BYOW(Build Your Own Wallet) : A Field Guide to Building MPC Wallets in 2026 - Part 1
A practitioner's guide to building MPC wallets that actually work in 2026. Covers DKG, threshold signing with FROST, what BitForge taught the industry, and a working 2-of-3 reference implementation.
Nethsara
May 25, 2026
For the lazy guys, here’s the implementation on GitHub. Don’t forget to star the repo ⭐
On August 9, 2023, the Fireblocks cryptography research team published one of the most consequential disclosures in wallet security history.
They called it BitForge.

The disclosure named names: Coinbase Wallet-as-a-Service, Binance, Zengo. Over fifteen widely deployed MPC implementations, all running protocols described in peer-reviewed academic papers, all vulnerable to a class of attacks that could extract the full private key from a single compromised participant.

Some implementations could leak the key in 16 signatures. Others required up to a billion. But the point was the same: the multi-party guarantee that MPC promises, that no single party ever has the key, was broken in production.

The cause was almost embarrassing. The original GG18 and GG20 papers, which much of the industry had implemented, were missing zero-knowledge proofs around the Paillier keys and encrypted values used in their multiplicative-to-additive (MtA) sub-protocol. Nobody added them, because nobody noticed they were missing. Cryptographers writing papers don't always spell out every defensive check. Engineers reading papers don't always know which omissions matter.

The fix took weeks. The architectural lesson is still being absorbed.

If you're reading tutorials about building MPC wallets today, there's a decent chance the protocol they're teaching you is one of the broken ones. There's a near certainty they're skipping the parts that make MPC actually safe in production: distributed key generation without a trusted dealer, share refresh, cheater identification, replay protection, hardware-backed share encryption.

This article is the one I wish existed when I started. It walks through how MPC wallets actually work, what the current cryptographic state of the art is, why every architectural choice matters, and how to build a working 2-of-3 threshold signature wallet for Solana that you can run today.

It is long. It is technical. It will not waste your time.
What Exactly Is an MPC Wallet?
A traditional wallet has one private key. Whoever holds the key controls the funds. Lose it, lose everything. Leak it, lose everything. Get phished into signing the wrong thing, lose everything. Single points of failure all the way down.

A multisig wallet improves on this by requiring multiple signatures. But each signature comes from a complete private key held by a different party, and the signatures are combined on-chain. The blockchain knows it's a multisig: a different address format, higher fees, and privacy leakage about who signed.

An MPC wallet is different. It splits a single conceptual private key into mathematical shares distributed across multiple parties. To sign a transaction, a threshold number of share-holders cooperate in a cryptographic protocol that produces one standard signature, indistinguishable on-chain from a normal single-key signature. The blockchain doesn't know it's MPC. There is no special address format. The full private key is never reconstructed at any point, on any device.
The Core Primitives
Two primitives matter:

Distributed Key Generation (DKG): A protocol where N parties collaboratively generate a shared key. Each party ends up with a share of the key. No party ever sees the full key. The protocol also outputs a group public key, from which the on-chain address is derived (on Solana, the address is the Ed25519 public key itself).

Threshold Signature Scheme (TSS): A protocol where T-of-N parties (T ≤ N) cooperate to produce a valid signature using their shares. The signature verifies against the group public key like any ordinary signature. The full private key is never reconstructed during signing.

Together: DKG creates the key, TSS uses it. Neither involves anyone ever holding the complete secret.

Where the Shares Live
A typical 2-of-3 MPC wallet might distribute shares like this:

Share 1: the user's phone.
Share 2: the wallet provider's signing service.
Share 3: a recovery backup.

To sign a transaction, you need 2 of the 3 shares to participate in the signing ceremony. Lose your phone? Use the backup share together with the service to recover. Service compromised? The attacker can't sign alone. Phone compromised? The attacker can't sign alone either.

The threshold is configurable. 2-of-3 is the most common for retail. Institutional setups use larger configurations like 3-of-5 or 5-of-9, with shares distributed across geographic regions, secure enclaves, hardware modules, and key personnel.

Signature Indistinguishability
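The two primitives described above (DKG and TSS) and the 2-of-3 ceremony just sketched, in runnable form. This is an added example written for this article's editing pass, not the author's reference implementation and not something to put real funds behind: it is a stdlib-only Python Ed25519 with a dealerless Feldman-VSS DKG (each party deals its own polynomial and checks every share it receives against the broadcast commitments), a two-round FROST-style signing ceremony with binding factors and per-signer partial-signature checks, and an RFC 8032 verifier that sees nothing but a 32-byte public key and a 64-byte signature. Assumptions: parties are numbered 1 to 3 (phone, service, backup in the layout above), "private" share delivery is simulated inside one process, the binding-factor hash is simplified and not RFC 9591 wire-compatible, and there is no constant-time arithmetic, network transport, or hardware-backed share encryption.

```python
# Added example (stdlib only, educational): 2-of-3 FROST-style threshold signing over
# Ed25519. Not the article's reference code and not RFC 9591 wire-compatible.
from functools import reduce
import hashlib
import math
import secrets

P = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P             # twisted Edwards constant d
IDENT = (0, 1, 1, 0)                                  # neutral element, extended (X, Y, Z, T)
_BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
_BY = 46316835694926478169428394003475163141307993866256225615783033603165251855960
B = (_BX, _BY, 1, _BX * _BY % P)                      # base point

def pt_add(p, q):  # unified extended-coordinate addition, a = -1 (RFC 8032 5.1.4)
    (X1, Y1, Z1, T1), (X2, Y2, Z2, T2) = p, q
    a, b = (Y1 - X1) * (Y2 - X2) % P, (Y1 + X1) * (Y2 + X2) % P
    c, dd = T1 * 2 * D * T2 % P, Z1 * 2 * Z2 % P
    return ((b - a) * (dd - c) % P, (dd + c) * (b + a) % P,
            (dd - c) * (dd + c) % P, (b - a) * (b + a) % P)

def mul(k, pt):  # double-and-add scalar multiplication; not constant time
    acc = IDENT
    while k:
        acc = pt_add(acc, pt) if k & 1 else acc
        pt, k = pt_add(pt, pt), k >> 1
    return acc

def encode(pt):  # RFC 8032 encoding: affine y little-endian, parity of x in the top bit
    zi = pow(pt[2], P - 2, P)
    return ((pt[1] * zi % P) | ((pt[0] * zi % P & 1) << 255)).to_bytes(32, "little")

def decode(b):  # RFC 8032 decoding; None if the bytes are not a curve point
    y = int.from_bytes(b, "little")
    x_sign, y = y >> 255, y & ((1 << 255) - 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    x = x * pow(2, (P - 1) // 4, P) % P if (x * x - x2) % P else x
    if (x * x - x2) % P:
        return None
    x = P - x if (x & 1) != x_sign else x
    return (x, y, 1, x * y % P)

def h(*parts):  # SHA-512 reduced mod L, exactly how Ed25519 derives its challenge
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L

def verify(pub, msg, sig):  # plain RFC 8032 check s*B == R + c*A; it sees only 64 bytes
    R, A, s = decode(sig[:32]), decode(pub), int.from_bytes(sig[32:], "little")
    if R is None or A is None or s >= L:
        return False
    return encode(mul(s, B)) == encode(pt_add(R, mul(h(sig[:32], pub, msg), A)))

def lagrange(i, signers):  # coefficient so that sum_i lambda_i * F(i) = F(0)
    others = [j for j in signers if j != i]
    return math.prod(others) * pow(math.prod(j - i for j in others), L - 2, L) % L

def dkg(n=3, t=2):
    """Dealerless t-of-n DKG with Feldman VSS: party i deals a random degree-(t-1) polynomial
    f_i, sends f_i(j) privately to j and broadcasts a_ik*B; j checks each share against the
    broadcasts and sums them into s_j = F(j), F = sum_i f_i. Nobody ever computes F(0)."""
    ids = range(1, n + 1)
    polys = {i: [secrets.randbelow(L) for _ in range(t)] for i in ids}
    commits = {i: [mul(a, B) for a in polys[i]] for i in ids}
    shares, pub_shares = {}, {}
    for j in ids:
        s_j, Y_j = 0, IDENT
        for i in ids:
            f_ij = sum(a * pow(j, k, L) for k, a in enumerate(polys[i])) % L
            expect = reduce(pt_add, (mul(pow(j, k, L), C) for k, C in enumerate(commits[i])), IDENT)
            if encode(mul(f_ij, B)) != encode(expect):  # f_i(j)*B must equal sum_k j^k*(a_ik*B)
                raise ValueError("inconsistent share dealt by party", i)
            s_j, Y_j = (s_j + f_ij) % L, pt_add(Y_j, expect)
        shares[j], pub_shares[j] = s_j, Y_j                 # Y_j = s_j*B is public
    group_pub = reduce(pt_add, (commits[i][0] for i in ids), IDENT)  # sum_i a_i0*B = F(0)*B
    return encode(group_pub), shares, pub_shares

def sign(msg, group_pub, shares, pub_shares, signers):
    """Two-round FROST signing. Returns (64-byte signature, None) or (None, cheating party)."""
    # Round 1: fresh one-time nonces (d_i, e_i) and their commitments (D_i, E_i).
    nonces = {i: (secrets.randbelow(L), secrets.randbelow(L)) for i in signers}
    comm = {i: (mul(d, B), mul(e, B)) for i, (d, e) in nonces.items()}
    # Round 2: rho_i binds each nonce to this message and commitment set (no replay).
    transcript = msg + b"".join(encode(Di) + encode(Ei) for Di, Ei in comm.values())
    rho = {i: h(i.to_bytes(2, "big"), transcript) for i in signers}
    R_i = {i: pt_add(comm[i][0], mul(rho[i], comm[i][1])) for i in signers}  # D_i + rho_i*E_i
    R = reduce(pt_add, R_i.values(), IDENT)
    c = h(encode(R), group_pub, msg)                      # same challenge as plain Ed25519
    lam = {i: lagrange(i, signers) for i in signers}
    z = {i: (nonces[i][0] + nonces[i][1] * rho[i] + lam[i] * shares[i] * c) % L for i in signers}
    # Aggregation: check each partial against the signer's public share to name a cheater.
    for i in signers:
        if encode(mul(z[i], B)) != encode(pt_add(R_i[i], mul(c * lam[i] % L, pub_shares[i]))):
            return None, i
    return encode(R) + (sum(z.values()) % L).to_bytes(32, "little"), None

def run_ceremony(signers, msg, bad_party=None):  # DKG, then signing; (verified?, blamed)
    group_pub, shares, pub_shares = dkg()
    shares.update({bad_party: secrets.randbelow(L)} if bad_party is not None else {})  # lying share
    sig, cheater = sign(msg, group_pub, shares, pub_shares, list(signers))
    return sig is not None and verify(group_pub, msg, sig), cheater
```

`run_ceremony((1, 3), msg)` returns `(True, None)`: the phone and backup shares sign, and a plain Ed25519 verifier accepts the result even though the group secret F(0) was never present anywhere in memory. `run_ceremony((1, 2), msg, bad_party=2)` returns `(False, 2)`: a participant whose share is corrupted or forged is identified by the aggregator before any signature is assembled, which is the cheater identification the text says most tutorials skip. The partial-signature check costs two scalar multiplications per signer; a production wallet would use a vetted library implementing RFC 9591's FROST(Ed25519, SHA-512) rather than this code.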
Here’s the property that makes MPC magical for blockchain wallets.<br>When a 2-of-3 FROST signing ceremony completes for an Ed25519...