Vitalik: On the Necessity of Social Recovery Wallets
Source | vitalik.ca
Author | Vitalik Buterin
One of the biggest challenges in making cryptocurrencies and blockchain applications usable by the average user is undoubtedly security: how do we prevent users' funds from being lost or stolen? Loss and theft are a non-negligible problem, costing innocent blockchain users thousands of dollars, and in some cases a large portion of their net worth.
Over the years, many solutions have been proposed: paper wallets, hardware wallets, and multisig wallets (once my personal favorite). These solutions do significantly improve security, but all have drawbacks: either their protection against theft and loss falls well short of what is actually needed, or they are so inconvenient to operate that adoption is extremely low. But a better alternative has recently emerged: a new class of smart contract wallets called social recovery wallets. These wallets offer greater security and better usability than previous options, but are still some way off from easy and widespread deployment. This post explains what a social recovery wallet is, why it matters, and how we can achieve wider adoption across the ecosystem.
Wallet security has plagued the ecosystem practically since the beginning of the blockchain industry. In 2011, when Bitcoin was pretty much the only cryptocurrency in existence, incidents of loss and theft were frequent. Before building Ethereum, as a co-founder of and writer for Bitcoin Magazine, I wrote an article detailing the attacks, losses, and thefts that were happening in cryptocurrencies at the time.
Here is one example from it:
Last night around 9pm PDT, I clicked a link to CoinChat[.]freetzi[.]com and was prompted to run Java. I did that (I thought it was a normal chat room) and nothing happened afterwards. I closed the window without giving it a second thought. About 14 minutes later I opened my bitcoin-qt wallet and saw a transaction that I didn't approve of, almost transferring the entire wallet to another wallet...
The user lost 2.07 BTC, worth $300 at the time, and now more than $70,000. Another example:
In June 2011, Bitcointalk member allinvain lost 25,000 BTC ($500,000 at the time) after an unknown intruder somehow gained direct access to his computer. The attacker was able to obtain allinvain's wallet.dat file directly and then quickly ransack the wallet, either by sending transactions from allinvain's computer or by loading the wallet.dat file on their own computer and emptying it.
At today's prices, that is worth nearly one million US dollars. But theft is not the only problem; there are also cases of private keys simply being lost. Consider Stefan Thomas' story:
Bitcoin developer Stefan Thomas' wallet was backed up in three places: an encrypted USB device, a Dropbox account, and a VirtualBox virtual machine. He managed to wipe two of them, then forgot the password to the third backup, forever losing access to 7,000 BTC (worth $125,000 at the time). Thomas responded, "Since then, I've been working on building a better client."
There are obvious social and psychological reasons why wallet security is so underrated: people do not want to appear stupid or careless in front of an always-critical public, so thefts of their funds often go unreported. This is even more true of losing funds, since the common (and in my opinion very wrong) belief is that "you have only yourself to blame". But the reality is that the whole point of digital technologies, including blockchain, is to make it easier for people to participate in complex transactions without having to exert enormous mental effort or live in fear of making mistakes. An ecosystem whose only answers to loss and theft are 12-step tutorials, less-than-secure countermeasures, and not-so-occasional sarcastic "sorry for your loss" responses will never achieve wide adoption.
Solutions that reduce the risk of funds being lost or stolen are therefore starting to be adopted. These solutions do not require cryptocurrency users to spend much energy or time maintaining the security of their personal assets, and they are also very valuable for the industry as a whole.
Hardware wallets alone are not enough
Hardware wallets are often touted as the best technology for cryptocurrency asset management. A hardware wallet is a specialized hardware device that can be connected to a user's computer or mobile phone (for example via USB) and contains a dedicated chip that can only generate private keys and sign transactions. Users can initiate a transaction on a computer or mobile phone, and it must be confirmed in the hardware wallet before it can be sent. The private keys are kept in the hardware wallet, so an attack on a computer or phone cannot wipe out the funds.
➤ Supply chain attacks: When you buy a hardware wallet, you are trusting many participants in its production and delivery, including the company that designed it, the factory that manufactured it, and everyone who handled it in transit, any of whom could swap the device for a tampered one. Hardware wallets are a magnet for such attacks: the amount of funds that can be stolen per compromised device is very high. To their credit, hardware wallet producers such as Ledger have put in place a number of protections against these risks, but this does not make them fully safe. Fundamentally, a hardware device cannot be audited the way open source software can.
➤ Single point of failure: If someone watches over your shoulder as you enter your PIN and then steals your hardware wallet, they can steal your funds. If you lose your hardware wallet, you lose your assets, unless the wallet produced a backup (such as a mnemonic) during initial setup, and, as we will see, that backup brings its own problems.
Mnemonics alone are not enough
Many wallets (whether hardware or software) have an initial setup process in which they output a mnemonic phrase: an encoding of the wallet's root private key as 12-24 human-readable words. A mnemonic phrase looks like this:
vote dance type subject valley fall usage silk essay lunch endorse lunar obvious race ribbon key already arrow enable drama keen survey lesson cruel
Seed phrases can help prevent loss, but they won't help in the case of stolen funds. To make matters worse, if you have the standard hardware wallet + mnemonic backup combo, then either a stolen hardware wallet + PIN or a stolen mnemonic backup will result in a loss of funds. In addition, ensuring that the mnemonic is well protected and not accidentally lost is a mental burden in itself.
Splitting the phrase 50-50 and giving half to a friend to keep does mitigate the theft problem, but 1) almost nobody actually promotes this practice; 2) it has security problems of its own: if the mnemonic is short (128 bits), a determined attacker who steals one half can brute-force the remaining 2^64 possibilities to find the other half; and 3) it further increases the mental burden.
So what do we need?
We need a wallet design that meets the following three criteria:
➤ No single point of failure: there is no single thing that, if stolen, gives an attacker access to your funds, or, if lost, denies you access to them.
➤ Low mental load: the design requires users to learn as few unfamiliar new habits as possible, and to exert as little mental effort as possible to consistently follow particular behavior patterns.
➤ Ease of transacting: performing most normal activities should not take more effort than with a regular wallet (such as Status or Metamask).
Multisig
Back in 2013, the best technology to solve these problems was multi-signature (multisig). You can have a wallet with three keys, any two of which are required to send a transaction.
For a multisig wallet that holds an individual's funds, the main challenge is: who holds the keys, and how is a transaction approved? The most common formula is "two easily accessible but separate keys held by the user (e.g. on a laptop and a phone), with a third, more secure and harder-to-obtain backup key kept offline or held by a friend or an organization".
This is fairly safe: the loss or theft of any single device will not lock you out of your funds. But its security is far from perfect: if you can steal someone's laptop, it is usually not too hard to steal their phone as well. Usability is also a challenge, as each transaction now requires two confirmations on two devices.
Social recovery is better
This is my personal preference for wallet protection: social recovery. Its operating mechanism is as follows:
➤ There is a single "signing key" that approves transactions.
➤ There is also a set of at least three "guardians", a majority of whom can together change the account's signing key.
➤ The signing key can add or remove guardians, but only after a delay (usually 1-3 days).
Under normal circumstances, a user uses a social recovery wallet just like an ordinary wallet, signing messages with the signing key so that each transaction completes with a single confirmation click, exactly like a "traditional" wallet (such as Metamask).
Where a social recovery wallet really comes into play is when the user loses their signing key. The user contacts their guardians and asks them to sign a special transaction that changes the signing public key registered in the wallet. This is not difficult for the guardians: they can visit a webpage (such as security.loopring.io), log in, see the recovery request, and sign it. For a guardian, the operation can be as simple as trading on Uniswap.
There are many possible options for Guardians, the three most common options are:
➤ Wallet owner's own other device (or paper mnemonic phrase)
➤ Friends or family members
➤ Institutions, which sign the recovery transaction after confirming your phone number or email, or, for higher-value accounts, after verifying your identity via video call
Adding a guardian is also easy: just enter an ENS name or ETH address, although most social recovery wallets require the guardian to sign a transaction on the recovery page to agree to being added. In any properly designed social recovery wallet, guardians do not need to download and use the same wallet; they can use their existing Ethereum wallet, whatever type it is. Given how convenient it is to add guardians, if your social circle consists of Ethereum users, I personally prefer a larger number of guardians (preferably more than 7) for greater security. A guardian who already has a wallet does not need to keep an eye on anything on an ongoing basis; any recovery operation can be done through their existing wallet. If you do not know enough active Ethereum users, it is better to have fewer guardians who know how to operate.
To reduce the risk of guardians being attacked or colluding, the guardians need not be disclosed; in fact, they do not even need to know each other's identities. This can be accomplished in two ways. First, only the hash of the list of guardian addresses is stored on-chain, not the addresses themselves, and the wallet owner publishes the full list only when recovering. Second, each guardian can be required to deterministically generate a new address used only for that wallet's recovery; they never need to send any transaction from that address unless a recovery is actually needed. Alongside these technical protections, it is recommended to choose guardians from different social circles (ideally including an institutional guardian); together, these measures make it difficult for the guardians to be attacked or to collude at the same time.
In the event of a wallet owner dying or being permanently incapacitated, it would be a socially acceptable standard protocol for Guardians to disclose their identities so they could find each other and recover funds in such a case.
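The mechanism described above, as an added example that is not code from the original post: a minimal Python model of a social recovery wallet with a single signing key, a majority threshold of guardians, a delayed guardian change, and the hashed guardian list from the previous section (only the hash is stored, and the owner reveals the full list at recovery time). All key and guardian identifiers are constructed sample values, and guardian "signatures" are modelled simply as the set of guardian addresses that approved rather than real ECDSA signatures.

```python
# Added example (not code from the original post). Keys, guardian addresses and
# the 3-day delay are constructed/assumed values; approvals are modelled as the
# set of guardian addresses that approved, not real signatures.
import hashlib

DAY = 24 * 60 * 60
GUARDIAN_CHANGE_DELAY = 3 * DAY  # the post says "usually 1-3 days"; 3 days assumed here


def commit_guardians(guardians):
    """Hash of the de-duplicated, sorted guardian list. Only this commitment is
    kept on-chain, so the guardians' identities stay private until a recovery."""
    payload = "\n".join(sorted(set(guardians))).encode()
    return hashlib.sha256(payload).hexdigest()


def rejected(action, *args):
    """True if the wallet refuses the action (used by the demo and tests)."""
    try:
        action(*args)
    except (PermissionError, ValueError, RuntimeError):
        return True
    return False


class SocialRecoveryWallet:
    def __init__(self, signing_key, guardians, now=0):
        if len(set(guardians)) < 3:
            raise ValueError("at least three guardians are required")
        self.signing_key = signing_key
        self.guardian_commitment = commit_guardians(guardians)
        self.guardian_count = len(set(guardians))
        self.pending_guardians = None  # (commitment, count, effective_at)
        self.now = now  # simulated block timestamp

    def threshold(self):
        """A majority of the guardians must approve a recovery."""
        return self.guardian_count // 2 + 1

    def advance(self, seconds):
        self.now += seconds

    def send(self, signer, tx):
        """Normal path: one signature from the signing key executes a transaction."""
        if signer != self.signing_key:
            raise PermissionError("only the signing key can send transactions")
        return f"executed: {tx}"

    def propose_guardians(self, signer, new_guardians):
        """The signing key may change the guardian set, but only after a delay,
        which gives the owner time to notice a change made with a stolen key."""
        if signer != self.signing_key:
            raise PermissionError("only the signing key can change guardians")
        if len(set(new_guardians)) < 3:
            raise ValueError("at least three guardians are required")
        self.pending_guardians = (
            commit_guardians(new_guardians),
            len(set(new_guardians)),
            self.now + GUARDIAN_CHANGE_DELAY,
        )

    def finalize_guardians(self):
        if self.pending_guardians is None:
            raise RuntimeError("no pending guardian change")
        commitment, count, effective_at = self.pending_guardians
        if self.now < effective_at:
            raise RuntimeError("guardian change delay has not elapsed")
        self.guardian_commitment, self.guardian_count = commitment, count
        self.pending_guardians = None

    def recover(self, revealed_guardians, approvals, new_signing_key):
        """The owner reveals the full guardian list; the wallet checks it against
        the stored hash, then counts approvals from listed guardians only."""
        if commit_guardians(revealed_guardians) != self.guardian_commitment:
            raise PermissionError("revealed list does not match the commitment")
        valid = set(approvals) & set(revealed_guardians)
        if len(valid) < self.threshold():
            raise PermissionError(
                f"{len(valid)} approvals, {self.threshold()} required")
        self.signing_key = new_signing_key
        return self.signing_key


if __name__ == "__main__":
    guardians = [f"0xguardian{i}" for i in range(1, 8)]  # constructed sample addresses
    w = SocialRecoveryWallet("0xowner-key-1", guardians)
    print(w.send("0xowner-key-1", "transfer 1 ETH"))
    # the signing key is lost: four of the seven guardians approve a new key
    print(w.recover(guardians, guardians[:4], "0xowner-key-2"))
```

With seven guardians the threshold is four, so three colluding guardians cannot move the key, and an attacker who does not know the real guardian list cannot substitute one of their own, because the revealed list must hash to the stored commitment.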
Social recovery wallets are not a betrayal of "crypto values", but an expression of them
To me, the goal of cryptography was never to eliminate all forms of trust. Rather, its purpose is to let people use cryptography and economics to build systems that widen the choice of who can be trusted, and to construct more limited forms of trust: someone can be granted the power to perform certain actions on your behalf without being granted carte blanche. Viewed this way, multisig and social recovery are a perfect example of this principle: each participant has some influence over whether a transaction is accepted or rejected, but no one can unilaterally move funds. This more complex logic gives a far more secure setup than one in which funds are unilaterally controlled by a single individual or key.
The basic idea of using human input sparingly, rather than discarding it outright, works because it fits the strengths and weaknesses of the human brain. The human brain is pretty bad at remembering passwords and safeguarding paper wallets, but it is an ASIC for keeping track of relationships with other people. For non-technical users the effect is even stronger: they may struggle with wallets and passwords, but they are just as adept as technical users at social tasks like "choose seven people who will not all collude to cheat me". If we can feed some information from human input into a mechanism without making that input an attack vector, we should figure out how. Social recovery is very robust: to compromise a wallet with seven guardians, at least four of the seven must somehow identify each other and collude to steal the funds, without any of them tipping off the wallet owner, which is far harder than attacking a wallet maintained purely by an individual.
The social recovery described above addresses the risk of "losing" your wallet, but there is still the risk of your signing key being "stolen": someone breaks into your computer, sneaks in while you are already logged in, hits you over the head, or simply lures you into signing a transaction through a misleading user interface.
We can increase social resilience to deal with such problems by adding vaults. Every social recovery wallet can come with an auto-generated vault. Assets can be transferred into the vault simply by sending them to the vault address, but there is a one-week delay to transfer them out of the vault. During the delay, the signing key (or guardian) can cancel the transaction. If desired, the vault can also be programmed so that some limited operations (such as Uniswap trades between whitelisted tokens) can be performed immediately.
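The vault described above, as an added example that is not code from the original post: a Python model in which anyone can deposit, withdrawals are queued for one week before they can execute, the signing key or any guardian can cancel a queued withdrawal during that week, and trades between whitelisted tokens execute immediately because the value stays inside the vault. Keys, guardian addresses, token names and amounts are constructed sample values, and the swap takes its amounts from the caller rather than from a real exchange.

```python
# Added example (not code from the original post). All addresses, tokens and
# amounts are constructed sample values; a real vault would be a contract.
WEEK = 7 * 24 * 60 * 60


def rejected(action, *args):
    """True if the vault refuses the action (used by the demo and tests)."""
    try:
        action(*args)
    except (PermissionError, ValueError, RuntimeError, KeyError):
        return True
    return False


class Vault:
    def __init__(self, signing_key, guardians, whitelisted_tokens, now=0):
        self.signing_key = signing_key
        self.guardians = set(guardians)
        self.whitelist = set(whitelisted_tokens)  # tokens allowed in immediate trades
        self.balances = {}  # token -> amount held by the vault
        self.pending = {}   # request id -> (token, amount, destination, executable_at)
        self.next_id = 0
        self.now = now      # simulated block timestamp

    def advance(self, seconds):
        self.now += seconds

    def deposit(self, token, amount):
        """Anyone moves assets in simply by sending them to the vault address."""
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.balances[token] = self.balances.get(token, 0) + amount
        return self.balances[token]

    def request_withdrawal(self, signer, token, amount, destination):
        """Moving assets out takes one week: the request is queued, not executed."""
        if signer != self.signing_key:
            raise PermissionError("only the signing key can request withdrawals")
        if amount <= 0 or self.balances.get(token, 0) < amount:
            raise ValueError("insufficient balance")
        rid = self.next_id
        self.next_id += 1
        self.pending[rid] = (token, amount, destination, self.now + WEEK)
        return rid

    def cancel(self, actor, rid):
        """During the delay the signing key or any guardian can cancel; this is
        what stops someone who obtained the signing key from draining the vault."""
        if actor != self.signing_key and actor not in self.guardians:
            raise PermissionError("only the signing key or a guardian can cancel")
        del self.pending[rid]  # KeyError if there is no such request

    def execute_withdrawal(self, rid):
        token, amount, destination, executable_at = self.pending[rid]
        if self.now < executable_at:
            raise RuntimeError("withdrawal delay has not elapsed")
        if self.balances.get(token, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[token] -= amount
        del self.pending[rid]
        return (token, amount, destination)

    def swap(self, signer, token_in, amount_in, token_out, amount_out):
        """Immediate operation: a trade between whitelisted tokens. Value stays
        inside the vault, so no delay is needed."""
        if signer != self.signing_key:
            raise PermissionError("only the signing key can trade")
        if token_in not in self.whitelist or token_out not in self.whitelist:
            raise PermissionError("token not whitelisted for immediate trades")
        if amount_in <= 0 or self.balances.get(token_in, 0) < amount_in:
            raise ValueError("insufficient balance")
        self.balances[token_in] -= amount_in
        self.balances[token_out] = self.balances.get(token_out, 0) + amount_out
        return dict(self.balances)


if __name__ == "__main__":
    v = Vault("0xowner-key", ["0xg1", "0xg2", "0xg3"], ["ETH", "DAI"])
    v.deposit("ETH", 10)
    rid = v.request_withdrawal("0xowner-key", "ETH", 4, "0xdestination")
    print("too early:", rejected(v.execute_withdrawal, rid))  # True
    v.cancel("0xg2", rid)  # a guardian stops a withdrawal the owner did not intend
    print("balance after cancel:", v.balances["ETH"])  # 10
```

The important property is that a stolen signing key alone is not enough to take funds out of the vault: the thief must also keep the owner and every guardian from noticing the queued withdrawal for a full week.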
Existing social recovery wallets
There are currently two major wallets that have implemented social recovery, Argent and Loopring:
Argent Wallet is the first and most popular "smart contract" wallet, and social recovery is one of its selling points. The Argent wallet has added an interface that can add and delete guardians:
The Loopring wallet is probably known because it was built by the developers and supporters of the Loopring protocol (a ZK rollup scheme for payments and decentralized exchanges). But the Loopring wallet also has a social recovery feature, very similar to the one in Argent. In both cases, the wallet provider provides a free guardian who authenticates the user via a confirmation code sent from the phone. Users can add other users of the same wallet or any Ethereum user as additional guardians by providing an Ethereum address.
The user experience of both wallets is very smooth. There are two challenges, however. First, the smoothness of operations in both wallets relies on a "centralized" relayer run by the wallet provider to republish signed transactions; second, the fees are high. Fortunately, both of these challenges are solvable.
Migrating to L2 (rollups) can solve other challenges
As mentioned above, there are two main challenges: 1) reliance on relayers to process transactions, and 2) high transaction fees. Reliance on relayers is an increasingly common problem in Ethereum applications. It arises because there are two types of accounts in Ethereum: externally owned accounts (EOAs), which are controlled by a single private key, and contract accounts. Ethereum has a rule that every transaction must originate from an externally owned account. The original intent was that the external account would represent the "user", the contract account would represent the "application", and the application would only run when a user interacted with it. If we want wallets with more complex mechanisms (such as multisig and social recovery), we need contracts to represent users. But this brings a new challenge: if your funds are in a contract account, you need another account with an ETH balance to pay for each transaction, and when fees climb rapidly, that can require a significant amount of ETH.
Original link:https://vitalik.ca/general/2021/01/11/recovery.html
ECN's translation work aims to deliver high-quality information and learning resources for the Chinese Ethereum community. The copyright of the article belongs to the original author, and the source of the original text and the ETH Chinese website must be indicated when reprinting. For long-term reprinting, please contact eth@ecn.co for authorization.


