Secure Operations with multi-signature
Multisignature (multisig) refers to requiring multiple keys to authorize an Operation, rather than a single signature from one key. Each Operation defines a multi-signature threshold that must be met before the Operation is validated. This secures the operation by:
Dividing administration responsibility among multiple people.
Avoiding a single point of failure, making it substantially more difficult to compromise the wallet.
Providing an M-of-N backup, where the loss of a single key does not lead to loss of the wallet.
Security levels
Depending on the criticality of an operation, one of the following security levels can be set. Each security level defines a multi-signature threshold.
LEVEL 0 or Public: does not require any signature.
LEVEL 1: requires 1 admin signature or 1 owner signature.
LEVEL 2: requires 2 admin signatures or 1 super admin signature.
LEVEL 3: requires 1 super admin signature.
Operations and security levels
By default, the following security levels are assigned to each Operation when the smart contract is instantiated during setup:

| NFT Solution Operation | Security Level | API Iteration |
|---|---|---|
| Transfer | LEVEL 1 | V.2 |
| Mint | LEVEL 2 | V.2 |
| Remove Admin | LEVEL 3 | V.2 |
| Add Admin | LEVEL 3 | V.2 |
| Remove Super Admin | LEVEL 3 | V.2 |
| Add Super Admin | LEVEL 3 | V.2 |
| Update Admin | LEVEL 3 | V.2 |
| Update Super Admin | LEVEL 3 | V.2 |
The smart contract must be replaced by a new one if the security levels need to be changed. This is not a recommended request, as all tokens minted with the previous smart contract will not be available in the new smart contract.
Signature Process
If an operation requires only one signature, the qualified administrator simply signs it with his or her Ledger key. After the signature, the transaction is submitted to the blockchain and the operation appears in the Operations dashboard with the status “Pending”.
If more signatures are required, as for LEVEL 2 operations, the operation appears in the Operations dashboard with the status “ReqSig”, allowing a second administrator to open the operation's details and provide the required signature.
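The following Python model of the threshold rules and the dashboard statuses above is an added example, not the platform's own contract or API code. It encodes the four security levels and the default operation table exactly as the page lists them; the key identifiers are constructed, and it assumes the owner, admin and super admin roles are disjoint (the page does not say whether a super admin also counts as an admin for LEVEL 1).

```python
from collections import Counter

# Roles named on the page. Treated as disjoint here (assumption): a super admin key
# does not count toward an "admin" threshold in this model.
OWNER, ADMIN, SUPER_ADMIN = "owner", "admin", "super_admin"

# Security levels as the page defines them. Each level is a list of alternatives;
# meeting any one alternative authorizes the operation. An alternative maps a role
# to the number of distinct keys of that role that must have signed.
LEVELS = {
    0: [{}],                                  # public: no signature required
    1: [{ADMIN: 1}, {OWNER: 1}],
    2: [{ADMIN: 2}, {SUPER_ADMIN: 1}],
    3: [{SUPER_ADMIN: 1}],
}

# Default security level per operation, taken from the page's table.
OPERATION_LEVELS = {
    "Transfer": 1,
    "Mint": 2,
    "Remove Admin": 3,
    "Add Admin": 3,
    "Remove Super Admin": 3,
    "Add Super Admin": 3,
    "Update Admin": 3,
    "Update Super Admin": 3,
}

# Constructed key registry (key identifier -> role); these names are not from the page.
KEY_ROLES = {
    "key-owner-1": OWNER,
    "key-admin-1": ADMIN,
    "key-admin-2": ADMIN,
    "key-super-1": SUPER_ADMIN,
}


def alternative_met(alternative, role_counts):
    """True if every role in the alternative has at least the required number of signers."""
    return all(role_counts[role] >= n for role, n in alternative.items())


def is_authorized(level, signers, key_roles=KEY_ROLES):
    """True if the distinct signing keys satisfy at least one alternative of `level`."""
    unknown = [k for k in signers if k not in key_roles]
    if unknown:
        raise ValueError(f"signature from unregistered key(s): {unknown}")
    # Count distinct keys per role: the same key signing twice is still one signature,
    # so a single admin cannot satisfy a 2-admin threshold by signing repeatedly.
    role_counts = Counter(key_roles[k] for k in set(signers))
    return any(alternative_met(alt, role_counts) for alt in LEVELS[level])


def operation_status(operation, signers, key_roles=KEY_ROLES):
    """Dashboard status after the given keys have signed.

    "Pending": the threshold is met and the transaction is submitted to the chain.
    "ReqSig":  further signatures are still required (the LEVEL 2 case on the page).
    """
    level = OPERATION_LEVELS[operation]
    return "Pending" if is_authorized(level, signers, key_roles) else "ReqSig"


if __name__ == "__main__":
    print(operation_status("Transfer", ["key-admin-1"]))                    # Pending
    print(operation_status("Mint", ["key-admin-1"]))                        # ReqSig
    print(operation_status("Mint", ["key-admin-1", "key-admin-1"]))         # ReqSig (same key twice)
    print(operation_status("Mint", ["key-admin-1", "key-admin-2"]))         # Pending
    print(operation_status("Mint", ["key-super-1"]))                        # Pending
    print(operation_status("Remove Admin", ["key-admin-1", "key-admin-2"]))  # ReqSig
```

The model counts distinct keys rather than raw signatures, which is the check a contract must make so that one administrator replaying their own signature cannot stand in for a second administrator. Note that under the default levels a single super admin key alone moves a Mint or a Remove Admin straight to "Pending", which is the property discussed under Security Warning.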
Automatic Signature Process
Some operations, such as the “Mint” of a sold asset, are performed automatically by the platform. In this case no manual signature from administrators is required. However, in case of error, the mint of the asset can be performed manually using the Ledger key.
Security Warning
It has to be noted that the notion of “super administrator” can be seen as a security threat.
Indeed, multi-signature's main objective is to avoid a single point of failure. Therefore, a multi-signature contract generally requires at least 2 signatures before triggering the target function. That way, hackers have to steal at least two private keys before being able to corrupt a contract.
Letting a super administrator trigger a function with a single signature means that a hacker only has to steal one key to take over the token.
However, private keys are stored on hardware-secured devices (Ledger Nano S) and are protected by a PIN code system that locks the wallet after 3 failed attempts. Moreover, since multiple super administrators will be declared, there is no security risk in losing one key. Thus, it remains difficult for hackers to corrupt the system. Lastly, in case of a breach (i.e. a super administrator's Ledger Nano S is stolen together with its PIN code, and the private key has been used before the key could be disabled on the contract), the recovery system can always be used to annul the hacker's transactions.
From a user experience perspective, letting super administrators activate operations without requiring an additional signature is also more convenient.
In summary, we consider that letting super administrators activate operations with a single signature is safe as long as the Ledger Nano S devices are securely stored and protected. Nevertheless, we recommend raising the signature threshold for more security.
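To make the trade-off in this warning concrete, the added example below (not code from the page or the platform) computes, for each security level, the smallest number of distinct keys an attacker would need to control to meet the threshold. It compares the page's default levels with a hypothetical raised policy that requires two super admin signatures, as the closing recommendation suggests; the number of registered keys per role is constructed.

```python
# Roles named on the page, treated as disjoint (assumption).
OWNER, ADMIN, SUPER_ADMIN = "owner", "admin", "super_admin"

# Security levels as the page defines them: each level is a list of alternative
# thresholds, and an alternative maps a role to the number of distinct keys required.
DEFAULT_LEVELS = {
    1: [{ADMIN: 1}, {OWNER: 1}],
    2: [{ADMIN: 2}, {SUPER_ADMIN: 1}],
    3: [{SUPER_ADMIN: 1}],
}

# Hypothetical raised policy (not from the page): the single-signature super admin
# path is replaced by a 2-of-N super admin requirement. LEVEL 1 is left unchanged,
# since the page defines it as a single-signature level for Transfer.
RAISED_LEVELS = {
    1: [{ADMIN: 1}, {OWNER: 1}],
    2: [{ADMIN: 2}, {SUPER_ADMIN: 2}],
    3: [{SUPER_ADMIN: 2}],
}

# Constructed registry: how many keys of each role are declared on the contract.
KEYS_PER_ROLE = {OWNER: 1, ADMIN: 3, SUPER_ADMIN: 2}


def min_keys_to_authorize(level_alternatives, keys_per_role):
    """Smallest number of distinct keys whose compromise suffices to meet the level.

    An alternative is feasible only if the contract actually holds enough keys of the
    required roles; among feasible alternatives the one needing the fewest keys wins.
    Returns None when no alternative can be met with the registered keys, i.e. the
    level would lock the operation entirely.
    """
    costs = [
        sum(alt.values())
        for alt in level_alternatives
        if all(keys_per_role.get(role, 0) >= n for role, n in alt.items())
    ]
    return min(costs) if costs else None


def single_key_levels(levels, keys_per_role):
    """Levels that a single stolen key is enough to satisfy (single points of failure)."""
    return sorted(
        lvl for lvl, alts in levels.items()
        if min_keys_to_authorize(alts, keys_per_role) == 1
    )


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_LEVELS), ("raised", RAISED_LEVELS)):
        exposure = {lvl: min_keys_to_authorize(alts, KEYS_PER_ROLE) for lvl, alts in policy.items()}
        print(name, exposure, "single-key levels:", single_key_levels(policy, KEYS_PER_ROLE))
    # default {1: 1, 2: 1, 3: 1} single-key levels: [1, 2, 3]
    # raised  {1: 1, 2: 2, 3: 2} single-key levels: [1]
```

Under the defaults, the super admin alternative makes LEVEL 2 and LEVEL 3 reachable with one key, so the Ledger PIN lock and the recovery system are the only controls standing between a stolen device and a Mint or an Add Admin. Raising the super admin threshold to 2 restores the "two keys to corrupt" property the warning describes. The function also surfaces the liveness side of the change: if the contract has only one super admin declared, a 2-super-admin LEVEL 3 returns None, meaning the administrative operations could never be authorized at all, so the threshold must be raised only after enough super admins have been added.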