From 34cebf67ceb1f2c46546ee607ae68fa691212ed5 Mon Sep 17 00:00:00 2001 From: johnr365 <67366109+johnr365@users.noreply.github.com> Date: Thu, 26 Jan 2023 16:50:10 +0000 Subject: [PATCH 1/4] First update of the multisig document --- docs/multisignature.md | 337 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 310 insertions(+), 27 deletions(-) diff --git a/docs/multisignature.md b/docs/multisignature.md index dfbbb84..89ce839 100644 --- a/docs/multisignature.md +++ b/docs/multisignature.md @@ -10,10 +10,10 @@ Example use cases: * shared account (1-of-2; both husband and wife individually have full access to their funds) * consensus account (2-of-2; both husband and wife must agree to spend their funds) * threshold account (2-of-3; an escrow service is involved as an independent 3rd party, to co-sign with either the seller, or with the buyer, if seller and buyer do not agree) -* secure account (2-of-3; a single owner controlls all 3 keys but secures them via a different means to diversify risks) +* secure account (2-of-3; a single owner controls all 3 keys but secures them via a different means to diversify risks) * arbitrary threshold account (M-of-N; some cryptocurrencies provide full flexibility on the number of signers) -## Monero multisignature +## Monero's multisig design Monero doesn't directly implement multisignatures (at least not in a classical sense). Monero emulates the feature by secret splitting. @@ -29,57 +29,340 @@ After multisig wallet setup every participant ends up knowing the public address ## Multisig wallet setup -Multisig feature is only available via a command line wallet. You should be familiar with the CLI wallet before playing with multisig. +Multisig is currently only available via the Command Line Interface (CLI). This tutorial will assume you have some familiarity with the CLI before beginning. -Let's consider a 2-of-3 scheme as it generalizes well. +In this example we will use a 2-of-3 multisig scheme, as it generalizes well. -### 0. Open your wallet +Initially, while you're becoming familiar with multisig, it's suggested you begin by using **stagenet**, such that no valuable Monero are lost. -Access your (stagenet) wallet: +If you're not already familiar with stagenet, it is a separate, but functionally identical instance of the Monero network, created for testing purposes. To use it you simply add the --stagenet flag when creating and running your stagenet wallet. + +### 1: Create a new wallet + +To begin you will need to create a new wallet. Multisig cannot be applied to a wallet that has previously received funds. + +First you create a new wallet. The below the code assumes you're using a remote node, but using a local node is ideal: ``` -./monerod --stagenet --daemon # Run your full node; make sure it is fully synced -./monero-wallet-cli --stagenet --wallet-file=... # Run your wallet; make sure you have some funds to play with +./monero-wallet-cli --stagenet --daemon-address address-URL # Create your wallet ``` -### 1. prepare_multisig +In the above, replace address-URL with the actual URL that you want to connect to. At the time of writing, a list of remote nodes can be found at: [monero.fail](https://monero.fail). The default view shows mainnet servers, so make sure to filter by stagenet servers first. -Every participant independently generates **initialization data**. This is **not** an address. +Next, **enable** multisig via: -Every participant sends his initialization data manually to all other participants over secure channel. +``` +set enable-multisig-experimental 1 +``` -### 2. make_multisig +**Recommendation:** By default the CLI applies a screen timeout of 90 seconds. After which, you will be asked to input your password to continue using the wallet. Unfortunately, once the wallet times out, it interrupts the multisig creation process. -Every participant applies initialization data from other participants. This results in a **second round of initialization data**. This is still **not** an address. +To extend the timeout to 10 minutes, use the command: -Every participants sends his second round of init data to all other participants over secure channel. +``` +set inactivity-lock-timeout 600 +``` -### 3. finalize_multisig +To disable the timeout entirely (for this session only), use the command: -Every participant finalizes wallet creation by applying the second round of init data from all other participants. This finally results in a wallet **public address** and **private