The WazirX hack that resulted in the loss of $230 million in July 2024 exposed critical vulnerabilities in how even major cryptocurrency exchanges manage their multisignature wallet infrastructure. As the industry continues to analyze what went wrong—with Bitcoin hovering around $58,000 and the total crypto market cap still recovering from the early August sell-off—there has never been a more important time for advanced users and organizations to understand how to properly configure multisignature wallets. This tutorial walks through the technical setup of a production-grade multisignature wallet configuration, drawing on the lessons learned from the WazirX incident to help you avoid the same mistakes.
The Objective
This guide will walk you through setting up a secure multisignature wallet using open-source tools that give you full control over the signing process. By the end of this tutorial, you will have configured a multisignature wallet that requires multiple independent devices to authorize transactions, with each signing device running its own verified software stack and displaying transaction details independently of any third-party custody provider.
The configuration we will build uses a 3-of-5 signing scheme, meaning that any 3 of the 5 authorized signers must approve a transaction before it can be broadcast to the network. This provides security against both external attackers who would need to compromise multiple devices and internal threats who would need to coordinate with multiple authorized signers. The 3-of-5 scheme also provides redundancy: up to 2 signing devices can be lost or destroyed without losing access to the funds.
Prerequisites
Before beginning this tutorial, you will need five hardware signing devices. We recommend using a combination of different hardware wallet brands to avoid single-vendor vulnerabilities. Suitable options include Ledger Nano S Plus or X, Trezor Model T, Coldcard Mk4, BitBox02, and Keystone Pro 3. Each device should be purchased directly from the manufacturer or an authorized reseller, never from secondary markets where devices may have been tampered with.
You will also need a dedicated air-gapped computer for wallet coordination. This is a machine that has never been and will never be connected to the internet. A refurbished laptop with WiFi and Bluetooth physically removed from the motherboard is ideal. This machine will run the wallet coordinator software that creates and broadcasts transactions, but it will communicate with the signing devices through offline channels such as SD cards or QR codes.
Install a fresh copy of a security-focused operating system such as Tails or Ubuntu on the air-gapped machine, verifying the installation media checksums on a separate internet-connected device before transferring them. Install the latest version of Sparrow Wallet for Bitcoin or Electrum for a multi-currency setup on the air-gapped machine, downloading the software on your internet-connected device, verifying the PGP signature, and transferring it via USB to the air-gapped machine.
Step-by-Step Walkthrough
Step 1: Initialize each hardware wallet independently. On each of your five signing devices, perform a fresh initialization using the device’s built-in setup process. Generate a new seed phrase on each device and write it down on the provided recovery card. Never photograph, screenshot, or digitally record your seed phrases. Store each recovery card in a separate physical location such as a bank safe deposit box, a home safe, or with a trusted family member. The key principle is that no single physical event such as a fire or burglary should be able to destroy more than one recovery card.
Step 2: Create the multisignature wallet on the coordinator. Launch Sparrow Wallet on your air-gapped machine and select File then New Wallet. Choose the Multi Signature wallet type and set the policy to 3-of-5. Add each of the five hardware wallets as a keystore by connecting them one at a time via USB and following the on-screen prompts. Sparrow will read the extended public key from each device and use them to generate the multisignature wallet configuration.
Step 3: Verify the wallet configuration on each device. This is the most critical step and the one that was skipped in the WazirX attack. After creating the wallet, go to each hardware device’s display and verify that the wallet configuration shown on the device matches the configuration shown in Sparrow. Specifically, verify that the receiving address, the list of co-signers, and the signing policy (3-of-5) all match. Any discrepancy indicates that one of the components has been compromised and the wallet should be recreated from scratch with fresh devices.
Step 4: Configure transaction signing workflow. When you need to send funds, create the transaction in Sparrow on the air-gapped machine. The software will display the full transaction details including the destination address, the amount, and the miner fee. Verify these details carefully before proceeding. Then connect each signing device one at a time and authorize the transaction on the device’s screen. Each device should independently display the destination address and amount for you to verify before signing. If any device shows different details than what Sparrow displays, do not sign and investigate the discrepancy.
Step 5: Broadcast the signed transaction. Once the required number of signatures (3 in our configuration) have been collected, Sparrow will combine them into a fully signed transaction. Export this transaction to an SD card or QR code, transfer it to your internet-connected device, and broadcast it to the network using a blockchain explorer’s broadcast feature or a full node running on the connected device.
Troubleshooting
Device shows different transaction details than the coordinator: This is the most serious error you can encounter and it indicates a potential compromise. Do not sign the transaction. Disconnect the device, move the funds to a newly created wallet with fresh devices, and investigate how the discrepancy was introduced. This was the exact warning sign that was missed in the WazirX attack.
Unable to sign with a specific device: Verify that the device’s firmware is up to date and that it was properly initialized as part of this multisignature wallet. If the device was recently updated, verify that the update was legitimate by checking the firmware signature against the manufacturer’s published signing key on a separate device.
Transaction rejected by the network: This usually indicates an insufficient miner fee. Recreate the transaction with a higher fee rate. In periods of high network congestion, you may need to use a fee estimator to determine the appropriate rate for timely confirmation.
Lost one of the signing devices: In a 3-of-5 configuration, you can still authorize transactions with the remaining 4 devices. However, you should immediately create a new multisignature wallet and migrate your funds, since the lost device reduces your security margin. If the lost device’s seed phrase is also compromised, assume the attacker knows one of your five public keys and migrate immediately.
Mastering the Skill
Once you have mastered the basic multisignature setup, consider implementing time-locked recovery keys as an additional safety measure. A time-lock adds a secondary spending path that becomes available after a specified period, allowing you to recover funds even if multiple signing devices are simultaneously lost or destroyed. This configuration is more complex but provides an important safety net for long-term holdings.
For organizations managing significant cryptocurrency reserves, consider implementing a hierarchical multisignature structure where different transaction amounts require different numbers of signers. Small transactions might require only 2-of-5 signers for efficiency, while large transactions require all 5 signers for maximum security. Sparrow Wallet and other advanced coordinators support these conditional signing policies.
Practice your recovery procedure regularly by simulating the loss of one or more signing devices and verifying that you can still authorize transactions with the remaining devices. This practice ensures that your recovery procedure works as expected and that all authorized signers are familiar with the process. Document your complete wallet configuration, including the make and model of each signing device, the signing policy, and the physical location of each recovery card, and store this documentation in a secure location accessible to your designated successors in case you become incapacitated.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
wazirx losing 230m because of bad multisig config is embarrassing. should be required reading for anyone running exchange infrastructure
paperhandz $230M lost because someone probably had a single signer on a shared device. the guide in this article could have prevented it with a 3-of-5 setup
kofi is right, most of these hacks come down to bad multisig configs. the tech works but the implementation is where things fall apart
the wazirx hack was $230M on what was basically a single sig pretending to be multisig. this guide should be mandatory reading for every exchange CTO
The hardware signing device setup is crucial. We use a 3-of-5 with Ledger, Coldcard, and SeedSigner. Never keep all signers from the same vendor.
agree on mixing vendors. supply chain attacks are real, one firmware compromise and youre done
Svetlana D. mixing vendors is key. we run trezor + coldcard + seedsigner. if one firmware has a bug the other two catch it
production grade multisig guide and zero mention of testing on testnet first? please people, practice before you use real funds