Introducing Multisig Vaults: Your Keys, Your Bitcoin, Just Safer

First published: 03/11/2019
| Last updated: 01/05/2024
| -- min read

Large exchanges and financial services providers such as Unchained Capital rely on industry best practices such as 100% cold-storage, multisig, and multi-factor identity verification. Unfortunately, it’s been challenging for individuals and smaller businesses to achieve this same level of security and reliability for themselves.

That changes today. We are excited to announce the release of our new vault product. Unchained vaults make these best practices accessible to individuals, small funds & businesses through our easy to use website. All you need to get started is a hardware wallet (or two!).

Unchained vaults use dedicated, on-chain bitcoin multisig addresses. You get to control who holds keys to these addresses, allowing you to define the security that’s best for you. Our website makes it easy to upload your public keys, build new vault addresses, and coordinate transaction signing. Unchained Capital can cosign with you if requested or if you lose one of your keys, but you remain in control. We call this model collaborative custody.

Collaborative custody increases your security while preserving your sovereignty.

Unchained Capital is the first company to offer these kinds of extremely high-security vaults within a financial services platform. And our vaults integrate seamlessly with our existing loans: once you have funded a vault, if you need to borrow against your bitcoin (or use a future product from us), you can do so easily and quickly from within our application. You can even continue to use the same key(s).

Read more below and try our new vaults out for yourself on our website: https://my.unchained.com/orgs/new.

Screenshot from our vault creation interface

Traditional Custody Solutions are Unsafe

Exchanges and fully custodial services lack transparency and deny you control

Based on public reported compromises, exchanges lost nearly $900 million worth of cryptocurrency in 2018 alone.

From Coindesk: A Record Breaking Year for Crypto Exchange Hacks

Bitcoin custodial services, including exchanges, create a myriad of risks that users can control if they protect their own private keys. Self-custody of keys mitigates risks from these common sources:

  • Exchange hacks: Exchanges are consolidated pools of risk, making them high-value targets for theft or fraud. They also commingle funds to gain operational efficiencies, which socializes losses if one of their wallets is hacked.
  • Compromised user accounts: If a withdrawal can be created with a username, password and (maybe) two-factor authentication, your funds are at risk if your email gets hacked, your phone gets stolen, or your number gets ported.
  • Frozen accounts or funds: Exchanges can and will freeze your account to prevent you from withdrawing funds, just like a traditional bank account. This can sometimes happen by accident or mistake and may only be corrected after a long and painful process.
  • Insolvency risk: Exchanges do not typically perform a proof-of-reserves, and even if they do, because of the disconnect between on-chain addresses and your individual holdings, there is no guarantee that your particular funds are part of the reserve. Internal security compromises or operational security failures/fraud could have caused your funds to be lost months before you even find out about them.

With all of these issues, users are wise to turn to self-custody solutions such as hardware wallets. But this presents its own set of challenges.

Self-custody lacks redundancy and creates a single point of failure

Millions of cryptocurrency holders have graduated from buying their first coins on an exchange to now securing them with a Trezor or Ledger. This increases the transparency and control they have over their funds and eliminates many of the risks of using exchanges or centralized custodians.

But a single hardware wallet is a single point of failure. Even if you keep wallet words as a backup, there are many situations where losing or compromising your hardware wallet means losing your funds. Most worryingly, attackers who know you self-custody don’t need to hack a sophisticated exchange; they just need to hack you or threaten the safety of you or your loved ones. Very few people are capable of securing large amounts of physical gold by themselves — why should millions of people attempt to secure digital gold on their own?

The solution to this problem is to use multisig storage. Multisig prevents any one key from being a single point of failure should it be lost or compromised. Unfortunately, multisig has been out of reach of most individuals and businesses, even those with significant amounts of cryptocurrency.

Though many wallets exist that provide multisig, most provide only software without the crucial operational aspects of multisig such as cosigning, sharing keys and vaults among users, identity and intent verification, or key recovery.

Unchained Capital started as a financial services company that needed the best possible multisig software AND operations to secure our borrowers’ collateral. The experience of building a world-class multisig, multi-tenant storage platform for our own internal use helped us understand what individuals need from multisig custody.

Unchained’s Vaults Are Safer

Multisig is the best of both worlds

Multisig is a middle path between losing control of your funds on an exchange and creating a single point of a failure by through self-custody with a single key:

  • Your Keys are Distributed: Using multiple keys allows you to distribute them geographically and across multiple parties, including Unchained Capital and our 3rd party key agent(s). A hacker cannot hope to steal your funds by attacking Unchained Capital. If you distribute your own keys across multiple locations or trusted partners & colleagues, hackers cannot hope to steal your funds by merely targeting a single person or key.
  • Complete On-Chain Transparency: One of the greatest benefits of self-custody is that all your addresses and transactions are on-chain: you never have to worry if your funds are “really there.” Multisig doesn’t change this — all your addresses and transactions are still on-chain. All that’s different is that more signatures are required when you move funds. When you create a vault at Unchained, you get a unique, dedicated multisig address. Any withdrawal and even transfers between vaults and loans are all on-chain transactions. Your funds are never commingled.
  • Redundancy Against Loss: Multisig can require multiple signatures to move funds, but it can also provide extra keys that serve as backups. If you lose a key, your funds are not lost — you can use the backup key(s) to sweep funds into new addresses protected by new (and old) keys.
Unchained goes beyond just multisig software

