Multisig is not safe, what’s the best alternative?

Intro

With the rise of cryptocurrency as a way of managing assets came a huge concern: security. Regular currency is held in banks, which are long-standing and protected institutions. There are established mechanisms for guarding both personal assets and pooled assets such as those of companies and organizations. Holding funds on the open internet, on the other hand, can pose a major security risk. That risk prompted the need for security measures, among them cold storage, multisig wallets, multi-party computation (MPC), and other types of wallet and key backup methods.

However, as the crypto world adapts to the ever-growing threats to its safety, more and more methods have sprung up to address flaws in current practices. The ever-growing risk of rug pulls (see our ‘Stop Rug-Pull’ article to learn how you can stop them) demands that safer and more accessible methods be used to protect assets in web3, especially community-owned assets, also known as a treasury, which we will discuss further in this article.

Let’s start with a little background on what the industry standards are right now, and what the issues are with these approaches.

What is Multisig?

As the name suggests, a multisig or multi-signature wallet requires multiple signatures or keys in order to access the wallet. The first multisig wallet was launched by BitGo in 2013, and it was followed by other companies such as Circle, Coinbase and Armory, among others. The basic idea of the security system is that it works like a safety deposit box, where no one entity holds all the keys. This means that the keys are held by different parties, and there is no “single point of failure”.

In practice, multisig wallets have a setting called M-of-N, which indicates how many signatures (M) out of the total number of keys (N) are needed in order to access the wallet. For example, a 2-of-2 wallet requires both keys to access the wallet, while a 1-of-2 wallet requires only one. With this, a multisig wallet doesn’t depend on a single device, that single point of failure, and is instead distributed across different devices and sometimes people. This method is often used by existing companies, organizations and DAOs to manage their treasury. One notable platform providing a multisig service is Gnosis Safe.

While this may sound great in theory, there are a number of setbacks that take away from what this method offers.

Setbacks of Multisig

1/ Inflexibility

Multisigs may seem like all that, but in practice they are difficult to create. Building a multisig wallet and getting it right takes immense skill and knowledge. And after all that time and effort, it turns out that multisig wallets, once coded, are quite inflexible! Multisig contracts rely on a set of instructions that execute once the right number of “votes” have been cast for the transaction. This logic is difficult to change, and if one decides to change their M-of-N preferences, it can take immense skill to do so. A decentralized organization might ease the situation by using Gnosis Safe. However, with members entering and leaving at will, switching the signers needs the approval of the existing signers, which is ironic in many cases.

2/ Inefficient to Execute

With an M-of-N approach, a massive flaw comes into play, especially with a higher ‘M’. Since each key that unlocks the wallet sits on a different device, and no one party holds all the keys, the process can become extremely inefficient. Each party has to access the wallet and approve transactions within a certain period, which can take days to coordinate. This creates key man or key person risk: the efficiency of every transaction depends on the few keyholders who are critical in approving it.

This kind of operation is not ideal at either a small or a large scale. For small transactions, you won’t want to waste precious time gathering all signers to approve them on the Gnosis Safe. On a larger scale, an organization will suffer from an efficiency bottleneck just from waiting for signers to approve transactions – what madness!

3/ Multisig is not safe

The biggest concern with multisig is its security risk, with the possibility of rug pulls being imminent. Depending on the multisig itself, it can mean that only a few key individuals are able to access the entire treasury and conduct transactions with full control, leaving the treasury or their Gnosis Safe vulnerable to rug pulls.

Upcoming alternatives to Multisig – are they safe (MPC)?

So if multisig is not safe, then what is? Multi-Party Computation, or MPC, is a new alternative for dealing with private keys. Googling “Multisig vs MPC”, you will get many technical explanations of how MPC breaks up private keys into different compartments. (When a transaction is needed, the separated keys never join together, but rather use mathematical algorithms to validate the transaction.) All in all, MPC tries to innovate in how keys are separated, and to minimize the single point of failure of private keys.

However, “minimize” isn’t “eliminate”: both multisig and MPC still run M-of-N scenarios. Rug pulls and actions that go against the treasury owners’ will are still very possible. Thinking from first principles, should we just guard a treasury with mere transaction signatures? Is Gnosis Safe really safe with multisig? Is this how humans should interact with a treasury? Is the inefficiency affecting human productivity? Definitely.

The best option – a wisdom as old as time: Budgets

After exhausting the above options, we’ve realized that the smartest and safest option is a wisdom as old as time: Budgets. Rather than focusing on the action performed to execute transactions, a budget, as an alternative, focuses on the kinds of transactions and grants approval beforehand.

Applied on-chain, the concept of a Budget can replace multisig by setting a conditional framework for future transactions, meaning transactions can be pre-approved without the need to sign and execute every transaction each time. Using budgets also means that transactions are COMPLETELY decentralized, and there’s no reliance or burden on multisig signers in order to pass something.

To put this in perspective, let’s imagine a series of proposals every month trying to get approved through multisig vs. budgets. Each transaction on multisig would require all signers to be on their given device signing each and every transaction, incurring a huge operational cost. With a budget, the framework is approved in one go and the executor has the freedom to act within it during the time window: a true alternative to multisig wallets like Gnosis Safe.
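The M-of-N approval described earlier and the pre-approved framework described above can be modelled together, as an added example that is not ADAM Vault's or Gnosis Safe's code. The `Budget` class, its field names (executor, token, cap, time window) and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class Budget:
    """Toy model of a pre-approved budget; all field names are assumptions."""
    executor: str        # the stated executor address
    token: str           # asset the budget covers
    cap: int             # total amount spendable under this budget
    start: int           # time window start (unix seconds)
    end: int             # time window end (unix seconds)
    threshold: int       # M: member approvals required
    members: frozenset   # N: addresses allowed to vote
    approvals: set = field(default_factory=set)
    spent: int = 0

    def approve(self, member: str) -> bool:
        """Record one vote; returns True once M-of-N approvals are in."""
        if member not in self.members:
            raise PermissionError("not a vault member")
        self.approvals.add(member)  # set: a repeated vote counts once
        return self.active()
    def active(self) -> bool:
        return len(self.approvals) >= self.threshold

    def spend(self, caller: str, token: str, amount: int, now: int) -> int:
        """One transfer with no new signatures; returns remaining allowance."""
        if not self.active():
            raise PermissionError("budget not approved")
        if caller != self.executor:
            raise PermissionError("caller is not the stated executor")
        if token != self.token:
            raise ValueError("token not covered by this budget")
        if not self.start <= now <= self.end:
            raise ValueError("outside the budget time window")
        if amount <= 0 or self.spent + amount > self.cap:
            raise ValueError("amount exceeds remaining budget")
        self.spent += amount
        return self.cap - self.spent

def demo() -> list:
    """Constructed scenario: 2-of-3 approval, then three spend attempts."""
    b = Budget("0xExec", "USDC", 1000, 100, 200, 2, frozenset({"a", "b", "c"}))
    out = [b.approve("a"), b.approve("a"), b.approve("b")]  # duplicate vote ignored
    out.append(b.spend("0xExec", "USDC", 400, now=150))     # within framework
    for args in (("0xExec", "USDC", 700, 150), ("0xEve", "USDC", 1, 150)):
        try:
            b.spend(*args)
        except (PermissionError, ValueError) as e:
            out.append(type(e).__name__)
    return out
```

In this model the cap, token and time window bound what the executor key can move once the budget is approved; the member vote still happens, but once per budget rather than once per transaction.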

Using the Budget system for your treasury

Currently, the Budget system for treasuries is only available on ADAM Vault. With a graphical user interface, the Budget solution is easily accessible and convenient to use on ADAM Vault. All you have to do is create a Vault and inject assets into it. By default, the only way to control the outflow of assets from your Vault is by creating Budget Proposals. After configuration, the Budget needs to be approved by the members of the Vault. If approved, the Budget can be executed by the stated executor, which can be a single address or a team.