Neo Global Development has developed a new multi-signature utility for Neo N3 named NEXO. Multi-signature, commonly referred to as multi-sig, is a digital signature scheme that allows a group of users to manage an account jointly, requiring multiple parties to sign off on transactions before they can be executed.

NEXO distinguishes itself from similar tools like Gnosis Safe on Ethereum-based networks by utilizing the inherent protocol-level capabilities of Neo N3. This means that unlike Ethereum-based solutions, which require the deployment of a separate smart contract for each multi-sig arrangement, NEXO operates directly within the Neo protocol, eliminating the need for additional smart contract deployment and associated costs.

Neo signature verification

The verification process on Neo N3 is fundamental to understanding how NEXO functions. In Neo, addresses (regular and multi-sig) are derived from verification scripts. A regular address verification script consists of an opcode to push public key data to the virtual machine, followed by the actual key data to be pushed, then finally a call to the check signature system function:

PUSHDATA1 03faefc84682b1a1b887928414544d5ab8188d68ea14e68a0f597cdf4b01cb0099
SYSCALL System.Crypto.CheckSig

To derive the Neo public address from this script, there are two steps involved. First, the script is hashed with SHA-256, then hashed again with RIPEMD160, in this example producing the output script hash 0xde1cce4c0004e42eb5caf25f01f2f8a5844ad20b. Next, a version identifier is prepended to the script hash, allowing Legacy and N3 addresses to be distinguished. Finally, the result is encoded using the Base58Check encoding scheme introduced by Bitcoin: NLzUY9UXmYaWHJzBGok58h1PZRX5ML9EXt.

Multi-sig addresses on Neo act the same way, just with a slightly different verification script when compared to ordinary accounts. They start with an opcode to push the number of signatures required to pass verification, followed by the public key data for the signers, then an opcode to push the total number of keys used for the multi-sig. Lastly, the check multisig syscall is used:

PUSHDATA1 03c14a4195e601b4b23d411acb06e0311d5cb33e1f9322e7213d8fd86107f726a2
PUSHDATA1 03faefc84682b1a1b887928414544d5ab8188d68ea14e68a0f597cdf4b01cb0099
SYSCALL System.Crypto.CheckMultisig

This example verification script shows a 1-of-2 multi-sig, where at least one of the two key holders must provide a signature to control the account. The hash for this script is 0x27e8f96341e198982acb7f8370f21dfc3383fe3a, which may be Base58Check encoded along with the version identifier to derive the final multi-sig public address NRHuGioGBRSuAgE1nptwZ8M7nrbyaThVWv.

NEXO features

NEXO leverages Neo’s architecture to enhance user experience and security. Users can easily connect their wallets to NEXO then create or view multi-sig accounts. Account creation involves specifying the number of required signers and public keys for the address. The tool will remember the multi-sig account, allowing the designated signers to contribute their signatures as transactions are initiated. Once the required number of signatures is reached, the transaction may be relayed to the network to be finalized.

Moreover, NEXO introduces additional functionalities, such as adjustable transaction fee payment options. Any signer, or the multi-sig account itself, can be designated to cover the GAS fees, adding another layer of flexibility. The user interface of NEXO is designed to be intuitive, enabling users not only to send tokens but also to perform various smart contract invocations, thereby maximizing the utility and adaptability of the tool.

The application currently supports the NeoLine and OneGate wallets.

Users can get started with NEXO at the link below: