RaisePay wallet social recovery: Friends to the rescue!
By Roman, Andrei, and Amanya from Raise Finance.
Social recovery wallets have become increasingly popular with the introduction of EIP-4337 on the Ethereum mainnet. The Raise team has long been an advocate for this wallet technique as it drastically improves user experience and security for the average user. The reality is that the private keys of EOA wallets are easily lost, especially by inexperienced users, resulting in a total loss of funds and no way to restore access. Social recovery provides an alternative solution by assigning a group of guardians who have the authority to approve authentication and provide a new key in the event of lost keys. To illustrate this further, imagine you have lost the keys to your house after returning from a long trip. Before leaving, you had the foresight to make a new key and divide it into pieces, which you then shared with your neighbors, friends, and family. Now, you can call them up, put the pieces back together and regain access to your home. Hooray!
Social recovery has many strategies, and in a recent Reddit post, Vitalik shared his opinion on how to make social recovery wallets safer, including his thoughts on choosing guardians. In this article, we will explore how the RaisePay wallet’s social recovery strategy addresses the issue.
Let’s begin by examining the common methods of user identity verification and the potential issues associated with them. Most users have email or social media accounts, but these can’t be fully trusted to prove user identity. These accounts can be compromised, and if the only way to restore access to them is through access to the original account, an attacker could potentially steal all of the funds. Furthermore, these methods exist off-chain, meaning we need to rely on oracles to verify the user approved the use of their email or Twitter account. However, we can’t fully trust this off-chain logic, as it can be hacked or go offline.
The reliable concept of blockchain governance known as multisig has proven its worth. This system allows important decisions to be made and executed by a group of people. Each person exists in some kind of society and likely has trusted friends or relatives who can help them recover access, acting as a kind of multisig. At RaisePay Wallet, we use both Raise Guardian, which verifies a user’s email or social media accounts, and signatures from guardians assigned by the user. Additionally, the RaisePay wallet recommends that users add their hardware or hot wallet address (if they have one) as one of their guardians for increased security.
To begin the process of restoring access to your wallet, you must first prove that the social media accounts linked to it are owned by you. You can do this by entering the code sent to your email/Twitter/Discord. Once Raise Guardian has verified your ownership, your guardians will be notified that they need to approve the recovery with a unique recovery ID. Your guardians must contact you to confirm the recovery ID. Additionally, we remind guardians to ask a security question to which only you and your guardian know the correct answer. When they enter the code, it serves as proof that you have lost access to your wallet, and the guardian has approved the recovery by entering the ID. To further protect you and your wallet, a lock is placed on it for a period of time (e.g. 24 hours) during which the recovery request can be canceled with your old signing key. After 24 hours have passed, new login keys will be added to the wallet, and you will regain access to your funds.
Let’s consider some corner cases of security for this scheme.
1. Your guardians collude
Let’s imagine that the friends you chose as guardians conspire to steal all your funds. To safeguard your funds, the guardians of each individual wallet are securely stored as cryptographic hashes, making it impossible to discover who the other guardians are. Additionally, they cannot initiate the recovery process without access to your email or social media accounts. Finally, when a recovery request is made, you will be instantly notified and given a specific time window to cancel it.
2. Your e-mail is hacked
The attacker begins the social recovery process and enters the email code. He is then presented with the recovery ID, but in order to proceed, he must somehow convince the guardians to accept this recovery ID, pretending to be the rightful owner. This is complicated by the fact that the wallet only stores hashes of guardian addresses, making it difficult for the attacker to identify who the guardians are. Besides, each guardian is required to ask a personal question to verify the identity of the individual attempting to recover the wallet. This adds an extra layer of security, as the attacker must be able to answer the questions correctly in order to gain access to the wallet.
3. Some of your friends are offline or refuse to approve the recovery
It’s alright, you don’t need to ask all your guardians; a minimum of 2/3 quorum is needed. It’s recommended to add 7 guardians, and approval of at least 4 of them is required to proceed. If you add a hardware device as one of the guardians, you will only need 3 friends or relatives to authorize the recovery. If most of your friends don’t want you to restore your access, maybe you’re doing something wrong? :)
4. You lost your e-mail access
You can use any of your other linked social accounts, e.g. your Twitter account.
5. Raise Guardian is compromised
A compromised Raise Guardian may attempt to send your wallet into recovery mode. However, to successfully gain access, the attacker would need to employ social engineering tactics to convince your guardians to enter a unique recovery ID and sign the recovery transaction. Fortunately, this is highly unlikely, as the hacker does not know who your guardians are or how to contact them.
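The recovery flow and the corner cases above, modeled as a small Python state machine. This is an added example, not RaisePay's contract code: the class and method names are hypothetical, signatures are reduced to plain key and address comparisons, SHA-256 stands in for the on-chain hash, and the lock is assumed to start once the 4-of-7 quorum is reached.

```python
import hashlib, secrets
# Assumptions: hypothetical model; no real signatures; SHA-256 as a stand-in hash.
def h(addr: str) -> str:
    # Guardian addresses are stored only as hashes, never in the clear.
    return hashlib.sha256(addr.lower().encode()).hexdigest()

class RecoveryWallet:
    def __init__(self, owner_key, guardian_addrs, threshold=4, delay=24 * 3600):
        self.owner_key = owner_key
        self.guardian_hashes = {h(a) for a in guardian_addrs}
        self.threshold, self.delay = threshold, delay
        self.pending = None  # the active recovery request, if any

    def start_recovery(self, new_key, identity_verified):
        # identity_verified models the email/social code check by the verifier service.
        if not identity_verified:
            raise PermissionError("identity not verified")
        if self.pending:
            raise RuntimeError("recovery already pending")
        self.pending = {"id": secrets.token_hex(8), "new_key": new_key,
                        "approvals": set(), "locked_at": None}
        return self.pending["id"]

    def approve(self, guardian_addr, recovery_id, now):
        p = self.pending
        if p is None or not secrets.compare_digest(recovery_id, p["id"]):
            raise PermissionError("unknown recovery ID")
        gh = h(guardian_addr)
        if gh not in self.guardian_hashes:
            raise PermissionError("not a guardian")
        p["approvals"].add(gh)  # a set, so a repeated approval counts once
        if p["locked_at"] is None and len(p["approvals"]) >= self.threshold:
            p["locked_at"] = now  # quorum reached: the cancel window opens
        return len(p["approvals"])

    def cancel(self, key):
        if key != self.owner_key:
            raise PermissionError("only the current key can cancel")
        self.pending = None

    def finalize(self, now):
        p = self.pending
        if p is None or p["locked_at"] is None:
            raise RuntimeError("quorum not reached")
        if now < p["locked_at"] + self.delay:
            raise RuntimeError("still inside the cancel window")
        self.owner_key, self.pending = p["new_key"], None
        return self.owner_key
```

A compromised verifier alone can only open a request; without four guardian approvals `finalize` never succeeds, and the old key can call `cancel` at any point before the delay expires.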
The Raise team is committed to creating the safest and most user-friendly experience when using the RaisePay wallet. We are dedicated to providing a variety of strategies and methods to make social recovery a secure process. With our expertise, we strive to make the RaisePay wallet experience as smooth and effortless for our users as possible.
Learn More About Raise Finance on:
RaisePay wallet Testnet : https://www.raisepay.io/
Raise Launchpad Testnet (completed): test.raisefinance.io
Raise Finance does not guarantee any profits or rewards, and any involvement in this project is entirely at the participant’s own risk. Participation in this project is done solely at the discretion of the individual, and any potential risks should be thoroughly evaluated prior to involvement.
By using Raise Finance Application you will be deemed to have:
(I) read the Legal notice and other informational materials about the operation of the Raise Finance Application.