The benefits presented above are generic to any multisig wallet software. As an experienced financial services provider, Unchained goes much further to ensure the best security for your funds:

  • 100% Cold Storage: At launch, our platform supports Trezor and Ledger signing devices, meaning that all customer keys are held in cold-storage: no mobile phones or hot wallets. Keys held by Unchained and our 3rd-party key agent are also cold-stored using hardware devices or offline, air-gapped computers. Collaborative custody means we collaborate to protect each other — by ensuring only cold-storage keys are possible, we are greatly increasing everyone’s mutual security by eliminating attack vectors which exploit remote or network access.
  • Flexible Key Management: You can operate all your keys completely by yourself, but you can also share keys with other users. This allows you to build vaults with shared access with a family member, trusted partner, or colleague. Many custody use cases such as escrow, inheritance, or treasury management become possible with this arrangement. Unchained Capital takes care of sending of notifications to your cosigners, communicating transaction information between them, and coordinating key replacements when necessary.
  • Multi-Factor Identity Verification: In addition to the traditional network security of usernames, passwords, and 2FA devices, our platform provides additional mitigations against attempts to steal or forge your identity. If you opt-in to our video verification feature, you will be asked to record a short video verifying your identity and intent whenever you withdraw or transfer funds out of your vault(s). Whether your transactions are being cosigned by a friend, colleague, or by Unchained Capital, these videos give them confidence that you really intended to take this action.
  • Customer Support: Unchained Capital has excellent, live customer support. You can reach us via email, through the live chat interface on our website, or call us and reach a real human being who is eager to help you. When you are performing a large transaction and feel uncertain about something or have a question, it’s invaluable to be able to speak to an expert who can guide you through it.
  • Trust Minimized External Recovery: We engineered ourselves out of the custody risk equation by releasing the industry standard for external recovery workflows. By securing your wallet configuration file and using open source Caravan, Unchained clients don’t need to worry about losing access to their Unchained Capital account for any reason.
After security, privacy and freedom are our highest priorities

One of the greatest benefits of self-custody is the high privacy it confers. You are directly interacting with the blockchain without any intermediaries. No one knows who you are or how much bitcoin you possess.

Increasing your security by adopting multisig is valuable, but it does incur an anonymity cost. Because we want you to improve your security, we have worked very hard to ensure that this anonymity cost is minimized:

  • We guard your privacy: To open a vault at Unchained you provide some basic information about yourself such as your name, contact information, government ID, and address, which is stored in a manner consistent with PCI-compliance standards. We do not require your social security number and we do not perform credit checks. We do not voluntarily report any vault client data to the IRS or other government agency.
  • We don’t know how much you have outside our platform: Most every hardware wallet uses the m/44'/... BIP32 namespace to organize your addresses and balances. When you use such a hardware wallet on our platform, we export public keys from the m/45'/... namespace. This means that we have no idea what your self-custody addresses or balances are outside our platform. You can even customize this BIP32 path when you upload your public key, giving you even greater ability to control how much information we have about your holdings. You are welcome to use hardware wallets for both single signature self-custody and an Unchained Vault.
  • You are not locked in if you create a vault: Our expectation is that customers will sign transactions through our website because of its excellent user interface and the support you receive from our team. But if you hold your own keys, you should be able to move your funds without any interference from Unchained Capital. You can retrieve the wallet configuration file at any time from your vault’s page on our website. You can use this information to author and sign transactions outside our platform, using open source Caravan or any multisig wallet software you like.

How do Unchained’s Vaults Work?

Our vaults are 2-of-3 multisig addresses. This means 2 keys are required to move funds and 1 key serves as a backup. We believe this 2-of-3 model is the best compromise between security, redundancy, and complexity.

Within this structure, you have a lot of freedom to customize who holds keys, allowing you to build a security model that is right for your use case.

Vault custody models

We offer two different custody models for our vaults:

Client-controlled

  • You hold 2 keys, maintaining sovereign control of your funds
  • Unchained can act as either a backup or as a trusted cosigner, but we cannot move funds without a signature from you
  • Ideal for individuals, family offices, or small to medium-sized businesses that value enhanced security and prioritize ultimate control of their funds

Multi-institution

  • Three separate parties each hold a key; no single party can cause your funds to move
  • All transactions will be signed by you and cosigned by Unchained Capital
  • A 3rd-party key agent(Citadel SPV) acts as a backup to both parties
  • Ideal for institutions, family offices or investment funds that value enhanced security and financial controls

Pricing

Our client-controlled model is designed to be self-service: most of the time you will be signing and cosigning by yourself or with other Unchained Capital users. There is no additional setup fee. We will only charge you 0.10% of the transaction amount when you ask us to cosign. Furthermore, for the first three months, we are in our “limited release” phase, asking for feedback from you, our users. All transactions will be 100% free during this time.

Our multi-institution model requires more coordination between more parties and so we charge a $500 setup fee, a 0.25% annual storage fee (accrued daily), as well as a 0.10% transaction fee.

Create your vault today

Once you have created an account and your basic contact information has been approved, you will be able to upload public keys from your hardware wallets and create your own multisig vault.

Reach out to us at hello@unchained.com if you have any questions or feedback!

Sign up to get notified for future blog articles.