Note: This blog is not a recommendation or advice. Any feature should be used after careful consideration and at your own discretion.
What Is Key Import?
"Key import" allows providers to migrate existing wallets from another solution to theirs, replacing the pain of transferring funds to a new wallet (with a new wallet address).
However, when importing a full private key (e.g., from Metamask) into an MPC-based wallet, several things need to be considered, as discussed below.
The Problem
The main promise of MPC is that a key is generated in a “distributed” manner, meaning the private key never exists as a whole. Instead, several key shares are created, and they communicate with each other from their secured storage to sign a transaction, without reconstructing them to a full key (as done with Shamir Secret Sharing).
Importing a full private key breaks the "no single point of failure" promise of MPC. If the private key existed as a whole at any given point in time, “splitting” it into several key shares within the MPC wallet does not provide the same security guarantee. If the private key was leaked or stored somewhere and later on discovered, before splitting into shares, then even years later, the funds can still be stolen.
The UX vs. Security Dilemma
The decision to use "Key Import" presents a significant trade-off between user experience and security:
- User Experience First - For B2C wallets with low amount of funds per user, prioritizing UX by using the "Key Import" feature can be beneficial, particularly when migrating a large number of users. If applied, it is recommended that at a later stage, specific users will be encouraged to transfer funds to a new MPC-based wallet once a certain threshold is reached.
- Security First - In Sodot’s view, it is advised not to use this feature for self-custodial B2B wallets or custody solutions holding significant funds. Although more painful, it is recommended to onboard customers to new MPC wallets solely. Also worth mentioning is that Insurers often refuse to cover wallets with imported keys.
Conclusion
Importing private keys into MPC wallets can enhance user experience, but it must be approached with caution, informing the end-users of the risk and a plan to mitigate them.
For additional information, feel free to reach out.