ETH Multisig Contract Bounty & Audit Results

First published: 05/10/2018 | Last updated: 01/12/2023

Note: Unchained Capital does not currently support Ethereum or any other altcoins in any way. We supported ETH loans briefly in 2018-19 but officially discontinued all support in Q4 2019.

Background – Two months ago, Unchained Capital released an open-source Ethereum multisig smart contract which is directly signable by Trezor hardware wallets.

Previous Ethereum multisig implementations were overly complex and lacked test coverage (see the first and second Parity hacks of 2017). Our goal was to create a secure multisig Ethereum vault to support collateralized lending against ETH.

We offered a $150 bug bounty program to root out any potential issues. We also retained Hosho, a leading blockchain security firm, to audit and validate our contract. The results:

Our bug bounty and security audit were uniformly positive, and found no flaws.

Hosho:

“We are grateful to have been given the opportunity to work with the Unchained Capital Team. The team of experts at Hosho, having backgrounds in all aspects of blockchain, cryptography, and cybersecurity, can say with confidence that the Unchained Capital contract is free of any critical issues.”

Hosho thoroughly reviewed our smart contract line-by-line, and evaluated our code with the following criteria:

  • Documentation and code comments match logic and behavior;
  • Follows best practices in efficient use of gas, without unnecessary waste;
  • Uses methods safe from reentrancy attacks; and
  • Is not affected by the latest vulnerabilities.

Hosho determined that our smart contract follows best practice with 100% testable code, and found no issues of any severity.

Hosho’s findings:

“The Unchained Capital Multisignature wallet is a well constructed piece of Solidity code, designed to work heavily with Trezor multisig wallets, which it executes on soundly.”

“The Hosho team has completed both On-chain tests through Ropsten, as well as Off-chain test[s], with the latter generating their own hashes as needed in the correct format. Particular attention was paid to testing Trezor interoperability and we found no issues in this area.”
