Ethereum Social Recovery Wallets

Author: Dmitry Radkovskiy

Two notable news stories came out last month.

First, Ledger Connect Kit library was exploited with a supply chain attack. Luckily, the damage was limited to less than $1M which is not that much compared to other crypto exploits. Unfortunately, someone still lost their money.

Second, Safe Wallet (previously Gnosis Safe) announced the release of a marketplace for different self-custodial recovery options for Safe Wallet.

These two news might not seem to be connected at first, but they fit very neatly into a bigger picture of the state of crypto self-custody wallets.

Before we get deeper into details, let’s recall what are our current options to send a blockchain transaction.

Option 1: Externally Owned Account

This was the only option to send transactions when Bitcoin first came out.

The algorithm goes like that:

1. There exists a secret private key. Whoever knows this private key is the owner of the assets in a “wallet”.

2. The private key can be used to cryptographically sign a transaction (e.g. asset transfer).

3. The signed transaction is broadcast to the blockchain nodes and included in a block.

In Ethereum this is called EOA — Externally Owned Account.

It might sound simple, but most of the today’s Web3 ecosystem works with EOA. You connect a wallet, sign a transaction with a private key in your browser and a few seconds later your tokens are magically transferred to a person on another continent.
Centralised crypto exchanges might also use EOA to custody your assets.

Unfortunately, for EOA to work, you have to create a signature using a secret private key. And that means that there’s a time and place when the secret private key is physically present in it’s full unencrypted form — otherwise it would be impossible to calculate the signature.

And that brings us to the recent supply chain attack. This time it was a software supply chain attack, the hardware was not exploited. But do you know who assembled your hardware USB signer? Are you 100% sure that the delivery company didn’t switch the box on it’s way to your home?

Having a single private key that grants unlimited access to the account is simply never safe. I’ll list just a subset of risks of using an EOA in any physical form (software, hardware, paper).

Losing the private key

Scenarios:

1. You store the private key on your phone and accidentally wipe the storage.

2. You store the private key on a piece of paper in the safe deposit box, the fire destroys both the building and your private key.

3. You own a hardware USB signer and it falls out of your pocket at some gas station in another country.

4. You store the private key on a remote cloud server, the cloud provider has a malfunction in their data center and loses your private key.

5. The owner of the private key is unconscious or dead, and only they knew how to access it.

Malicious actor gets access to private key

Scenarios:

1. Private key owner is abducted by the government agency and tortured for full access to all information and devices.

2. The laptop with a private key is hacked with a 0-day vulnerability and a trojan is planted with full access to the device.

3. The mobile phone with a private key is stolen while unlocked.

Risk mitigation

1. Losing the private key
   Increase the amount of copies of private keys: duplicate the key on different devices, in different places, stored with different people.
   Problem: the more copies of the private key, the more attack vectors are possible. The security of the key is as weak as the weakest storage for it.

2. A malicious actor gets access to private key.
   Make access harder: encrypt the key, reduce the amount of devices that store the key, implement a reset switch that destroys private key when a specific passphrase is entered, etc.
   Problem: the harder the access, the easier it is to lose the private key with no possibility to recover any assets.

EOA vs Smart Wallets

As you can see, using an EOA has certain risks and the mitigation tactics are mutually exclusive: if we make it harder to steal the key, it will be more prone to losing; if we make it harder to lose the key, it will be easier to steal.

What can we do to increase the security?

Option 2: Smart Wallet

Smart Wallets are also sometimes called Smart Contract Wallets and Account Abstraction.

The exact implementation can be different, but in the end we get a wallet that follows a strict set of rules before approving transactions.

I will list a few examples of the possible rules.

Multisig

A smart wallet can require multiple signatures to perform the action.

In the simplest form the signatures can be equal, e.g.: “here’s 3 signers, we need at least 2 of them to sign a transaction”

The signatures can have weights, e.g.:

• Alice has vote weight of 2

• Bob has vote weight of 1

• Charlie has vote weight of 1

• Every transaction requires 2 votes total.

This means that Alice can execute any transaction single-handedly, while Bob and Charlie should coordinate and vote together.

Advantages: a single stolen key cannot steal all of the assets on the wallet, because multisig requires multiple signers to participate.

Disadvantages: there is no single owner of the wallet, every transaction needs multiple signers and it’s very inconvenient to use for small day-to-day operations.

Timelock & Veto

The transactions can be time-locked: even when the signatures are valid, some time should pass between submitting the signatures on-chain and executing the transaction.

While the transaction is time-locked, the signers may have the ability to veto the transaction: cancel the execution on-chain.

This can be weighted as well by introducing “veto power” similar to vote power, e.g.:

• Alice has veto power of 3.

• Bob, Charlie and Derek have veto powers of 1.

• Everyone can send a time-locked transaction.

• Veto power of 3 is required to cancel a time-locked transaction.

This means that Alice can stop any transaction from executing single-handedly, while Bob, Charlie and Derek should vote unanimously to cancel a transaction.

Advantages: a single stolen key cannot steal all of the assets on the wallet, because anyone can cancel their transactions.

Disadvantages: time lock prevents transactions from executing immediately, this makes many time-sensitive operations such as on-chain token swaps basically unusable.

Freezing the wallet

Freezing is very similar to transaction time lock, but is available on-demand.
One of the signers can freeze the wallet to prevent any transactions for a certain time period.

This can be used to stop all wallet operation if it becomes known that some of the signing keys was compromised.

Advantages: if one of the keys is stolen (or event suspected to be stolen), wallet can be freezed without having a time-lock enabled all of the time.

Disadvantages: the malicious actor can disrupt normal activity on the wallet (at least temporary).

Changing the signers

The list of signers can be changed.

The simplest example is a 1/1 multisig wallet:

• Alice can execute any transaction with her signature.

• Alice can change the owner of the wallet from Alice to Bob.

• After that Bob can execute any transaction with his signature.

This makes key rotation possible, and structural changes as well.
E.g. after a divorce you might want to remove your spouse from your multisig.

Advantages: a single stolen key can be easily replaced with another one. If there are multiple signers, a lost key of one signer can be replaced with a fresh one by other signers.

Disadvantages: using a stolen key it is possible to remove or change the other signers.

Limited list of operations

Some operations can be specifically allowed, e.g.:

• sending certain amounts of ETH with daily limits

• interacting with certain smart contracts (e.g. providing Uniswap liquidity)

• calling certain functions on a specified contract

These operations will have less restrictions than the default ones, e.g. no time lock or less signers required.

Advantages: if a wallet is mostly used in predictable ways, we can greatly reduce the damage from the attacks by using more secure defaults (more signers, time locks etc.).

Disadvantages: harder to implement and audit, high gas costs. It can still be possible for the attacker to cause harm before the limits kick in.

Is it DAO?

As you can see from the examples, the line between smart wallets and DAOs is getting kind of blurry.
Smart wallets with the social recovery module are basically micro-DAOs with one person capable of handling the assets exclusively, unless their social circle freezes their wallet on the ground of an ongoing attack attempt suspicion.

The combination of a convenient user experience and a high level of security is very hard to achieve, but we in crypto are not afraid of hard problems — we build upon them.