Original title: How I think about choosing guardians for multisig and social recovery wallets Original author: Vitalik Buterin Translator: Qianwen, ChainCatcher

Multi-signature wallets (like Gnosis Safe) are a simple and secure way to store your funds, giving you most of the benefits of self-custody — your funds won’t disappear when a seemingly trustworthy centralized entity turns out to be untrustworthy — but without the risk of being responsible for the entire security setup. I personally use multi-signature wallets to store most of my funds, as does the Ethereum Foundation.

A related design is the social recovery wallet: a single key signs transactions in normal use, but if that key is lost, a set of keys held by others can be used to recover the funds. Social recovery wallets are easier to use than multi-signature wallets, especially with the rise of ERC-4337 account abstraction and the upcoming Soul Wallet, which will make the technology more user-friendly. Once social recovery wallets are mature enough, my suggestion is to use a social recovery hot wallet to store a small portion of an individual's or organization's funds, and a multi-signature cold wallet to store their savings.

Both multi-signature wallets and social recovery wallets rely on the concept of "guardians": a set of N addresses, usually held by other people, of which any M can approve an action (for example, N=6 and M=4). In a multi-signature wallet, every transaction must be signed by M of the N guardians. In a social recovery wallet, a single key signs transactions, but if that key is lost, M of the N guardians must sign a message to reset the key.

The two key questions about using multisig and social recovery wallets securely are: (i) who do you choose as guardians, and (ii) what instructions do you give them? This post outlines how I think about these questions, and most of the points apply equally to multisig and social recovery wallets, whether they secure individual or organizational funds.

What do we want from the Guardians?

  • Minimize the chance of losing the key.

  • Minimize the chances of them colluding to steal your funds or being coerced into doing so.

  • Since the two risks above cannot be eliminated, the risks of the individual Guardians should be as uncorrelated as possible: minimize what they have in common, because a shared risk can incapacitate or compromise many of your Guardians at the same time.

The answer to this question is simple, but it guides all of my choices regarding Guardians:

Your own device can be your guardian, but don't let too many devices become your guardians.

First, at least one of the guardians can be a wallet on your own device. That is normal: after all, it is your own money, and there is no decentralization concern in you holding a key. However, once you have more than one guardian under your control, you face a tricky trade-off: you depend less on others but concentrate more power in yourself, which is risky if you are hacked, coerced, incapacitated or die.

My experience is that enough guardians should be under the control of others that, if you disappear, they can still recover your funds. That is, you should control at least one guardian and at most N-M guardians. In addition, each of your guardians should be on a separate device (laptop, mobile phone, old phone, etc.).

Choose Guardians who don't talk to each other often, or preferably don't know each other.

Ideally, the Guardians should not know who the other Guardians are. This greatly reduces the risk of them colluding, and they have no real need to know each other. If something happens to you, they will still be able to find each other, because there are obvious standard procedures that people naturally think of in such situations (e.g., contacting your family).

Additionally, you want to minimize the interconnectedness between Guardians: don't pick two Guardians who live in the same city (or, better still, the same country), or two Guardians who use the same type of wallet, and balance their devices across different operating systems.
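The two rules above (hold at least one but at most N-M keys yourself; avoid Guardians who share a city, country or wallet type) can be checked mechanically. The following is an added example, not code from the original post: it audits a constructed 4-of-6 guardian set against those rules and, going one step further than the text, also asks for each shared attribute (including operating system, and any other person holding several keys) whether losing every guardian that shares it would still leave M guardians able to act. The Guardian fields and sample people are assumptions made for the example.

```python
from collections import defaultdict, namedtuple

# device: where the key lives (one key per device); holder: who controls it ("me" = my own device)
Guardian = namedtuple("Guardian", "device holder city country wallet os")

def shared(guardians, attr, unit):
    """Values of `attr` carried by more than one `unit` (a holder or a device)."""
    by_value = defaultdict(set)
    for g in guardians:
        by_value[getattr(g, attr)].add(getattr(g, unit))
    return {v: u for v, u in by_value.items() if len(u) > 1}

def audit(guardians, m):
    """Return {check: problem} for an M-of-N guardian set; {} means it passes."""
    n, findings = len(guardians), {}
    mine = [g for g in guardians if g.holder == "me"]
    # Hold at least one key but at most N-M, so the others can still reach M without you;
    # and never M keys, or whoever compromises your devices controls the wallet alone.
    if not mine:
        findings["control"] = "you hold no guardian key"
    elif len(mine) > n - m:
        findings["control"] = f"you hold {len(mine)} keys, more than N-M={n - m}"
    if len(mine) >= m:
        findings["hacked"] = f"your {len(mine)} devices alone reach M={m}"
    # Two holders in one city or country, or two devices running one wallet type.
    for attr, unit in (("city", "holder"), ("country", "holder"), ("wallet", "device")):
        for value, units in shared(guardians, attr, unit).items():
            findings[f"{attr}={value}"] = f"shared by {sorted(units)}"
    # Common-mode failure: everything sharing one attribute value (a city-wide event,
    # a wallet bug, an OS compromise, one other holder) drops out at the same time.
    for attr in ("holder", "city", "country", "wallet", "os"):
        for value in {getattr(g, attr) for g in guardians} - {"me"}:  # "me" is handled above
            left = sum(1 for g in guardians if getattr(g, attr) != value)
            if left < m:
                findings[f"lose all {attr}={value}"] = f"only {left} remain, below M={m}"
    return findings

M = 4  # the post's example: any 4 of 6 guardians can act
GOOD = [  # constructed sample: two of my devices plus four other people
    Guardian("laptop", "me", "Zurich", "CH", "hw-wallet", "linux"),
    Guardian("phone", "me", "Zurich", "CH", "mobile-a", "android"),
    Guardian("alice-phone", "alice", "Lisbon", "PT", "browser-ext", "ios"),
    Guardian("bob-laptop", "bob", "Tokyo", "JP", "desktop-safe", "macos"),
    Guardian("carol-laptop", "carol", "Nairobi", "KE", "paper", "windows"),
    Guardian("dave-phone", "dave", "Toronto", "CA", "mobile-b", "android"),
]
BAD = [  # constructed sample: three of my devices, a neighbour, and a repeated wallet type
    Guardian("laptop", "me", "Zurich", "CH", "hw-wallet", "linux"),
    Guardian("phone", "me", "Zurich", "CH", "mobile-a", "android"),
    Guardian("old-phone", "me", "Zurich", "CH", "mobile-b", "android"),
    Guardian("alice-phone", "alice", "Zurich", "CH", "browser-ext", "ios"),
    Guardian("bob-laptop", "bob", "Tokyo", "JP", "mobile-a", "macos"),
    Guardian("carol-phone", "carol", "Nairobi", "KE", "paper", "android"),
]
```

Running `audit(BAD, M)` flags the three keys I hold, the shared city, country and wallet type, and that losing Zurich, Switzerland or every Android device would drop the set below 4, while `audit(GOOD, M)` returns no findings.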

Guardians should ask a security question before approving an action:

When you ask a guardian to approve an action for you (in a multisig, this is a transaction; in a social recovery wallet, this is resetting your account key), they should not simply do it right away. That would be a disaster for security: if someone hacks into your chat account, they can scan your messages, find out who your guardians are, contact each of them asking for a confirmation, and steal your funds.

To avoid this, my preferred process is to instruct the Guardian to ask a secret question. When you ask to confirm your action, the Guardian should ask you something that only the two of you and very few other people know (e.g., "What food did we eat when we last met?"), and only confirm the action if you give the correct answer.

A natural choice would be a voice or video call, but in an age where AI is getting good at fakes, this is no longer very reliable on its own, so you may want to combine the voice or video call with some kind of security question.

If you are a "degen veteran", make sure your guardians can respond quickly. Otherwise, don't require it.

If you do riskier things with on-chain contracts, you may need to move quickly: if a contract has a loophole, get the funds out; if you are about to be liquidated, move the money out; and so on. If you have these needs, then you want guardians who can act within a short period of time (and therefore guardians in different time zones, so that enough of them are available to complete a transaction at any hour) to protect your funds. However, if you don't do this kind of thing, then speed isn't particularly important, and may even be somewhat harmful: convincing people to act urgently is a common social engineering tactic of attackers, and if your guardians are put off by that kind of urgency, it may actually be a good thing.

Each Guardian is tested at least once a year

Do a test run at least once a year. Ideally, do a test run twice a year, once with half of your Guardians and once with the other half. This ensures that your Guardians haven't forgotten or lost their accounts.

A more advanced question: Privacy

One of the challenges with Guardians is that there is currently no technology that prevents your Guardians from learning about your finances. However, this is a technical problem that can be solved technically: instead of guarding your account directly, the Guardians guard a "safe" contract, and the link between your account and the safe is hidden.

Keeping the link hidden until a recovery is needed is very easy: for example, your account can be a CREATE2 contract that only the safe is able to create. However, keeping the link hidden after a recovery requires more advanced ZK-SNARK technology. I expect this problem to be solved gradually over the next few years.