Our new Multi-Owner Account feature recognizes the need to empower teams on Starknet to manage contract upgrades and treasury funds in secure and efficient ways.
Moving beyond the conventional crypto multi-sig model, we designed our Multi-Owner Account with enhanced collaboration and security in mind. We’ve built this feature out of a necessity we felt ourselves, and we want to ensure it aligns with the wider Starknet community.
As we prepare to roll out this feature today (July 24, 2023), this post will explore the intricacies of how it operates. As part of our commitment to transparency, we have also made the code open source – ready for anyone to review and verify.
What is a Multi-Owner Account?
At its core, the Multi-Owner Account (MOA) is an innovative feature that harnesses the power of account abstraction to facilitate collaborative on-chain transaction management.
We designed this account type to cater to teams, organizations, or any group where each member has a unique wallet. This account only executes transactions once it receives a predefined number of owner approvals (a threshold the team sets).
Here, Braavos founder Motty Lavie describes the purpose and key features of the Hardware Signer.
What are the Benefits?
Our Multi-Owner Account provides teams on Starknet with collective control over their contracts and treasury, unlocking a number of specific benefits:
Collaborative Control. Enables on-chain team management of transaction execution, reinforcing collective decision-making and eliminating unilateral transaction risks.
Dynamic Owners Structure. Provides the flexibility to easily add or remove owners, and to adjust the minimum signers required for transaction approval at any time.
Fortified Security. Each owner’s account can adopt (or opt into) enhanced security measures such as 2FA, 3FA, or even becoming another MOA, thereby heightening account security.
Autonomous Gas Payments. As a standalone account on Starknet, the MOA covers its own gas fees.
Seamless dApp Integration. The MOA integrates effortlessly with each and every dApp, as it is treated like any other account in your wallet.
How Does it Work?
Setting up a multi-owner account is simple.
Here’s how to do it:
Click on the Menu and select ‘Add a Multi-Owner Account’. You will have the choice to either create a new account or join an existing one.
To create a new account:
- Initiate: Click on ‘Create a New Multi-Owner Account’.
- Add Owners: Include up to seven unique wallet addresses as owners for the single account.
- Set Threshold: Set the minimum number of owners (M out of N) that are required to sign for a transaction to be approved.
- Review and Confirm: Review all the details and, once everything is in order, confirm the creation of the account.
To join an existing account:
- Import: Click on ‘Import an Existing Multi-Owner Account’.
- Set MOA Address: Add the MOA address and click ‘Import’.
That’s it! Your wallet will now list the account under the MOA section.
Once the account is up and running, any owner can start a new transaction signing process or sign pending transactions. Owners can collaboratively add or remove other owners or adjust the M out of N signers’ threshold – all easily accessible within the account settings.
What Makes the Multi-Owner Account Superior to a Multisig Account Like Gnosis Safe?
Our Multi-Owner Account is designed to function like any other account but with additional features. This means it covers its own gas fees and connects seamlessly with any dApp.
In addition to these features, the account also accommodates the various security measures specific to each owner. These can range from a simple Seed Signer to a sophisticated Hardware Signer (2FA), Multi-Signer (3FA), or even another Multi-Owner Account.
This combination of flexibility, control and enhanced security sets it apart from traditional Safe multisig accounts.
The Technical Details
How does account abstraction work?
The MOA leverages account abstraction to deliver superior account collaboration functionality, where each owner can be multi-factor authenticated.
Here’s a brief recap of how Account Abstraction works on Starknet.
There are two main entry points to the account:
__validate__: This function is responsible for verifying that the transaction is correctly signed by the account owner, whether the signature is a standard STARK signature, secp256r1, or other.
__execute__: This function assumes that the transaction signature is valid and executes the transaction accordingly.
The Starknet OS first calls __validate__. If this function fails, the transaction is rejected. If __validate__ passes, the transaction can either succeed (and be accepted) or fail (and be rejected).
Two critical points worth noting are:
- Even if transactions are reverted, they still incur gas fees.
- Starting with Starknet v0.12.1, reverted transactions do not revert the state of __validate__, but only the state of __execute__. This means that any changes to the storage made in __validate__ are preserved, while any changes made in __execute__ are reverted.
What is the flow when issuing a transaction?
When it comes to implementing the MOA, we previously faced a significant challenge related to the Starknet OS operations.
This challenge revolved around the fact that external contracts can’t be called from the __validate__ function, as it introduces a Denial of Service (DoS) attack vector. As a result, calling the owner’s account is_valid_signature directly from __validate__ wasn’t an option.
Our solution follows these steps:
The transaction may require two signatures – initially from the Seed Signer, and then from the actual signer of the account, whether that’s another Seed Signer, a Hardware Signer (2FA), or a Multi-Signer (3FA).
In the __validate__ phase, the MOA verifies the transaction’s authenticity against the Seed Signer’s signature. The owner’s Seed Signer key is set in the MOA at the time of initialization; this can be done either during the MOA creation process or later, when a new owner is added to the MOA.
In the __execute__ phase, the MOA checks the transaction’s authenticity by calling the is_valid_signature method on the initiating owner’s account. This step allows us to confirm the owner’s legitimacy by comparing the transaction with the defined security level in the owner’s account, which could be Seed, Hardware, or Multi-Signer security.
What were potential attack vectors?
Gas drain attack – malicious owner
One possible threat is a malicious owner draining the account balance by issuing defective transactions that waste gas. In such a scenario, the MOA account __execute__ will calls the malicious owner account’s is_valid_signature, which uses specific logic to intentionally waste gas, for example via long execution or excessive storage writes.
To prevent this, the MOA:
- Limits the MAX_FEE allowed for owners’ 1…S transaction, where S<M.
- Ensures that all owners signed the same MAX_FEE, including the last owner to sign (signer M).
- Enforces a limitation of 15 daily transactions (in the future, we might adjust this to introduce a cooldown period after N consecutive transactions — whether failed or successful — from the same owner).
What about nonce abstraction?
Nonce abstraction provides the capability to send multiple uncoupled transactions concurrently, with the outcome of each transaction – be it a success or failure – not affecting the nonce of the others. This allows for simultaneous transaction handling without the risk of nonce conflict.
However, Starknet does not currently support nonce abstraction – it’s a feature on the roadmap. As such, if two owners of the MOA issue transactions in parallel (i.e., the second transaction is issued before the first one is executed), the latter transaction will be rejected due to nonce mismatch.
We consider this to be a minor concern at the moment, as the targeted use case does not involve a large number of owners. This scenario would only happen if two owners signed transactions within the same minute, a relatively unlikely event. Moreover, this issue is set to be resolved in the future once Starknet implements nonce abstraction.
Summary
We believe that the Multi-Owner Account feature will significantly enhance Starknet teams’ ability to manage their contracts and treasury on-chain. It has been designed to be powerful, flexible yet extremely secure. We will use it for our contract upgrades and treasury management, reinforcing our commitment to the best security and user experience.
If you have any questions or need more clarification about the Multi-Owner Account feature, please contact us on Twitter or Discord. We will be happy to help.