In the wake of recent phishing attacks in which user wallets were drained, awareness of the need for better security has grown. However, this topic isn't easy to dive into. At first, multisig seems cool and the arguments for it are convincing, but once you start unpacking it, it turns out to be a hard and complex topic that requires real expertise to fully understand. This article aims to help people understand what multisigs are, their types, and their strengths and weaknesses.
Currently, there are two main kinds of multisig wallets: protocol-based and MPC (Multi-Party Computation) multisig wallets.
Traditionally, multisigs were a specific type of wallet, and it was up to blockchain protocol developers to provide support for this wallet type alongside single-sig wallets. This protocol-specific implementation has had one very important consequence: unlike single-user wallets, multisigs vary greatly by blockchain protocol. While single-user wallets offer nearly the same user experience regardless of the blockchain (a user simply generates a signature and attaches it to a transaction), Bitcoin multisigs, for example, were implemented with the P2SH standard (addresses starting with a '3'), which compiles a so-called Bitcoin script that wraps multiple public keys together. Ethereum multisigs, in contrast, were implemented as smart contracts.
The difference in the UI was so dramatic that there is pretty much no wallet software that supports multisigs across different protocols. To give you an understanding, we will describe the multisig process for each blockchain individually.
The short story: a Bitcoin multisig address is essentially a hash of the public keys listed one after another, but when we want to spend funds from such an address, we have to provide the required signatures and list all the participating public keys. This is necessary for each UTXO we want to spend.
The long story: as already mentioned, Bitcoin multisig wallets are P2SH (pay-to-script-hash) wallets. Such a wallet is essentially a script (as the name suggests) with the following structure: the minimum number of signatures required to spend, the public keys that participate in the wallet, the total count of public keys (to ensure none is missed), and the opcode OP_CHECKMULTISIG (which verifies the multisignature). To get an address, we hash this script, slightly modify the result, and obtain our Bitcoin multisig address starting with a '3'.
When we want to spend funds from such a wallet, the first participant generates the transaction, signs it on their behalf, and passes it to the other users, each of whom adds their own signature and passes it further. The actual process is more complex than described here: each time somebody signs a transaction, they generate a separate signature for each transaction input and append it to that input's unlocking script. This unlocking script is essentially the complete wallet structure, including the list of all wallet participants and the opcode, prefixed with the signatures.
As you may already have figured out, both Bitcoin multisig wallet generation and transaction signing happen off-chain. This is an important distinction between Bitcoin and other blockchain protocols. The off-chain operations are definitely an advantage in this case, since you don't have to pay for any actions before the final transaction is ready. On the other hand, a major disadvantage is that the transaction length grows with the number of participants and the number of inputs. This quickly becomes a problem during times of network congestion, where a 3-of-5 Bitcoin transaction fee may exceed $100, whereas a P2PKH transaction might only cost $10.
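To make the redeem script and the per-input growth concrete, here is an added Python model (not code from the article) that builds the m-of-n redeem script from constructed placeholder keys and estimates the size and fee of a legacy (non-SegWit) spend; the dummy key and signature sizes and the 50 sat/byte fee rate are assumptions.

```python
"""Size/fee model for spending from a legacy Bitcoin P2SH multisig (constructed example)."""

OP_0, OP_1, OP_PUSHDATA1, OP_CHECKMULTISIG = 0x00, 0x51, 0x4C, 0xAE  # OP_1..OP_16 = 0x51..0x60

def push(data: bytes) -> bytes:
    """Minimal push encoding for data up to 255 bytes (enough for this model)."""
    if len(data) <= 75:
        return bytes([len(data)]) + data
    if len(data) <= 255:
        return bytes([OP_PUSHDATA1, len(data)]) + data
    raise ValueError("data too long for this example")

def multisig_redeem_script(m: int, pubkeys: list[bytes]) -> bytes:
    """<m> <pubkey_1> ... <pubkey_n> <n> OP_CHECKMULTISIG: the script the P2SH address commits to."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    if any(len(pk) != 33 for pk in pubkeys):
        raise ValueError("expected 33-byte compressed public keys")
    body = b"".join(push(pk) for pk in pubkeys)
    return bytes([OP_1 + m - 1]) + body + bytes([OP_1 + n - 1, OP_CHECKMULTISIG])

def varint_len(n: int) -> int:
    """Bytes needed for Bitcoin's CompactSize encoding of n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5

DUMMY_KEY = b"\x02" + bytes(32)   # constructed placeholder, not a real key
DUMMY_SIG = b"\x30" + bytes(71)   # 72 bytes: typical DER signature plus sighash byte

def p2sh_multisig_input_size(m: int, n: int) -> int:
    """Serialized size of one spent UTXO: outpoint + scriptSig (m sigs + redeem script) + sequence."""
    redeem = multisig_redeem_script(m, [DUMMY_KEY] * n)
    # Leading OP_0 is the extra element OP_CHECKMULTISIG pops (its well-known off-by-one).
    script_sig = bytes([OP_0]) + b"".join(push(DUMMY_SIG) for _ in range(m)) + push(redeem)
    return 32 + 4 + varint_len(len(script_sig)) + len(script_sig) + 4

def p2pkh_input_size() -> int:
    """Same accounting for a single-sig input: <sig> <pubkey>."""
    script_sig = push(DUMMY_SIG) + push(DUMMY_KEY)
    return 32 + 4 + varint_len(len(script_sig)) + len(script_sig) + 4

def estimate_fee_sats(n_inputs: int, input_size: int, n_outputs: int = 2, sat_per_byte: int = 50) -> int:
    """Legacy transaction: version + inputs + outputs (34 bytes each for P2PKH) + locktime."""
    size = 4 + varint_len(n_inputs) + n_inputs * input_size + varint_len(n_outputs) + n_outputs * 34 + 4
    return size * sat_per_byte

if __name__ == "__main__":
    for m, n in [(2, 2), (3, 5)]:
        print(f"{m}-of-{n} input: {p2sh_multisig_input_size(m, n)} bytes vs P2PKH {p2pkh_input_size()}")
    print("3 inputs, 3-of-5 at 50 sat/B:", estimate_fee_sats(3, p2sh_multisig_input_size(3, 5)), "sats")
```

Each extra signer adds one pushed signature to every input and one pushed key to the redeem script that every input carries, which is why the fee scales with both dimensions.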
In a nutshell: someone has to deploy a smart contract that lists all the participants and implements the multisig logic.
The deployed smart contract must contain all the logic to handle the various asset types: ETH, ERC20 tokens, NFTs, ERC1155, DeFi protocols, and so on. The issue here is that supporting each asset type expands the code base, since each asset type has its own interface and the multisig contract must know how to manage it. Another challenge is that some multisig implementations require each user to submit their signature individually, turning the multisig contract into a stateful application. All these factors increase the gas used per transaction, resulting in higher costs.
Another problem experienced by smart contract multisigs is that some DeFi protocols protect themselves from being called by other smart contracts. This protection serves multiple security purposes. Firstly, it guards against arbitrage attacks, where an arbitraging smart contract calls multiple DeFi protocols in a single transaction to profit from volatility. Secondly, some DeFi protocols defend against various reentrancy attacks in a way that also blocks smart-contract-based multisigs.
Nevertheless, such multisigs are currently very popular despite their disadvantages, and they continue to develop, overcoming some of the issues mentioned. For example, the well-known Safe wallet managed to provide an implementation that generates the spending transaction off-chain. This approach significantly reduced operational costs, but DeFi protocol developers still need to add compatibility with the Safe wallet to their protocols. Unfortunately, this is an ongoing process that requires additional effort from DeFi developers, and not all protocols, even some well-known ones, support this type of multisig.
As cryptography progressed, it developed a mathematical basis for so-called 'threshold signatures', which are foundational for Ethereum, Bitcoin, and many other blockchains. This heralded the era of MPC (Multi-Party Computation) multisig wallets. MPC involves multiple wallet users jointly computing a single signature.
The revolutionary aspect of this technology is that multiple users can now appear on-chain as a single public key. They can essentially do everything a single user can do, and on-chain analytics tools cannot tell that such a transaction was signed by multiple parties or determine the participants of the wallet. Essentially, MPC transactions are a type of "privacy-preserving" multisig. Unfortunately, this is not the case with Bitcoin P2SH multisigs or Ethereum smart contract multisigs, which reveal on-chain that the account is a multisig wallet, who the participants are, what assets each participant owns, and other private financial details.
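The joint-signature idea, as an added toy example that is not from the article or from any product it mentions: n-of-n additive key shares of a Schnorr-style key in a small multiplicative group with assumed toy parameters P, Q and G, where the verifier sees one public key and one ordinary signature. It omits the key-aggregation coefficients and nonce commitments that real protocols such as MuSig need, and the group is far too small for any real use.

```python
"""Toy n-of-n joint Schnorr-style signing with additive key shares (constructed example)."""
import hashlib
import secrets

# Assumed toy group: G = 4 has prime order Q = 1019 in the multiplicative group mod P = 2039.
P, Q, G = 2039, 1019, 4

def challenge(R: int, pk: int, msg: str) -> int:
    """Fiat-Shamir challenge e = H(R || pk || msg) mod Q; every party must derive the same e."""
    data = f"{R}|{pk}|{msg}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Party:
    """One wallet participant holding a private key share x_i, which never leaves the party."""
    def __init__(self, x: int = 0) -> None:
        self.x = x if x else secrets.randbelow(Q - 1) + 1   # 0 means "pick a random share"
        self.pub = pow(G, self.x, P)
        self.k = 0

    def nonce_commit(self) -> int:
        """Fresh per-signature nonce share k_i; only R_i = G^k_i is published."""
        self.k = secrets.randbelow(Q - 1) + 1
        return pow(G, self.k, P)

    def partial_sign(self, R: int, pk: int, msg: str) -> int:
        """s_i = k_i + e * x_i (mod Q); the nonce k_i masks the key share x_i."""
        return (self.k + challenge(R, pk, msg) * self.x) % Q

def joint_public_key(parties: list[Party]) -> int:
    """pk = prod G^x_i = G^(sum x_i): on-chain this is indistinguishable from a single key."""
    pk = 1
    for p in parties:
        pk = pk * p.pub % P
    return pk

def mpc_sign(parties: list[Party], msg: str) -> tuple[int, int]:
    """Round 1: aggregate nonce R. Round 2: sum partial signatures. Nobody ever holds sum x_i."""
    pk = joint_public_key(parties)
    R = 1
    for p in parties:
        R = R * p.nonce_commit() % P
    s = sum(p.partial_sign(R, pk, msg) for p in parties) % Q
    return R, s

def verify(pk: int, msg: str, sig: tuple[int, int]) -> bool:
    """Ordinary single-key Schnorr check: G^s == R * pk^e. It cannot tell how many parties signed."""
    R, s = sig
    return pow(G, s, P) == R * pow(pk, challenge(R, pk, msg), P) % P
```

The same verify function accepts a signature from three parties and from one party holding the summed key, which is exactly why chain analysis cannot distinguish the two.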
MPC multisigs quickly became popular and are often used as the backbone of many self-custody services. Many well-known products have migrated their Bitcoin addresses from ones starting with '3' to ones starting with '1', indicating that the advantages of MPC outweigh its disadvantages.
Firstly, and most importantly, MPC allows for the same user experience across different blockchains, such as Bitcoin, Ethereum, Litecoin, Dogecoin, or Tron, significantly reducing the development required to support multiple chains in a single application. Another advantage is that MPC multisig operations are significantly, and sometimes drastically, cheaper than protocol-based multisigs such as Bitcoin P2SH multisigs or Ethereum smart-contract-based multisigs. For Bitcoin, this might be 3 times cheaper for 2-of-2 multisigs or even 6 times cheaper for 3-of-5 wallets. In the case of Ethereum, MPC technology eliminates the need to deploy a smart contract, cutting out the initial setup cost, which can easily be $60-$70 under moderate network congestion or exceed $100 per wallet during high-load times.
However, there is one major downside: there aren't many applications that offer these types of wallets, and those that do exist can easily cost $2000 a month. This is because providing MPC multisigs is a hard and complex task, requiring a deep understanding of many technical aspects. Currently, there is pretty much a single wallet that provides this type of multisig, lets you try it for free, and offers an affordable price tag if you need to scale: the TotalSig wallet.
The TotalSig wallet offers multisigs for 11 blockchains, including Ethereum, Bitcoin, BSC, and Tron. Users can store coins, tokens, NFTs, and interact with Web3 applications. Currently available as a Chrome extension, it offers a user experience similar to MetaMask, with plans to expand support to more platforms soon.