verification. This is also referred to as the “registration” of a multisig setup.

If you are looking for a beginner-friendly option for more security, you should think twice about whether Multisig is really your first choice. Many tripping hazards are not obvious at first glance and you quickly feel like you are feeling dangerously safe.

[vjudeu]

An address of a 2-of-3 setup therefore contains the public keys of all three cosigners.

In case of Taproot, it doesn't have to, because Schnorr signatures can be combined into a single signature.

he could blackmail the user with a ransom in order to release the third key, which was foisted by the false software

If you don't know the Script behind your multisig, then don't deposit coins there. Because if you have for example only your key to some P2WSH address, and you don't know the Script, then you don't know, if coins are yours or not (and then, this address could contain any keys at all).

If this is not done, the software wallet can give you fake public keys, similar to the first stumbling block.

If you don't verify the Script behind your address, then how would you know, that the address in question contains any multisig at all? It is a must have, to check somehow, that your key matches a given address.

Because some hardware wallets do not offer the necessary functions

That's why I don't use hardware wallets. I have just another laptop, specifically assigned for handling Bitcoin, and nothing else. Then, I can install anything I want, and upgrade it when needed. Because hardware wallets are usually quite limited, and when new features (like Taproot) are released, then it takes some time, to get it supported properly. But if you use software wallets, then you can just upgrade your client, and even add some additional software, to handle special cases.

you are unlikely to go through the procedure described above over and over again for every address you want to use

That's why software wallets are better: it is easier to upgrade your software, when needed.

Also, you probably don't need fresh keys every time, because you can just use Silent Payments. And if you agree upfront on the way of deriving keys, then you can just increase your nonce, and everyone can derive his Nth key, for the Nth multisig address.

If you are looking for a beginner-friendly option for more security, you should think twice about whether Multisig is really your first choice.

Guess what: we already have the whole network, which is built on top of multisig. It is called Lightning Network. Just open a channel, and use 2-of-3 multisig, if you want, and then apply all rules of LN here. If multisig would be that hard, then LN wouldn't exist. And if you have a proper LN client, then it won't accept a fake public key.

So, to sum up: if you can handle Lightning Network, then you can handle multisig. You don't have to do everything manually, there are many ready to use clients. And if you feel more comfortable with 2-of-3 multisig, instead of 2-of-2, then just change it. Most rules will stay the same.

[satscraper]

1)
An address of a 2-of-3 setup therefore contains the public keys of all three cosigners. In order to generate a correct address, you have to be able to rely equally on all cosigners.

Please note that all cosigners can be yours. If you choose such option you will mitigate the risk of being break down  as the probability that two of three have became ^{(simultaneously)} malicious somehow equals to the product of the relevant probabilities for each cosigner. Let's say you have two hardware wallets (^{HW1 and HW2)} and one software wallet ^(SW) and afraid that during their upgrade one of them is infiltrated with malicious code that could steal you money. You may eliminate such risk by constructing multisig using HW1 , HW2 and SW as your cosigners.
 

[pooya87]

I thought MultiSig wallets were very secure,

Nothing Bitcoin related is just secure or insecure on its own. They are secure if you do it correctly and insecure if you don't.

1) An address of a 2-of-3 setup therefore contains the public keys of all three cosigners. In order to generate a correct address, you have to be able to rely equally on all cosigners.

It comes down to why you are doing this. Are the 3 cosigners 3 members of a company board? Or are you using something like what Electrum 2FA offers? These are different scenarios. For example the Electrum 2FA is a 2-of-3 multisig and you control 2 of the keys so there is no way the "server" that has one key to scam/blackmail you.

You see, it depends on how you use it and why.

With an “xpub”, an extended public key, all addresses of an account in a Bitcoin wallet can be derived.

Not all. Only keys at non-hardened paths.

As for the problems you are listing involving hardware wallets, the thing is you always want to use tools that are open source and trustable. Like @vjudeu I don't use hardware wallets either, I only stick to 100% open source software that can be verified. That way you know all the issues you described can not happen.

[Bitcoiner2023]

If you don't know the Script behind your multisig, then don't deposit coins there. Because if you have for example only your key to some P2WSH address, and you don't know the Script, then you don't know, if coins are yours or not (and then, this address could contain any keys at all).

I know the script, it is a 2 of 3 MultiSig where all 3 wallets belong to me.
This is more about the fact that 1 wallet out of the 3 was infected with a malicious code.

what do I do in this case?
Is my entire setup unsafe then?
Or do the other two wallets then show me the correct address so that I know that something is wrong and I can set up the MultiSig again

Please note that all cosigners can be yours. If you choose such option you will mitigate the risk of being break down  as the probability that two of three have became ^{(simultaneously)} malicious somehow equals to the product of the relevant probabilities for each cosigner. Let's say you have two hardware wallets (^{HW1 and HW2)} and one software wallet ^(SW) and afraid that during their upgrade one of them is infiltrated with malicious code that could steal you money. You may eliminate such risk by constructing multisig using HW1 , HW2 and SW as your cosigners.

