Author | OneKey
If you want to leverage manpower to onboard players and step onto the stage of 'capitalists' on the chain, then this article is prepared for you. Of course, 'slaves' and 'capitalists' are just jokes; the core is about trust and security games in hierarchical management.
After reading this article, you will be clear about:
(1) How to avoid employees accessing private keys in one-to-many management;
(2) How to diversify risks and how to use multi-signatures for employees;
(3) Other risks and precautions.
No nonsense, let's dive in:
1. How to avoid employees accessing private keys in one-to-many management
1.1 'Castrated' hot wallets?
We previously noted that some teams used a 'castrated version' of the MetaMask wallet, removing the features to export private keys and display mnemonic phrases. Then, they used monitoring software to keep tabs on asset movements at all times. However, this approach does not fundamentally solve the risk of private key leakage.
First, by using an unofficial 'castrated version' wallet, you must trust that it has no backdoors, after all, this is an unofficial version.
Secondly, even if the private key is not displayed, the private key of the hot wallet is still stored locally on the device in an encrypted file. If the device is infected with a trojan or virus, these private keys could be stolen through brute force attacks.
Not long ago, Yu Xian, the founder of Slow Mist Technology, disclosed the issue of brute force cracking of private key caches from hot wallets after trojan infections. (Original text) And even if the private key has not been cracked, there may still be risks of transaction signature replacement, backend wallet operations, and directly logging keyboard passwords to extract the private key file while the wallet is unlocked.
When a leak occurs, hackers may not immediately transfer assets but instead play the long game, making it sometimes impossible to determine whether it's an insider or a phishing attack.
In summary, this 'castrated' solution for hot wallets can only be considered a stopgap measure and cannot fundamentally solve the private key security issue.
1.2 How to use hardware wallets in this situation
In contrast, various hardware wallets can better protect private keys through their secure design, shifting responsibility back to the operator.
Taking the OneKey hardware wallet as an example, other brands require you to read their documentation on your own.
OneKey has been designed from the beginning without the 'export view mnemonic phrase' feature; it can only input and confirm if it is correct within the hardware wallet. You can understand that once the mnemonic phrase enters the hardware wallet, it is only input and not output; it can only be verified but not extracted.
Moreover, the mnemonic phrases of the hardware wallet are stored in an offline secure chip, interacting with the outside world using public keys. The latest EAL6+ secure chip is currently uncrackable, so the mnemonic phrases are not connected to the internet—unless a hacker physically obtains your local backup notes.
Even if your phone or computer is hacked or controlled, hackers cannot access your private key files, nor can they obtain your private key permissions, and they cannot physically operate to confirm control of your funds. Only the employee with the hardware wallet can physically control it.
How to configure operations specifically? Three steps.
(a) Generate mnemonic phrases locally offline.
You can generate it directly on the hardware wallet or use other open-source tools. Physically back it up on paper or metal and verify that it can be restored. Then lock it in a high-security safe, preferably with camera monitoring;
(b) Prepare the hardware software wallet.
Import the mnemonic phrase into the hardware wallet in advance and generate a wallet address on the accompanying computer/mobile App. You can even use a Passphrase to hide the wallet, adding an extra layer of protection; even if someone obtains the mnemonic phrase, they cannot use it without the second layer password. (Tutorial)
After setting the PIN code, distribute it to the employee operator. The OneKey hardware wallet encrypts and stores the private key mnemonic phrase in the EAL6+ secure chip after entering the mnemonic phrase, without the 'export view mnemonic phrase' feature.
Employees can only operate assets through physical confirmation of the hardware wallet. One device corresponds to one employee responsible. At the end of the day or when necessary, the administrator retrieves the hardware wallet, and the employee can no longer operate.
(c) Monitor employees' operations.
You can import observation addresses in your OneKey wallet to receive message notifications. Alternatively, use other balance monitoring and large transaction alert services.
In the future, OneKey will update related security monitoring service functions, so stay tuned.
