We built a gasless, multisig-protected password manager. Rather than using a smart-contract multisig, we leverage off-chain Ethereum message signing to keep similar security properties without paying the transaction costs of storing signatures on-chain. When an admin user creates their multisig, all details are stored on IPFS and accessed through web3.storage. We track logins using a JSON bucket in the cloud. We grant the admin access to their passwords once the admin's configured threshold of signatures has been met within five minutes of the admin attempting to access the vault.
We started by building out our wallet connectivity with WalletConnect. The WalletConnect web3modal hook lets us support dozens of wallet providers without extra implementation logic. In addition to WalletConnect's connect button, we use their hooks for interacting with the connected wallet (mainly to sign messages in our dApp). When an admin user creates a multisig, we take their passwords, encrypt them and store them on IPFS using web3.storage, along with the configured threshold and the wallet addresses that are part of the multisig.
To write data to IPFS we use the web3.storage SDK. To read data from IPFS we make a fetch request to the URL constructed from the CID and the file name we generated at setup time. We store all signatures with a JSON cloud storage provider. When an admin initiates a login, we start a timer and pull the JSON bucket looking for signatures from members of the admin's multisig within the allotted timeframe. If the threshold of signatures is met, the admin user is redirected to their password vault.
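The login check described above, as an added example in plain JavaScript (not the project's code): it applies the five-minute window, multisig membership and threshold rules to entries pulled from the bucket. The `fakeRecover` stand-in for EIP-191 signature recovery (a wallet library's recover/verify call in a real dApp), the constructed addresses and bucket entries, and the login-attempt id that the signed message binds to are all assumptions.

```javascript
const WINDOW_MS = 5 * 60 * 1000; // the five-minute login window from the design

function loginMessage(attemptId) {
  // The wallet signs exactly this string, so a signature collected for one
  // login attempt cannot be reused to approve a later one.
  return `Approve vault login ${attemptId}`;
}

// Return the set of multisig members whose signatures validly approve `attempt`.
// Only the address recovered from the signature counts; a `signer` field that a
// client may have written into the bucket entry is never trusted.
function approvedSigners(multisig, attempt, bucket, recoverSigner) {
  const members = new Set(multisig.members.map((a) => a.toLowerCase()));
  const approved = new Set();
  for (const entry of bucket) {
    if (entry.attemptId !== attempt.id) continue; // belongs to another login
    const age = entry.signedAt - attempt.startedAt;
    if (age < 0 || age > WINDOW_MS) continue; // outside the window
    let signer;
    try {
      signer = recoverSigner(loginMessage(attempt.id), entry.signature);
    } catch {
      continue; // malformed signature or signed over a different message
    }
    signer = signer.toLowerCase();
    if (members.has(signer)) approved.add(signer); // one vote per member
  }
  return approved;
}

function thresholdMet(multisig, attempt, bucket, recoverSigner) {
  return approvedSigners(multisig, attempt, bucket, recoverSigner).size >= multisig.threshold;
}

// Stand-in for EIP-191 recovery (assumption): constructed "signatures" look like
// "demo:<address>:<attemptId>" and only recover when the message matches that attempt.
function fakeRecover(message, signature) {
  const [tag, address, attemptId] = signature.split(":");
  if (tag !== "demo" || message !== loginMessage(attemptId)) throw new Error("bad signature");
  return address;
}

// Constructed sample: a 2-of-3 multisig and a bucket pulled during attempt-42.
const MULTISIG = { threshold: 2, members: ["0xA11CE", "0xB0B", "0xCA201"] };
const ATTEMPT = { id: "attempt-42", startedAt: Date.UTC(2024, 0, 1, 12, 0, 0) };
const T = ATTEMPT.startedAt;
const BUCKET = [
  { attemptId: "attempt-42", signedAt: T + 60e3, signature: "demo:0xa11ce:attempt-42" },
  { attemptId: "attempt-42", signedAt: T + 90e3, signature: "demo:0xa11ce:attempt-42" }, // same member twice
  { attemptId: "attempt-42", signedAt: T + 360e3, signature: "demo:0xB0B:attempt-42" }, // after the window
  { attemptId: "attempt-42", signedAt: T + 30e3, signature: "demo:0xCA201:attempt-41" }, // reused old signature
  { attemptId: "attempt-42", signedAt: T + 45e3, signature: "demo:0xBAD:attempt-42" }, // not a member
];
const BOB_IN_TIME = { attemptId: "attempt-42", signedAt: T + 120e3, signature: "demo:0xB0B:attempt-42" };
```

With `BUCKET` alone only one member counts, so the login is refused; adding `BOB_IN_TIME` reaches the 2-of-3 threshold.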
The algorithm we wrote for pulling the passwords is absolutely CRACKED :)