Pontem Weekly Livestream Recap October 14, 2022
This week we have Jackie and Wendy from Momentum Safe on our weekly podcast. We’ll be learning about multisig and more from them today. Momentum Safe is the most secure and extensible multi-signature wallet solution on the Move ecosystem, currently LIVE on Aptos DevNet & TestNet. It allows users to make their Move assets, resources, and code more secure and decentralized.
Alejo: So, tell us a little about yourselves!
Jackie: So I have been in the Web3 space since 2018. I started working as a Layer-1 front-end developer. When I started, this was around the same time as the ICO was really popular. And after 4 years of development, I have come to deeply believe that this crypto space, Web3, is a space that should definitely be explored. We are more determined than ever to do something in Web3 to bring more users into this industry.
What we are doing is building a very secure infrastructure. We are building a multisig. Initially, the single-sign was definitely not secure enough to manage multi-person funds because if the private key is compromised, you’ll lose all control over the funds. Basically, the solution is something that will let you add another security layer to your fund management. You can manage all the funds with confirmation from multiple parties. This is where the multisig comes from. It adds another security layer by human interaction. So for each transaction that is sent from the multisig, it will require multiple permissions from the owners. Let’s say you have a wallet that has 3 owners, you will need to receive two out of three confirmations to send one transaction. So this will make the fund management more secure.
Wendy: I’m the co-owner of Momentum Safe. I think Jackie has done an amazing job of talking about what we’re doing here.
Alejo: Coming back to this idea of multisig being a key infrastructure of everyone’s tech stack, from individuals to institutions to DAOs, what does a world look like without multisig? What if multisig didn’t exist?
Wendy: So it’s actually pretty interesting. I used to have a single key wallet myself, and from personal experience, once you reach a certain threshold of money, you feel really insecure with that amount. Every day I would be checking to see if the balance was still there, if my key was still secure. And I actually had 24 phrases instead of the regular 12. This whole process is not the best.
Jackie: I think that another use case is you can avoid drama with people. Say that you started a small fund with your friends, you pooled your money together to invest. The best way to do this isn’t to put the money in one person’s wallet who has full control over it. Maybe you trust your friends, but the best practice is to set up a multisig wallet so that everyone will have some control over the transactions. But we think that the best use case for multisig wallets is for business purposes. For example, if you have some large crypto funds to manage, or if you are a DAO (which owns a treasury), or if you are a project that has operables to manage. Multisig is an incredible tool to help people manage funds with each other, and if you don’t have this, I can’t imagine how you are going to manage the funds. There will only be one private key for the account, which makes it super dangerous for the guy who holds the private key. If that private key is compromised, he loses everything. I think that multisig is the key for collaboration.
Alejo: So what I’m hearing is that one, it’s a tool for collaboration, a social fabric that allows us to not have to trust one individual and two it’s a core security feature. I agree that if multisig didn’t exist, I’d be very anxious about my own personal holdings. This technology is really useful for everyone, whether it be a DAO with a treasury or just a group of friends with a shared fund. I mean, think back to what happened when the Quadriga founder died. Only one private key and everything was lost.
Wendy: When you have something to manage, for example, say you’re a protocol owner. You’re not only holding a key to your own assets; you’re also holding a key to the community’s assets. People are trusting you with their money, so you should probably think of all the possibilities.
Alejo: Definitely, this should be a security best practice. Do you have any good resources/best practices on multisig? For example, how do you split up the backups and make sure they’re backed up? Or what if one person loses their private key?
Wendy: Yes, absolutely. This is something that we should all brush up on, how to secure our assets. I think my key is to create some redundancy but we can talk more about that later.
Alejo: In terms of treasury management, are there good ways that multisig can be used to allow people to give input in the treasury or manage the treasury in more creative ways than if it was just one individual? For example, could governance be managed with multisig?
Wendy: If you have some assets that aren’t owned by you, say they’re owned by a protocol like a DEX or lending protocol. A team develops this protocol and deploys it. Say they charge transaction fees for revenue, which will be owned by the team and not just one person. In that case, they would want to create a Momentum Safe account where multiple team members own this account. Let’s say 5 people own this account and it allows 3 people to withdraw or distribute money. So that’s a good example of team-owned assets. I think the community would trust the protocol even more when they are using a multisig account instead of if just the CFO owns the account.
