How to Rekey Wallet Accounts from Mainnet Node Goal Cmds

I want to change the mnemonic phrase (25 words) for a few wallet accounts because of the whole MyAlgo Wallet debacle, but first want to understand what I am doing exactly.

Is this the same as rekey?

For the rekey example below, so this sets the rekey value for the account. But, what is this rekey value?

Is this a compiled version of the new mnemonic phrase (25 words) password for the account?

What is this rekey value? and were do I “make it” or “get it” before rekeying?

Is the mnemonic phrase (25 words) same as “spending key” ?

goal clerk send --from L42DW7MSHP4PMIAZSDAXYTZVHTE756KGXCJYGFKCET5XHIAWLBYYNSMZQU \ --to L42DW7MSHP4PMIAZSDAXYTZVHTE756KGXCJYGFKCET5XHIAWLBYYNSMZQU \ --amount 0 \ --rekey-to NFFMZJC6H52JLEAITTJ7OIML3XCJFKIRXYRJLO4WLWIJZB7N6CTWESRAZU \ --out rekey.txn

goal clerk inspect rekey.txn

2 Likes

Both the base64 representation of a private key and the private key mnemonic are considered private keys. This is what I called mnemonic phrase (25 words).

Is the assumption that the (base64 private key) is used to make the “public key”. Public key being what I called “wallet account address”, and since the public key can never change, we rekey the account to use the “spending key” going forward as a way of resetting the account mnemonic password.

Is that the right way to understand.

1 Like

Mnemonic is representation of private key AND public key.

When you rekey to other mnemonic the private key of the original address is not used anymore (watchout that multisig will still use that private key), and when you rekey you tell algorand blockchain that this new public key is used to sign txs with your old public key. So signing will be done using new private key for the assets stored at old public key. This relation between the address and signing address is stored on algorand blockchain. And there is also feature that you can rekey between public key address, smartsig account and multisig account in any direction. (Every dapp developer should check if someone is not rekeying their smart contract)

2 Likes

so a compromised multisig wallet cannot be rekeyed?

The documentation says in link above for account A the --rekey-to flag is to be account B.

So is there any way to just reset the mnemonic password for account A? Or only way is to rekey account A by making account B the “spending key” for account A.

Account B’s mnemonic password is now responsible for approving Account B and approving Account A transactions.

If that’s the only way it works… I guess I have 2 choices, just transfer assets out of Account A to some new Wallet Account that I newly make, or live with having Account B always be responsible for Account A.

Please clarify as I was assuming, all wrong, that you can in some way reset the mnemonic password for an account. That’s what I thought rekey meant.

This link below explains how to rekey for multisig account. Same as above, but Account B or Account C can be approvers of Account A transactions.

Compromised multisig account can be rekeyed to new set of signators by rekeying multisig to new set of multisig. If you do not rekey the multisig account, even if you rekey the specific signator account the compromised private key will still be used. I dont think this is the bug, but it is how it works. In aramid we have the system based on algorand multisig and we studied the rekey feature quite to depth. Thats why it is implemented in AWallet…

I have made video on how to rekey multisig: Algorand multisig feature - YouTube

I dont get it why after 4-5 years of algorand in mainnet, in all officially supported wallets there is no multisig rekeying support. The multisig should be the absolute basic feature for all corporations.

1 Like

Thank you very much for your reply, I agree that it is crazy that no official wallet supports this function, which is crucial in the corporate environment. This also explains how accounts with millions of ALGOs were so easily stolen

Just to check if I understood it correctly:

We have to create a new multikey account, let’s call it ACCOUNT B (sigB1, sigB2, sigB3), then ACCOUNT A (sigA1, sigA2, sigA3) will be rekeyed to ACCOUNT B and signed with (sigA1, sigA2, sigA3), after that the transactions of ACCOUNT A will be signed by the new (sigB1, sigB2, sigB3)

Yes.

ACCOUNT A is rekeyed to ACCOUNT B with signatures of threshold of settings account A (sigA1, sigA2, sigA3).

Later when creating transaction you specify sender as Account A, and you sign it with msig configuration of Account B with threshold of signatures of (sigB1, sigB2, sigB3)

1 Like