The issue with multisigs in DeFi goes far beyond the limitations of the technology. It extends into an area of philosophy that most in this space have refused to acknowledge.
Multisigs are not inherently evil. In fact, they can be extremely useful. A multisig’s primary function is to provide an individual or a group with a shared responsibility to protect value on a blockchain.
A multisig works the way it’s intended when it is securing value that is owned by this individual or group.
If you, as an individual, have value on a blockchain that you’d like to secure, you have options. You can use one key, but this could create a single point of failure that you do not want. So, to avoid that single point of failure, you might choose to create a multisig that requires m-of-n signatures, where m and n can be any numbers you’d like. You can own all of these keys yourself, or you can take the necessary measures to ensure that you only have access to a certain number of them while others retain access to the remaining keys.
The point here is that it’s up to you how you want to set it up and secure it.
If this is your money, you may decide that you want to have backups of all of the keys yourself, but that you also want to have copies of those keys residing with people that you trust.
Or, if it’s shared value among a group, you may decide that you should only have access to one key out of seven, and the other six are with unique individuals. The seven people, including yourself, would then work together to ensure that you all share confidence that the keys were set up properly and that the security model is correctly implemented.
You witness this happening. You know how the keys are being secured. You trust the people involved. So, you feel comfortable that your value is being secured in the fashion that you intended.
Treacherous epistemological questions arise when individuals or groups use multisigs not to secure their own value, but to secure the value of others. They may go through the same steps that they would take to secure their own value with a multisig. However, if the individuals whose value they are protecting do not witness those steps themselves – if they do not know the signers, do not have any reason to trust the signers, and are not able to be directly involved in the ongoing security of the keys – then those depositors have no rational reason to believe that their funds are secure.
The depositors can’t know what they can’t know:
- They can’t know that the multisig was created securely if they were not present at its creation.
- They can’t know that the multisig keys were secured with new wallets that had not been compromised in the past.
- They can’t know that the keys are being secured properly on an ongoing basis because they don’t know the signers and have no rational reason to trust them.
- They can’t know how these signers will act under duress when they’re presented with a choice between protecting other people’s money and facing a multitude of threats ranging from physical harm to criminal charges.
Again, these are all things that you can know if your multisig is securing your money. You know how you would respond if you were facing a threat and you were forced to make a choice that could involve threatening the security of your funds. This is all for you to decide. It’s a personal choice.
But you can’t know how someone else would respond in the same situation. You can’t know how someone else would respond if it were a choice between your money and their personal freedom.
We can make assumptions based on what we do know about human nature. We do know that humans are inherently greedy and have a constant incentive to act in their own self-interest. If a thousand users deposit a total of $100 million of cryptocurrency into an L2 bridge that is entirely secured by a 3-of-5 multisig, we can easily extrapolate that 3 of the signing keys can be used to steal the $100 million. However, we don’t know how the multisig was created, how it’s secured on an ongoing basis, or how the signers would react if faced with a threat. Even if the signers tell us what they believe to be the answers, we still cannot know that they are being honest with us or even themselves.
We also cannot know if three separate keys are in the possession of one person, giving that person the ability to commit a transaction all on their own. We must assume that they are. If this is the case, we can’t know if that one person who holds all of the keys set up their wallet correctly. We must assume that they did not. We do not know how that one person would react to a threat. We must assume that they would act in their own self-interest and not ours.
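The worst-case reasoning above can be made concrete with a small model. This is an added example, not part of the original essay: it enumerates every way the five keys of a 3-of-5 multisig could be divided among people and computes how many people must cooperate, or be coerced, to sign in each case. The function names and the holder names are hypothetical; every arrangement it lists looks the same to a depositor who sees only five addresses and a threshold of three.

```python
from itertools import accumulate


def parties_needed(threshold, keys_per_holder):
    """Fewest distinct holders whose combined keys reach the signing threshold."""
    counts = sorted(keys_per_holder, reverse=True)
    if sum(counts) < threshold:
        raise ValueError("holders control fewer keys than the threshold")
    # Taking the largest holdings first minimises the number of people involved.
    for people, total in enumerate(accumulate(counts), start=1):
        if total >= threshold:
            return people


def partitions(n, largest=None):
    """Yield every way to split n keys among unnamed holders (integer partitions)."""
    largest = n if largest is None else largest
    if n == 0:
        yield ()
        return
    for first in range(min(n, largest), 0, -1):
        for rest in partitions(n - first, first):
            yield (first,) + rest


def custody_scenarios(threshold, n_keys):
    """Map each possible custody split to the number of people able to sign."""
    return {split: parties_needed(threshold, split) for split in partitions(n_keys)}


if __name__ == "__main__":
    # Constructed example: what the signers might claim versus one hidden reality.
    claimed = {"alice": 1, "bob": 1, "carol": 1, "dave": 1, "erin": 1}
    hidden = {"alice": 3, "bob": 1, "carol": 1}  # one person holds three keys
    print("claimed:", parties_needed(3, claimed.values()), "people must agree")
    print("hidden: ", parties_needed(3, hidden.values()), "person is enough")

    # Every custody split consistent with "five addresses, threshold three".
    for split, people in custody_scenarios(3, 5).items():
        print(f"keys per holder {split}: {people} of {len(split)} holders can sign")
```

Of the seven possible splits, four leave a single person able to sign alone, and nothing visible on the blockchain distinguishes them from the split in which three independent people are required.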
Using basic reason, we can assume that every multisig that’s used to protect other people’s money requires the depositors to trust in one unknown person in an unknown emotional state with unknown incentives employing unknown security measures and planning unknown future actions.
This applies to every situation where a multisig is used to protect other people’s money. If you’re using a DeFi application that relies on a multisig for security of the funds, you are relying on one unknown person employing unknown security measures with unknown incentives and unknown self-preservation instincts. This holds true in all cases.
How does that make you feel? It should make you feel terrified. No rational person should want to take on this kind of risk. Yet, in DeFi, it’s a seemingly accepted constant. Why? Are we just willfully ignorant? Is this all stuff that we just choose to ignore? Or is something deeper happening?
This new world of ideas and technology confronts us with novel and exciting philosophical questions, but flawed instincts seem to compel us to disregard them until the consequences become too dire to overcome.
If DeFi continues on the path that it’s currently on, then just like in traditional finance, rational thought will continue to take a backseat to greed, and regulators will step in to answer these philosophical inquiries with the violent force of government.
Once that occurs, then our opportunity to address these questions on a rational level will have been lost forever, and DeFi will have failed in its mission to break the cycle of misplaced trust in financial authority.