Another good example for DAOs is the DAO will have a group of people who own the assets for the community, and if a group of contributors has done great things for the DAO community, you probably want to reward them with some tokens. Who decides that? The best practice here is to have a group of people from the community holding a Momentum Safe account. As an example, let’s say 10 people share the account, if 8 of them say let’s reward these community members, then the funds are released.
Jackie: I would like to add something else to the DAO use cases. So you have a DAO where there are some proposals and the community can decide whether they will pass. Then the executor of this proposal is going to give some treasury to some entities or add some protocol-level changes. All of these need to be carried out by a multisig, which can be held by both the community leaders and the team members. If you have an account of 10 keys, 3 can be given to team members, and 7 can be distributed to the community leaders. This is a good example of decentralization of power. Basically, if the team itself wants to rob the community, they won’t reach enough signatures to reach the threshold of this multisig. It’s the community that is taking the lead and executing decisions.
Alejo: So it’s like a safety mechanism to prevent collusion, a way to make sure there’s no central point of failure.
Jackie: Exactly. It’s not even about trusting the project team, it’s about decentralizing the risk. This isn’t only limited to treasury management, but also works for protocol upgrades. There will always be some changes that can be carried out by the DAO proposal, and it will require a multisig to execute the operations approved by the DAO or community. And we think the community is the root power of Web3 that can bring us together.
Alejo: I definitely agree. Even as I think of our own architecture, that’s a difficult decision point for a lot of developers. From our perspective, we want to minimize the attack vectors for censorship, and losing our private keys. For us, we made the difficult decision to ship our code immutably, meaning no upgradability. It’s a security function. And I can see how handing that power to a multisig and distributing the risk can also be another layer of security. For us, because we’re so new, it can be dangerous to give that much power to the community which is why we chose to go with immutable ships. But I can see how in the future it could potentially be a huge asset to distribute the risk.
But it’s still relatively untested, isn’t it? What if the community members themselves decide to collude? In my opinion, it’s best practice to have safety measures in place like veto power for the protocol developers so that things don’t get instituted that could blow up the system. You also want to severely limit the number of parameters that are actually changeable.
Wendy: I love the way you think. I feel like security is something where people tend to overlook things. But with protocols, if we don’t think about it beforehand, then we run into the common situation of a hack happening and everyone panicking and figuring out how to prevent this from happening again. This is definitely something you should be thinking about from day 1, when you are deploying.
Alejo: These things should definitely be well thought out before deployment. And it’s definitely the community members’ responsibility to keep the protocol developers accountable and transparent in how they’re managing treasuries and deploying their code. And generally, it’s only really thought about in hindsight. Maybe there’s some good coming out of all of these recent hacks, that security is definitely top in everyone’s minds right now.
Wendy: And I just thought of another case. If you live in the States, the regulations are getting more and more complex. I used to work on Libra, Facebook’s past blockchain project, and when I was working there, one of the topics that we dealt with every day was regulation. You need to meet all the compliance requirements and, if people haven’t heard, we weren’t able to launch several iterations of the project just because the Feds didn’t want us to. As a protocol, you don’t want that happening to you.
Let’s say that you build a DEX that’s super popular, or a lending protocol that you deposit thousands of dollars into and then one day the Feds come in and decide to shut it down. How can they do that? If the protocol is owned by one person, they can just arrest that person. But if you use Momentum Safe to deploy, the Feds might not be able to arrest enough people to get it shut down. As a community member, we are responsible for our assets and we need to push protocol developers to deploy from a multisig account.
Alejo: I would agree that a lot of projects today are known as “DINOs” or Decentralized In Name Only, which poses a lot of risk. Imagine we were living under an authoritarian regime. You really want this core blockchain function of censorship resistance. You don’t want a central state actor or even a private actor to be able to come in and shut it down and demand the funds. You really don’t want that central point of failure. Protocols like Uniswap are built with immutable ships so that they can’t be shut down. The power just transfers to the DAO. At the end of the day, there’s real people behind these tokens and the voting to move coins around. But if they’re built correctly, we’re building these decentralized organizations that run autonomously without the input of one single party. That architecture should be robust enough to avoid censorship from authoritarian regimes.
Wendy: I’d say that it’s not even just the US. Other countries would probably have the same concerns, which is why it’s better to not leave the control of the protocol up to only the developers, but to also include the community.
Alejo: This may sound extreme but I think it’s also a matter of national security. Think of Bitcoin, which can be a neutral way to settle money. Do we really want a large state actor to be able to shut it down? What happens when the US and all of these companies hold Bitcoin in their portfolio and it gets shut down? It’s important for these things to be decentralized and unable to be controlled by one single actor.
