Muun's Multi-Signature Model

TL;DR:

Muun is a 2-of-2 multi-signature wallet, so all your outgoing transactions need to be signed with 2 keys instead of 1. This setup enables what we call warm storage: good security is balanced with good UX, and self-custody is never compromised.

Instead of holding all keys hot in one single device (your phone), you only carry one key there. Muun co-signs daily transactions. Full self-custody is achieved by holding both keys cold in your Emergency Kit.


The most common segmentation for self-custodial wallets is hot versus cold wallets. In hot wallets, keys are stored in devices connected to the Internet, such as phones and computers. This is the case for mobile and desktop wallets. On the other hand, in cold storage, keys are stored in a place that has a very limited connection, or no connection at all, to the Internet. Hardware and paper wallets are the most common in this segment.

You have probably heard about the pros and cons of each kind of storage. Hot wallets usually win on the usability front because they work on online devices that we use daily. Cold wallets typically win on the security field. Having your keys in a device connected to the Internet means they are more exposed to hacks. Therefore, having your keys with limited or no connection to the Internet is a good choice when maximizing security.

Since its creation, bitcoin tech has evolved a lot. In particular, new spending conditions emerged, making the hot-versus-cold segmentation overly simplistic. While during the first years, the only requirement for spending bitcoin was to own the key that would sign valid transactions, the introduction of multi-signature has brought more exciting and complex spending conditions that enable new models with better security and usability. These models can have some keys in hot storage and some others in cold storage, bringing together each kind's benefits.

Let's look at how Muun enhances security while preserving self-custodianship by using a 2-of-2 multi-signature model for all your outgoing transactions.

The goal

From a security standpoint, a bitcoin wallet should meet the following rules:

  • Rule 1: You should be able to spend your bitcoin without anyone's permission. This translates to you having enough keys to spend funds independently.
  • Rule 2: The wallet provider should never be able to spend your bitcoin. This translates to the wallet provider never having enough keys to spend your funds.
  • Rule 3: Attackers should find it extremely hard to steal funds. This translates to attackers finding it hard to obtain enough keys to steal funds.

Let's explore them in detail.

The way

Rule 1: You should have enough keys to spend funds independently.

This is one of bitcoin's most significant advantages and the basic requirement for a wallet to be considered self-custodial. If you use a wallet that fails to fulfill this rule, your funds could be frozen.

To meet Rule 1, you can export your Emergency Kit with all the information and instructions you need to independently spend your funds, including your private keys and output descriptors. If you wonder why Rule 1 isn't met by providing just a mnemonic, you can read more about where bitcoin's recovery is heading in this blog post.

Rule 2: The wallet provider should never have enough keys to spend funds.

If Rule 1 is about making your funds impossible to freeze, Rule 2 is about making them impossible to seize. Any self-custodial wallet should think about both non-freezability and non-seizability.

When it comes to non-seizability, 'won't become evil' is always a weaker statement than 'can't be evil'. Even if the wallet provider doesn't become evil deliberately, someone could force it to act in an evil way. For example, governments and powerful institutions could force bitcoin companies to confiscate funds.

To avoid this from happening, Muun's makes sure to never have the power of confiscating funds. Your funds can only be spent by two keys, which Muun simply doesn't hold.

Rule 3: Attackers should find it hard to obtain enough keys to steal funds.

Security measures are always about maximizing the things that must go wrong before an attacker finds its way to you. Each added measure reduces the number of people that have the means to attack you and discourages the most sophisticated attackers by making the ordeal cost more than it's worth.

This concept is widely known in information security and usually referred to as defense in depth. Its intent is to provide redundancy in the event a security control fails, or a vulnerability is exploited. To meet this rule, Muun ensures your decrypted private keys are never stored in the same place:

  • Your phone stores only the first key. If it gets hacked and attackers can extract your secure storage contents, they won't find enough keys to steal your funds. This is not a theoretical threat. It has happened multiple times, with people losing a considerable amount of bitcoin in a matter of seconds. Downloading a malicious app or opening a dangerous file may be enough to get your phone compromised.
  • Muun's servers store only the second key. So neither Muun nor its potential attackers will find enough keys to steal your funds.
  • Your Emergency Kit has both keys, but they are encrypted. For full self-custody, you need to have both keys, but this doesn't imply your need to carry both of them on your phone. Both keys are encrypted in your Emergency Kit with a code written on paper, with no connection to the Internet. Neither the Emergency Kit, nor the Recovery Code are enough on their own to move funds.

Spending funds

So far, we have seen how a 2-of-2 multi-signature model fulfills the most important security goals of a self-custodial wallet by combining hot and cold storage. Now, what happens when you simply want to make a payment? How is the model more convenient than keeping your keys in cold storage?

From a usability standpoint, you should be able to spend funds easily. After all, a key aspect of any wallet is that you can move bitcoin freely whenever you want.

You could, of course, spend funds by decrypting your Emergency Kit with a cold Recovery Code. However, spending funds with the Emergency Kit is intentionally inconvenient since it was designed by heavily prioritizing security vs. usability, making no concessions. For that reason, the Kit  should only be necessary for an emergency.

Instead, you and Muun will cooperate for daily transactions by each party providing the key they hold on hot storage. Cooperating makes your spending easy while stealing hard.

Conclusion

While the trade-offs between cold and hot storage are widely discussed, you can have the best of both worlds with careful design. Multisig tech obsoletes the cold versus hot storage, making it more of a gradient. Good security is balanced with good UX, and self-custody is never compromised.