The Rise of Multisigs in Crypto Security: Insights from Squads Protocol

In the ever-evolving landscape of blockchain technology, security remains a paramount concern. As the crypto industry matures, we're witnessing a significant shift in how projects and individuals approach the protection of their digital assets. At the forefront of this transformation is the growing adoption of multisignature (multisig) wallets, particularly within the Solana ecosystem. To delve deeper into this trend, we turn to Stepan Simkin, co-founder of Squads, a leading multisig solution on Solana.

What is a Multisig?

A multisig, short for "multiple signatures," is a wallet that requires multiple private keys to authorize transactions. Stepan Simkin defines it succinctly: "Multisig is this very simple consensus mechanism that allows to execute transactions on a blockchain by requiring multiple signatures." This straightforward definition belies the profound impact multisigs are having on crypto security and operational practices.

Traditionally, multisigs have been used as wallet systems, allowing groups of people or individuals with multiple keys to manage treasury assets such as NFTs or tokens. However, the scope of multisig applications has expanded significantly in recent years. On Solana, we now see multisigs being used to manage validators, tokens, and even entire programs.

The Evolution of Multisigs in Blockchain

The concept of multisigs wasn't baked into blockchain protocols from the beginning, despite its apparent alignment with the principles of decentralization and security. Simkin explains that the necessity for multisigs grew alongside the increasing value accruing to cryptocurrencies, particularly Bitcoin.

The very first Bitcoin multisig implementations were actually done off-chain, where users would generate multiple shards from a single key. This early version was primarily focused on additional security, akin to two-factor authentication for holding Bitcoin. As Ethereum gained popularity as a smart contract platform, the idea of on-chain smart contract wallets became feasible, allowing for more complex and programmable multisig solutions.

Multisigs vs. On-Chain Governance

Interestingly, there was a period when many institutions and project teams believed they could achieve similar security and control through on-chain governance rather than multisigs. The idea was to form a DAO (Decentralized Autonomous Organization) where executive team members would have voting power. However, this model has largely fallen out of favor for several reasons.

Simkin points out that governance tokens introduce additional complexities and potential attack vectors that aren't present in multisig setups. "With governance, it is more complicated," he notes, "Because also, when you have a large supply of liquid tokens involved in this, it potentially -- there's different kinds of attacks that are possible. They are not really possible with a multisig."

Moreover, the shift towards multisigs aligns with a broader cultural change in the blockchain space. Newer blockchains like Solana have attracted builders who are more focused on iterating quickly and delivering products before decentralizing. This approach necessitates different tooling, making multisigs an attractive option for teams that want to maintain control during early development stages.

The Serum Incident: A Case for Multisigs

The importance of proper multisig implementation was starkly highlighted during the FTX collapse and its impact on the Serum protocol. When FTX collapsed, there were concerns that some of Serum's program keys or upgrade keys might be in the hands of potentially malicious actors. While no exploit occurred, the fear alone was enough to severely damage confidence in the protocol.

Simkin explains that this incident served as a wake-up call for many teams in the Solana ecosystem. "When the Serum happened, people started talking publicly about this issue on Twitter and on Discord. And then users on Solana started to really understand that this thing exists and the potential impact that it can have if that authority is in malicious hands."

This event catalyzed a shift in how projects approach their upgrade authorities. Many teams realized the need for a robust multisig solution to manage these critical controls, leading to increased adoption of tools like Squads.

Program Management: A Killer Feature for Multisigs on Solana

One of the unique aspects of Solana's architecture is that programs (smart contracts) are upgradeable by default. This feature, while powerful for rapid iteration, also introduces security considerations. Simkin emphasizes that program management has become a "killer feature" for Squads on Solana.

"Program management is very important," Simkin states. "And I think it does kind of, in many ways, novel to blockchains. And it's like, it's the first time we really took it to its furthest extreme where we have a full program management flow because Solana programs are upgradable."

This capability allows teams to securely manage their program upgrades through a multisig, providing an additional layer of security and transparency that wasn't previously available. It's particularly crucial for protocols in their early stages when rapid iteration is necessary, but security cannot be compromised.

The UX Challenge of Multisigs

While the technical benefits of multisigs are clear, their adoption has been somewhat hampered by user experience challenges. Crypto is notorious for "technically shipping technology, but not practically shipping technology," as the podcast host notes. Squads has had to carefully consider how to design an interface that meets the needs of various user types, from small investment groups to large projects deploying mission-critical programs.

Simkin describes Squads' approach: "Squads interface today is really an amalgamation of a bunch of familiar flows and products that you've seen just completely different realms that we fit to specific needs of the users that we have." He distinguishes between treasury management components, which draw inspiration from fintech and banking apps, and developer-focused interfaces that resemble project management tools like Jira.

This dual approach allows Squads to cater to both the financial management needs of teams and the complex on-chain workflows that developers must navigate. By making these processes more intuitive and familiar, Squads is lowering the barrier to entry for multisig adoption.

