Redundancy-focused 3-of-5 Multisig Wallet Protocol and Wrench attack?

[philipbjorge]

README currently has the Redundancy-focused 3-of-5 Multisig Wallet Protocol as being resistant to the $5 wrench attack.

Given that the mobile wallet is on your person and HW wallet 1 and 2 are in your home -- It seems like this would be susceptible to the $5 wrench attack if one was at home?

[fresheneesz]

Ah, good point. I think that was a mistake. https://github.com/fresheneesz/TordlWalletProtocols/commit/3cf121b0ec6a1866191186b64fd86ca4e2211a96

Thanks for the point that out!

[philipbjorge]

Nice 👍. Good to see I was comprehending correctly. Thanks

[philipbjorge]

@fresheneesz -- Thank you for putting these docs together btw! It's been really helpful for me to wrap my head around various implementations of multisig.

Unsolicited feedback: The only thing I'd like to see more of is more community feedback and review so that I could feel confident in these guides. I know you're already working on that, so keep up the great work 👍 !

[fresheneesz]

Glad its helpful! I would also love to see more community feedback and review. I have been getting the word out about this sporadically, but I'm not sure how to find people willing to give feedback. Also I'm curious what form of feedback would make you feel confident in this? Like, were people to review this, would it be enough for github issues to exist that discuss things? Should the guide explicitly list out places people can read reviews? I'm definitely looking for help developing these guides. I'd appreciate any help I can get.

[philipbjorge]

@fresheneesz -- I'd love to see feedback from security researchers. Would also be interesting to get feedback from folks at companies like Unchained Capital and Casa. I understand though that getting their attention is not easy or cheap 😂.

I saw you were getting feedback from the YetiCold folks -- So 👍 there! Having github issues would be sufficient as would 3rd party people discussing the protocols (and linked in the README).

[fresheneesz]

I've had emails between people at both Casa and Unchained. I'll drop them a line and see if someone over there would be willing to review. That's a good idea.

Do you know if other things like this have the kinds of reviews you're talking about? I'd be interested in seeing examples I could learn from.

[philipbjorge]

@fresheneesz -- The only project that comes to mind is Monero which pays for audits from security researchers.

https://www.getmonero.org/2020/07/31/clsag-audit.html https://blog.quarkslab.com/security-audit-of-monero-bulletproofs.html

[fresheneesz]

Ah gotcha. Well I certainly don't have the budget for that kind of thing. What might be helpful is if individuals gave a reasonably thorough review of a protocol or even an individual document, we could link to the discussion from the relevant protocol/page so people can look through them.