In cryptocurrencies, multisig feature allows to sign a transaction with more than one private key. Funds protected with multisig can only be spent by signing with M-of-N keys.
* shared account (1-of-2; both husband and wife individually have full access to their funds)
* consensus account (2-of-2; both husband and wife must agree to spend their funds)
* threshold account (2-of-3; an escrow service is involved as an independent 3rd party, to co-sign with either the seller, or with the buyer, if seller and buyer do not agree)
Monero doesn't directly implement multisignatures (at least not in a classical sense). Monero emulates the feature by secret splitting.
Transactions are still signed with a single spend key. The spend key is a sum of all N private keys. The rationale for such design is to decouple multisig from ring signatures.
Let's consider the 2-of-3 scheme. We have 3 participants. Each participant is granted exactly 2 private keys in a way that pairs do not repeat between participants. This way any 2 participants together have all 3 private keys required to create the private spend key.
Multi-signing is a wallet-level feature, and there is no separate multisig address type. This means there is no way to learn from the blockchain which transactions were created using multiple signatures.
After multisig wallet setup every participant ends up knowing the public address and private view key. This is necessary for participants to recognize and decipher transactions they are supposed to co-sign.
Multisig is currently only available via the Command Line Interface (CLI). This tutorial will assume you have some familiarity with the CLI before beginning.
If you're not already familiar with stagenet, it is a separate, but functionally identical instance of the Monero network, created for testing purposes. To use it you simply add the --stagenet flag when creating and running your stagenet wallet.
### 1: Create a new wallet
To begin you will need to create a new wallet. Multisig cannot be applied to a wallet that has previously received funds.
First you create a new wallet. The below the code assumes you're using a remote node, but using a local node is ideal:
```
./monero-wallet-cli --stagenet --daemon-address address-URL # Create your wallet
```
In the above, replace address-URL with the actual URL that you want to connect to. At the time of writing, a list of remote nodes can be found at: [monero.fail](https://monero.fail). The default view shows mainnet servers, so make sure to filter by stagenet servers first.
If you don't set this flag, then try to issue the first command, you will see:
```
Error: Multisig is disabled.
Error: Multisig is an experimental feature and may have bugs. Things that could go wrong include: funds sent to a multisig wallet can't be spent at all, can only be spent with the participation of a malicious group member, or can be stolen by a malicious group member.
This warning message is there to let people know that Multisig is still an experimental feature and may have bugs. You can [read more](#warning) about this message below.
**Recommendation:** By default the CLI applies a screen timeout of 90 seconds. After which, you will be asked to input your password to continue using the wallet. Unfortunately, once the wallet times out, it interrupts the multisig creation process.
To extend the timeout to 10 minutes, use the command:
```
set inactivity-lock-timeout 600
```
To disable the timeout entirely (for this session only), use the command:
```
set inactivity-lock-timeout 0
```
### 2: prepare_multisig
To begin, every participant independently generates **initialization data**, which is **not** an address.
Participants then send their initialization data manually to all other participants over a secure channel.
However, if you're creating the multisig wallet without external participants, then you simply transfer the data between terminal windows.
Begin by using the command:
```
prepare_multisig
```
**Note:** if you try to use this command on a wallet that has already been used, you will see the error message:
```
Error: This wallet has been used before, please use a new wallet to create a multisig wallet
```
After prepare_multisig you will see a message that looks similar to the below:
The long string that begins Multisig is important, and will be shared with the other wallets in the next step.
Before you move to the next step, you'll want to run the **prepare_multisig** command on the rest of the wallets you want to use in your multisig setup. For example, 2 more if you're doing a 2/3 multisig.
This command is where you set the threshold for your multisig wallet and then pass the initialization data from the other participants. The initialization data is the long string beginning **Multisig** mentioned above.
For example, if you're doing a 2 of 2 multisig, then your threshold is 2 and you'll pass 1 piece of data. If you're doing a 3 of 5 multisig, then your threshold is 3 and you'll pass 4 pieces of data.
