All 21 million XCH in Chia’s prefarm have been moved to four custom-built custody wallets.
Why design new wallets from scratch? Existing web3 custody solutions rely on simple multisig contracts that can be drained of their funds in the event of a minor security breach. We knew we could do better.
Chia’s custody solution uses a combination of custom hardware and state-of-the-art Chialisp to create the most secure wallet in the industry. In this post, we’ll discuss both the hardware and software used to secure the prefarm. We’ll also give an example of just how powerful this solution is. Finally, we’ll show how you, too, can use a similar solution to guard your XCH.
Chia’s prefarm has been split into four wallets, two in North America and two in Europe. For each location, seven-eighths of the XCH is stored in a cold wallet, and one-eighth is stored in a warm wallet. These wallets use the same custody tool, but with different settings, which we will describe later in this post.
Chia Network Inc. has strategically located multiple computers called Hardware Security Modules (HSMs) in North America and Europe. These computers are surrounded by Faraday cages, have no antennas on their motherboards, and can never connect to the internet. Each HSM holds a private key that can authorize withdrawals and other actions on the prefarm (though multiple signatures are required – keep reading for more info).
Because these computers are always offline, remote signing is not possible. Instead, a human must scan a QR code from inside an HSM’s secure “vault.” A digital signature for the specific transaction is then generated and can be safely removed from the vault. If the signed transaction is modified, it is automatically rendered invalid. If a QR code or a device holding a signature is stolen, theft of the prefarm will not be possible. In fact, even if all but one HSM is compromised, the prefarm will still be recoverable. There is no single point of failure in our solution.
The prefarm’s hot and cold wallets allow three basic actions, which will be discussed individually: withdrawal, rekey, and lock level increase.
Of the values discussed here, only the custody of the singleton can be modified. Changing features such as the number of keys requires a signature from the majority of the keys and is subject to the same time values as other changes. None of the other time values mentioned here can ever be modified, nor can the details of an action after it has been initiated, such as the destination address for a withdrawal. These values are guaranteed to be immutable by the secure and auditable Chialisp code that comprises the custody solution.
All the settings described here apply to the cold wallets. The warm wallets will be described afterward.
Three of the five private keys must sign for any withdrawals to occur. (This is known as an m-of-n multisig.) However, before any withdrawal can be initiated, at least 30 days must have elapsed since the last action was performed.
If three keys have signed the transaction and at least 30 days have elapsed, then the amount to be withdrawn will be locked in a new coin called a drop coin with no third-party involvement for an additional 90 days. During this time, clawback (returning the funds to the prefarm) is possible. In order for this to occur, three keys must sign a clawback transaction.
After 90 days, if the coins have not been clawed back, the withdrawal may be completed. The coins must be withdrawn to an address specified in the original transaction. It is not possible for a hacker to modify this address. Because this address cannot be modified, anyone can complete this transaction.
In a rekey action, a brand new set of private keys will be created to control the prefarm’s custody. The total number of keys may also be modified, as well as the number of keys required to sign off on withdrawals. A rekey will be performed if any of the original keys are lost, stolen, or copied.
A strict set of rules must be followed in order for a rekey to occur. In a normal rekey action, a signature from three of the original keys is required. In addition, at least 15 days must have elapsed since the last action was performed on the prefarm.
A slow rekey is also possible if fewer than three keys have signed. In this case, a time penalty is imposed, the length of which depends on the number of keys used. For example, if only one signature is obtained, then 90 days must have elapsed since the prefarm’s last action.
Given the number of signatures obtained, if a sufficient amount of time has elapsed, then a new drop coin with zero value will be created. This coin comes with an additional 30-day timelock, during which a clawback (canceling the rekey) is possible. In order for this to occur, the same number of keys that originally signed the rekey must sign a clawback transaction.
If the drop coin has not been clawed back after 30 days, the rekey may be completed. The keys were specified upon the rekey’s initiation, so they will automatically become the new keys that secure the prefarm. Just as with a withdrawal, anyone can complete a rekey transaction.
Lock Level Increase
Currently, three signatures are required for withdrawals to occur from the prefarm’s cold wallets. This is known as the “lock level.” This number can be incremented if four signatures are obtained. The effect is immediate – four signatures are instantly required for all future withdrawals – and it invalidates any outstanding rekey attempts. This action increases the security of the prefarm by making it more difficult to initiate a withdrawal. The lock level could even be increased again, thus requiring signatures from all five keys to initiate all future withdrawals.
The two warm wallets that secure one-eighth of the prefarm follow the same basic rules described above, but with different settings. They each have three total keys stored in HSMs, two of which must sign for withdrawals. Additionally, they have a 24-hour clawback period for transactions, a 1-hour withdrawal timelock, a 24-hour rekey clawback, a 24-hour rekey timelock, and a 48-hour slow rekey penalty.
The actions described above enable an unprecedented level of security. And to show how committed we are to this solution, we’ve put our entire prefarm into it.
If anything goes wrong, we have multiple mitigation plans in place. For example, if an adversary managed to obtain a copy of four (!) of the five cold wallet keys, they would likely attempt to drain that wallet. We would claw back the payment and increase the lock level to five (thereby negating the possibility of future withdrawal attempts). We would then perform a rekey, after which the adversary’s keys would be useless. No funds would be lost in the process.
Other mitigations are possible for various types of attacks. In all cases, the timelocks will give Chia Network Inc. ample time to put together a plan to minimize or avert any damage.
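The four-key scenario above can be traced with a small Python model of the cold-wallet withdrawal rules. This is an added illustration, not Chia's Chialisp or custody tool code, and it leaves out the rekey step. The key names, amount and address are constructed, and three behaviours are assumptions: only a withdrawal resets the "last action" clock, a clawback always needs three signatures, and each lock level increment needs one more signature than the current level.

```python
from dataclasses import dataclass, field
DAY = 86_400  # seconds

@dataclass
class ColdWallet:
    """Toy model of the cold-wallet withdrawal rules in this post (not Chialisp)."""
    keys: frozenset
    lock_level: int = 3            # signatures needed to start a withdrawal
    last_action: int = 0           # assumption: only withdrawals reset this clock
    drops: list = field(default_factory=list)   # pending drop coins

    def _require(self, signers, needed):
        valid = set(signers) & self.keys        # unknown keys do not count
        if len(valid) < needed:
            raise PermissionError(f"need {needed} signatures, got {len(valid)}")

    def start_withdrawal(self, now, signers, amount, address):
        self._require(signers, self.lock_level)
        if now - self.last_action < 30 * DAY:
            raise PermissionError("30-day withdrawal timelock not elapsed")
        drop = {"amount": amount, "address": address, "created": now}
        self.drops.append(drop)                 # funds now sit in a drop coin
        self.last_action = now
        return drop

    def claw_back(self, signers, drop):
        self._require(signers, 3)               # three keys, per the post
        self.drops.remove(drop)                 # pending withdrawal is cancelled

    def complete(self, now, drop):              # anyone may call: no signatures
        if now - drop["created"] < 90 * DAY:
            raise PermissionError("90-day clawback window still open")
        self.drops.remove(drop)
        return drop["address"], drop["amount"]  # address fixed at initiation

    def increase_lock_level(self, signers):
        self._require(signers, self.lock_level + 1)   # assumption: level + 1
        self.lock_level += 1

def scenario():
    wallet = ColdWallet(keys=frozenset("ABCDE"))      # constructed key names
    stolen = "ABCD"                             # adversary copied four of five keys
    drop = wallet.start_withdrawal(30 * DAY, stolen, 1000, "adversary-address")
    wallet.claw_back("ABC", drop)               # owner reacts inside the 90 days
    wallet.increase_lock_level("ABCD")          # 3 -> 4
    wallet.increase_lock_level("ABCDE")         # 4 -> 5
    try:
        wallet.start_withdrawal(400 * DAY, stolen, 1000, "adversary-address")
    except PermissionError as err:
        return wallet.lock_level, len(wallet.drops), str(err)
```

Calling `scenario()` shows the adversary's second attempt failing on the signature count even though the timelock has long since elapsed.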
Public Custody Tool
Along with locking up our prefarm, we’re also releasing the tool that made this solution possible. That’s right – you can use the same custody tool to lock up your XCH! For now, this tool only works on a command line, and it likely comes with more bells and whistles than most would require. However, we still feel that it will be invaluable to those who have been waiting for a secure option to lock up their funds.