I feel like for a lot of community members, multisig seems like it’s a little bit extra. But I feel like if we can institute these best practices at every level and we make it easy to use, like with Momentum Safe, then this technology can be mass adopted. It’s just a matter of changing our culture and perspective on keys. I was looking through your interface and some of the products you’re putting out, it’s really user-friendly. Maybe you could talk about how easy it is to create and use a multisig.
Jackie: So the interface is very intuitive. Basically, we are going to create a 2-signature account, which is available through the UI. You and the 2 other people you’re creating the account with open a web interface and click “Create Wallet” and then fill in all the required data and then you’re able to create a multisig account with one click. You’ll need to collect enough signatures to authorize this creation.
Alejo: Maybe this is how we can transition to how MSafe and Pontem can work together. We’ve been so happy with our experience with the Momentum Safe team, and we’ve been given a lot of support in integrating your products. It is a core, integral part of our Liquidswap protocol. How we deploy and change the feed parameters is multisig. Our protocol is immutable, but there are certain parts of it that are changeable, like the feed parameters of how much each pool should be charged. In the future, we plan to transfer that to a DAO account, but right now it’s a multisig. And then on the wallet front, I’m really excited to make this technology accessible to more people.
Jackie: We are very grateful for Pontem adopting our solution. I really appreciate Pontem’s efforts to make the smart contract immutable, because I think it’s the most secure solution ever because you are minimizing the attacking interfaces for malicious actors. I have read into Pontem’s code, and it’s very solid with deep insights into the Move ecosystem. Pontem also has one of the most talented teams in the Move ecosystem. Every time we talk to the team, we learn something new.
So let’s talk about the multisig. We are offering the multisig for Pontem Network's emergency stop as well as parameter changes. This is done by multiple parties that the Pontem team chooses. I think you guys are doing a great job of trying to decentralize everything.
Wendy: We are enjoying working with the Pontem team. We have a Telegram group and Pontem is one of the first customers of the Momentum Safe account, especially on the deploying smart contract part. Just wanted to highlight the collaboration between us and the Pontem team.
Alejo: Thank you so much, we really enjoy working with each other too. As protocol developers, we are still part of the broader Aptos community, and it’s important for us all to share the same values and principles in how we build these things. It’s important to share the knowledge, as well, because a lot of these best practices for Move, we’re actually pioneering. We really appreciate working with y’all and look forward to the future. Let’s answer some questions from the community!
- Will gas fees increase for this type of signature?
Jackie: There will be no excessive gas fees for multi-signatures. Every one of the owners will need to submit a transaction to submit a signature, so in that sense it will take more gas than a single signature transaction. But the gas fees on Aptos are supposed to be much, much lower, so I don’t think it’s going to be a problem. Also, Aptos’s network is super fast. So I don’t think gas will be a problem.
- What are some of the competitive advantages of Momentum Safe?
Wendy: So there’s one thing I really want to share that’s very special about Momentum Safe. If you are the holder of a Momentum Safe account, you likely own a big chunk of money that you really want to keep secure. But also meanwhile, we have this concept of an App Store, so if you go to Momentum Safe’s account you can actually explore all the other protocols in the Aptos ecosystem. You can go there and find the protocols you can use with a multisig account and generate some yield for yourself. We are the only multisig wallet account that can do this. On another account you can transact money, but you can’t do staking or lending protocols, etc.
The other thing about the App Store is that there are all these amazing protocols and things going on in the community, but it’s hard to find a place where you can know what’s going on in the whole Aptos ecosystem. We provide a way to discover all the other protocols and what’s going on with them.
Jackie: Another thing I will add is that we talk about protocol deployment and who controls it, and Momentum Safe can interact with any smart contract at will. So any protocol can use Momentum Safe to add accounts to interact with smart contracts. Any project can use us for a set of operations like smart contract deployment, emergency stops, protocol changes, execution of DAO proposals, etc.
Wendy: I also wanted to talk about the security part. For us, security was a top concern and when we started building this protocol, as you can imagine, security was something we would review daily. Our protocol is as secure as Aptos’s core protocol, meaning as long as the Aptos core protocol is not hacked, you will be safe with us.
Thank you to Momentum Safe for joining us today! Go ahead and check out their Discord and Twitter. Hopefully next time you guys are on, we can do a demo and we look forward to seeing the progress of your project! Join us next week for our weekly livestream and follow us on our Twitter, Discord, and Telegram chat to keep up with all things Pontem in the meantime.