Continuing with our 2/3 multisig example, you would then type into your CLI:
**Side note:** If you make a mistake, such as inputting the wrong threshold or missing out some initialization data, there isn't an undo function. That individual wallet will get created incorrectly, and you will need to re-do it.
With the threshold established in the prior command, the exchange_multisig_keys command simply takes the init data from the other participants, no threshold parameter needed.
This means that you haven't synchronized your wallet with the threshold amount of wallets needed (1 other in the case of 2/3 multisig) for the outputs to become spendable.
Prior to explaining the process for spending multisig funds, it may help to have a high level overview of the process. There are two core steps:
1) **First, the sharing of partial key-images** - At minimum, the spender needs to get a partial key image from the people (1 or more) who will sign the transaction with him later. They need to export a file and share it with the future spender, who then imports the file to their wallet.
2) **Second, creating, signing & submitting the transaction** - A transfer is created, written to file, and then this file needs to be signed by the co-signers, before it can lastly be submitted to the network.
Prior to constructing a transaction, the spender will need to get a partial key image from the wallet or wallet**s** which will later co-sign the transaction.
In our 2/3 multisig example, the spender needs to get 1 partial key image, because the threshold is 2.
The wallet that will provide the partial key image needs to enter the command:
```
export_multisig_info key1
```
Where **key1** can be any filename. The output will then be:
```
Multisig info exported to key1
```
The file will be saved to the present working directory in the terminal.
It then needs to be shared with the wallet which will create the spending transaction.
**Preparation Step 2: Import partial key image**
Now that the spending wallet has the partial key image it can import it. Assuming the file is in the present working directory, the command would be:
```
import_multisig_info key1
```
If two or more key images were being imported, you would specify them side by side, such as:
```
import_multisig_info key1 key2 key3
```
After issuing that command, the wallet will display how many new inputs it has verified, for example if 1 output is verified:
Multisig info imported. Number of outputs updated: 1
```
### Spending
**Spending Step 1 - Create Unsigned Transaction**
Creating a new transaction can be done by **any** of the multisig wallets. However, to avoid weird things from happening, only do it for 1 transaction at a time. If anything weird happens, re-do steps 1 & 2 again to fix.
The wallet initiating the transfer should create a transfer, as per the normal CLI transfer process:
```
transfer <address><amount>
```
So for example:
```
[wallet 56MD1L]: transfer 72Qv1pqug5rX1qS77Bj9C4XBbrvdYRJLM6769bseDytqVZWV2iQxGDnZ85KmubdiCQgtZjeb4fPdUNGq8Foae5b1Bo77T64 5
Wallet password:
Transaction 1/1:
Spending from address index 1
Sending 5.000000000000. The transaction fee is 0.000167640000
Is this okay? (Y/Yes/N/No): Yes
```
The output will look like:
```
Unsigned transaction(s) successfully written to file: multisig_monero_tx
```
The present working directory will now contain a file named **multisig_monero_tx**, which should then be shared with the co-signer.
**Spending Step 2 - Sign Transaction**
The wallet that has been chosen to co-sign the transaction now needs to run the command:
```
sign_multisig multisig_monero_tx
```
Which will result in an output similar to:
```
Loaded 1 transactions, for 10.000000000000, fee 0.000167640000, sending 5.000000000000 to 72Qv1pqug5rX1qS77Bj9C4XBbrvdYRJLM6769bseDytqVZWV2iQxGDnZ85KmubdiCQgtZjeb4fPdUNGq8Foae5b1Bo77T64, 4.999832360000 change to 56MD1L4zky3bFXDQb9qvSx7PDbg8F4x1HgPrFNrDnGnYDqFZcWGswWc1p2moFa1F44ccJniY9Wkzk6urkJbEDvubHqYtkcs, with min ring size 16, dummy encrypted payment ID. Is this okay? (Y/Yes/N/No): y
Transaction successfully signed to file multisig_monero_tx, txid 82132a4302188b15c87916c05df79755dafb9ada78c39164937c246a4c2dee0a
It may be relayed to the network with submit_multisig
```
**Note:**
Once you synchronize the partial key images, there is a certain time window by which you can create and send your transaction. I'm unsure exactly how long the time window is. If you leave it too long you will see the output:
```
Error: Multisig error: This signature was made with stale data: export fresh multisig data, which other participants must then use
```
The solution is to re-do steps 1 and 2 of the preparation for sending. Once that's completed, you can return to the sending steps.