All 3 are mine, and all 3 have been hired as CoSigners.
The problem here is based on:
If I install an update and that update infects my wallet with malicious code.

I thought that the 2 other wallets would show me the correct address, but the post I read says that all 3 wallets show the same address even if it is wrong.

It comes down to why you are doing this. Are the 3 cosigners 3 members of a company board? Or are you using something like what Electrum 2FA offers? These are different scenarios. For example the Electrum 2FA is a 2-of-3 multisig and you control 2 of the keys so there is no way the "server" that has one key to scam/blackmail you.

All 3 CoSigners belong to me, but the post I read says that if 1 CoSigner was infected, then the security of the entire wallet is ruined, because the attacker can then display a false address to which I transfer money, and the 2 CoSigners have to accept it because they can't verify it, they can only verify their own xpub.

I thought that if 1 signer was infected and showed a wrong address, that the other 2 signers would show the correct address so I would know, okay, something is wrong here.
But the post says that all 3 signers then show the wrong address.

[vjudeu]

Is my entire setup unsafe then?

Partially. Because if one key is weak, then if another key is strong, then still: 2-of-3 multisig means, that you need two signatures. A single signature will not suffice. Which means, that the security will be simply downgraded to a single key in that case. So: it would be as safe, as 1-of-2 multisig on the remaining two keys.

Or do the other two wallets then show me the correct address so that I know that something is wrong and I can set up the MultiSig again

If you won't get exactly the same keys, then you will get different addresses, and you will then notice, that something is wrong, if one wallet gives you one address, and a different wallet gives you something completely different.

But obviously, if some wallet is compromised, then it won't need to send coins to any multisig at all, it could just be locked straight into the attacker's address.

all 3 wallets show the same address even if it is wrong

No, because if you use a different public key, then you will get a different address. Even writing the same public keys in a different order, will lead you to a different address.

and the 2 CoSigners have to accept it because they can't verify it

Why not? If you use HD wallet in all three wallets, and you imported xpubs into other wallets, then you know exactly, what is the previous public key, the current public key, and the next public key. Then, public keys are known by all wallets, and if any of them is compromised, then it will show you a different address. Each public key should be known by each wallet, the only difference is which private keys they have.

But the post says that all 3 signers then show the wrong address.

Why? Let's see some example:

Code:

deriveaddresses "wpkh(tpubDBVGXMP9pdYBa5S9yuCu1V3zDuBre1bsZhU6UVuQBXKqZsZaLzv9PwmCCLwvUE8b89WLW8uHxPjvWie5eoYnaeP6BJ5Fip5cU1mbmGSXFdU/*)#vrn3jpgp" '[0,0]'
[
  "bcrt1q8t7qh9352u2yr47rnnzyqqtq84wzzvtet7kx4s"
]
deriveaddresses "wpkh(tpubDBczqcKxSvrezSozjdv21fSfLXmEnyLCDxBb9A22yXcaFmkDcnVJP2syjrumiLKtQcEetEv6ZFPPovGqPE5bNrHRciSW6boYpuSbJDSfDdW/*)#3sg97vc2" '[0,0]'
[
  "bcrt1qlkhpgdpkyla20g93l584d3mqjdcu825xpk39ep"
]
deriveaddresses "wpkh(tpubDBGgPrhqnbqdWuUNXztnbJdH3iCK2AoS2MJj7bccVL8y3YSoraMPHA36hjHwxsksZEL3JSCTcqjxv9VsrDZPvUXx8xfE4R4qe5khzYQSAYm/*)#fezyzwky" '[0,0]'
[
  "bcrt1qxa5zyrzkl9e5uahmlldp6h0qf76e7t6s47apxu"
]
getaddressinfo bcrt1q8t7qh9352u2yr47rnnzyqqtq84wzzvtet7kx4s
{
  "address": "bcrt1q8t7qh9352u2yr47rnnzyqqtq84wzzvtet7kx4s",
  ...
  "pubkey": "03653c0ef54ee8804b3a8281715d65d4ab648ed211278fca83433ce8ec2e2df6e9",
  ...
}
getaddressinfo bcrt1qlkhpgdpkyla20g93l584d3mqjdcu825xpk39ep
{
  "address": "bcrt1qlkhpgdpkyla20g93l584d3mqjdcu825xpk39ep",
  ...
  "pubkey": "022b23244f6ff3614f808850e877338f301f6f7c2b64c418e9adb04327f39192ea",
  ...
}
getaddressinfo bcrt1qxa5zyrzkl9e5uahmlldp6h0qf76e7t6s47apxu
{
  "address": "bcrt1qxa5zyrzkl9e5uahmlldp6h0qf76e7t6s47apxu",
  ...
  "pubkey": "03beaf3cd36e0d4a2ed9b3c6065cc63725da644922f0a47d72a8105e7e75846fe4",
  ...
}
createmultisig 2 '["022b23244f6ff3614f808850e877338f301f6f7c2b64c418e9adb04327f39192ea","03653c0ef54ee8804b3a8281715d65d4ab648ed211278fca83433ce8ec2e2df6e9","03beaf3cd36e0d4a2ed9b3c6065cc63725da644922f0a47d72a8105e7e75846fe4"]' 'bech32'
{
  "address": "bcrt1qxxy0vyalwl889eyzdeq6m8l4tlfhj5jknkwa34wp4279ztwsrars36v26t",
  "redeemScript": "5221022b23244f6ff3614f808850e877338f301f6f7c2b64c418e9adb04327f39192ea2103653c0ef54ee8804b3a8281715d65d4ab648ed211278fca83433ce8ec2e2df6e92103beaf3cd36e0d4a2ed9b3c6065cc63725da644922f0a47d72a8105e7e75846fe453ae",
  "descriptor": "wsh(multi(2,022b23244f6ff3614f808850e877338f301f6f7c2b64c418e9adb04327f39192ea,03653c0ef54ee8804b3a8281715d65d4ab648ed211278fca83433ce8ec2e2df6e9,03beaf3cd36e0d4a2ed9b3c6065cc63725da644922f0a47d72a8105e7e75846fe4))#8fkrjns3"
}