Transparency and Privacy: A Delicate Balance

An interesting aspect of multisig implementation is the balance between transparency and privacy. On one hand, there's a push for greater transparency in crypto projects, especially those that have raised public funding. On the other hand, teams in early development stages often prefer to maintain some level of privacy until they're ready to decentralize.

Squads has approached this by making squad links public, allowing anyone with the link to view details about the multisig setup. Some projects have embraced this transparency, posting their multisig links on their websites or in public forums. However, Simkin notes that privacy concerns have been more prominent among their users: "Privacy came up more than the need for making things more transparent."

This tension reflects the broader cultural shift in the crypto space, where the lines between DAOs and traditional companies building on-chain are becoming increasingly blurred. Simkin suggests that the industry collectively needs to figure out the right tools for each stage of a project's development.

Formal Verification: The Holy Grail of Security?

One of the most intriguing aspects of Squads' approach to security is their use of formal verification. Formal verification is a method of mathematically proving certain properties of a program, providing a higher level of assurance than traditional auditing methods.

Simkin describes formal verification as "the sort of holy grail" in terms of program security. He explains it in layman's terms: "You mathematically verify what is possible to do with a certain program and what's not. And you really care about it because it basically allows you to mathematically prove that, for instance, unless you meet a threshold in a multisig, the assets can't go out."

However, formal verification is not without its challenges. One of the key difficulties is correctly identifying the properties that need to be verified. As Simkin notes, "Verifying every single thing in a complicated program is very hard or nearly impossible." This necessitates close collaboration between auditors and the formal verification team to focus on the most critical aspects of the program.

While formal verification provides an additional layer of security, Simkin is quick to point out that it's not a silver bullet. There are still edge cases and potential vulnerabilities that lie outside the scope of what can be formally verified, particularly when it comes to social engineering attacks or issues at the user interface level.

The Business Model Dilemma

As with many foundational technologies in the crypto space, Squads faces the challenge of monetizing a public good. Despite being venture-backed and having established strong product-market fit on Solana, the path to sustainable revenue generation remains unclear.

Simkin outlines several potential approaches:

1. Keeping the frontend experience free while generating revenue through internal fees on integrations like native staking, liquid staking, and swaps.
2. Offering core features for free but gating advanced features behind a subscription or other payment model.
3. Encouraging protocols to build on top of their infrastructure, similar to Safe (formerly Gnosis Safe) on Ethereum.
4. Aligning with other infrastructure providers like RPC providers and on-chain indexing services to offer a comprehensive suite of services for Solana developers.

The challenge of monetizing public goods is not unique to Squads or even to the multisig space. It's a pervasive issue in the crypto industry, where some of the most valuable and impactful work often struggles to find a sustainable business model.

Simkin reflects on this dilemma: "When you think about the magnitude or in terms of the impact that managing these assets that our users manage for Squads, like the impact that it can potentially have if there are any issues, right? And basically the value that's being secured, same goes for Safe on the VM. And we're seeing though some UIs on top of Safe starting to monetize, and it is looking a lot more, I think it's very much defined by the user archetype you're after."

The Future of Wallets on Solana

Looking ahead, Simkin envisions a future where all wallets on Solana become "smart wallets" in one form or another. This shift would bring more of the security and programmability features currently associated with multisigs to individual user wallets.

However, implementing this vision comes with its own set of challenges. While Solana's low transaction fees make it more economically viable to deploy smart contract wallets for individual users compared to Ethereum, state storage costs remain a consideration. Additionally, Solana's emphasis on program reusability raises questions about how individualized smart wallets might be implemented without unnecessary duplication of code.

Simkin suggests that the future might involve a few standardized smart wallet programs that users can interact with through various front-end interfaces, rather than each user deploying their own unique smart wallet contract. This approach would balance the benefits of smart wallet functionality with the efficiency and cost-effectiveness that Solana is known for.

Conclusion: Multisigs as the New Security Paradigm

As we've explored throughout this discussion, multisigs are rapidly becoming the default security paradigm in the crypto space, particularly within the Solana ecosystem. Their ability to provide robust security, programmable control, and transparency makes them an attractive solution for everything from small investment groups to large-scale protocol management.

The evolution of multisigs from simple shared wallets to complex program management tools reflects the maturing needs of the blockchain industry. As more value accrues on-chain and more complex systems are built, the need for sophisticated yet user-friendly security solutions becomes paramount.

Squads' work in this space, particularly their focus on program management and formal verification, represents the cutting edge of multisig technology. However, the challenges they face in terms of user experience design and business model development are indicative of the broader growing pains in the crypto industry.

As the space continues to evolve, we can expect to see further innovations in multisig technology, potentially extending to individual user wallets and becoming an integral part of the blockchain user experience. The journey of multisigs from a niche security tool to a fundamental building block of crypto infrastructure is a testament to the industry's relentless focus on security and decentralization.

