Select whether to setup Mapcovery or recover your wallet
Setup: Add 5 locations (25sqm areas)
Setup: Define recovery policy
Recovery: Enter your 5 locations again
Recovery: Bond prevents brute force attacks
Recovery: Timedelay allows to cancel (malicious) recovery
Details can be found in this overview presentation.
Screencast is here
Problem: Key Management
- Private keys are too cryptic too remember
- Mnemonics are too hard to remember
- Social recovery is not really a solution
- Either you are not sure about who to trust
- Do you really want to put the burden on friends/family?
- Time lock is cool but not a recovery solution by itself
- If just a single character is wrong, the private key is wrong and recovery is not possible.
- Current key recovery solutions are either way less secure or less convenient
- “Memory Palace”
- Locations are easy to remember
What it does & how does it work?
Prerequisite: You need a smart contract wallet (Gnosis Safe)
- Select 5 locations of your choice.
- Geo-data is hashed to derive the private key to recovery account
- FOAM is used as decentralized geo-data provider
- Smart contract module is attached to your Gnosis Safe
- You can recover by entering the 5 Locations to get the private key for recovery account
- Sign recovery and new Safe owners using recovery account
How we built it
- We wrote a module for the Gnosis Safe smart contract in Solidity.
- There are 2 use cases: (1) Set up mapcovery and (2) perform mapcovery to recover your wallet.
- We wrote a webapp and an Android app to allow users to set up mapcovery and to actually recover as well.
- We made minor changes to the Safe Android app to allow the setup of the recovery module.
Challenges we ran into
- Where would we get reliable geo-location data from?
- What is a good number of locations to reach sufficient security?
- How can we prevent front running?
- How can we make sure to not leak the 5 locations when performing recovery?
Accomplishments that we're proud of
- Finding another possible recovery method for smart contract wallets.
- Finding a method that is relatively easy to remember but still provides enough security.
- Solving for front-running through elegant smart-contract design.
What we learned
- How FOAM really works incl. their APIs and why it is needed.
- What ways of storing location data exist out there incl. their advantages and disadvantages.
- How modules work with the Gnosis Safe
- How to design and build prototypes with Adobe XD.
- How hacking is enhanced when techno music is blasting through Factory the entire day.
How to try it out
- Download the Gnosis Safe version we adjusted (running on Rinkeby)
- Create a Safe
- Download Mapcovery
- Follow the steps in the Mapcovery app:
- Connect to the Safe for which you want to setup the recovery via WalletConnect
- Select 5 locations
- Press "next"
- Select "Setup recovery for Safe"
- Follow the steps in the Gnosis Safe app to finish setup
- Reset the Gnosis Safe app (or remove the created Safe)
- Use the Mapcovery app or our web app to trigger the recovery
- (App only) Connect to a wallet to interact with the recovery module
- Select 5 locations
- Follow the instructions
- The new recovery phrase that is displayed can be used to recover the Safe
What's next for Mapcovery
- Allow users to configure more parameters:
- Number of locations
- Time-lock period
- Add bonds required to trigger mapcovery
- Allow recovery cancellations.
- Allow Gnosis Safe users on iOS and Android to set up mapcovery, if they would like to do so.
- Security audit of the contract code.
- Add more locations to FOAM in order to increase security and make brute-force attacks harder.
- Wait for FOAM's "Presence Claims" and integrate them. They are ways to check that someone is actually present at a location. If enabled for Mapcovery, this would increase security even more by requiring physical presence at the recovery locations. This would decrease convenience but attacks get harder by multiple orders of magnitude.
- Broaden use cases for Mapcovery (Other smart contract wallets, potentially even traditional EOA wallets, etc.)