I have been fascinated about the factors raised within the Nov. 5 2020 article from Benma/Bitbox about How practically all private {hardware} pockets multisig setups are insecure.
Do you agree that the next 2 steps summarize precisely the required (and adequate) steps to safe a 2-of-3 Segwit Native (P2WSH) multisig pockets setup earlier than sending any funds to this pockets?
Step 1: Create a secure backup of every xpub by verifying the xpub of every cosigner on a minimum of one {hardware} pockets per cosigner and saving it on paper or in a reliable medium. This step serves 2 functions, the primary being to create a secure backup of the xpubs in case one cosigner ({hardware} pockets and backup) is misplaced. The second goal is to allow the second step (see beneath).
Step 2: Confirm on ALL 3 {hardware} wallets that ALL 3 cosigner xpubs match the verified xpubs that had been obtained within the earlier step. Which means 3×3 = 9 verification steps. This step serves to ensure that any obtain tackle generated by any of the {hardware} wallets and any change tackle accepted by any of the {hardware} wallets whereas signing transactions are certainly addresses that these 3 cosigners management.
And yet one more query: Is there a way we might ignore these steps with cheap security (assuming e.g. that it is extremely unlikely that malware would concurrently infect e.g. each Sparrow on Desktop in addition to e.g. Nunchuk on Cell) by a intelligent mixture of signing transactions (with a small quantity of Bitcoin despatched to the unsecured pockets) with a number of cosigner {hardware} wallets and on a number of gadgets and wallets?
PS: I am pondering it will be nice to create a {hardware} pockets that permits you to load not solely a single cosigner seed phrase onto the machine, however as well as all of the remaining cosigner seedphrases for the multisig setup when registering the multisig pockets with anybody {hardware} pockets. The {hardware} pockets wouldn’t preserve any personal keys of the extra cosigners, however would use the extra seedphrases to calculate and save the xpubs wanted for this multisig pockets registrations, eliminating the necessity for all of the handbook xpub verification at setup. A easy verify that the cosigner {hardware} wallets all generate the identical obtain addresses can be greater than sufficient to realize confidence that they’re all setup appropriately. Handbook verification would nonetheless be wanted for the xpub backups, however any of the cosigner {hardware} wallets might show and generate a full backup for you.