Custody Tool Description
The majority of Chia Network Inc's prefarm is being held in a cold wallet, secured by a complex set of custodial rules. This document will describe the details of the custodial arrangement. A moderate level of technical proficiency is probably needed to understand the details. For a high-level overview of the custody wallet, see our blog post.
Other relevant documents:
- Flow chart to visualize how the custody tool works
- User guide to help you get up and running
- CLI reference for all custody commands used in this tutorial
Singleton Structure
The prefarm uses a singleton with the following features:
- Multisig -- required to perform actions on the singleton, where:
  - The total number of keys in the multisig is initially set to 5, which will be referred to as `n` for the rest of this document. `n` can be changed with a rekey (explained later)
  - Initially, 3 keys will be required to perform withdrawals and standard rekeys. This number will be referred to as `m` for the rest of this document. `m` can be thought of as the security level for the wallet. This variable can be modified to be as large as `n`. For the prefarm, it can be as small as 1, though other custodial wallets could set the minimum to a larger number
- Merkle root -- Chialisp puzzles representing the `n` keys are stored in a Merkle tree, where:
  - Puzzles representing every combination of keys, from 1 to `m`, are stored. If the keys are A, B, C, D and E, and `m` is 3, then the combinations to be stored are ABC, ABD, ABE, ACD, ACE, ADE, BCD, BCE, BDE, CDE, AB, AC, AD, AE, BC, BD, BE, CD, CE, DE, A, B, C, D and E
  - The Merkle root of this tree is curried (pre-committed) into the singleton
  - The Merkle root of a tree containing puzzles of all possible combinations for `m` + 1 is also curried into the singleton. This is required in case of a lock level increase (explained later). This root is recursive, in that it contains puzzles that have combinations for `m` + 2 committed to them, leading up to the level where `m` = `n`.
  - In order to spend a coin from this wallet, a node in the Merkle tree, along with a Proof of Inclusion, are required to be passed into the singleton's solution. The Proof of Inclusion must prove the node's existence in the current Merkle root in order for the spend to succeed
  - The Merkle tree is stored in multiple private locations. However, even if a copy is stolen, the thief will not gain access to the wallet because `m` digital signatures are still required (see below for a more detailed analysis)
  - The Merkle tree is generated deterministically, based on the `n` pubkeys. Therefore, if the Merkle tree is lost, it can be regenerated by using the `n` pubkeys
- Withdrawal Timelock -- This is a timelock on initiating a withdrawal, referred to as `wt` for the rest of this document. The value of `wt` is set upon the wallet's creation and can never be changed. It will be explained in detail below.
- Rekey Timelock -- This is a timelock on initiating a rekey, referred to as `rt` for the rest of this document. The value of `rt` is set upon the wallet's creation and can never be changed. It will be explained in detail below.
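A simplified illustration of the Merkle root bullets above, added here and not taken from the custody tool: it enumerates every combination of 1 to `m` keys, builds the tree deterministically from the `n` pubkeys, and checks a Proof of Inclusion against the root. The SHA-256 leaf hashing, the tree layout, and the names `build_tree`, `prove` and `verify` are assumptions; the real tool commits to Chialisp puzzles rather than to key labels.

```python
import hashlib
from itertools import combinations

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(combo) -> bytes:
    # Assumption: stands in for the hash of the Chialisp puzzle for this key set.
    # The 0x00/0x01 prefixes keep leaf hashes distinct from internal node hashes.
    return h(b"\x00" + b"|".join(combo))

def build_tree(pubkeys, m):
    """Return (combos, levels); levels[0] holds the leaves, levels[-1] the root."""
    keys = sorted(pubkeys)  # sorting makes the tree depend only on the key set
    combos = [c for size in range(1, m + 1) for c in combinations(keys, size)]
    levels = [[leaf_hash(c) for c in combos]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # an unpaired last node is promoted unchanged
        levels.append(nxt)
    return combos, levels

def prove(levels, index):
    """Proof of Inclusion: list of (sibling_hash, sibling_is_left) from leaf to root."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # promoted nodes have no sibling at this level
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify(leaf, proof, root) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root

if __name__ == "__main__":
    keys = [b"A", b"B", b"C", b"D", b"E"]  # constructed labels, not real pubkeys
    combos, levels = build_tree(keys, 3)   # n = 5, m = 3 as on this page
    root = levels[-1][0]
    i = combos.index((b"A", b"C", b"E"))
    print(len(combos), "leaves; ACE included:", verify(levels[0][i], prove(levels, i), root))
```

A leaf for a key set that was never committed, such as a four-key combination when `m` is 3, cannot be verified against this root, and rebuilding from the same pubkeys in any order yields the same root.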
Singleton Settings
The singleton comes in two layers -- one permanent and one non-permanent.