Bitcoin Self-Custody: A Path Forward
2021 has been a strong year for bitcoin, as endorsements from governments and institutions around the world have turned up at an increasing rate ‒ from El Salvador’s adoption of Bitcoin as legal tender to Visa’s induction of Bitcoin into its latest payment ecosystem.
The rise in Bitcoin’s popularity ‒ and price ‒ has come with a rise in cryptocurrency-related scams and fraud, which are on pace to set a record in 2021. In the US alone, 32 breaches have occurred since January, totaling 3 billion USD lost due to cryptocurrency-related attacks, averaging 93 million USD per attack.
Looking back, 4 million bitcoin ‒ approximately 20% of the current supply ‒ have been lost forever due to the loss of private keys, forgotten passwords, theft or fraud. Let us evaluate some common ways to store bitcoin.
Custodial services (🔒)
A custodial service provider ‒ such as a cryptocurrency exchange ‒ keeps your bitcoin for you. They work just like a bank, granting you an account to log in, deposit and withdraw your assets. The good thing is that they assume the risks on your behalf. The bad thing is that such risks are not always properly managed, and there are multiple points of failure. Most importantly, exchanges hold the keys to their customers’ funds. And as the saying goes: not your keys, not your coins. Prime lessons ‒ from the landmark Mt. Gox hack to the recent Africrypt fraud ‒ are still fresh in our minds.
Software wallets (🔒🔒)
A software wallet is an application that manages the private keys on a host device, such as your smartphone. Unlike exchanges, it gives you complete control over your bitcoin. But that also means you now assume the risks of keeping it. The software itself is a single point of failure, vulnerable to malfunctions or hacks ‒ examples include the Copay backdoor in a popular open-source library, and several Electrum phishing scams. The hardware that accompanies the software is another point of failure: as you are reading this, James Howells is still trying to search his city's landfill for his precious hard drive.
Cold storage (🔒🔒🔒)
Cold storage refers to physical devices that store private keys offline. It could be a dedicated hardware device ‒ like a Trezor, Ledger or COLDCARD ‒ or simply a laptop repurposed to be completely disconnected from the Internet. However, while it is very difficult to hack a cold storage device, you might accidentally lose the physical device itself. Hardware devices are also vulnerable to supply chain attacks. Moreover, despite being offline, a cold storage device could still leak private keys. There are multiple ways a committed hacker could crack it by employing techniques such as side-channel attacks.
A common problem with most software wallets and cold storage solutions is that they employ a single key for the Bitcoin wallet. Losing that key means losing all your bitcoin. It does not matter whether you choose to memorize the seed phrase, write it down on a piece of paper or store it on a USB drive: you could easily lose the key ‒ as in the case of Stefan Thomas.
Isn’t it ironic that while Bitcoin was designed to be decentralized, the most common methods to store it still rely on single points of failure?
Multisig wallets (🔒🔒🔒🔒)
A multisig wallet is a significant security upgrade over the above solutions. It requires at least two keys for spending, effectively addressing multiple types of single points of failure. The loss of any one key ‒ be it a software key or a hardware one ‒ will not compromise your funds. Some early solutions of this type include Specter, Casa and the first version of Nunchuk.
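As an added illustration (not code from Nunchuk or any wallet named above), the Python below builds a 2-of-3 pay-to-witness-script-hash multisig script and checks that losing any single key still leaves enough keys to meet the spending threshold. The keys are constructed placeholders and the helper names are hypothetical; `can_spend` models the key-count threshold only, not signature verification.

```python
import hashlib

OP_0, OP_CHECKMULTISIG = 0x00, 0xAE

def op_n(n: int) -> int:
    """Opcode for the small integers 1..16 (OP_1 = 0x51 ... OP_16 = 0x60)."""
    if not 1 <= n <= 16:
        raise ValueError("this example only encodes 1..16")
    return 0x50 + n

def multisig_witness_script(m: int, pubkeys: list[bytes]) -> bytes:
    """Build OP_m <pk>... OP_n OP_CHECKMULTISIG, keys sorted lexicographically (BIP 67)."""
    if not 1 <= m <= len(pubkeys):
        raise ValueError("threshold must satisfy 1 <= m <= n")
    if any(len(pk) != 33 for pk in pubkeys):
        raise ValueError("expected 33-byte compressed public keys")
    pushes = b"".join(bytes([len(pk)]) + pk for pk in sorted(pubkeys))
    return bytes([op_n(m)]) + pushes + bytes([op_n(len(pubkeys)), OP_CHECKMULTISIG])

def p2wsh_script_pubkey(witness_script: bytes) -> bytes:
    """Output script for P2WSH: OP_0, then a 32-byte push of SHA-256(witness script)."""
    return bytes([OP_0, 32]) + hashlib.sha256(witness_script).digest()

def parse_policy(script: bytes) -> tuple[int, list[bytes]]:
    """Recover (m, keys) from a script produced by multisig_witness_script."""
    m, n = script[0] - 0x50, script[-2] - 0x50
    # Each key occupies 34 bytes: one push-length byte (0x21) plus 33 key bytes.
    keys = [script[2 + 34 * i : 35 + 34 * i] for i in range(n)]
    return m, keys

def can_spend(script: bytes, held: list[bytes]) -> bool:
    """True if the keys still held meet the script's signing threshold."""
    m, keys = parse_policy(script)
    return len(set(held) & set(keys)) >= m

# Constructed placeholder keys (right length and prefix, not real curve points).
KEYS = [bytes([0x02]) + bytes([i]) * 32 for i in (3, 1, 2)]
SCRIPT = multisig_witness_script(2, KEYS)

if __name__ == "__main__":
    print("witness script:", SCRIPT.hex())
    print("scriptPubKey:  ", p2wsh_script_pubkey(SCRIPT).hex())
    for lost in KEYS:
        left = [k for k in KEYS if k != lost]
        print("lost one key, can still spend:", can_spend(SCRIPT, left))
    print("only one key left:", can_spend(SCRIPT, KEYS[:1]))
```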
But a multisig wallet comes with its own caveats. The most obvious one is that there are now more keys to manage. This adds to the overall mental stress, especially if you are managing keys all by yourself. You ‒ as the owner ‒ could be a single point of failure. Humans generally suck at safekeeping digital keys, and this is such a huge problem that digital key management companies are now worth billions of USD. As Bitcoin becomes more mainstream, the situation is only going to get worse.
Multi-user multisig wallets (🔒🔒🔒🔒🔒)
At Nunchuk, we have spent most of our time thinking about the problem of Bitcoin key management and how to tackle it. Multisig is the start, but it should not stop there. The burden of key management is too big for any individual to bear alone, especially for an asset class that is intended to be passed down from generation to generation.
That is why our team has dedicated the last two years to developing Nunchuk into the world’s first multi-user multisig wallet. Nunchuk’s multi-user features allow you to co-manage your bitcoin with your trusted ones, effectively reducing the burden of key management. In the simplest of terms, Nunchuk helps protect you from yourself.
We are excited to launch the beta version of Nunchuk 2.0 today. The new version introduces a brand-new mobile app and an overhauled desktop app. At the moment, we recommend that you use it for only small amounts of bitcoin, or stick to testnet. Encryption is under testing, and will be enabled in a later release. For a complete overview of our new apps, please visit our website. We look forward to hearing your feedback.