jackclancy.eth 🎩 pfp
jackclancy.eth 🎩
@0xjack
FC poll: how big of a role do MPC wallets play in next wave of adoption?
7 replies
0 recast
0 reaction
borodutch pfp
borodutch
@warpcastadmin.eth
i've got a question about MPCs that quick googling couldn't answer: if both i and the service i use have a "secret share", can the service "recover" my wallet without my knowledge and transfer all funds away?
2 replies
0 recast
0 reaction
Reid pfp
Reid
@reid
we are doing a form of MPC at Bunkyr and we position ourselves as recovery only. So users still have their copy of primary keys for everyday use (service provider can't block anything), but if they lose their copy then we can help them get it back.
1 reply
0 recast
0 reaction
borodutch pfp
borodutch
@warpcastadmin.eth
is there a cryptographic mechanism that prevents you from recovering a user's keys without the user's consent?
1 reply
0 recast
0 reaction
Reid pfp
Reid
@reid
yes, we have 1/3 pieces of the recovery key. The service provider and the user are responsible for the other 2.
2 replies
0 recast
0 reaction
borodutch pfp
borodutch
@warpcastadmin.eth
wait wait wait, this scheme with you having 1/3 keys, the service provider having 1/3 keys is susceptible to social engineering attacks; a smart malicious agent can be posing as me, pass the checks and "recover" the access to my funds or am i wrong here?
2 replies
0 recast
0 reaction
Reid pfp
Reid
@reid
You are not entirely wrong. We force the service provider to verify the user before they contribute their portion of the key (MFA, email, text). Then the attacker would have to have access to the user's account which represents contributes their 1/3 of the key.
2 replies
0 recast
0 reaction
borodutch pfp
borodutch
@warpcastadmin.eth
just to be clear here: the reason i say that mpc are basically custodial wallets with extra steps is that they have all the same issues as custodial wallets (you can always "team up" with service providers willingly or — more likely — by being forced to)
2 replies
0 recast
0 reaction
Reid pfp
Reid
@reid
I think that is fair. At least for us, we and the service provider can't team up against the user. The user (or a malicious actor who gets control of a user account and passes all checks) is required to contribute. I reckon if an attacker got that far, a user has bigger problems
1 reply
0 recast
0 reaction
borodutch pfp
borodutch
@warpcastadmin.eth
true true, what you're talking about is security spectrum whereas i'm evaluating the tech from the standpoint of absolutes: either you own a wallet or you don't; with mpc i'm still inclined to believe that users don't own the wallets but it might be for the better of the users
2 replies
0 recast
0 reaction
Reid pfp
Reid
@reid
right, mpc by definition means other people are involved. They can block you or hijack your wallet depending on implementation. Otherwise it's not really mpc but mpc in parallel to pure user key ownership gives you benefits of helpful recovery + full control
0 reply
0 recast
0 reaction