**Spending Step 3 - Submit Transaction**
Now that your transaction has been co-signed, it is possible to submit it. You can do this from any of the wallets, as long as they have the co-signed multisig_monero_tx file. Using the command:
Loaded 1 transactions, for 10.000000000000, fee 0.000167640000, sending 5.000000000000 to 72Qv1pqug5rX1qS77Bj9C4XBbrvdYRJLM6769bseDytqVZWV2iQxGDnZ85KmubdiCQgtZjeb4fPdUNGq8Foae5b1Bo77T64, 4.999832360000 change to 56MD1L4zky3bFXDQb9qvSx7PDbg8F4x1HgPrFNrDnGnYDqFZcWGswWc1p2moFa1F44ccJniY9Wkzk6urkJbEDvubHqYtkcs, with min ring size 16, dummy encrypted payment ID. Is this okay? (Y/Yes/N/No): y
You can check its status by using the `show_transfers` command.
```
The transaction has now been broadcast to the network. If you want to create another one, you will need to go back to the preparation stage and re-sync the partial key images.
## Mnemonic Seeds
With a regular wallet is it possible to create a mnemonic seed that you can backup, and later use to recreate the wallet.
Fortunately, multisig wallets have the same feature. The only difference is that the seed is a **long string** of letters and numbers, rather than a set of dictionary words. Unfortunately, it needs to encode too much data to fit neatly into the regular mnemonic seed dictionary output.
To access your wallet seed, open the wallet within the CLI and type **seed**. You will see an output similar to this:
```
NOTE: the following string can be used to recover access to your wallet. Write them down and store them somewhere safe and secure. Please do not store them in your email or on file storage services outside of your immediate control.
## <a id="warning"></a>About the experimental feature warning message
Prior to a pull request in mid 2022 ([PR #8149](https://github.com/monero-project/monero/pull/8149)) Monero's multisig feature had some known bugs.
PR #8149 fixed these issues, including findings identified by an [independent audit](https://github.com/monero-project/monero/pull/8149#issuecomment-1167912258) of multisig.
However, there is still a possibility of a yet **unknown** bug that would allow a malicious group member, in a worst-case scenario, to acquire all funds within the multisig wallet.
Two potential steps to get Monero's multisig implementation further tested and more secure would be the completion of a formal specification and a third-party audit. However, there is currently no timeline for this.
It's worth noting that the risks implied by this unknown bug scenario depend upon the individual use-case. For example:
a) If one planned to use multisig in collaboration with other people, then this risk is there.
b) If one planned to use multisig solely to shard a cold wallet, and store it in multiple locations, then this risk may be lessened. On the basis that it requires two coincidences to come together:
i) A malicious actor who has the capability to exploit an unknown bug in Monero's multisig.
ii) This malicious actor is then able to access one of the, presumably secured, multisig wallets.
However, if an exploit was made public knowledge, then the risk increases, because the attacker no longer needs to figure out the exploit, they simply need to locate your wallet and then implement the public exploit.
Thus, if one took the risk to use multisig in method b), they would be prudent to stay up to date on multisig development. Such that they would learn quickly if such an exploit was discovered.
The below guides are very detailed, and were formative in the creation of this document. Note that they are both a little out of date, as a few of the CLI commands have been updated in the interim.