FC poll: how big of a role do MPC wallets play in next wave of adoption?

shadowy super coder. Banner is Solvency #486                                                                   Currently: Metamask Portfolio

i've got a question about MPCs that quick googling couldn't answer: if both i and the service i use have a "secret share", can the service "recover" my wallet without my knowledge and transfer all funds away?

cto @ bwl.gg (lunchbreak.com), 80M+ users (bdut.ch) 🙏 built @remindme, @mintit, @gpt, @healthbot, farcantasy.xyz

we are doing a form of MPC at Bunkyr and we position ourselves as recovery only. So users still have their copy of primary keys for everyday use (service provider can't block anything), but if they lose their copy then we can help them get it back.

Founder bunkyr.com | Building web3 recovery | Killing seed phrases | 🍊

is there a cryptographic mechanism that prevents you from recovering a user's keys without the user's consent?

yes, we have 1/3 pieces of the recovery key. The service provider and the user are responsible for the other 2.

wait wait wait, this scheme with you having 1/3 keys, the service provider having 1/3 keys is susceptible to social engineering attacks; a smart malicious agent can be posing as me, pass the checks and "recover" the access to my funds

or am i wrong here?

You are not entirely wrong. We force the service provider to verify the user before they contribute their portion of the key (MFA, email, text). Then the attacker would have to have access to the user's account which represents contributes their 1/3 of the key.

It's not perfect, and perhaps not as secure as just a seed phrase, but we are betting on the need for easier methods for onboarding that is still a relatively strong security posture. Still better than a lot of social engineering attacks for sure

I think that is fair. At least for us, we and the service provider can't team up against the user. The user (or a malicious actor who gets control of a user account and passes all checks) is required to contribute. I reckon if an attacker got that far, a user has bigger problems

just to be clear here: the reason i say that mpc are basically custodial wallets with extra steps is that they have all the same issues as custodial wallets (you can always "team up" with service providers willingly or — more likely — by being forced to)