Casa Blog - Bitcoin Security Made Easy

Since inception, Casa has provided our clients with Sovereign Recovery instructions. The point of these instructions is to establish evidence that Casa itself is not a single point of failure. We do this by proving that you can recover funds with software that is neither controlled by Casa nor relies upon our services being operational.

Until recently, our Sovereign Recovery guide only mentioned Electrum, as it was the only widely used software that supported multisignature wallets along with all of the hardware devices Casa supports. This is no longer the case, as other multisig projects have come onto the market over the past year. As of its recent 1.0 release, we are pleased to report that Specter Desktop is a viable option for recreating Casa wallets!

You can find our Specter Desktop Sovereign Recovery guide at the bottom of this post; we will also maintain instructions on the open source Wallets Recovery project.

Why have we released guidance for how to use Specter Desktop? While it is a bit more complicated to set up than Electrum, it also fulfills another often-requested level of verification from our clients - the ability to check balances and transaction history against your own node. For a deeper dive into why this is desirable, check out my article about financial sovereignty. Specter actually requires that you connect it to a full node you control and will even automatically configure itself to talk to a locally running node.

Watch-only wallets

While the Sovereign Recovery process is only meant to be used in a (highly unlikely) emergency, Casa clients may wish to utilize a separate watch-only wallet for their day-to-day operations. Why bother to set up a watch-only wallet? To further reduce your reliance upon Casa by independently verifying the integrity of generated addresses, balances, and transaction history to ensure that Casa’s software is not compromised or faulty.

A malicious multisig coordinator is an interesting theoretical attack that has been getting more discussion lately by security researchers. It’s worth noting that while this type of attack could be of critical severity, at time of writing we have never seen this attack actually executed in the wild. There are a multitude of loss vectors that are far more common than this particular scenario.

The issue comes down to how addresses get generated. The Casa app has been built to specifically distrust the receive address information given to it by the server; there are cryptographic verifications performed by the app against the extended public key data it receives and the app also independently derives addresses. Casa also enforces internal security protocols that make it impossible for a single rogue employee to deploy malicious code on their own.

Nonetheless, you could assume that somehow the Casa app, servers, and databases have all been compromised by an attacker. In this case the final backstop is independent verification. How do you independently verify the integrity of generated addresses? You could use only hardware that supports setting cosigner public key information, though the current state of this functionality is not particularly user friendly in our experience. Instead, you can use a watch-only wallet that runs on software over which Casa has no control.

How does a watch-only wallet give you this assurance? It's a result of the fact that multisig addresses are constructed from a hash (fingerprint) of the entire redeem script. The redeem script includes all of the public keys and describes how many signatures from that set of pubkeys are required in order to spend funds. Changing a single byte of that redeem script completely changes the hash and therefore the address. Thus, if malicious Casa software displayed an address to you that changed anything about the spending requirements for those funds, it would not match the address derived by the watch-only wallet.
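The property described above, as an added example (not Casa's or Specter's code): it builds an m-of-n multisig script, takes its SHA-256 fingerprint, and checks a fingerprint shown by a coordinator against one derived locally. The public keys are constructed placeholder bytes, lexicographic key sorting is an assumption of this example, and the final HASH160 and Base58Check steps that turn the wrapped script into a Nested Segwit address are left out.

```python
import hashlib

OP_CHECKMULTISIG = 0xAE

def multisig_script(m, pubkeys):
    """Serialize OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG."""
    keys = sorted(pubkeys)  # assumption: keys are sorted so cosigner order is irrelevant
    if not 1 <= m <= len(keys) <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    if any(len(k) != 33 for k in keys):
        raise ValueError("expected 33-byte compressed public keys")
    script = bytes([0x50 + m])                      # OP_1..OP_16 are 0x51..0x60
    for k in keys:
        script += bytes([len(k)]) + k               # push opcode 0x21, then the key
    return script + bytes([0x50 + len(keys), OP_CHECKMULTISIG])

def script_fingerprint(m, pubkeys):
    """SHA-256 of the multisig script: the value the address commits to."""
    return hashlib.sha256(multisig_script(m, pubkeys)).digest()

def nested_redeem_script(m, pubkeys):
    """The 34-byte script a Nested Segwit address hashes: OP_0 <32-byte fingerprint>."""
    return b"\x00\x20" + script_fingerprint(m, pubkeys)

def matches_local_policy(shown_fingerprint, m, pubkeys):
    """Watch-only check: does the coordinator's value equal the one derived locally?"""
    return shown_fingerprint == script_fingerprint(m, pubkeys)

# Constructed placeholder keys (not valid curve points, not real wallet keys).
KEYS = [bytes([2]) + bytes([b]) * 32 for b in (0x11, 0x22, 0x33)]
ROGUE_KEY = bytes([3]) + bytes([0x99]) * 32

def demo():
    """Fingerprints a compromised coordinator might display, each checked locally."""
    shown = {
        "honest 2-of-3": script_fingerprint(2, KEYS),
        "threshold lowered to 1-of-3": script_fingerprint(1, KEYS),
        "one cosigner key substituted": script_fingerprint(2, KEYS[:2] + [ROGUE_KEY]),
    }
    return {label: matches_local_policy(fp, 2, KEYS) for label, fp in shown.items()}

if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'matches' if ok else 'MISMATCH'}")
```
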

If you follow the Sovereign Recovery guide, you can use the resulting setup as a watch-only wallet, or you can follow a slightly different guide that does not require having your hardware devices on hand. We have watch-only wallet guides available here in our knowledge base.

NOTE: if you set up a watch-only or recovery wallet using third party software, DO NOT DEPOSIT funds into addresses unless the address is displayed in the Casa App! You could run into gap limit issues that result in some of your funds not displaying in the Casa App.

Sovereign Recovery with Specter Desktop

On to the instructions for recovering funds from an m-of-n Casa bitcoin wallet without using Casa software or servers:

  1. Install Bitcoin Core
  2. Generate rpcauth for your node with this script
  3. Recommended bitcoin.conf for Bitcoin Core:
  4. Install Specter Desktop and make sure it can talk to Bitcoin Core. We recommend this guide.
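How an `rpcauth` line of the kind step 2 refers to is put together, as an added example: it follows the salted HMAC-SHA256 format that Bitcoin Core's `rpcauth` option expects, so only a hash of the RPC password sits in bitcoin.conf. This is not the script linked from the original post nor Casa's recommended configuration, and the user name and password below are constructed.

```python
import hmac
import secrets

def make_rpcauth(user, password, salt=None):
    """Return a bitcoin.conf line of the form rpcauth=<user>:<salt>$<hmac>."""
    if not user or ":" in user or "$" in user:
        raise ValueError("user name must be non-empty and contain no ':' or '$'")
    salt = salt or secrets.token_hex(16)            # 16 random bytes, hex encoded
    digest = hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()
    return f"rpcauth={user}:{salt}${digest}"

def check_rpcauth(line, password):
    """True if the password matches the salted HMAC stored in an rpcauth line."""
    key, _, value = line.strip().partition("=")
    if key != "rpcauth":
        return False
    user, _, rest = value.partition(":")
    salt, _, stored = rest.partition("$")
    if not (user and salt and stored):
        return False
    computed = hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()
    return hmac.compare_digest(computed, stored)    # constant-time comparison

if __name__ == "__main__":
    # Constructed credentials for illustration only.
    password = secrets.token_urlsafe(32)
    line = make_rpcauth("specter", password)
    print(line)                      # goes into bitcoin.conf
    print("password for the RPC client:", password)
    print("self-check:", check_rpcauth(line, password))
```
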

For each Hardware Device:

  1. Plug in device to your computer
  2. Click “Add new device”
  3. Select device type
  4. Enter a name for the device
  5. Click “Edit”
  6. Delete any pre-filled derivation paths
  7. Click “Add custom derivation”
  8. Use “Casa” for the purpose field and paste in the hardware wallet derivation path from your Sovereign Recovery email
  9. Click “Add”
  10. Click “Get via USB” - note that for Ledger devices you need to unlock the Ledger and open the Bitcoin app
  11. Click “Add Device”
  12. Click “Add another device” and repeat for other hardware devices

For signing with a mobile key:

  1. Click “Add Device”
  2. Select “Bitcoin Core (hot wallet)”
  3. Select “Import”
  4. In Casa App, tap Mobile Key -> “Import or Export Backup” -> Export Private Key
  5. Write down the seed phrase onto paper; you will not be able to export it again
  6. Type the seed phrase into Specter’s import text box
  7. Click “Next”
  8. Enter a name for the device
  9. Click “Edit”
  10. Delete any pre-filled derivation paths
  11. Click “Add custom derivation”
  12. Use “Casa” for the purpose field and paste in the hardware wallet derivation path from your Sovereign Recovery email
  13. Click “Add”
  14. Click “Add Device”

For a Casa Recovery Key or a Mobile Key that won’t be signing:

  1. Click “Add Device”
  2. Select “Other Device”
  3. Enter a name for the device.
  4. Click “Edit”
  5. Delete any pre-filled derivation paths.
  6. Click “Paste xpub”
  7. Paste in the Casa extended public key from your Sovereign Recovery Email
  8. Derivation path should be “m/”
  9. Click “Add Device”

Once all devices are created:

  1. Click “Add new wallet”
  2. Click “Create multisignature wallet”
  3. Select all of the devices
  4. Click “continue”
  5. Name the wallet
  6. Highlight “Nested Segwit”
  7. Ensure that the number after “Using” matches the number of signatures required to transact
  8. Check “scan for existing funds”
  9. Ensure that “use this key” is selected for the appropriate Casa derivation path on each signer
  10. Click “create wallet”

If everything went well, you’ll see a new wallet with a “rescanning blockchain” progress percentage. If the blockchain scanning completes and does not find your funds, then you likely entered the wrong public key or derivation path somewhere during the process.

Once scanning is complete, you can construct and sign a transaction to sweep your funds to a new wallet.

Sovereignty is in your hands

We encourage every Casa client to go through the Sovereign Recovery setup process as part of their onboarding. You’ll increase your confidence in the security of your funds, reduce your reliance upon Casa, and sleep better at night!
