The Risks of MPC and the Shift to Smart Contract Wallets

Self-custody sucks right now. Default solutions like Ledger, MetaMask, and other externally owned account (EOA) wallets leave crypto-natives struggling with real problems.

As a user, you must:

  • Figure out how to protect your seed phrase. If an attacker gets access to your 24-word seed phrase, they can steal all of your assets.

  • Avoid making mistakes while transacting. Signing malicious transactions or sending assets to the wrong address is too common.

  • Build custom recovery and inheritance plans, for the case that you or your next of kin can’t access your seed phrase.

Multi-party computation (MPC) and smart contract wallets are both solutions that can help solve these problems. They allow wallet providers to build features on top of EOAs such as social recovery, transaction limits, 2FA and more. At Waymont, we started with MPC. On the surface, it seemed flexible and efficient. As we went deeper, though, we found security gaps and attack vectors inherent to MPC that we couldn’t ignore.

Ultimately, we decided to shift our infrastructure to Safe's smart contracts, which now secure over $100 billion in assets. This blog post will detail: 1) how MPC wallets work, 2) the problems we found with MPC, and 3) our shift to smart contracts.

1) How MPC wallets work

At a high level, an MPC wallet generates a private key that is split into key shares and distributed among different parties. Each key share produces a partial signature independently, off-chain, and the partial signatures combine into a single valid Ethereum signature.

MPC models are typically similar, but vary in terms of who holds your key shares.

  • Centralized MPC: All key shares are controlled by a single entity (e.g. Coinbase) but processed in isolated, secure cloud environments. This method is often used by institutional custody providers for operational efficiency, but it can leave assets vulnerable to insider attacks and single points of failure. It may also require the provider to register as a legal custodian.

  • Hybrid MPC: Key shares are split between the user, the wallet provider, and third parties. This method is used by providers like Fireblocks and ZenGo so that you don’t have to trust a centralized provider to hold all of the key shares. While this provides more security, a centralized party still needs to distribute, manage, and revoke key shares securely.

2) Challenges with MPC Wallets

Regardless of the model you use, any MPC-based custody setup has three key problems.

Problem 1: You must trust a centralized party to coordinate signing and key generation securely

Any hybrid or centralized MPC setup inherently requires a trusted centralized party to secure one or more key shares (and potentially, backups of these key shares).

Securing these key shares requires complex and trusted cloud infrastructure. The complexity involved with distributed key generation, key rotation, and key revocation opens you up to risk of key share exposure through insider threats and man-in-the-middle attacks. Exposure of enough key shares will allow an attacker to gain full control over your assets.

Problem 2: You must trust that old key shares are properly discarded during key revocation

If you wish to revoke access from an MPC signer, you will need the ability to revoke keys, and you will need to trust all parties to discard their old key shares. A key share is just data; once generated it cannot be invalidated by the cryptography itself, so revocation only works if every holder actually deletes it. If a wallet provider’s key share infrastructure is compromised with malware, that malware could remain dormant, collecting old key shares on each key revocation, until it has enough to drain all assets.

Problem 3: You must trust that your MPC algorithms have no vulnerabilities

MPC algorithms involve complex cryptography and algorithms are updated on occasion to unlock performance and capability improvements. Vulnerabilities have been found in industry-standard algorithms and implementation mistakes with MPC can lead to exploits resulting in a complete loss of funds.

For example, two recent vulnerabilities found in the cryptocurrency space include:

  • The private key information leakage found in GG18 and GG20 (the MPC algorithms used by Fireblocks between 2019 and 2021)

  • The recent vulnerability found in BitGo’s MPC implementation that would have allowed a hacker to gain complete access to your funds with only a single signature

3) Smart Contracts > MPC-based Wallets

Switching to a smart contract solution (Safe) allowed us to eliminate each of the problems we were concerned about:

Problem 1: You must trust a centralized party to coordinate signing and key generation securely.

Safe’s solution: Transparent + verifiable signing and key generation. Your Waymont Vault is a 2-of-2 Safe multisig. You can verify, on-chain, that Signer 1 is your enrolled mobile device and Signer 2 is your Waymont Policy Guardian. Waymont never holds any key shares that, if exposed, could initiate a transaction and endanger your assets.

Problem 2: You must trust that old key shares are properly discarded during key revocation

Safe’s solution: You can freely rotate, remove, and add signers on-chain. There is no need for key shares to be discarded and no risk of a malicious party accumulating old key shares.
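The contrast with on-chain signer rotation, as an added example rather than Safe's or Waymont's code: a stdlib-only model of a 2-of-2 owner set with a threshold and nonce. HMAC stands in for ECDSA so it runs offline, and the method names (`swap_owner`, `execute`) are ours, not Safe's contract interface.

```python
import hmac, hashlib

def sign(signer_secret: bytes, digest: bytes) -> bytes:
    """Stand-in signature (assumption: HMAC keyed by a per-signer secret)."""
    return hmac.new(signer_secret, digest, hashlib.sha256).digest()

class Multisig:
    """Minimal model of a multisig owner set with an on-chain threshold and nonce."""
    def __init__(self, owners: dict, threshold: int):
        self.owners = dict(owners)   # address -> verification key (stand-in)
        self.threshold = threshold
        self.nonce = 0

    def tx_hash(self, to: str, value: int) -> bytes:
        # The nonce is part of the digest, so a signature cannot be replayed later.
        return hashlib.sha256(f"{to}|{value}|{self.nonce}".encode()).digest()

    def check_signatures(self, digest: bytes, sigs: dict) -> bool:
        # Only current owners count, each at most once; removed signers are ignored.
        valid = {a for a, s in sigs.items() if a in self.owners
                 and hmac.compare_digest(sign(self.owners[a], digest), s)}
        return len(valid) >= self.threshold

    def execute(self, to: str, value: int, sigs: dict) -> bool:
        ok = self.check_signatures(self.tx_hash(to, value), sigs)
        if ok:
            self.nonce += 1
        return ok

    def swap_owner(self, old: str, new: str, new_key: bytes):
        # Rotation is a state change: nothing has to be "deleted" by the old signer.
        del self.owners[old]
        self.owners[new] = new_key

def demo():
    """2-of-2 vault: device + guardian; returns outcomes before and after rotation."""
    dev, guard, new_dev = b"device-secret", b"guardian-secret", b"new-device-secret"
    vault = Multisig({"0xDevice": dev, "0xGuardian": guard}, threshold=2)
    h = vault.tx_hash("0xRecipient", 1)
    only_device = vault.execute("0xRecipient", 1, {"0xDevice": sign(dev, h)})
    both = vault.execute("0xRecipient", 1,
                         {"0xDevice": sign(dev, h), "0xGuardian": sign(guard, h)})
    vault.swap_owner("0xDevice", "0xNewDevice", new_dev)   # rotate the mobile signer
    h2 = vault.tx_hash("0xRecipient", 1)
    stale = vault.execute("0xRecipient", 1,
                          {"0xDevice": sign(dev, h2), "0xGuardian": sign(guard, h2)})
    rotated = vault.execute("0xRecipient", 1,
                            {"0xNewDevice": sign(new_dev, h2), "0xGuardian": sign(guard, h2)})
    return only_device, both, stale, rotated
```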

Problem 3: You must trust that your MPC algorithms have no vulnerabilities

Safe’s solution: Safe’s smart contracts secure over $100 billion in assets. Since 2018, the Safe smart contracts have passed the highest possible security standards in the industry including Formal Verification and excelled in 11+ security audits.


Using Safe is not without trade-offs, though. By optimizing for security, we accept increased gas costs and being locked into EVM chains for the time being. We think this trade is a no-brainer. Our absolute priority is security. Smart contracts also enable additional capabilities that benefit our users:

  • On-chain timelocks - Timelocks for recovery and delayed actions that can be canceled by the user

  • Batched transactions - Users can batch together transactions to save on gas

  • Sponsored transactions - Other parties can sponsor transactions for the user (also pay gas with any ERC20 token)

  • Programmable security - On-chain key rotation and programmable key management (e.g. have transactions over $10K require additional or different signing keys)

MPC likely still has a role in the future of self-custody. It may make sense for institutions that want to work with a custodian. Or, as noted by Lukas Schor, the founder of Safe, MPC could be used to improve the security of a smart contract wallet’s signing keys.

Ultimately, an MPC setup can be secure with the right implementation. But as noted above, MPC requires inherent trust assumptions and introduces risk vectors that Waymont and most of our crypto-native users would rather avoid. Therefore, Waymont is confidently secured today by the Safe smart contracts, alongside $100B of other assets.


Follow us on Twitter: @WaymontCo

Acknowledgments: Kaito (Utopia Labs), Richard Chen (1confirmation), James Folkestad (Waymont), Jai Bhavnani (Waymont), David Lucid (Waymont), Yao (Waymont)

--

The information provided in this Post about Waymont Holdings, Inc. (“Waymont” or the “Company”), its crypto-assets, business assets, strategy, and operations, is for general informational purposes only and is not a formal offer to sell or a solicitation of an offer to buy any securities, options, futures, or other derivatives related to securities in any jurisdiction and its content is not prescribed by securities laws. Information contained in this Post should not be relied upon as advice to buy or sell or hold such securities or as an offer to sell such securities. This Post does not consider nor provide any tax, legal, or investment advice or opinion regarding any person's specific investment objectives or financial situation. Waymont and its agents, advisors, directors, officers, employees, and shareholders make no representation or warranties, expressed or implied, regarding the accuracy of such information. Waymont expressly disclaims any liability that may be based on such information or errors or omissions thereof. Waymont reserves the right to amend or replace the information contained herein, in part or entirely, at any time and undertakes no obligation to provide the recipient with access to the amended information or to notify the recipient thereof. The information in this Post supersedes any prior Post or conversation concerning the same, similar, or related information. Any information, representations, or statements not contained herein shall not be relied upon for any purpose. Neither Waymont nor its representatives shall have any liability whatsoever, under contract, tort, trust, or otherwise, to you or any person resulting from using the information in this Post by you or any of your representatives or for omissions from the information in this Post. Additionally, the Company undertakes no obligation to comment on the expectations or statements made by third parties regarding the matters discussed in this Post.