For builders, investors, and users in the Solana ecosystem and beyond, understanding and leveraging multisig technology will likely become an essential skill in the coming years. As Stepan Simkin and the team at Squads continue to push the boundaries of what's possible with multisigs, they're not just securing assets – they're helping to shape the future of how we interact with blockchain technology.

Facts + Figures

• Multisigs require multiple private keys to authorize transactions, providing enhanced security for crypto assets.
• The necessity for multisigs grew as more value accrued to cryptocurrencies, particularly Bitcoin.
• Early Bitcoin multisigs were implemented off-chain by generating multiple shards from a single key.
• Ethereum's smart contract capabilities allowed for on-chain implementation of programmable multisigs.
• Solana's architecture allows for upgradeable programs by default, making program management a crucial feature for multisigs.
• The Serum incident during the FTX collapse highlighted the importance of proper multisig implementation for program upgrade authorities.
• Squads' interface caters to both treasury management (inspired by fintech apps) and developer workflows (similar to project management tools).
• Formal verification allows for mathematical proof of certain program properties, providing a higher level of security assurance.
• Squads underwent formal verification for their V3 program, one of the few on Solana to do so.
• The process of formal verification for Squads took 4-5 months, including audits and other security processes.
• Squads is considering implementing time locks in their V4 release, similar to those used by Ethereum protocols.
• The business model for multisig providers remains challenging, with various approaches being considered including free access with internal fees, subscription models, and integration with other infrastructure services.
• Squads envisions a future where all wallets on Solana become "smart wallets" with enhanced security and programmability features.

Questions Answered

What is a multisig wallet?

A multisig wallet is a type of cryptocurrency wallet that requires multiple private keys to authorize transactions. It acts as a simple consensus mechanism, allowing transactions to be executed on a blockchain only when the required number of signatures are provided. This enhances security by distributing control among multiple parties or devices, reducing the risk of unauthorized access or single points of failure.

Why weren't multisigs built into blockchains from the beginning?

Multisigs weren't built into blockchains from the beginning because their necessity grew alongside the increasing value accruing to cryptocurrencies. Initially, the focus was on creating the basic infrastructure for transactions. As more value was stored on-chain, the need for enhanced security measures like multisigs became apparent. The evolution of smart contract platforms like Ethereum also made it possible to implement more complex, programmable multisig solutions on-chain.

How did the Serum incident impact multisig adoption on Solana?

The Serum incident during the FTX collapse significantly boosted multisig adoption on Solana. When concerns arose about potential malicious control of Serum's upgrade keys, it highlighted the importance of secure program management. This event raised awareness among both developers and users about the critical nature of upgrade authorities. As a result, many teams rushed to implement multisig solutions like Squads to manage their program upgrade keys, making it a standard security practice in the Solana ecosystem.

What is formal verification and why is it important for multisigs?

Formal verification is a method of mathematically proving certain properties of a program. For multisigs, it's important because it allows developers to mathematically verify what actions are possible within the program and under what conditions. This provides a higher level of assurance than traditional auditing methods. In the case of Squads, formal verification was used to prove that assets couldn't be moved unless the required threshold of signatures was met, adding an extra layer of security to their multisig solution.

How are multisigs being used beyond simple wallet security?

Multisigs have evolved beyond simple wallet security to become versatile tools for on-chain management. On Solana, they're being used to manage validators, tokens, and entire programs. Squads, for example, has made program management a key feature, allowing teams to securely control upgrades to their on-chain programs. Multisigs are also being used for treasury management in DAOs and companies, providing a secure way to manage collective funds and make decisions about resource allocation.

What are the challenges in monetizing multisig solutions like Squads?

Monetizing multisig solutions presents several challenges. As a public good, there's a tension between providing value to the ecosystem and generating sustainable revenue. Squads is considering various models, including keeping the frontend free while charging for internal services like staking or swaps, implementing a freemium model with advanced features behind a paywall, or aligning with other infrastructure providers to offer comprehensive services. The challenge lies in finding a model that doesn't compromise accessibility while still supporting continued development and security efforts.

How might smart wallets change the future of crypto security on Solana?

Smart wallets could significantly enhance crypto security on Solana by bringing multisig-like features to individual user wallets. This would allow for more programmable security measures, potentially including features like spending limits, time locks, or specific program interactions. However, implementing this vision faces challenges due to Solana's emphasis on program reusability and state storage costs. The future might involve standardized smart wallet programs that users interact with through various interfaces,

balancing enhanced security with Solana's efficiency.

What role does transparency play in multisig implementations?

Transparency plays a crucial but complex role in multisig implementations. While there's a push for greater transparency in crypto projects, especially those that have raised public funding, many teams prefer some level of privacy during early development stages. Squads has addressed this by making squad links public, allowing anyone with the link to view multisig details. This allows projects to choose their level of transparency, with some posting their multisig links publicly while others keep them private. The balance between transparency and privacy reflects the evolving nature of on-chain organizations and traditional companies building in the crypto space.