At the same time, the contract authorization situation also needs to be checked regularly, even daily, to control token risk authorization and manage risk exposure. Commonly use
Revoke to check and cancel.
In this way, even if abnormal operations occur, the basic reason is likely that the employee performed improper physical confirmation on the wallet they were responsible for.
2. How to use employee multi-signatures
2.1 Preventing and resolving single point failures
If it's not a high-frequency scenario, we recommend using Gnosis Safe multi-signature.
Pairing with one or two operation security personnel or teammates for physical operations can further prevent and resolve the risk of single point failures in personal operations.
This way, even if one person is targeted by social engineering attacks or makes a mistake, other signers can act as checks and balances. Meanwhile, you can still physically retrieve the 'keys' at any time. You still hold all the private key mnemonic phrases and can directly control transfers if necessary.
Earlier this year, we wrote a simple tutorial on how to use multi-signatures; please refer to it.
In traditional enterprises, similar practices are widely adopted, usually managing key resources or assets through 'multiple keys.' For example, a company safe requires multiple people to jointly hold the keys or requires multiple individuals to provide fingerprints or passwords to unlock certain important documents or funds. This method ensures that even if a single person encounters issues (e.g., forgetting a password, being coerced, etc.), it will not directly lead to resource misuse or leakage.
3. Other risks and precautions
3.1 Reduce risk exposure
Diversify funds. Concentrating large amounts of funds in a single wallet or account increases the risk of being targeted by hackers, malicious internal operations, or social engineering attacks.
At the same time, frequent authorizations and large transactions will also expand the risk exposure of being exploited. We recommend controlling potential losses and keeping the average amount within a smaller range.
You can set up different operational wallets according to different business scenarios or funding scales. Low-risk operations use small wallets, while high-risk, large operations can be handled with multi-signature wallets.
3.2 Social engineering attacks
Regardless of the technical measures taken, the greatest risk has always been people.
No matter how you guard against it, family thieves are hard to prevent. Implementing a multi-signature security personnel mechanism and transparent operation records is crucial. When an employee leaves, for insurance, you can transfer to another wallet or mnemonic phrase for use.
At the same time, it is recommended to keep the hardware wallet and its operations within a monitorable range, not allowing employees to open or take them out of the work area.
Assuming an insider attempts brute force cracking or bypass attacks, the risk of cracking OneKey is relatively low. In the former case, entering incorrect data 10 times will completely wipe the data, leaving the attacker with no way to crack it. In the latter case, our solution is that the EAL6+ encrypted chip has built-in detection algorithms. If powered on, non-official firmware signatures or abnormal circuits will be detected and the data will be wiped.
Even if it is official firmware, if an attempt is made to downgrade, it will also be wiped. In extreme cases, when the method of cracking the hardware wallet is disclosed, you can promptly retrieve it, update to the latest firmware security patches, and wait for official news.
Additionally, hackers may use various social engineering tactics to induce employees to make physical errors. Therefore, in addition to technical prevention, it is necessary to enhance employees' security awareness training to ensure they do not easily fall for tricks, nor easily perform sensitive operations such as authorization signatures.
Especially Permit signature phishing, which is currently the root cause of most stolen funds. You can refer to this popular science article. This quarter, OneKey will add advanced signature parsing for hardware wallets to help employees identify such risks.
3.3 External attacks and phishing risks
Employees using hardware wallets may encounter malware, phishing attacks, or counterfeit official websites.
It is recommended to strictly manage the software and plugins installed on operational devices and prohibit the installation of apps outside the whitelist. Additionally, OneKey comes with risk webpage recognition features; you can also use security detection plugins like ScamSniffer and Pocket Universe.
Also, ensure that the company’s network security is not compromised.
See original
OneKey: How to Safely Lend Your Hardware Wallet to Friends/Team Employees?
Disclaimer: Includes third-party opinions. No financial advice. May include sponsored content. See T&Cs.
Replies 0
Explore the latest crypto news
⚡️ Be a part of the latests discussions in crypto
💬 Interact with your favorite creators
👍 Enjoy content that interests you
Email / Phone number