Self-custody

Disclaimer

As a disclaimer, NOTHING in this post is advice -- financial, legal, or otherwise. Do your own research and seek professional advice as it concerns your finances.

TL;DR

One could keep a day-to-day spending amount of crypto in whatever wallets are convenient for their use cases: MetaMask, Phantom, whatever.

One can put the rest in a 2 of 3 multisig:

  • One hardware wallet easily accessible if needed
  • One hardware wallet in a vault somewhere else
  • For the third, we have a choice:
    • If you're on BTC, one from a trusted third-party service that offers the features you want (like Unchained for BTC).
    • If you're on an altcoin, there aren't great options (I would love to hear from you if you disagree). You can always use Gnosis Safe and keep another hardware wallet with a friend or in another vault.

Multisig has usability tradeoffs, so see "Approach A" for a slightly flawed but also viable method.

Assumptions

  • We are going to speak generally, but product examples may not support a specific chain
  • This is individual custody, not a DAO or corporation
  • There is a life-changing amount of money stored in crypto
  • We don't want to use a fully custodial service like Coinbase or Binance Exchange

Background

Recent events, including the return of inflation and bank failures, have caused many to take a renewed interest in self-sovereign money, like Bitcoin. You can check out Balaji's Twitter if you want the full picture. In broad strokes, inflation is running hot, and the Fed must keep rates high. Unfortunately, banks purchased long-duration assets to generate higher yield and now carry large mark-to-market losses. The post-COVID reserve ratio is essentially zero, and social media can create very quick bank runs.

Personally, I'm not too worried about widespread collapse from bank runs or inflation. The shadow of Paul Volcker's heroic stand against inflation looms large over the Fed. They will be willing to keep rates high for a long time if the alternative is failing to contain inflation. I suspect the FDIC will step in to backstop any banking failures, as it has done with the likes of SVB and First Republic. There may be inflationary pressure if banks feel they can take wanton risk with no fear of failure, but this can be addressed by stricter banking regulation. In addition to regulation, regulators will likely be watching banks closely behind the scenes, and their severe scrutiny will curtail risk-taking. In other words, banking will be an even less fun industry post-2023, but we'll otherwise muddle through.

That being said, if you believe that there will be systemic financial problems, simply buying BTC on Coinbase is unlikely to be a panacea. In a world where confidence in the dollar is shaken to its core, people like @balajis suspect that regulators will bar the exits, eliminating custodial products and on/off ramps for crypto. The old maxim of "not your keys, not your crypto" may prove important. This is doubly true if one wishes to leave the US.

Best Practices

So what is a crypto novice to do if they want to store their crypto themselves? Storing crypto yourself essentially means keeping a piece of secret data safe: your "private key", or more precisely the seed from which your keys are derived. The method you use for storing this key is called a "wallet". The gold standard for securing significant sums is to have both a "hot wallet" and a "cold wallet" that you manage yourself. Neither requires a website like coinbase.com to secure your funds.

The purpose of the "hot wallet" is for actually spending or investing your funds. In the course of everyday financial life, there are many opportunities for an attacker to steal your funds, or for dangerous human error to creep in. Imagine getting mugged while in line for a hot dog, or approving a wallet-draining transaction on a sketchy website. Your hot wallet is money you'd be fine losing, and lives on an internet-connected device for convenience.

The cold wallet should hold the bulk of your funds and should live on a device that is never connected to the internet. Ideally, it should be a device that cannot use your private key unless someone is pushing a physical button. Setting aside social engineering, that limits the attack surface to the physical vicinity of the hardware device. Importantly, the cold wallet should not do any transactions except sending money to the hot wallet. If you buy coffee (or NFTs) with it, there are many more opportunities for error. If you only ever send to the same address, you have far less need to manage and double-check new ones.

In this analysis, I'm only interested in considering two flavors of "cold wallet"

  • Approach A: A hardware wallet with a seed backed up using Shamir's Secret Sharing (SSS)
  • Approach B: A multisig wallet where you need signatures from multiple keys to effect a transfer.

Hardware

The current favorite of large BTC holders seems to be the Coldcard. It has quite a few slick security features -- including

  • A duress wallet that opens when you enter a separate duress PIN under threat, so you can surrender a decoy balance rather than the real one
  • Tamper-evident packaging
  • Open-source bootloader and firmware
  • Extremely paranoid construction

I've never tried this thing myself, so I can't wholeheartedly recommend it. In addition, it seems to be intimidating for a lot of novice users. That basically leaves Ledger and Trezor. They are pretty similar; the basic difference is that Trezor's currency support is somewhat wanting, while its initial seed setup is much better.

For purposes of this walkthrough, I'm gonna assume you're using a Ledger.

Seeds

When you set up a hardware wallet, you'll be prompted to save a "seed phrase" somewhere. It's generally represented as a list of simple words, using a scheme known as BIP-0039. There are 2048 distinct words that may appear in a seed phrase, each encoding 11 bits, and there is a standard algorithm for converting the phrase into the raw seed bytes. That seed is used to derive every key secured by the hardware wallet. If your seed is compromised, all the money on the hardware wallet is compromised. If you simply lose the phrase but still have the device, the device is now the only copy, so you should promptly move the funds to a wallet whose seed you have backed up.

You can derive an essentially limitless number of private keys from a single seed; see BIP-0032 for the standard way to do it. You can even use a fresh key for every transaction. Of course, if the seed is compromised and a standard derivation scheme is used, every derived key must be considered compromised. Most hardware wallets do NOT protect the seed backup for you: the whole point of the backup is to recover funds if you lose the device, so it necessarily lives outside the device, and its security is your problem.

Seed Security

The attacks against a seed include

  1. Physical, including robbery, where someone simply finds your whole seed phrase
  2. Brute force, where someone is able to guess your seed.
  3. Exfiltration, where a software vulnerability enables a remote attacker to access your seed.

By using a cold wallet for the majority of one's funds, it's possible to mitigate (3). Unfortunately, many crypto users take such great security precautions only to leave their seed in a drawer in their house. This leaves a major attack surface from social engineering or physical robbery.

Rather than storing the entire seed in one place, we can do better by requiring multiple sets of keys to access the money. That way if someone raids our house, they still cannot take our money.

Of course, we also need protection against our own human foibles. If we create seven horcruxes and lose our hardware wallet, it might prove quite difficult to recover all seven and restore our funds!

See the links for logic on this, but for most users requiring 2 shares out of 3 total seems to strike a great balance.

(Approach A) Shamir's Secret Sharing

In this approach, we're roughly going to set up a hardware wallet, put the bulk of funds on it, and back up the seed phrase using Shamir's Secret Sharing.

We'd like a scheme where we can split the seed into n shares, such that we can restore the original if we are able to recoup any k of the n. For example, we might split into 3 pieces and recover the seed if we can recover 2. This particular 2 of 3 setup seems to be a favorite of security minded, yet practical crypto users -- as one can see in BIP-0085.

To balance safety from oneself against safety from others, some naively split their 24-word seed into 3 groups of 16 words, each group missing 8 of the words. This does improve on (1), since any single group is incomplete, but it makes an undue sacrifice on (2): an attacker who finds one group only has to guess the 8 missing words, which is 2048^8 (about 2^88) possibilities instead of 2048^24, a factor of 2048^16, roughly 10^53, easier. 2^88 is not a comfortable margin against a well-resourced attacker. Note also that any two groups together contain the whole seed.

We have a lovely algorithm called "Shamir's Secret Sharing" that achieves our goals without this entropy tradeoff. The specifics of its implementation and of its information-theoretic security are beyond the scope of this post. Suffice it to say that even an unbounded attacker learns nothing about your seed until they hold the required number of shares: with fewer shares, every possible seed is equally consistent with what they have. That is unlike the naive example above, where possession of any one share severely compromises the seed's security.
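To make the threshold property concrete, here is a small Shamir's Secret Sharing implementation, added as an example for this post; it is not code from the page, from SLIP-0039, or from any wallet vendor. It works byte-wise over GF(2^8) with the same reducing polynomial SLIP-0039 uses, splits a seed into n shares with threshold k, recovers it from any k shares, and demonstrates the information-theoretic claim above: given k-1 shares, a `forge_share` helper (my name) produces a k-th share consistent with any secret you like, so those k-1 shares reveal nothing. The 32-byte seed in the usage is a constructed placeholder. This is for illustration only; use an audited implementation for a real backup.

```python
import secrets

# Rijndael / SLIP-0039 reducing polynomial: x^8 + x^4 + x^3 + x + 1
POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because the group order is 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def _interpolate(points: list[tuple[int, int]], x: int) -> int:
    """Lagrange interpolation through (x_i, y_i), evaluated at x.
    In characteristic 2 subtraction is XOR, so there is no sign bookkeeping."""
    acc = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = gf_mul(num, x ^ xm)
                den = gf_mul(den, xj ^ xm)
        acc ^= gf_mul(yj, gf_mul(num, gf_inv(den)))
    return acc


def split(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Split secret into n shares; any k of them recover it.
    Each byte gets its own random polynomial of degree k-1 whose constant
    term is that secret byte; share i holds the evaluations at x = i."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    polys = [[s, *secrets.token_bytes(k - 1)] for s in secret]
    return [(x, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, n + 1)]


def recover(shares: list[tuple[int, bytes]]) -> bytes:
    """Recombine >= k shares by interpolating each byte's polynomial at x = 0.
    With fewer than k shares this returns garbage rather than an error: the
    shares themselves do not encode k, which is why k is written down too."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    length = len(shares[0][1])
    return bytes(_interpolate([(x, y[i]) for x, y in shares], 0) for i in range(length))


def forge_share(shares: list[tuple[int, bytes]], new_x: int, candidate: bytes) -> tuple[int, bytes]:
    """Given k-1 genuine shares, build a share at new_x such that all k shares
    together recover `candidate`. That this works for every candidate is the
    information-theoretic guarantee: k-1 shares leave every secret possible."""
    forged = bytes(
        _interpolate([(0, candidate[i])] + [(x, y[i]) for x, y in shares], new_x)
        for i in range(len(candidate))
    )
    return new_x, forged


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed placeholder for a wallet's 256-bit entropy
    shares = split(seed, k=2, n=3)
    assert recover(shares[:2]) == seed and recover(shares[1:]) == seed
    # One share, any story: pick a bogus seed and forge a matching second share.
    bogus = bytes(32)
    assert recover([shares[0], forge_share(shares[:1], 2, bogus)]) == bogus
    print("2-of-3 split, recovery and forgery demo OK")
```

Run it as a script to see the 2-of-3 round trip; `split(seed, 3, 5)` gives the 3-of-5 variant with no other changes. Note what `recover` does not do: it cannot tell you whether you supplied enough shares, because a share carries no threshold information. SLIP-0039 solves this by embedding the threshold and a digest in each share, which is one reason to prefer a standard format over a hand-rolled one.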

If one were to lose access to their wallet, one would have to recover the requisite number of shares and run them through an algorithm to recombine them. There are a couple of interesting standards for implementing SSS, including SLIP-0039 and BCR-0011. SLIP-0039 is essentially what the Trezor does on setup. It has the annoying property that you cannot recover a BIP-39 mnemonic from it, because SLIP-39 derives the BIP-32 seed from its master secret directly rather than through the BIP-39 mnemonic encoding. This issue for the Ledger wallet has some great context. BCR-0011 shards the raw bytes, so a BIP-39 seed's entropy can be split and later recombined into the same mnemonic.

Ideally, regardless of what scheme you use, you'd want it executed directly on your hardware wallet, so that you don't have to download an untrusted program to run it. Even if you trusted the program, it would have to run in an untrusted execution environment (your general-purpose computer) that is exposed to malware and side-channel attacks.

If you have a Ledger, there's this bleeding-edge app that is interesting. To use it you would need to sideload a program onto your Ledger to execute SSS. This has the great benefit that your seed never leaves your non-internet-connected device, which protects it from untrusted code and side channels on your computer. To recover your seed from shares (after loss of your Ledger or Ledger PIN), you would of course still need to run a separate program like Seedtool CLI, ideally on an offline machine.

(Approach B) Multisig

Critics of Shamir's secret sharing argue that the process is so intricate that there aren't any secure implementations, and most threat models are adequately addressed by other methods. In addition, to actually recover your seed or split it, you generally need a secure execution environment. If you really had one, you could just leave your seed there. See Shamir Secret Snakeoil for a fuller treatment.

In a multisig, your funds are stored at an address that requires signatures from several distinct keys in order to effect a transfer. If you hold only one of the keys, you cannot move the money by yourself; you need to coordinate with your friend or a third-party service, like Unchained vaults. In multisigs, as with SSS, 2 of 3 signatures seems like the popular balance of security and usability. All of the keys should be kept secret, as disclosure invites attack. Potential locations include:

  • Your house, in a safe
  • With a friend, in a safe (consider this puts them at risk!)
  • In a private safe deposit box
  • Using a trusted third-party service.
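As an added example (not from the post, and not Unchained's or any wallet's code), the following Python builds the Bitcoin witness script that encodes a 2-of-3 policy and derives the P2WSH address that receives the funds, using only the standard library. The three public keys are constructed placeholders with the right length and prefix byte, not real keys; the function names are mine. Keys are sorted lexicographically before serialization (BIP-67) so every cosigner derives the same address from the same key set, and `parse_multisig_script` lets you confirm the policy (m, n and which keys) before sending funds to an address someone hands you.

```python
import hashlib

OP_CHECKMULTISIG = 0xAE


def op_n(n: int) -> bytes:
    """OP_1..OP_16 are encoded as 0x51..0x60."""
    if not 1 <= n <= 16:
        raise ValueError("OP_n only covers 1..16")
    return bytes([0x50 + n])


def push(data: bytes) -> bytes:
    """Minimal direct push for 1..75 bytes (enough for public keys)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push covers 1..75 bytes")
    return bytes([len(data)]) + data


def multisig_script(m: int, pubkeys: list[bytes]) -> bytes:
    """OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG, keys sorted per BIP-67."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    for pk in pubkeys:
        if len(pk) != 33 or pk[0] not in (2, 3):
            raise ValueError("expected 33-byte compressed public keys")
    ordered = sorted(pubkeys)
    return op_n(m) + b"".join(push(pk) for pk in ordered) + op_n(n) + bytes([OP_CHECKMULTISIG])


def parse_multisig_script(script: bytes) -> tuple[int, list[bytes]]:
    """Inverse of multisig_script: returns (m, keys) or raises ValueError."""
    if len(script) < 4 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a bare multisig script")
    m, n = script[0] - 0x50, script[-2] - 0x50
    keys, i = [], 1
    while i < len(script) - 2:
        ln = script[i]
        keys.append(script[i + 1:i + 1 + ln])
        i += 1 + ln
    if i != len(script) - 2 or len(keys) != n or not 1 <= m <= n:
        raise ValueError("malformed multisig script")
    return m, keys


# --- bech32 (BIP-173) for witness version 0 ---------------------------------
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _polymod(values: list[int]) -> int:
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp: str) -> list[int]:
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data: bytes, frombits: int, tobits: int) -> list[int]:
    """Regroup a bit string, padding the final group with zeros."""
    acc = bits = 0
    out, maxv = [], (1 << tobits) - 1
    for b in data:
        acc = (acc << frombits) | b
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out


def p2wsh_address(witness_script: bytes, hrp: str = "bc") -> str:
    """bech32 address whose 32-byte witness program is sha256(witness_script)."""
    program = hashlib.sha256(witness_script).digest()
    data = [0] + _convertbits(program, 8, 5)          # witness version 0
    checksum = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    data += [(checksum >> (5 * (5 - i))) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)


def bech32_valid(addr: str) -> bool:
    """Checksum test; bech32 detects any error touching up to 4 characters."""
    hrp, _, body = addr.rpartition("1")
    if not hrp or any(c not in CHARSET for c in body):
        return False
    return _polymod(_hrp_expand(hrp) + [CHARSET.index(c) for c in body]) == 1


# Constructed placeholder keys: correct length and prefix byte only, not real keys.
PUBKEYS = [bytes([0x02]) + bytes([i]) * 32 for i in (0x11, 0x33, 0x22)]

if __name__ == "__main__":
    script = multisig_script(2, PUBKEYS)
    print("witness script:", script.hex())
    print("policy:", parse_multisig_script(script)[0], "of", len(PUBKEYS))
    print("address:", p2wsh_address(script))
```

The witness script, not the address, is what each cosigner needs to verify: two people who agree on the same three keys and the same threshold will derive the same script hash and therefore the same `bc1q...` address, which is the check to perform on every device before funding it. Spending requires building and signing a transaction with two of the three keys, which this example does not cover.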

One key with you and one key with a third-party service provides a great balance of usability and security (provided you trust the third party!). For example, you can do remote signing without having to get your friend on the phone to execute a harrowing cryptographic process.

A major problem with the third-party approach is that it's pretty hard to accommodate altcoins. The service has to support the signature scheme of every chain you're interested in. The BTC ecosystem is much more serious about secure self-custody than other ecosystems, and has better options.