If you’ve been following the updates on DAO edge cases, you’ll have heard that ether from the extraBalance account is being sent to the users who own it not via a withdrawal contract, but by sending it directly to them — no need for them to take any action to claim it.

Given that the trustee wallet is a multisig, you may be wondering how this can be achieved. Are they going to spend a week painstakingly signing 11,440 individual transactions? Are they going to send the whole amount to an account controlled by a single individual so they can make the payments? As it happens, neither: thanks to a brilliant suggestion by Vitalik, it’s possible to make all the transfers trustlessly, in a manner that requires only a single transfer by the trustees. Read on to find out how.

Transaction Signing in Ethereum

Everyone knows that to create a valid Ethereum transaction, you first have to sign it using your private key, and that only signed transactions are valid. That’s true, but it’s not quite the whole truth.

The process by which signatures are validated in Ethereum is called ‘ecrecover’. This is a function that takes a message and its signature, and returns the public key (and hence the address) that signed it. In Ethereum, the ‘from’ address of a transaction isn’t explicitly included in a transaction; instead, ecrecover is called, and the address it returns is the from address of the transaction. Since only the owner of that address’s private key can generate signatures that return that address, only they can authorize the network to spend funds from their account.

What if we ignored the usual signing process, though, and just filled in whatever we liked for the transaction signature? It turns out that half of all signatures are valid in the sense that ecrecover returns a public key (and thus an address). Since we have no control over what address that is, what we’ve just done is to build a transaction that can spend funds from a seemingly random address. If we create such a transaction, then fund the generated address with some Ether, the transaction will be able to execute just like a regular one. We’ve effectively created a “single use address”, where funds can only be spent by one transaction. If we publish the transaction, and choose values for the signature field in some predictable fashion, we can prove to anyone that funds sent to that address will be usable only by that transaction, and nothing else.

Multisends with one-time addresses

The extraBalance multisend is being handled in just such a fashion. First, we generate a series of transactions that send ether to multiple addresses — 110 of them per transaction — and generate addresses for them using the process described above. For the signature fields, we fill in ‘0xDA0DA0DA0…’ — a predictable value so that you can be certain someone doesn’t actually have a private key for the generated address.

This produces a series of transactions with ‘one time addresses’ that can be used to fund them. 104 transactions is still a few too many for the trustees to easily sign, so we repeat the process one more time, building another transaction that sends ether to the 104 transactions we generated in the first step, producing a single transaction with its own unique address.

Now, anyone can verify the transactions to satisfy themselves that they send the correct amount of ether to the correct address list, and once satisfied, the trustees can authorize a payment to the root transaction’s address. After that, anyone can submit the transactions to the network, starting the whole process that will result in sending ether to everyone on the list — all with only a single signature required, and without needing to trust an individual with the funds.