Sign-CLI is a tool designed to facilitate secure message signing for Cube wallets, in the exceptional case of Cube failure. While leveraging the Multi-Party Computation (MPC) key scheme, this tool directly communicates with Cube’s Guardian network to facilitate signing of on-chain messages, allowing users to access their funds in the case of exchange failure.
This tool has been designed to ensure that in cases of Cube exchange failure for more than 48 hours users can access their funds.
NOTE: This tool will never share or publish any sensitive information you provide. Specifically, no data transmitted to the Guardian network contains any part of your wallet's secret key. The secret key is used locally within this tool to generate the public key and then to partially sign messages. Only the public data and signed messages are shared with the Guardian network.
- Retrieve wallet information, and operate through Guardian validators in a scenario where Cube exchange is failing for Force Majeure event.
- Sign messages for blockchain transactions.
- Maintain security through distributed key management.
- pnpm package manager
- Node.js (version 12.0 or higher)
- User’s personal secret key share
- Confirmation of Cube Exchange's failure by Guardian network
Definitions
Secret Key Share: The numbers on the PDF that you should have received upon Cube Vault creation. This identifies you and provides the credentials necessary to perform these actions.
Force Majeure Event: Any event beyond Cube’s reasonable control, including but not limited to flood, extraordinary weather conditions, earthquake, or other act of God, fire, war, insurrection, riot, labor dispute, accident, action of government, communications, power failure, or equipment or software malfunction or any other cause beyond Cub’s reasonable control.
First you must clone this code repository to your machine using GitHub (https://github.com) . If you are unfamiliar with this process, you can follow these instructions for Cloning a Repository.
In your terminal, navigate to your cloned repository and run these pnpm commands:
cd sign-cli
pnpm run setup
You should now be able to run the cube-sign-cli to see the help page.
pnpm cube-sign-cli
Before performing any transactions, you must first prepare your key share:
Ensure that you have your secret key from your PDF which you should have received on wallet creation. The secret key must be pasted in a file on your machine.
pnpm cube-sign-cli prepare-sign \
--secretKeyFile </path/to/your/secret-key> \
--outputKeyShareDir </path/to/output/directory>
This one-time command:
- Retrieves your subaccount IDs
- Gathers and stores locally the key metadata necessary to sign transactions with the Guardians
After preparation, you can sign any transaction message for a subaccount using the prepared key share. Note that the use of this command to sign arbitrary messages will only be permitted by the facilitating entity (Cube or independent Guardian network) in the special circumstances laid out in this document. During normal operations, you may only withdraw funds through your account on the Cube Exchange platform.
pnpm cube-sign-cli sign \
--subaccountId CHOSEN_SUBACCOUNT_ID \ # one of the subaccount Ids returned during prepare-sign
--message "YOUR_MESSAGE" \ # the on-chain message you wish to sign
--keyShare /path/to/prepared/keyshare \ # this is the file that was stored in the outputKeyShareDir during prepare-sign
--signatureType [schnorr|curve25519|ecdsa] \ # the signature type required by the chain that your message is for
--decentralized [true|false] # flag which determines which entity to carry out the sign process with
# 'true' (default): communicate with the Guardian network to sign message
# 'false': communicate with the Cube Guardian to sign message
This command:
- Kicks off the Multi-Party signing process with the Guardian network
- Returns the signature needed to submit the on-chain message
It is important to understand the transaction protocols for the chains on which you plan to move your funds in order to properly compose and format the message to be signed. There are many public documentation resources available for each chain which will describe the structure and contents of valid transaction messages, and messages must be in this format when signed in order to be submittable to the chain.
Optionally, you may test the functionality of this signing tool with the sign-smoke-test command. This smoke test will generate a message for you based on your public key and the current time and run the sign process on this message. The Guardian network has agreed to allow only messages of this generated structure to be signed during normal operations (ie. when Cube Exchange is active). The message and signature generated as a result of this test cannot be used to withdraw funds from your wallet.
Note: prepare-sign must be run first to get a subaccountId and your full keyShare.
pnpm cube-sign-cli sign-smoke-test \
--subaccountId CHOSEN_SUBACCOUNT_ID \
--keyShare /path/to/prepared/keyshare \
--signatureType [schnorr|curve25519|ecdsa] \
--decentralized [true|false] # flag which determines which entity to carry out the sign process with
# 'true' (default): communicate with the Guardian network to sign message
# 'false': communicate with the Cube Guardian to sign message
- Never share your secret key share elsewhere
- Store your secret key and key shares in a secure, offline/local location
- Verify all transaction details before submitting signed message
This tool provides users with access to their funds through the Guardian network in the event of Cube Exchange failure. The process involves:
- The User
- Guardian Network Validators
By requiring 2 of 3 key shares, we ensure no single party can unilaterally control your funds.
If you encounter issues:
- Verify your network connection
- Confirm the the secret key share file matches the wallet creation PDF
Use of this tool implies understanding of its purpose and associated risks.
Version: 1.0.0