Multsig ops are the foundational element of Strike’s functionality and also endow Strike users with unique benefits, and therefore there is naturally a need for a process of secure and trusted approvals. Requirements for this process are as follow:
- approvals must be signed by a user with a secured private key
- all approvers must verifiably see the same request for approval
- the process must support information used for approvals that is not publicly available.
Of these three requirements, the final may require further explanation:
Consider as an example the state change entailing the addition of an address to the address whitelist for a selected balance account. This state change would be subject to the wallet configuration policy and therefore require a multisig op. The wallet program would require nothing more than the Solana address being whitelisted, but it’s common sense that a user approving such a configuration change would benefit greatly from knowing the entity associated with the Solana address, for example someone’s name. But this private information is not appropriate to make public on the chain. To solve for this privacy requirement, Strike has implemented the technique of hashing the name that is displayed by the approvals app and only passing the hash without the plaintext to the wallet program to be added to the address book.
Now consider a transfer to that particular address. Because the transfer can pass the name as well as the address to the approvals app for signing, we now know that:
- all approvers saw the same information (hashes agree)
- all approvers signed with their private key
- the name associated with the address that was presented to the approvers was the same name that was associated with the address in the address book
This technique is applied in multiple circumstances to assure the integrity of the approval text.
A multisig wallet requires some sort of device or application to sign transactions. Ideally this device / app has certain attributes such as:
- secure execution environment
- secure storage environment for keys / passwords
- biometric authentication
- network connectivity
- easy to us
A modern phone actually meets these these requirements not only surprisingly well, but arguably better than a general-purpose computer running a browser or app-based solution.
Both apps implement the same features as described above in features
As a backup or alternative implementation it is possible to use the the combination of an EOA (non-program based wallet such as Phantom) to approve and sign interactions with Strike. This is described in the section on Wallet as dApp