I recently gave Casa’s 3-of-5 multisig wallet a try. I’m pleased with it, but it didn’t implement one feature I’ve come to expect in multisig wallets: multiple verification of receiving addresses.

In a typical single-sig software wallet, you click some sort of receive button, it displays an address, and you trust that address is correct because any software single-sig wallet that was broken or lying to you could already lose or steal your funds.

Users of multisig wallets don’t want to trust any single signer. Casa’s 3-of-5 model allows up to 2 of the signers to be broken or lying without putting your funds at risk. However, the only obvious way[1] to get a receiving address in Casa involves trusting the mobile app (which controls one of the keys). There’s no described way to use the other devices you control to verify that it’s a correct address, and so a broken or lying app could lose or steal your funds.

Casa does provide recovery instructions that allow you to import all five public keys for your wallet into Electrum desktop, have it find all of your transactions, and then spend any bitcoins by connecting your three hardware signing devices.[2] I didn’t try entering that information into Electrum desktop (I took a different approach), but if you did, it should generate the same receiving addresses as the Casa app. I think that’s probably a reasonable process for most people.

For me, though, that’s not enough. Although I try to stay secure, I have a lot of stuff installed on both my computer and my mobile. I would be unsurprised to discover that a highly motivated attacker could compromise both devices and use that to show me a receiving address that goes to their wallet instead of my own.

The relative ease of compromising mobiles, laptops, and other general purpose computing devices is why we use single-purpose devices like hardware signers. Early hardware signing devices, like the Trezor One, were designed to prevent the above type of attack and most later hardware devices also provide that support. The method is simple: a software wallet can send address-related information to a hardware signing device, the hardware device will check whether it can sign for that address, and (if it can sign) it will display the address to the user on its built-in screen.

The ideal workflow for this would be that I would generate a receiving address in the Casa app, choose a hardware device of mine from the app, and tell the app to verify the address on that device. I would then connect the device to my computer, it would display the address, and I’d check it against the app. For an example of this, see the documentation for Trezor’s app. I could then optionally repeat that process with the same address up to two more times with my other two hardware devices.

Since Casa doesn’t support this directly, I did it myself by writing a quick shell script. The script uses Bitcoin Core and HWI in addition to basic shell tools and jq. I use the information from my Casa recovery instructions plus HWI to get all five of my extended public keys (xpubs), from which I generate a descriptor. With a descriptor, I’m able to generate all the possible receive addresses for my Casa wallet. I then tell the script what address I want to validate, it checks (in software) that it’s on the list of receive addresses and sends it to a connected hardware signing device. The device displays the address if it can co-sign for it. I can repeat that as necessary.
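
A sketch of the procedure described above, added here as an example; it is not the author's script. The `sh(sortedmulti(...))` script type, the `/0/*` receive branch, the 1000-address search window and the function names are assumptions, so substitute the script type and derivation paths your own recovery instructions state.

```bash
#!/usr/bin/env bash
# Added example, not the author's script. Assumptions: sh(sortedmulti(...)) script
# type, the /0/* receive branch, a 1000-address search window, and all function names.
set -eu

# build_descriptor THRESHOLD INDEX KEY...   INDEX is a number, or '*' for the range form.
# Each KEY is "[fingerprint/origin/path]xpub..." in Bitcoin Core descriptor syntax.
build_descriptor() {
  local threshold="$1" index="$2" keys="" k
  shift 2
  for k in "$@"; do keys="$keys,$k/0/$index"; done
  printf 'sh(sortedmulti(%s%s))' "$threshold" "$keys"
}

# find_index ADDRESS: stdin holds one derived address per line (first line = index 0).
# Prints the index of an exact match; returns non-zero if the address is not listed.
find_index() {
  local want="$1" i=0 found="" addr
  while IFS= read -r addr; do
    [ "$addr" = "$want" ] && found=$i
    i=$((i + 1))
  done
  [ -n "$found" ] && echo "$found"
}

# verify_address ADDRESS SIGNER_FINGERPRINT THRESHOLD KEY...
verify_address() {
  local address="$1" signer="$2" threshold="$3" desc derived index
  shift 3
  # getdescriptorinfo returns the descriptor with the checksum deriveaddresses needs.
  desc=$(bitcoin-cli getdescriptorinfo "$(build_descriptor "$threshold" '*' "$@")")
  desc=$(printf '%s' "$desc" | jq -r .descriptor)
  echo "Wallet descriptor: $desc"
  # Software check: the address must be one this set of keys actually derives.
  derived=$(bitcoin-cli deriveaddresses "$desc" '[0,999]')
  index=$(printf '%s' "$derived" | jq -r '.[]' | find_index "$address") || {
    echo "Address is not in the first 1000 receive addresses" >&2; return 1; }
  # Hardware check: the signer shows the address on its own screen if it can co-sign.
  hwi --fingerprint "$signer" displayaddress \
    --desc "$(build_descriptor "$threshold" "$index" "$@")"
}

# Usage: verify.sh ADDRESS SIGNER_FINGERPRINT 3 '[fp1/path]xpub1' ... '[fp5/path]xpub5'
if [ "$#" -ge 4 ]; then verify_address "$@"; fi
```

The software check only proves the address belongs to the descriptor; the comparison that matters is reading the address off the hardware signer's screen and matching it against the one the app showed.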

As a bonus, the script gives me my wallet descriptor, which is a compact machine-parsable description of all of the information I need to find all of my funds onchain and spend them with the help of my hardware signing devices if Casa becomes unavailable. I think it would be great if Casa started including descriptors in its personalized recovery instructions in the future as they become ever more widely supported by other software.

Although I’ve focused on Casa in this post (since that’s what I’ve been playing around with this past week), I would recommend that anyone using multisig, hardware signing devices, or both consider multiple verification of receiving addresses when working with personally significant amounts of money. If you don’t trust a single piece of code for spending, you shouldn’t trust a single piece of code for receiving.

Footnotes

  1. After writing this post, during the process of adding links, I discovered an old Casa blog post that describes how you can cross check with another software wallet the same way as I describe here (although that post uses Specter desktop instead of Electrum desktop). 

  2. I was quite pleased by the amount of documentation Casa provided for independent recovery and, especially, that they directly emailed me personalized instructions containing my public keys, ensuring that I had a backup in case they later become unavailable.