view key** to be known for all participants. +``` +set inactivity-lock-timeout 0 +``` -Please note actions are symmetric for all participants. Even though we considered a 2-of-3 scheme, every participant cooperates with everyone else. The secret splitting is performed internally by the wallet. +### 2: prepare_multisig -Secure sharing of initialization data between participants is manual. The wallet itself does not provide any secure communication channel. This is out of scope. +To begin, every participant independently generates **initialization data**, which is **not** an address. + +Participants then send their initialization data manually to all other participants over a secure channel. + +However, if you're creating the multisig wallet without external participants, then you simply transfer the data between terminal windows. + +Begin by using the command: + +``` +prepare_multisig +``` + +**Note:** if you try to use this command on a wallet that has already been used, you will see the error message: + +``` +Error: This wallet has been used before, please use a new wallet to create a multisig wallet +``` + +After prepare_multisig you will see a message that looks similar to the below: + +``` +MultisigxV2R1C9Bd2LNS9oDXLwDWbVbWc53nfUJpFnQqPDDtHksVVrY33DADgnhKetL5Swgk477uP1AENAy2pz11zW73NGqZojTai2TSDyARK3QR8uVt1t26oW21mFdZtd8iuNqTPBjuCc2q9jaRzqUG75rXtnn8eD5DwJX6NaMP63o2n2fta7dXZcpM +Send this multisig info to all other participants, then use make_multisig [...] with others' multisig info +This includes the PRIVATE view key, so needs to be disclosed only to that multisig wallet's participants +``` + +As the instructions above say, you then want to share this initialization data (the long string that begins Multisig) with the other multisig participants. + +### 3: make_multisig + +This command is where you set the threshold for your multisig wallet and then pass the initialization data from the other participants. + +For example, if you're doing a 2 of 2 multisig, then your threshold is 2 and you'll pass 1 piece of data. If you're doing a 3 of 5 multisig, then your threshold is 3 and you'll pass 4 pieces of data. + +Continuing with our 2/3 multisig example, you would then type into your CLI: + +``` +make_multisig 2 +``` + +With the number **2** above being our threshold, and the parameters **** and **** being the initialization data you received via the other wallets which ran prepare_multisig. + +If you were doing a 3/5 multisig, you'd instead run: + +``` +make_multisig 3 +``` + +Once this command is run on each wallet, you will then receive a second round of initialization data, that looks something like: + +``` +Another step is needed +MultisigxV2Rn1LVYohry597ZfzPhWnuL6qcueBNdq4ivrP7zqDm4W5eKBhxgdcERcSvFs8F5EkLSuYFyKfBEeh4Fui6xHTeRqb7cWshXY96WruxMaSxMafTdPn48ko52e8UHvA4kWwpuPidBYg5dyVWoQLWgqCMDANxWnjhenw6HTwpT96yB8n1a16oQEYyQWg66r2sZHi9RMmivTsihnMq66rTHKPKKau1SHButDwQ +``` + +**Side note:** If you make a mistake, such as inputting the wrong threshold or missing out some initialization data, there isn't an undo function. That individual wallet will get created incorrectly, and you will need to re-do it. + +### 4: exchange_multisig_keys + +With the threshold established in the prior command, the exchange_multisig_keys command simply takes the init data from the other participants, no threshold parameter needed. + +For example: + +``` +exchange_multisig_keys +``` + +It is either run once or twice in total. + +Once if your wallet has the same threshold as the total number of participants, e.g. 2 of 2. + +Twice if you have a different threshold, e.g. 2 of 3. + +Continuing our 2/3 multisig example, after inputting the above exchange_multisig_keys command, we would then see: + +``` +Another step is needed +MultisigxV2Rn1WCSNqbsjuTXaPVfFsk3ekFF444yFN5PMCXcQHv1Pv794ZdkDZRnfVGgeP5JwpysR3ingQtQMMnmQDEXnP4qgdnh3SU2NXvfe7kMaSxMafTdPn48ko52e8UHvA4kWwpuPidBYg5JdJwdEAh8Ud7kBFX34zP33ZBbrYXcQbQKTcM3XQ8AEP8bVXHVqQSGzkAkjZRp3H63k6ZSXSYdH9WaC9pdr9FV3tx +Send this multisig info to all other participants, then use exchange_multisig_keys [...] with others' multisig info +``` + +Then for a second, and last time, we input: + +``` +exchange_multisig_keys +``` + +And we receive back: + +``` +Multisig wallet has been successfully created. Current wallet type: 2/3 +Multisig address: 56MD1L4zky3bFXDQb9qvSx7PDbg8F4x1HgPrFNrDnGnYDqFZcWGswWc1p2moFa1F44ccJniY9Wkzk6urkJbEDvubHqYtkcs + +``` + +This results in a wallet **public address** and **private view key** to