If you change anything, then you will see a different address, even if you just shuffle your keys:

Code:

createmultisig 2 '["03653c0ef54ee8804b3a8281715d65d4ab648ed211278fca83433ce8ec2e2df6e9","022b23244f6ff3614f808850e877338f301f6f7c2b64c418e9adb04327f39192ea","03beaf3cd36e0d4a2ed9b3c6065cc63725da644922f0a47d72a8105e7e75846fe4"]' 'bech32'
{
  "address": "bcrt1qny6hxj8kkuxfrqxrj2k0cy47za5585pkj46p3daeg8qxl9jtelpsepqaan",
  "redeemScript": "522103653c0ef54ee8804b3a8281715d65d4ab648ed211278fca83433ce8ec2e2df6e921022b23244f6ff3614f808850e877338f301f6f7c2b64c418e9adb04327f39192ea2103beaf3cd36e0d4a2ed9b3c6065cc63725da644922f0a47d72a8105e7e75846fe453ae",
  "descriptor": "wsh(multi(2,03653c0ef54ee8804b3a8281715d65d4ab648ed211278fca83433ce8ec2e2df6e9,022b23244f6ff3614f808850e877338f301f6f7c2b64c418e9adb04327f39192ea,03beaf3cd36e0d4a2ed9b3c6065cc63725da644922f0a47d72a8105e7e75846fe4))#ju9j3xhz"
}

As you can see, the address is different, even if you just put the same keys in a different order. So, if all wallets will have all xpubs, then they will know upfront, that on index zero, they should get bcrt1qxxy0vyalwl889eyzdeq6m8l4tlfhj5jknkwa34wp4279ztwsrars36v26t. If they will get something else, then they will reject it. So, you can only compromise the system by having a weak xprv. But then, it will be just as safe as 1-of-2 multisig on remaining keys.

[Bitcoiner2023]

Then, public keys are known by all wallets, and if any of them is compromised, then it will show you a different address. Each public key should be known by each wallet, the only difference is which private keys they have.

What if you can't store the public keys of all cosigners on the hardware wallet?
Or can this be stored at every HWW?
Would you then see the wrong address on all devices?

[garlonicon]

What if you can't store the public keys of all cosigners on the hardware wallet?

You should. If you cannot, then you can see, why hardware wallets are worse than software wallets.

Would you then see the wrong address on all devices?

If you cannot store all xpubs, then you cannot verify a new address. More than that: you cannot even create it, because how are you supposed to do that?

And then, the question is: how this hardware wallet can support multisig properly, if it doesn't have required features?

[Zaguru12]

All 3 are mine, and all 3 have been hired as CoSigners.
The problem here is based on:
If I install an update and that update infects my wallet with malicious code.

I thought that the 2 other wallets would show me the correct address, but the post I read says that all 3 wallets show the same address even if it is wrong.

If I get your question correct you ask of there is exploit on one of the co-signer’s public what will happen to the address, if this  I think the address of that wallet will change. It is the combination of all the public keys that actually generate that address so one of them Changing simply means it is not the same again. It is the major reason why you even safe or backup the public keys of other co-signer with your own seed phrase or private key. The wallet is restored with the three public key wallets and as such an exploited public key is different from the original public which means it will create a different address