Published on: 2019-05-09T17:08:47+00:00
In a bitcoin-dev thread, the author proposes a solution to aggregate spending from different wallets into one transaction for efficiency and convenience. They suggest using stateful signers that store trusted xpubs so that the approach can also apply to stateless hardware wallets. This would allow distinguishing trusted outputs even if the inputs are not derived from the same set of xpubs. However, this idea is seen as addressing a different and broader problem.

Dmitry Petukhov suggests in the thread that a hardware wallet can sign a message consisting of the xpubs of the participants and auxiliary text during the setup phase. However, this method seems overly complicated and its purpose is unclear. The thread discusses the threat model and suggests that each individual multisig signature signs the set of signers. This ensures that if an attacker provides bad xpubs, the signature won't be valid for the given multisig output. The weak spot in the process is generating the receiving address, but this issue is unrelated to PSBT.

To safely show an incoming address to the user, PSBT-signing devices still need to store the xpubs of their co-signers. However, hardware wallets need to be stateless for easy wiping and recovery. To solve this, the user can verify a multisignature address or xpub on the screens of all devices during the setup phase. Hardware wallets can then mark outputs that use the pubkeys derived from 'verified' xpubs as 'trusted' outputs. This allows distinguishing trusted outputs even if the inputs are not all derived from the same set of xpubs.

The proposal suggests sharing xpubs in the global section of the file, with a restriction that they must only include the hardened prefix of the path. The existing BIP32 derivation path included in individual inputs and outputs should be merged in as needed. However, it is not necessary to restrict xpubs to have only hardened derivation.

PSBT-signing devices still need to store the xpubs of their co-signers for safe verification of incoming addresses. The proposal also suggests using the extension serialization format without any encodings for PSBT, and keeping the prefix that defines whether the key is used for testnet or mainnet may also be useful.

Stepan Snigirev raises concerns about the possibility of user funds being stolen in multisignature setups using the current specifications for PSBT. An attacker could replace half of the keys in the change address with their own keys and still get the transaction signed. To fix this issue, Snigirev suggests adding an xpub field to the inputs and outputs metadata so that signers can verify that the same xpubs are used for public keys in inputs and outputs. He proposes two new key-value pairs to be added to PSBT: `PSBT_IN_BIP32_XPUB` and `PSBT_OUT_BIP32_XPUB`. This would ensure that the output is indeed a change output. Snigirev also suggests reviewing the communication protocols of existing hardware and multisignature wallets to see if there are other solutions to this issue. If the proposal is accepted, he plans to prepare a pull request to the BIP.
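The two checks discussed in the thread, a signer that only confirms its own key is present in the change output versus a signer that requires every key to derive from a verified co-signer xpub, can be modelled end to end. The following is an added example, not code from the thread or from any wallet: it implements BIP32 public derivation over secp256k1 in pure Python, builds a 3-key change output together with the kind of pubkey-to-(fingerprint, path) map that PSBT_OUT_BIP32_DERIVATION carries, and then runs the key-substitution attack Snigirev describes against both checks. The cosigner and attacker seeds are constructed for the demo, the account prefix m/48'/0'/0'/2' and the change path /1/i are assumptions, and the 4-byte fingerprint is a SHA-256 stand-in for BIP32's hash160 fingerprint so the script needs no RIPEMD-160 support.

```python
import hashlib
import hmac
# secp256k1 parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

def ec_add(a, b):
    # Affine point addition; None is the point at infinity.
    if a is None or b is None:
        return a if b is None else b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if x1 == x2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point, k = ec_add(point, point), k >> 1
    return result

def ser_p(point):
    """33-byte compressed SEC1 encoding, as used in xpubs and PSBT key maps."""
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")

def ckd_priv(k, chain, index):
    """BIP32 private child derivation (hardened when index >= HARDENED)."""
    data = b"\x00" + k.to_bytes(32, "big") if index >= HARDENED else ser_p(ec_mul(k, G))
    i = hmac.new(chain, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return (int.from_bytes(i[:32], "big") + k) % N, i[32:]

def ckd_pub(point, chain, index):
    """BIP32 public child derivation; only non-hardened indexes are possible from an xpub."""
    assert index < HARDENED
    i = hmac.new(chain, ser_p(point) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    return ec_add(ec_mul(int.from_bytes(i[:32], "big"), G), point), i[32:]

def derive_pub(xpub, path):
    point, chain = xpub  # an xpub is modelled as (point, chain code)
    for index in path:
        point, chain = ckd_pub(point, chain, index)
    return ser_p(point)

def fingerprint(xpub):
    # Simplification: BIP32 uses hash160(pubkey)[:4]; SHA-256 avoids needing RIPEMD-160 here.
    return hashlib.sha256(ser_p(xpub[0])).digest()[:4]

def account_xpub(seed, prefix=(48 | HARDENED, 0 | HARDENED, 0 | HARDENED, 2 | HARDENED)):
    """A cosigner shares only the xpub (point, chain code) below its hardened prefix (assumed path)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, chain = int.from_bytes(i[:32], "big"), i[32:]
    for index in prefix:
        k, chain = ckd_priv(k, chain, index)
    return ec_mul(k, G), chain

def make_change_output(xpubs, change_index):
    """A multisig output and its PSBT_OUT_BIP32_DERIVATION-style map: one key per xpub at /1/<index>."""
    path = (1, change_index)
    derivation = {derive_pub(x, path): (fingerprint(x), path) for x in xpubs}
    return {"pubkeys": sorted(derivation), "derivation": derivation}

def naive_is_mine(output, my_xpub):
    """Current behaviour: the signer only checks that one key derives from its own xpub."""
    return any(fp == fingerprint(my_xpub) and derive_pub(my_xpub, path) == pub
               for pub, (fp, path) in output["derivation"].items())

def is_trusted_change(output, trusted_xpubs):
    """Proposed behaviour: every key derives (non-hardened) from a distinct verified xpub, none missing."""
    by_fp, seen = {fingerprint(x): x for x in trusted_xpubs}, set()
    for pub in output["pubkeys"]:
        fp, path = output["derivation"].get(pub, (None, ()))
        if fp not in by_fp or fp in seen or any(i >= HARDENED for i in path):
            return False
        if derive_pub(by_fp[fp], path) != pub:
            return False
        seen.add(fp)
    return len(seen) == len(trusted_xpubs)

# Constructed seeds for three cosigners and two attacker keys (not real wallets).
XPUBS = {name: account_xpub(hashlib.sha256(name.encode()).digest())
         for name in ("alice", "bob", "carol", "mallory1", "mallory2")}
COSIGNERS = [XPUBS["alice"], XPUBS["bob"], XPUBS["carol"]]

def demo():
    honest = make_change_output(COSIGNERS, 5)
    # The attack from the thread: Alice's real key stays, the other two are swapped for attacker keys.
    forged = make_change_output([XPUBS["alice"], XPUBS["mallory1"], XPUBS["mallory2"]], 5)
    return {"naive_honest": naive_is_mine(honest, XPUBS["alice"]),
            "naive_forged": naive_is_mine(forged, XPUBS["alice"]),
            "strict_honest": is_trusted_change(honest, COSIGNERS),
            "strict_forged": is_trusted_change(forged, COSIGNERS)}
```

Calling `demo()` shows the naive check accepting both outputs (Alice's key really is hers in each) while the strict check accepts only the honest one. The strict check also rejects an output whose attacker keys are relabelled with Bob's fingerprint, because re-deriving from Bob's stored xpub yields a different key, and an output that omits a verified co-signer, because fewer than all trusted xpubs are represented; both depend on the device holding (or having verified) the co-signer xpubs, which is exactly the statefulness the thread argues about.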
Updated on: 2023-08-02T00:44:57.994125+00:00