be known for all participants. + +Please note: + +- Actions are symmetric for all participants. Every participant cooperates with everyone else. The secret splitting is performed internally by the wallet. +- Secure sharing of initialization data between participants is manual. The wallet itself does not provide any secure communication channel. ## Receiving funds -Address built by multisig setup is like any other address. +### 1: Funding the Multisig Account -You can generate integrated addresses and subaddresses based on it. +Fortunately, addresses created by a multisig wallet operate the same as normal, non-multisig addresses. This means: -All participants are able to see incoming funds as they share the private view key. +- Each wallet can create subaddresses independently, no collaboration needed. -With a CLI, use the following commands to see incoming payments: +- All participants can see incoming funds as they share the private view key. - address - refresh - show_transfers +The main difference comes when trying to spend funds from a multisig wallet. See the **Spending Funds** section below for how to do this. + +### 2: Check Account Balance + + +To check the account balance, open one of the multisig wallets and type the **refresh** command. + +This will refresh the wallet and display your balance. The output will look similar to the below, but with a different amount: + +``` +Starting refresh... +Refresh done, blocks received: 0 +Currently selected account: [0] Primary account +Tag: (No tag assigned) +Balance: 10.000000000000, unlocked balance: 10.000000000000 (Some owned outputs have partial key images - import_multisig_info needed) +``` + +If you see that last sentence: +``` +(Some owned outputs have partial key images - import_multisig_info needed) +``` +this means that you haven't synchronized your wallet with the threshold amount (1 other in the case of 2/3 multisig) needed for the outputs to become spendable. + +You can also use the command **show_transfers** to display a list of funds received and the transfer date, with the output looking similar to: + +``` + 1263592 in unlocked 2023-01-09 21:13:59 10.000000000000 c5a3eec347401b1e263f45577b840c036568aa841eb2ebc6eb1332c1bc281f28 0000000000000000 0.000000000000 76Matb:10.000000000000 1 - +``` ## Spending funds -TODO +Prior to explaining the process for spending multisig funds, it may help to have a high level overview of the process. There are two core steps: -## Reference +1) **First, the sharing of partial key-images** - At minimum, the spender needs to get a partial key image from the people (1 or more) who will sign the transaction with him later. They need to export a file and share it with the future spender, who then imports the file to their wallet. + +2) Preparing / Signing / Submitting the transaction - + + +### Preparation for spending + +**Preparation Step 1: Export partial key image** + +Prior to constructing a transaction, the spender will need to get a partial key image from the wallet or wallet**s** which will later co-sign the transaction. + +In our 2/3 multisig example, the spender needs to get 1 partial key image, because the threshold is 2. + +The wallet that will provide the partial key image needs to enter the command: + +``` +export_multisig_info key1 +``` + +Where **key1** can be any filename. The output will then be: + +``` +Multisig info exported to key1 +``` + +The file will be saved to the present working directory in the terminal. + +It then needs to be shared with the wallet which will create the spending transaction. + +**Preparation Step 2: Import partial key image** + +Now that the spending wallet has the partial key image it can import it. Assuming the file is in the present working directory, the command would be: + +``` +import_multisig_info key1 +``` + +If two or more key images were being imported, you would specify them side by side, such as: + +``` +import_multisig_info key1 key2 key3 +``` + +After issuing that command, the wallet will display how many new inputs it has verified, for example if 1 output is verified: + +``` +Height 1263592, txid , 10.000000000000, idx 0/1 +Multisig info imported. Number of outputs updated: 1 +``` + +### Spending + +**Spending Step 1 - Create Unsigned Transaction** + +Creating a new transaction can be done by **any** of the multisig wallets. However, to avoid weird things from happening, only do it for 1 transaction at a time. If anything weird happens, re-do steps 1 & 2 again to fix. + +The wallet initiating the transfer should create a transfer, as per the normal CLI transfer process: + +``` +transfer
