Vitalik's Latest Perspective: How to Choose Guardians for Multi-Signature Wallets and Social Recovery Wallets?
Original Title: How I think about choosing guardians for multisig and social recovery wallets
Original Author: Vitalik Buterin
Compiled by: Qianwen, ChainCatcher
Multi-signature wallets (like Gnosis Safe) are a simple and secure way to store funds, allowing you to enjoy most of the benefits of self-custody—your funds won't disappear when seemingly trustworthy centralized entities become untrustworthy. At the same time, you don't have to bear the risk of being responsible for the entire security setup. Personally, I use a multi-signature wallet to store most of my funds, and the Ethereum Foundation does the same.
Another type of wallet similar to multi-signature wallets is the social recovery wallet—a single key can be used to sign transactions, but if that key is lost, a set of keys held by others can be used to recover the funds. Social recovery wallets are easier to use than multi-signature wallets, especially with the rise of ERC-4337 account abstraction and the upcoming launch of soul wallets (Soul Wallet), which will make this technology more user-friendly. Once social recovery wallets develop sufficiently, my suggestion is to use social recovery for hot wallets, storing a small portion of personal or organizational funds; and use multi-signature for cold wallets, storing personal or organizational savings.
Both multi-signature wallets and social recovery wallets rely on the concept of "guardians": a group of N addresses, typically held by others, where any M of those addresses can approve an operation (for example, you can set N=6 and M=4). In the case of multi-signature wallets, each transaction must be signed by M out of N guardians. In the case of social recovery wallets, a single key can sign transactions, but if that key is lost, M out of N guardians must sign off to reset the key.
The two key questions for securely using multi-signature wallets and social recovery wallets are: (i) whom do you choose as guardians, and (ii) what instructions do you give them? This article outlines how I think about these questions; most of the points apply equally to multi-signature and social recovery wallets used to safeguard personal and organizational funds.
What do we want from guardians?
- Minimize the probability of losing their keys.
- Minimize the probability of colluding to steal your funds or being coerced to do so.
- In the event that the above two risks are unavoidable, the risks of each guardian should be maximally uncorrelated—you want to minimize their commonalities, as such common risks could lead to scenarios where many of your guardians become incapacitated or affected at the same time.
The answer to this question is simple, but it guides all my choices regarding guardians:
Guardians can be your own devices, but do not make too many devices your guardians.
It is fine for at least one guardian to be a wallet on your own device; after all, this is your own money, and there is no reason this should affect decentralization. However, once you control more than one guardian, you face a tricky trade-off: you depend less on others, but you concentrate more power in yourself, which becomes a risk if you are hacked, coerced, incapacitated, or deceased.
In my experience, enough guardians should be controlled by other people that, if you disappear, the remaining guardians can still recover your funds. That is to say, you should control at least one guardian and at most N-M guardians. Additionally, each guardian should be on a separate device (laptop, phone, old phone, etc.).
Choose guardians who do not communicate frequently, or preferably do not know each other.
Ideally, guardians should not know who each other is. This greatly reduces the risk of them colluding, and they have no strong reason to know each other. If something happens to you, they can still find each other, as people would naturally think of some obvious standard procedures (for example, contacting your family).
Additionally, minimize the correlation between guardians: do not choose two guardians who live in the same city (or, better still, not even in the same country), or two guardians who use the same type of wallet, and balance across different operating systems.
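The rules in the two sections above (control at least one and at most N-M guardians, one device per guardian you control, low correlation between the others) are easy to state but easy to get wrong when you actually set up a 4-of-6 wallet. The following audit script is an added example written for this article; it is not code from Vitalik or from any wallet project. The `Guardian` record, its attributes, and the two sample guardian sets are constructed for illustration, and the treatment of "balance operating systems" as "no single OS may hold M or more guardians" is this example's own interpretation.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Guardian:
    name: str        # label, constructed for this example
    controller: str  # "self" (a device you own) or "other" (held by someone else)
    device: str      # physical device the key lives on
    city: str
    country: str
    wallet: str      # wallet software / type
    os: str          # operating system of the device


def audit_guardians(guardians, m):
    """Check an M-of-N guardian set against the rules in the text.
    Returns a list of findings; an empty list means every rule holds."""
    n = len(guardians)
    if not 1 <= m <= n:
        return [f"threshold M={m} must satisfy 1 <= M <= N={n}"]
    findings = []
    own = [g for g in guardians if g.controller == "self"]
    others = [g for g in guardians if g.controller != "self"]

    # Rule: control at least one guardian ...
    if not own:
        findings.append("no guardian on a device you control")
    # ... and at most N-M, so that the other guardians (at least M of them)
    # can still reach the threshold and recover the funds if you disappear.
    if len(own) > n - m:
        findings.append(
            f"you control {len(own)} guardians but at most N-M={n - m} is allowed; "
            f"only {len(others)} others remain, fewer than M={m}")

    # Rule: each guardian you control lives on a separate device.
    for device, count in Counter(g.device for g in own).items():
        if count > 1:
            findings.append(f"{count} of your guardians share the device {device!r}")

    # Rule: minimise correlation between the guardians held by others
    # (same city, same country, same wallet type).
    for a, b in combinations(others, 2):
        for attr in ("city", "country", "wallet"):
            if getattr(a, attr) == getattr(b, attr):
                findings.append(
                    f"{a.name} and {b.name} share {attr}={getattr(a, attr)!r}")

    # Rule: balance operating systems. Interpretation used here (an assumption
    # of this example): no single OS may hold M or more guardians, so a flaw
    # in one OS cannot reach the threshold on its own.
    for os_name, count in Counter(g.os for g in guardians).items():
        if count >= m:
            findings.append(f"{count} guardians run {os_name}, enough to reach M={m}")
    return findings


# Constructed sample: a 4-of-6 setup that follows the rules.
GOOD_SET = [
    Guardian("me-laptop", "self", "laptop", "Zug", "CH", "walletA", "linux"),
    Guardian("me-phone", "self", "phone", "Zug", "CH", "walletB", "android"),
    Guardian("g1", "other", "hw-wallet", "Berlin", "DE", "walletC", "macos"),
    Guardian("g2", "other", "phone", "Singapore", "SG", "walletD", "ios"),
    Guardian("g3", "other", "laptop", "Toronto", "CA", "walletA", "windows"),
    Guardian("g4", "other", "hw-wallet", "Nairobi", "KE", "walletB", "linux"),
]
# Constructed sample: g4 replaced by a third device of your own, so you hold
# 3 > N-M = 2 guardians and two of them sit on the same kind of device.
BAD_SET = GOOD_SET[:5] + [
    Guardian("me-old-phone", "self", "phone", "Zug", "CH", "walletB", "android"),
]

if __name__ == "__main__":
    for label, guardians in (("good", GOOD_SET), ("bad", BAD_SET)):
        print(label, audit_guardians(guardians, 4) or "no findings")
```

Running the script reports no findings for `GOOD_SET` and two for `BAD_SET`: you control more than N-M guardians (so the three others cannot reach M=4 without you), and two of your guardians share a device. The checks are deliberately pairwise and attribute-based so that adding a new correlation (say, a shared employer) is a one-line change to the attribute tuple.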
Guardians should first pose a security question before approving an operation:
When you ask guardians to approve an operation (in multi-signature, this refers to a transaction; in social recovery wallets, this refers to resetting your account key), they should not immediately proceed with the operation. This is a disaster for security: if someone hacks your chat account, they can scan your messages, find out who your guardians are, contact each of them, and ask them to confirm, thereby stealing your funds.
To avoid this situation, my preferred process is to instruct guardians to pose security questions. When you request confirmation of your operation, the guardians should ask you something that only the two of you and a very few others know (for example, "What food did we eat the last time we met?"), and only confirm the operation once you provide the correct answer.
A natural choice is a voice or video call, but in an era where AI excels at forgery, this method is no longer as trustworthy, so you might want to combine voice/video calls with asking some kind of security question.
If you are a "Degen veteran," ensure your guardians can respond quickly. Otherwise, you do not need to make this requirement.
If the activities you engage in with on-chain contracts are high-risk, you may need to act quickly: if there is a vulnerability in the contract, pull the funds out. If you are about to be liquidated, transfer the money out, and so on. If you have these needs, then you need to find guardians who can act swiftly in a short time frame (therefore also find guardians in different time zones, so that there are enough guardians available to complete transactions at any time) to protect your funds. However, if you do not engage in such activities, then speed is not particularly important; in fact, it may even be somewhat harmful, as persuading people to act urgently is a common social engineering tactic used by hackers, and if people dislike this mentality, it might actually be a good thing.
Test each guardian at least once a year
Conduct at least one test operation each year. Ideally, perform two test operations each year, one using half of the guardians and the other using the other half. This can ensure that your guardians have not forgotten or lost their accounts.
More advanced issue: privacy
One of the challenges with guardians is that there is currently no technology that can keep your financial privacy unaffected by guardians. However, this is a technical problem that can be solved: guardians do not directly guard your account, but rather guard a "vault" contract, with the link between your account and the vault hidden.
Keeping the link hidden before recovery is easy: for example, one of your account's guardians can be a CREATE2 contract that only the vault is able to create. Keeping the link hidden after recovery, however, requires more advanced ZK-SNARK technology. I expect this issue to be gradually resolved in the coming years.