Vault: Permission & Trust in Self-Custody Solutions

Vault: Permission & Trust in Self-Custody Solutions

Vault is designed as a permissionless, trust-minimized service that caters to users who want a simple, secure way to self-custody their crypto assets. 

At a glance this may seem contradictory, since some elements of Vault’s services are integrated with Uphold – a regulated and permission-based platform. As a result, it’s worth unpacking this apparent paradox and taking a closer look at the design choices that define Vault's underlying structure. 

Let’s start by recapping the requirements of Vault:

• Vault MUST be resilient to key loss by the user
• Uphold MUST NOT be able to spend user funds without the users approval
• Vault assets MUST be accessible at all times - regardless of the Uphold platform or user account status
• There MUST NOT be any reliance on proprietary tools or infrastructure to recover funds

Vault’s current design satisfies all the above requirements, which means Vault is both permissionless and has minimal trust assumptions. But what do we mean by permissionless, and what are trust minimized systems? Let’s dive in.

Permissionless Systems & Trust

Permissionless systems represent a profound development in the design of digital interactions, fundamentally distinguished by their open and decentralized nature. In a pure permissionless blockchain, such as Bitcoin, anyone is allowed to join and participate in the network without requiring approval from a central authority. This means that users can engage in transactions, participate in the consensus mechanism, and contribute to the network's security and development – all without needing to be vetted or approved by a central governing body. 

A trust-minimized system refers to a design paradigm in which the need for trust between parties is present but significantly reduced. Within a blockchain context, this is achieved through the use of cryptographic algorithms, decentralized consensus mechanisms, and protocols that automate and enforce the rules of interaction without the need for a central authority or intermediary. In such systems, the integrity and security of transactions and data are maintained by the network's protocol itself, rather than the reputation or authority of any single participant.

The main purpose of trust minimization is to create a system where the potential for malicious behavior is limited, not necessarily by the goodwill of the participants, but by the very design of the system. This is done by making all transactions transparent, verifiable by any party, and irreversible once confirmed by the network's consensus mechanism. As a result, users can interact directly with each other in a secure and predictable manner, even if they do not know or trust each other.

How this Applies to Vault

Vault was designed in a way that ensures that users' funds are always on-chain and controlled by the user alone via the 2 out of 3 keys they hold. Users' assets are exactly that – assets they own – and are never liabilities or obligations of Uphold. Within this context, the service enables users to create and manage their own Vault and transactions, including replacing or rotating keys as needed. In addition, using only the keys they hold, users MUST be able to access their Vault, via a variety of open source 3rd party tools.

As a result, Vault is permissionless due to the fact that users can access their funds without using the Uphold platform. Uphold does not have the ability to mediate or restrict a user’s access.

Separately, we have developed an open source project called the Vault Assist Tool (VAT). This is a self-hosted wallet where you interact directly with the required blockchain network associated with your Vault assets – no intermediaries, no account, no permission. Critical Vault Assist Tool code can be validated to ensure withdrawal addresses are not manipulated, keys are never maliciously withdrawn or stored, and only public blockchain infrastructure is used, such as widely available network nodes.

 Why Vault is Multisig vs MPC

Fundamentally, MPC systems are not permissionless due to their reliance on the server-side infrastructure needs of the protocol, and the complexity involved in recovering funds without the aid of the MPC operator.

Some Vault-like products from other service providers rely on multi party computation (MPC) as the basis for their security. While these solutions are certainly secure, they also have a high operational cost due to the MPC algorithm. As a result, most users end up having to use a service provider to compute the signatures and broadcast their transactions. This reintroduces an unnecessary level of permission and trust into the system that Vault is designed to do away with.

That’s why we chose a native multi-signature solution for Vault, despite this being more work for us. Multi-sig protocols are a native part of the blockchains we support within Vault. These native multi-sig capabilities have, and are currently securing, billions of dollars’ worth of crypto assets. It is a battle-tested, provably safe mechanism to securely store crypto assets – and one which puts the user in full control of their assets no matter what.

What Are Users “Trusting” With Vault?

The phrase "Don't Trust, Verify" serves as a reminder for crypto users to refrain from relying on any assertion that they cannot independently confirm. Given that the Uphold application is a proprietary codebase, users are trusting that we do not keep a copy of the users private keys after they are generated. However, you don’t need to take our word for it. A technically competent user can simply run the application and inspect all the API calls we make to the Uphold platform to verify that no user keys are ever exported. 

Once a Vault is created within the Uphold app, users can inspect the resulting on-chain wallet and verify for themselves that the quorum of the multi-sig is indeed 2 of 3 as designed. Furthermore, they can prove that the two keys they own are included signers in the multi-sig. This explicitly verifies the fact that Uphold is unable to spend user funds, since we only have one key (to assist users in account recovery and transaction co-signing) and two keys are required to approve a transaction.

Security experts may correctly point out that users are trusting that the random number generator used in Uphold’s mobile app is sound and not compromised in a way that theoretically enables private keys to be recreated later. Currently, it is not possible for users to independently verify this. To mitigate this risk, a future version of Vault will include support for hardware wallets, allowing the user to generate one or more of their keys outside of the Uphold ecosystem entirely.

All of which is to say, Vault is designed to be as permissionless and trustless as possible while providing a wide range of user benefits that are unavailable through traditional non-custodial solutions, including trading and private key replacement. Under this setup, users remain in complete control of their Vault assets at all times in a way that is verifiably secure and self-sovereign.

Don’t invest in crypto unless you're prepared to lose all the money you invest. This is a high-risk investment and you should not expect to be protected if something goes wrong. Take 2 minutes to learn more.