+``` + +So for example: + +``` +[wallet 56MD1L]: transfer 72Qv1pqug5rX1qS77Bj9C4XBbrvdYRJLM6769bseDytqVZWV2iQxGDnZ85KmubdiCQgtZjeb4fPdUNGq8Foae5b1Bo77T64 5 +Wallet password: + +Transaction 1/1: +Spending from address index 1 +Sending 5.000000000000. The transaction fee is 0.000167640000 + +Is this okay? (Y/Yes/N/No): Yes +``` + +The output will look like: + +``` +Unsigned transaction(s) successfully written to file: multisig_monero_tx +``` + +The present working directory will now contain a file named **multisig_monero_tx**, which should then be shared with the co-signer. + + +**Spending Step 2 - Sign Transaction** + +The wallet that has been chosen to co-sign the transaction now needs to run the command: + +``` +sign_multisig multisig_monero_tx +``` + +Which will result in an output similar to: + +``` +Loaded 1 transactions, for 10.000000000000, fee 0.000167640000, sending 5.000000000000 to 72Qv1pqug5rX1qS77Bj9C4XBbrvdYRJLM6769bseDytqVZWV2iQxGDnZ85KmubdiCQgtZjeb4fPdUNGq8Foae5b1Bo77T64, 4.999832360000 change to 56MD1L4zky3bFXDQb9qvSx7PDbg8F4x1HgPrFNrDnGnYDqFZcWGswWc1p2moFa1F44ccJniY9Wkzk6urkJbEDvubHqYtkcs, with min ring size 16, dummy encrypted payment ID. Is this okay? (Y/Yes/N/No): y +Transaction successfully signed to file multisig_monero_tx, txid 82132a4302188b15c87916c05df79755dafb9ada78c39164937c246a4c2dee0a +It may be relayed to the network with submit_multisig +``` + +**Note:** +Once you synchronize the partial key images, there is a certain time window by which you can create and send your transaction. I'm unsure exactly how long the time window is. If you leave it too long you will see the output: + +``` +Error: Multisig error: This signature was made with stale data: export fresh multisig data, which other participants must then use +``` + +The solution is to re-do steps 1 and 2 of the preparation for sending. Once that's completed, you can return to the sending steps. + +**Spending Step 3 - Submit Transaction** + +Now that your transaction has been co-signed, it is possible to submit it. You can do this from any of the wallets, as long as they have the co-signed multisig_monero_tx file. Using the command: + +``` + submit_multisig multisig_monero_tx +``` + +You will then see an output similar to: + +``` +[wallet 56MD1L]: submit_multisig multisig_monero_tx +Wallet password: +Loaded 1 transactions, for 10.000000000000, fee 0.000167640000, sending 5.000000000000 to 72Qv1pqug5rX1qS77Bj9C4XBbrvdYRJLM6769bseDytqVZWV2iQxGDnZ85KmubdiCQgtZjeb4fPdUNGq8Foae5b1Bo77T64, 4.999832360000 change to 56MD1L4zky3bFXDQb9qvSx7PDbg8F4x1HgPrFNrDnGnYDqFZcWGswWc1p2moFa1F44ccJniY9Wkzk6urkJbEDvubHqYtkcs, with min ring size 16, dummy encrypted payment ID. Is this okay? (Y/Yes/N/No): y +Transaction successfully submitted, transaction <82132a4302188b15c87916c05df79755dafb9ada78c39164937c246a4c2dee0a> +You can check its status by using the `show_transfers` command. +``` + +The transaction has now been broadcast to the network. If you want to create another one, you will need to go back to the preparation stage and re-sync the partial key images. + +## Mnemonic Seeds + + +With a regular wallet is it possible to create a mnemonic seed that you can backup, and later use to recreate the wallet. + +Fortunately, multisig wallets have the same feature. The only difference is that the seed is a **long string** of letters and numbers, rather than a set of dictionary words. Unfortunately, it needs to encode too much data to fit neatly into the regular mnemonic seed dictionary output. + +To access your wallet seed, open the wallet within the CLI and type **seed**. You will see an output similar to this: + +``` +NOTE: the following string can be used to recover access to your wallet. Write them down and store them somewhere safe and secure. Please do not store them in your email or on file storage services outside of your immediate control. + +020000000300000051512b513c603a023df44e2400ad58b3f4751e2dcba44b1d4316be5adffd330b773b3818a07ab6ccc4ffcee1feed5526296b52f5ea0844eb8562cb3e63e8154c5c91f0cfd102a830d8692cec64e662f7ffac4cb82dd950c891a92a22dc80930ab78dd01a1ec7ed04d90eff530d2af9d4e40670576863492357727c6615620e95d2e962632518d958040b710474a4c944cb3a286e3fe9ad0b1d651ff6d8b4c50c81a74423650210bbcb7b427435e90b3eb494cb108bd148cab56e5352303d55070d35e703217b7b051a96af50c1c912bc372f65a4ffa93631ae009a544106bd5dfcf477573387f159ce6cae10fb2ffe63f55e75ed94d0893ece9b67b0a1cf0fc2034ca04ef7c862494a13237bfaa8e822f824ea59de561353f2ac01fbc279280c +``` + +**Note:** This seed will only recreate the individual wallet it is created from. Each wallet would need to be backed up separately. + +## References * [https://monero.stackexchange.com/questions/5646/how-to-use-monero-multisignature-wallets-2-2-2-3](https://monero.stackexchange.com/questions/5646/how-to-use-monero-multisignature-wallets-2-2-2-3) +* [https://taiga.getmonero.org/project/rbrunner7-really-simple-multisig-transactions/wiki/23-multisig-in-cli-wallet](https://taiga.getmonero.org/project/rbrunner7-really-simple-multisig-transactions/wiki/23-multisig-in-cli-wallet) \ No newline at end of file From eab6d8b0d742c7f2abc20d59fc2b3923fd3c733f Mon Sep 17 00:00:00 2001 From: johnr365 <67366109+johnr365@users.noreply.github.com> Date: Fri, 27 Jan 2023 17:43:54 +0000 Subject: [PATCH 2/4] Completed the first version of the multisig doc update --- docs/multisignature.md | 44 ++++++++++++++++++++++++++---------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/docs/multisignature.md b/docs/multisignature.md index 89ce839..471e902 100644 --- a/docs/multisignature.md +++ b/docs/multisignature.md @@ -21,9 +21,7 @@ Transactions are still signed with a single spend key. The spend key is a sum of Let's consider the 2-of-3 scheme. We have 3 participants. Each participant is granted exactly 2 private keys in a way that pairs do not repeat between participants. This way any 2 participants together have all 3 private keys required to create the private spend key. -Multi-signing is a wallet-level feature. There is no way to learn from the blockchain which transactions were created using multiple signatures. - -It is also worth noting in Monero there is no multisig addresses as such. [Address structure](/public-address/standard-address/) does not care how the underlying private spend key got created. +Multi-signing is a wallet-level feature, and there is no separate multisig address type. This means there is no way to learn from the blockchain which transactions were created using multiple signatures. After multisig wallet setup every participant ends up knowing the public address and private view key. This is necessary for participants to recognize and decipher transactions they are supposed to co-sign. @@ -55,6 +53,15 @@ Next, **enable** multisig via: set enable-multisig-experimental 1 ``` +If you don't set this flag, then try to issue the first command, you will see: + +``` +Error: Multisig is disabled. +Error: Multisig is an experimental feature and may have bugs. Things that could go wrong include: funds sent to a multisig wallet can't be spent at all, can only be spent with the participation of a malicious group member, or can be stolen by a malicious group member. +Error: You can enable it with: +Error: set enable-multisig-experimental 1 +``` + **Recommendation:** By default the CLI applies a screen timeout of 90 seconds. After which, you will be asked to input your password to continue using the wallet. Unfortunately, once the wallet times out, it interrupts the multisig creation process. To extend the timeout to 10 minutes, use the command: @@ -97,11 +104,13 @@ Send this multisig info to all other participants, then use make_multisig ``` -With the number **2** above being our threshold, and the parameters **** and **** being the initialization data you received via the other wallets which ran prepare_multisig. +Which in practice would look similar to: + +``` +make_multisig 2 MultisigxV2R1MyhE1hgED7AFwytsfW44s7G4abNHFKhwfJH9kvB2Q7xNVBdJAyY9gm7eJkHVRo1T3Hb6PeYsyzUrqQsmpBByDq4iRywanpRLxLN2JKuvKPBDayAywAHBzGxdnGiyoXhLdnZiU6Azy3VNocwH1jgfFvYDUUCo7H8mFacnLUFVLC8LjEfz MultisigxV2R1CzwgGBTPxb51nWfvLg7mYPRBnqDgppZq85E745qR1NvGNCLBaHSCmUQ4JRb41tW9PUerAgz9pKHJ5NpKgE6vsZnpLJkCP3u4zwcXJW3UHjABc446jdQegP1hyHnGgJpah8RmdeLcLCAqa6WXgt3xJoz6QF5o66tnCiyJkYyebjWeXV2y +``` If you were doing a 3/5 multisig, you'd instead run: @@ -119,7 +132,7 @@ If you were doing a 3/5 multisig, you'd instead run: make_multisig 3 ``` -Once this command is run on each wallet, you will then receive a second round of initialization data, that looks something like: +Once this command is run on each wallet, you will then receive a second round of initialization data, that looks similar to: ``` Another step is needed @@ -166,18 +179,15 @@ Multisig address: 56MD1L4zky3bFXDQb9qvSx7PDbg8F4x1HgPrFNrDnGnYDqFZcWGswWc1p2moFa ``` -This results in a wallet **public address** and **private view key** to be known for all participants. +This results in a wallet **public address** and **private view key** to be known for all participants. -Please note: - -- Actions are symmetric for all participants. Every participant cooperates with everyone else. The secret splitting is performed internally by the wallet. -- Secure sharing of initialization data between participants is manual. The wallet itself does not provide any secure communication channel. +So if you're the sole participant in the multisig setup, you'll know it has worked when you see the same multisig address across all the wallets. ## Receiving funds ### 1: Funding the Multisig Account -Fortunately, addresses created by a multisig wallet operate the same as normal, non-multisig addresses. This means: +Addresses created by a multisig wallet operate the same as normal, non-multisig addresses. This means: - Each wallet can create subaddresses independently, no collaboration needed. @@ -187,7 +197,6 @@ The main difference comes when trying to spend funds from a multisig wallet. See ### 2: Check Account Balance - To check the account balance, open one of the multisig wallets and type the **refresh** command. This will refresh the wallet and display your balance. The output will look similar to the below, but with a different amount: @@ -204,7 +213,7 @@ If you see that last sentence: ``` (Some owned outputs have partial key images - import_multisig_info needed) ``` -this means that you haven't synchronized your wallet with the threshold amount (1 other in the case of 2/3 multisig) needed for the outputs to become spendable. +This means that you haven't synchronized your wallet with the threshold amount of wallets needed (1 other in the case of 2/3 multisig) for the outputs to become spendable. You can also use the command **show_transfers** to display a list of funds received and the transfer date, with the output looking similar to: @@ -218,7 +227,7 @@ Prior to explaining the process for spending multisig funds, it may help to have 1) **First, the sharing of partial key-images** - At minimum, the spender needs to get a partial key image from the people (1 or more) who will sign the transaction with him later. They need to export a file and share it with the future spender, who then imports the file to their wallet. -2) Preparing / Signing / Submitting the transaction - +2) **Second, creating, signing & submitting the transaction** - A transfer is created, written to file, and then this file needs to be signed by the co-signers, before it can lastly be submitted to the network. ### Preparation for spending @@ -347,7 +356,6 @@ The transaction has now been broadcast to the network. If you want to create ano ## Mnemonic Seeds - With a regular wallet is it possible to create a mnemonic seed that you can backup, and later use to recreate the wallet. Fortunately, multisig wallets have the same feature. The only difference is that the seed is a **long string** of letters and numbers, rather than a set of dictionary words. Unfortunately, it needs to encode too much data to fit neatly into the regular mnemonic seed dictionary output. @@ -364,5 +372,7 @@ NOTE: the following string can be used to recover access to your wallet. Write t ## References +The below guides are very detailed, and were formative in the creation of this document. Note that they are both a little out of date, as a few of the CLI commands have been updated in the interim. + * [https://monero.stackexchange.com/questions/5646/how-to-use-monero-multisignature-wallets-2-2-2-3](https://monero.stackexchange.com/questions/5646/how-to-use-monero-multisignature-wallets-2-2-2-3) * [https://taiga.getmonero.org/project/rbrunner7-really-simple-multisig-transactions/wiki/23-multisig-in-cli-wallet](https://taiga.getmonero.org/project/rbrunner7-really-simple-multisig-transactions/wiki/23-multisig-in-cli-wallet) \ No newline at end of file From ff30812528fd160ca6e26cf41931b2537021f665 Mon Sep 17 00:00:00 2001 From: johnr365 <67366109+johnr365@users.noreply.github.com> Date: Fri, 27 Jan 2023 20:15:07 +0000 Subject: [PATCH 3/4] Added context around the multisig experimental warning message. --- docs/multisignature.