Self-Custody in Muun: Why Not Just a Mnemonic?

TL;DR
Muun uses advanced bitcoin scripts for its security model (with multisig) and to enable instant and cheap transactions (with lightning).

Mnemonics are a great backup mechanism to store private keys but lack other information required for spending multisig and lightning funds independently. Having just a mnemonic would mean your bitcoin could be easily frozen.

Self-custodianship is at the core of everything we do. Therefore, we built an Emergency Kit, leveraging new standards like output descriptors, to provide you with full custody of your bitcoin.

Self-custody: When was a mnemonic enough?

For the last several years[1], you could summarize the security model of most self-custodial wallets as:

  1. Your wallet created a master private key.
  2. From it, bitcoin addresses were derived and used to receive funds.
  3. Your private key had two purposes: to find your unspent outputs and to spend them.

Wallets asked users to make a backup of their key and keep it safe. To provide a nice experience, private keys were represented as a mnemonic - a group of easy-to-write words. By writing 12 words on paper, you could later perform step 3 without relying on any particular app or service.

Mnemonics did a good job. They were a static backup that you created once, and it lasted forever, making sure you had complete control over your money. Importantly, they provided a single, simple instruction to give to newcomers: “write down the 12 words and keep them safe”.

The dirty little secret of mnemonics was that you needed some extra information to find your unspent outputs again. If you didn't remember which wallet created the mnemonic, or that wallet was no longer available, finding the required derivation path, script type, and gap limit usually involved a combination of googling, guessing, and brute-forcing.[2]
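What that guessing and brute-forcing looks like in practice, as an added example (not Muun's code): a recovery scan that tries the common BIP44/49/84 derivation paths and script types with a BIP44-style gap limit. Real BIP32 derivation and address encoding are replaced by a constructed stand-in (the "address" is just its script type plus path) so the block runs offline; the "chain index" of addresses with history is likewise constructed. The scan loop itself is what a recovery tool does, and the sample shows the classic failure: an address used beyond the gap limit is never found unless the limit is raised.

```python
"""Recovery scan over candidate derivation paths, script types and gap limits.

Added illustration, not Muun's code. derive_address() is a constructed
stand-in for BIP32 derivation + address encoding so the block runs offline.
"""
from typing import Callable, Dict, List, Tuple

# Candidate (script type, account-level path) pairs a recovery tool would try
# when the originating wallet is unknown. Paths follow BIP44/49/84 conventions.
CANDIDATES: List[Tuple[str, str]] = [
    ("p2pkh", "m/44'/0'/0'"),
    ("p2sh-p2wpkh", "m/49'/0'/0'"),
    ("p2wpkh", "m/84'/0'/0'"),
]


def derive_address(script_type: str, account_path: str, change: int, index: int) -> str:
    """Constructed stand-in for derivation + address encoding (not a real address)."""
    return f"{script_type}:{account_path}/{change}/{index}"


def scan_chain(has_history: Callable[[str], bool], script_type: str,
               account_path: str, change: int, gap_limit: int) -> List[int]:
    """BIP44-style scan: derive addresses in order and stop once `gap_limit`
    consecutive addresses have no on-chain history. Returns the used indices."""
    used: List[int] = []
    unused_run, index = 0, 0
    while unused_run < gap_limit:
        if has_history(derive_address(script_type, account_path, change, index)):
            used.append(index)
            unused_run = 0
        else:
            unused_run += 1
        index += 1
    return used


def recover(has_history: Callable[[str], bool], gap_limit: int,
            candidates: List[Tuple[str, str]] = CANDIDATES) -> Dict[str, List[int]]:
    """Try every candidate script type / path on both the external (0) and
    change (1) chains; report only the combinations that found funds."""
    found: Dict[str, List[int]] = {}
    for script_type, path in candidates:
        for change in (0, 1):
            used = scan_chain(has_history, script_type, path, change, gap_limit)
            if used:
                found[f"{script_type}:{path}/{change}"] = used
    return found


# Constructed "chain index": the addresses that ever received funds. The wallet
# was a BIP84 (native segwit) wallet that handed out many never-used addresses.
HISTORY = {
    derive_address("p2wpkh", "m/84'/0'/0'", 0, 0),
    derive_address("p2wpkh", "m/84'/0'/0'", 0, 3),
    derive_address("p2wpkh", "m/84'/0'/0'", 0, 30),  # beyond a 20-address gap
    derive_address("p2wpkh", "m/84'/0'/0'", 1, 2),
}


def lookup(address: str) -> bool:
    """Stand-in for an indexer / full-node query."""
    return address in HISTORY


if __name__ == "__main__":
    for gap in (20, 50):
        print(f"gap limit {gap}: {recover(lookup, gap)}")
```

With a gap limit of 20 the scan stops at index 23 and the output at index 30 is silently missed; with 50 it is found. A descriptor that records the script type and path removes two of the three guesses, but the gap limit remains a scan parameter the user has to get right.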

What changed: multisig, lightning and taproot.

As bitcoin evolved, new spending conditions began to be explored, unleashing a new world of improvements in security, user experience, and more.

Multi-signature is one such example. In multisig wallets, you can no longer use a single private key to find the unspent outputs or spend their funds. Other data that can't be guessed is needed, such as the public keys of every participant and the number of signatures required (the m in m-of-n).


Lightning Network is an even more sophisticated scenario. Depending on the implementation, a lightning wallet may require you to back up data that changes during your wallet's life[3]. This has a significant implication. It means self-custody is no longer something you get once and forever, but something you can lose if you don't keep your backup updated[4].


Finally, taproot is on the way 💫. Taproot is a privacy and scaling improvement for complex spending conditions like multisig and time-lock vaults. We are very much looking forward to using it once it's ready. Like multisig and lightning, taproot also usually needs more information than a mnemonic can provide: to spend through a script path, you need the scripts that were committed to in the output, not just your key.

As the bitcoin ecosystem continues to develop, mnemonic recovery will most likely become less interoperable and increasingly obsolete. Fortunately, some of the industry's best minds are currently working on new standards, like miniscript and output descriptors, to solve these new challenges. These standards allow wallets to build more secure and private setups while keeping static backups feasible and interoperable[5].
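To make the multisig paragraph above and this one concrete, here is an added example (not Muun's code, and not the format of its kit) of what a 2-of-2 P2WSH output descriptor carries that a mnemonic does not: the script type, the threshold, every cosigner's key with its origin fingerprint and derivation path, and a checksum. The checksum is the descriptor checksum used by Bitcoin Core (BIP 380); the xpubs and fingerprints in the sample are constructed placeholders, not real keys.

```python
"""Parse and checksum a wsh(multi(...)) output descriptor.

Added illustration, not Muun's code. Checksum algorithm: BIP 380 descriptor
checksum (as in Bitcoin Core). Sample keys are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

INPUT_CHARSET = ("0123456789()[],'/*abcdefgh@:$%{}IJKLMNOPQRSTUVWXYZ&+-.;<=>?!^_|~"
                 "ijklmnopqrstuvwxyzABCDEFGH`#\"\\ ")
CHECKSUM_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0xf5dee51989, 0xa9fdca3312, 0x1bab10e32d, 0x3706b1677a, 0x644d626ffd]


def _polymod(symbols: List[int]) -> int:
    """BCH polymod over 5-bit symbols, as specified for descriptor checksums."""
    chk = 1
    for value in symbols:
        top = chk >> 35
        chk = ((chk & 0x7ffffffff) << 5) ^ value
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def _expand(desc: str) -> List[int]:
    """One 5-bit symbol per character, plus one symbol per 3 chars for the
    high bits (the 'group'), so the code sees the whole character set."""
    symbols, groups = [], []
    for ch in desc:
        pos = INPUT_CHARSET.find(ch)
        if pos < 0:
            raise ValueError(f"invalid character {ch!r} in descriptor")
        symbols.append(pos & 31)
        groups.append(pos >> 5)
        if len(groups) == 3:
            symbols.append(groups[0] * 9 + groups[1] * 3 + groups[2])
            groups = []
    if len(groups) == 1:
        symbols.append(groups[0])
    elif len(groups) == 2:
        symbols.append(groups[0] * 3 + groups[1])
    return symbols


def checksum(desc: str) -> str:
    chk = _polymod(_expand(desc) + [0] * 8) ^ 1
    return "".join(CHECKSUM_CHARSET[(chk >> (5 * (7 - i))) & 31] for i in range(8))


def with_checksum(desc: str) -> str:
    return f"{desc}#{checksum(desc)}"


def verify_checksum(desc_with_sum: str) -> bool:
    body, sep, given = desc_with_sum.partition("#")
    if not sep:
        return False
    try:
        return given == checksum(body)
    except ValueError:
        return False


# KEY expression: optional [fingerprint/origin/path] then key then /derivation
KEY_RE = re.compile(r"^(?:\[([0-9a-f]{8})((?:/\d+'?)*)\])?([A-Za-z0-9]+)((?:/\d+'?|/\*)*)$")


@dataclass
class KeyExpr:
    fingerprint: Optional[str]  # master key fingerprint of the key's owner
    origin_path: str            # path from that master key to `key`
    key: str                    # xpub (placeholder in the sample)
    derivation: str             # further derivation, e.g. "/0/*"


@dataclass
class MultisigDescriptor:
    script: str
    threshold: int
    keys: List[KeyExpr]


def parse_wsh_multi(desc_with_sum: str) -> MultisigDescriptor:
    """Parse wsh(multi(k,KEY,...))#checksum, rejecting a bad checksum first."""
    if not verify_checksum(desc_with_sum):
        raise ValueError("descriptor checksum mismatch")
    body = desc_with_sum.partition("#")[0]
    m = re.fullmatch(r"wsh\(multi\((\d+),(.+)\)\)", body)
    if not m:
        raise ValueError("only wsh(multi(...)) is handled here")
    keys = []
    for expr in m.group(2).split(","):
        km = KEY_RE.match(expr)
        if not km:
            raise ValueError(f"unparseable key expression {expr!r}")
        keys.append(KeyExpr(km.group(1), km.group(2), km.group(3), km.group(4)))
    threshold = int(m.group(1))
    if not 1 <= threshold <= len(keys):
        raise ValueError("threshold out of range")
    return MultisigDescriptor("wsh", threshold, keys)


def foreign_keys(parsed: MultisigDescriptor, my_fingerprint: str) -> List[str]:
    """Keys the user's own seed cannot regenerate: these must be in the backup."""
    return [k.key for k in parsed.keys if k.fingerprint != my_fingerprint]


# Constructed sample (placeholder xpubs and fingerprints, NOT real keys).
USER_KEY = "[d34db33f/84'/0'/0']xpubUSERPLACEHOLDER/0/*"
COSIGNER_KEY = "[c0ffee00/84'/0'/0']xpubCOSIGNERPLACEHOLDER/0/*"
DESCRIPTOR = with_checksum(f"wsh(multi(2,{USER_KEY},{COSIGNER_KEY}))")

if __name__ == "__main__":
    parsed = parse_wsh_multi(DESCRIPTOR)
    print(DESCRIPTOR)
    print("threshold:", parsed.threshold, "of", len(parsed.keys))
    print("keys not derivable from the user's seed:", foreign_keys(parsed, "d34db33f"))
```

The user's own key expression can be regenerated from their mnemonic plus the recorded origin path, but the cosigner's xpub cannot; without it the witness script, and therefore the address, cannot be rebuilt. The checksum matters for the same reason a mnemonic has one: a single mistyped character in a hand-copied descriptor would otherwise send a recovery scan looking for the wrong addresses.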

Muun’s Emergency Kit

Muun is a multisig wallet with lightning support, so backing up a mnemonic alone would mean your bitcoin could be easily frozen. Self-custodianship is at the core of everything we do, so this wasn't acceptable. We built an Emergency Kit that gives you full self-custody of your money when combined with your Recovery Code[6].

Your Emergency Kit is a PDF document with the information and instructions needed to find and spend your funds independently. No need to brute-force any missing data. Everything is there, including your private keys and output descriptors[7].

Your private keys are securely encrypted with your Recovery Code. This makes your Emergency Kit harmless by itself: you can keep multiple copies, and you can even store it safely in the cloud. The converse also holds: keep your Recovery Code separate from the Kit, because anyone holding both has everything needed to spend your funds.

By combining your Emergency Kit and Recovery Code, you have total, undisputed control over your bitcoin.

Conclusion

Wallet recovery can get tricky in the brave new world of bitcoin smart-contracts. As more wallets adopted mnemonics, it became easy to think they are universal, interoperable, and enough for self-custody. But we are heading in the opposite direction.

We believe that output descriptors, miniscript, and 2-layered backup systems are the way to go for modern wallets. There's still a lot of standardization and tooling work to be done, but we are getting closer by the day!

Stay safe and remember: “Not your keys, not your coins” does NOT imply “Your keys, your coins”.


  1. This became the go-to model for wallets after the introduction of BIP32 (HD wallets), BIP39 (mnemonics) and BIP44 (standard derivation paths) from 2012 to 2014. ↩︎

  2. Recent documentation efforts like https://walletsrecovery.org/ made this process much more enjoyable than it used to be. ↩︎

  3. To exit a payment channel without collaboration, you may need an off-chain pre-signed transaction. ↩︎

  4. Because of the need for dynamic backups, encrypted cloud storage plays an important role in lightning wallets. ↩︎

  5. Notice that for some off-chain protocols, static backups might not be enough. ↩︎

  6. Your Recovery Code is a set of randomly-generated characters that Muun prompts you to write on paper. It has more entropy than a 12-word mnemonic. ↩︎

  7. The output descriptor standardization is still a work in progress, so some notation might change in the near future. ↩︎


Download Muun: https://get.muun.com

Visit Muun Website: https://muun.com/

Follow Muun on Twitter: https://twitter.com/MuunWallet