Spending Policy
This special mode will stop you from signing transactions if they exceed a spending policy you define beforehand. Once enabled, many features of the COLDCARD are disabled or inaccessible.
You might want to use this feature when traveling with your COLDCARD.
Spending Policy: Multisig (formerly CCC)
We also support a mode where the COLDCARD is a multisig co-signer and only performs its signature when a spending policy is met. The other multisig signers are free to sign or not sign as appropriate.
Multisig mode is more advanced and requires the use of multisig addresses, new UTXOs, and cooperating multisig on-chain wallets.
This document will only discuss the "Single signer" version of Spending Policy. Both modes can be active at the same time, but if a transaction would be signed by Multisig policy, then we assume it's also okay to sign your main key as well.
Before You Start
When a Spending Policy is in effect, the following limitations apply:
- Firmware updates are blocked.
- There is no way to backup the COLDCARD.
- Seed vault and Secure Notes are read-only (and can also be hidden).
- Settings menu is inaccessible.
- BIP-39 passphrases may be blocked (optional).
We recommend getting the COLDCARD fully configured and set up for typical transactions before enabling the Spending Policy.
Setup Spending Policy
Visit the Advanced / Tools > Spending Policy menu and choose "Single-Signer". First some background information is shown, then you are prompted to define the "Bypass PIN". This PIN code is only used when you need to disable the spending policy, but it is also the only way to do so once enabled... so don't lose it.
Once the "Bypass PIN" is confirmed, you will arrive at a menu of related settings. Use "Edit Policy..." to change the spending policy and define a Max Magnitude (a limit on the number of BTC per transaction) and a Velocity (a minimum time gap between signed transactions). You can define a whitelist of up to 25 destination addresses (leave it empty to allow any destination). Finally, you can enroll your phone in 2FA (second factor) so that you must open an Authenticator app on your phone before transactions are signed.
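As an added illustration (not Coldcard firmware code), the following Python models the single-signer checks described above: a per-transaction magnitude cap, a velocity gap, a destination whitelist and a TOTP second factor, recording a terse reason whenever it refuses to sign. The field names, the satoshi-denominated amounts, the treatment of outputs as already excluding change, and the one-step TOTP tolerance are assumptions of this example.

```python
"""Model of a single-signer spending policy: max magnitude, velocity,
destination whitelist and TOTP second factor. Added illustration only;
field names and the refusal-reason format are assumptions, not firmware."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

SATS_PER_BTC = 100_000_000


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code a phone authenticator app shows."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Policy:
    max_magnitude_sats: Optional[int] = None   # per-transaction cap; None = no limit
    velocity_secs: int = 0                     # minimum gap between signed transactions
    whitelist: FrozenSet[str] = frozenset()    # up to 25 destinations; empty = any
    totp_secret: Optional[bytes] = None        # None = 2FA not enrolled
    last_signed: Optional[int] = None          # updated on every approved signing
    last_violation: Optional[str] = None       # terse reason for the most recent refusal

    def check(self, outputs: Dict[str, int], now: int, code: Optional[str] = None) -> bool:
        """Return True if signing is allowed. `outputs` maps destination -> sats (no change)."""
        total = sum(outputs.values())
        if self.max_magnitude_sats is not None and total > self.max_magnitude_sats:
            return self._refuse(f"magnitude {total} > {self.max_magnitude_sats} sats")
        if self.last_signed is not None and now - self.last_signed < self.velocity_secs:
            return self._refuse(f"velocity: {now - self.last_signed}s since last signing")
        if self.whitelist:
            bad = [addr for addr in outputs if addr not in self.whitelist]
            if bad:
                return self._refuse(f"not whitelisted: {bad[0]}")
        if self.totp_secret is not None and not any(
            hmac.compare_digest(code or "", totp(self.totp_secret, now + d))
            for d in (-30, 0, 30)   # accept the adjacent 30 s steps for clock skew
        ):
            return self._refuse("2FA code rejected")
        self.last_signed = now
        self.last_violation = None  # a valid signing clears the stored violation
        return True

    def _refuse(self, reason: str) -> bool:
        self.last_violation = reason
        return False
```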
Other Security Settings
In addition to the policy itself, there are a number of on/off switches which affect operation of the COLDCARD while the Spending Policy is in effect:
Word Check
If enabled, you will have to enter the first and last seed word after the Bypass PIN as an additional security check.
Allow Notes
On the Q, secure notes and passwords may be visible or hidden using this setting. In either case they are strictly read-only.
Related Keys
BIP-39 passphrase entry and Seed Vault usage are blocked unless this setting is enabled. Even when enabled, the Seed Vault is always read-only and cannot be changed.
Other Menu Items
Last Violation
If you have recently tried and failed to sign a transaction, the reason for the transaction being rejected can be viewed and cleared using the menu item "Last Violation". It is shown only if a Spending Policy violation (attempt) has occurred since the last valid signing.
This is meant as a debugging tool, and the information stored is terse.
Remove Policy
This will remove your spending policy completely and remove the Bypass PIN. Your COLDCARD will be back to normal.
Test Drive
Experiment with how the COLDCARD will function if the Spending Policy were enabled. You can try to sign transactions that should be rejected and view the menus in the new mode without rebooting.
Choose "EXIT TEST DRIVE" on the top menu to return to the Spending Policy menu. A reboot will also restore normal operation without any special challenges.
ACTIVATE
This step will enable the Spending Policy and return to the main menu with it in effect. When you reboot the COLDCARD, the policy will still be in effect. You must use the Bypass PIN, followed by the normal main PIN, possibly followed by entering the first and last words of your seed phrase, before you can disable and change the policy.
We recommend test-driving the feature before doing that.
Tips and Tricks
Money Manager Mode
You could set up a Coldcard for another person, perhaps a family member, and enable web 2FA authentication. There does not need to be any other spending policy limit (velocity could be unlimited).
Then enroll your own phone with the required 2FA values, and keep both that and the spending policy bypass PIN confidential.
The holder of the Coldcard will need a 2FA code from your phone when they want to spend. They can call you for the 6-digit code from the 2FA app on your phone. This is not hard to provide over a voice call.
Because a spending policy is in effect, they will not be able to see the seed words or other private key material, so regardless of any spoofing or phishing, they cannot move funds without your help.
You should record the bypass PIN, so it can be revealed somehow, should you die. You do not need to take on the risks associated with holding a copy of the seed words.
Passphrase Considerations
If you are using the same BIP-39 passphrase for everything, you should probably do a "Lock Down Seed" (Advanced/Tools > Danger Zone > Seed Functions) first. This takes your master seed and BIP-39 passphrase and cooks them together into an XPRV, which is then stored as your master secret (replacing the master seed phrase). This process cannot be reversed, so other funds you may have on the same seed words are protected. Once you are operating in XPRV mode, you can define a spending policy and know that it is restricted to only that wallet.
When operating in XPRV mode, the "Passphrase" menu item is not shown because BIP-39 passwords cannot be applied to XPRV secrets.
Trick PIN Thoughts
When doing your game theory with respect to bypass mode and this feature, remember that you should assume the attacker already has your main PIN. That's how they know they cannot spend all your coins: they either tried to, or noticed the menus are very limited. They also have all your UTXO locations and total wallet balance (because they can export your xpubs to any wallet and load the balance from there).
Therefore, a Trick PIN that leads to a duress wallet after giving up the bypass unlock PIN will not fool them. Best would be to provide a false bypass PIN that is in fact a brick/wipe PIN.
Lock Out Changes to Policy
In the Trick PIN menu, once the Spending Policy has been enabled, you will find the Bypass PIN listed. You could delete or "hide" it. Hiding it is pointless, since you cannot get to the Trick PIN menu while the policy is in effect. Deleting the PIN, however, is useful because it assures that changes to the spending policy are impossible. To recover the COLDCARD when this move is later regretted, under Advanced there is a "Destroy Seed" option which will clear the seed words and all settings, including the spending policy.
Unlock Policy & Wipe
We've provided a new Trick PIN that pretends to be the unlock spending policy PIN, so the login sequence is correct... but it will wipe the seed in the process. It will be obvious to your attackers that you've wiped the seed because the main PIN will now lead to a blank wallet (no seed loaded).
Delta Mode and Spending Policy
If, from the start, you gave your "delta mode PIN" to the attackers, then when they bypass the policy (after also getting the bypass PIN from you), they will still be in Delta Mode.
They could attempt unlimited spending, but transactions signed will not be valid. If they try to view the seed words or generally export private key material, they will hit many of the "wipe seed if delta mode" cases.
Forgotten Bypass PIN Code
If you've enabled a spending policy and still remember the main PIN, but cannot disable the feature because you've forgotten the Bypass PIN, your only option is to use Advanced > Destroy Seed. After some confirmations, this erases the master seed, all settings, seed vault items, secure notes, and Trick PINs. It's basically a factory reset, except for the main PIN code, which is unchanged. Once you've done that, you can enter your seed words from backup (or restore a backup file) and continue to use the COLDCARD again.