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/multisignature.md b/docs/multisignature.md index 471e902..6927ce3 100644 --- a/docs/multisignature.md +++ b/docs/multisignature.md @@ -62,6 +62,12 @@ Error: You can enable it with: Error: set enable-multisig-experimental 1 ``` +This warning message is there to let people know that Multisig is still an experimental feature and may have bugs. + +While none are known at this time, malicious group members, in a worst case scenario, will be able to acquire all funds within the multisig wallet. + +Two of the steps to get Monero's multisig implementation further tested and more secure would be the completion of a formal specification and a third-party audit. However, there is currently no timeline for this. + **Recommendation:** By default the CLI applies a screen timeout of 90 seconds. After which, you will be asked to input your password to continue using the wallet. Unfortunately, once the wallet times out, it interrupts the multisig creation process. To extend the timeout to 10 minutes, use the command: From cce099eb19fbde187f3a35a80395f87e0c126d07 Mon Sep 17 00:00:00 2001 From: johnr365 <67366109+johnr365@users.noreply.github.com> Date: Sat, 28 Jan 2023 11:47:47 +0000 Subject: [PATCH 4/4] Added section regarding the experimental feature warning message --- docs/multisignature.md | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/docs/multisignature.md b/docs/multisignature.md index 6927ce3..8b8cc48 100644 --- a/docs/multisignature.md +++ b/docs/multisignature.md @@ -62,11 +62,7 @@ Error: You can enable it with: Error: set enable-multisig-experimental 1 ``` -This warning message is there to let people know that Multisig is still an experimental feature and may have bugs. - -While none are known at this time, malicious group members, in a worst case scenario, will be able to acquire all funds within the multisig wallet. - -Two of the steps to get Monero's multisig implementation further tested and more secure would be the completion of a formal specification and a third-party audit. However, there is currently no timeline for this. +This warning message is there to let people know that Multisig is still an experimental feature and may have bugs. You can [read more](#warning) about this message below. **Recommendation:** By default the CLI applies a screen timeout of 90 seconds. After which, you will be asked to input your password to continue using the wallet. Unfortunately, once the wallet times out, it interrupts the multisig creation process. @@ -376,6 +372,30 @@ NOTE: the following string can be used to recover access to your wallet. Write t **Note:** This seed will only recreate the individual wallet it is created from. Each wallet would need to be backed up separately. +## About the experimental feature warning message + +Prior to a pull request in mid 2022 ([PR #8149](https://github.com/monero-project/monero/pull/8149)) Monero's multisig feature had some known bugs. + +PR #8149 fixed these issues, including findings identified by an [independent audit](https://github.com/monero-project/monero/pull/8149#issuecomment-1167912258) of multisig. + +However, there is still a possibility of a yet **unknown** bug that would allow a malicious group member, in a worst-case scenario, to acquire all funds within the multisig wallet. + +Two potential steps to get Monero's multisig implementation further tested and more secure would be the completion of a formal specification and a third-party audit. However, there is currently no timeline for this. + +It's worth noting that the risks implied by this unknown bug scenario depend upon the individual use-case. For example: + +a) If one planned to use multisig in collaboration with other people, then this risk is there. + +b) If one planned to use multisig solely to shard a cold wallet, and store it in multiple locations, then this risk may be lessened. On the basis that it requires two coincidences to come together: + +i) A malicious actor who has the capability to exploit an unknown bug in Monero's multisig. + +ii) This malicious actor is then able to access one of the, presumably secured, multisig wallets. + +However, if an exploit was made public knowledge, then the risk increases, because the attacker no longer needs to figure out the exploit, they simply need to locate your wallet and then implement the public exploit. + +Thus, if one took the risk to use multisig in method b), they would be prudent to stay up to date on multisig development. Such that they would learn quickly if such an exploit was discovered. + ## References The below guides are very detailed, and were formative in the creation of this document. Note that they are both a little out of date, as a few of the CLI commands have been updated in the interim.