MPC solved the key management problem. But it left a bigger one untouched: knowing what you’re actually signing.
Multi-party computation (MPC) wallets have become the institutional standard for crypto custody. Their strength lies in cryptographic design: by distributing control of a private key across multiple parties or devices, they eliminate single points of failure and ensure no single entity can act unilaterally. The result is a custody solution that satisfies both technical rigor and regulatory expectations—a foundational breakthrough for secure asset management in Web3.
But infrastructure in crypto tends to evolve in response to risk. First, there was the threat of compromised private keys—single points of failure that made wallets an easy target. MPC emerged as the answer, redefining how keys are managed by distributing control across parties. That innovation led to widespread adoption, as custodians, funds, and exchanges embedded MPC into their workflows. But now, a new family of threats has emerged—not at the level of key custody, but in the complexity of the transactions themselves. Even with basic simulation features in place, critical risks often remain undetected. Without deeper context, users can still approve transactions that look routine but behave maliciously.
MPC wallets have brought real security to key management—but approving a transaction isn’t just a cryptographic act. It’s a decision. And without a deeper understanding of what’s actually being signed, even the most secure systems can be caught off guard.
Gal Sagie, co-founder & CEO @ Hypernative
The story of MPC starts with a puzzle—and a prodigy at Stanford. In 1982, Andrew Yao posed what looked like an academic game: two millionaires comparing wealth without revealing it. Yao’s Millionaires’ Problem wasn’t trivia—it was a radical proof that secrecy itself could be computed. His innovation sparked what became secure multi-party computation: a method for jointly computing over private data without exposing the inputs.
For years, MPC remained mostly theoretical, admired for its elegance but limited in practical use. Then came crypto. In a world where private keys control real money and trust is expensive, Yao’s ideas provided the technical foundation needed to unleash the forces of decentralization. In a twist of history, decades after his MPC breakthrough, Yao renounced his U.S. citizenship and accepted a Chinese passport, later earning public praise from President Xi Jinping for his contributions to the “great rejuvenation of the Chinese nation.”
At the heart of an MPC wallet is a simple promise: no single person or single machine can move funds alone. Instead of generating and storing one private key in one place, the wallet splits the key into pieces—called shards—across multiple devices, geographies, or individuals. When it’s time to sign a transaction, each participant (for example a person and two machines) contributes a partial signature derived from their share. Only when enough partials are combined—meeting the predefined threshold—is a valid signature reconstructed and sent to the blockchain.
This structure offers significant security advantages. There’s no honeypot key to steal, no single point of compromise. Even if one signer is hacked, the attacker can’t execute a transaction without breaching the other entities at the same time. It’s a clever design—well-suited to the realities of modern institutions operating across teams, time zones, and trust boundaries.
But this model only governs who can sign a transaction—not what is being signed. Most MPC flows focus on authorization, not inspection. A signer might see the destination address, token type, and a short summary—but rarely the full smart contract call or its potential downstream effects. If that transaction interacts with a malicious contract, invokes a newly upgraded proxy, or escalates privileges behind the scenes, there is no built-in mechanism to detect it. As long as the required threshold is met, the transaction is approved and broadcast.
The result is a subtle but dangerous vulnerability: multiple signers can jointly authorize a transaction none of them fully understands. In crypto, this is known as blind signing—a situation where the process is contextually unaware. And it’s precisely the kind of opening attackers look for.
Attackers have learned how to craft transactions that appear routine on the surface but contain malicious payloads beneath. They use proxy contracts with freshly upgraded logic, hide token approvals inside of complex smart contract actions, or transactions or sweeps that look procedural but escalate access in the background. The complexity of these interactions is a feature, not a bug. It allows malicious intent to hide in plain sight—especially in workflows where neither signers nor wallet systems are equipped to fully simulate or contextualize what a transaction will do once executed—meaning no one truly knows what they’re approving.
The challenge isn’t that MPC splits control—it’s that the information available at signing time is often too limited to support informed decisions. While the underlying architecture may rely on multiple key shares, the approval flow typically involves one or more users interacting with a wallet interface. That user may see basic transaction details, but without a deeper inspection layer, they have little visibility into the full behavior or intent of the transaction. Once they approve, the transaction is executed—regardless of whether its consequences were fully understood.
In high-stakes institutional environments, this can lead to devastating consequences. Assets are drained, permissions are lost, and reputations are damaged—all with signatures that were technically valid, but contextually blind. These attacks are often discovered only after the damage is done, because the systems involved lack both real-time simulation and cannot quickly recover when the damage is done.
Blind signing collapses the distinction between secure key infrastructure and safe outcomes. It assumes that if legitimate users sign legitimate payloads, those transactions must be trustworthy. But in a permissionless environment full of adversarial code, that assumption can be dangerously incomplete.
In traditional finance, large transactions rarely move without some form of internal review—risk checks, compliance validation, counterparty analysis. In Web3, where execution is immediate and irreversible, that kind of scrutiny must happen before a transaction hits the chain. While many teams still conduct manual reviews, they’re often forced to operate with incomplete context, limited visibility, and growing uncertainty around what a transaction actually does. As a result, institutions are left choosing between speed, security, and certainty—facing a familiar trilemma, now at the transaction layer.
Some MPC wallets have begun integrating simulation features that preview token flows or contract calls—an important step forward. But these surface-level checks often lack threat classification, behavioral baselines, or detection of intent misalignment. For institutions, that gap still leaves room for costly errors.
What’s still missing is a layer that goes beyond surface previews to fully capture intent and downstream impact. Many simulation tools now show where funds are going—a meaningful step forward—but often stop short of answering the harder questions: Is this address associated with known threats? Has this behavior occurred before? Does it match typical usage patterns? Without that additional context, institutions may still be signing with blind spots—relying on human intuition to detect risks that are often deeply embedded in code. Simulation isn’t just a feature; it’s how you bring foresight into the signing flow—and turn intent into intelligent execution.
As MPC wallets evolve, simulation is becoming a standard expectation. But not all simulations are created equal. Hypernative Guardian builds on that momentum—adding intent awareness, deep contract analysis, and policy enforcement to help institutions go beyond visibility toward verifiable, automated protection.
Instead of relying on human intuition in the heat of a signing flow, Guardian applies programmable logic to every transaction—classifying addresses, simulating behavior, enforcing custom policies, and predicting threats before signatures are executed. It doesn’t just show you what might happen; it makes clear whether the transaction should be allowed at all. The result is not just safer signing—it’s automated decision-making aligned with your institution’s risk, compliance, and operational frameworks.
To learn how Guardian integrates with your existing MPC stack and stops malicious transactions before they hit the chain, read the full breakdown: Guardian for Web3’s Institutional Moment.
Reach out for a demo of the Guardian, tune into Hypernative’s blog and our social channels to keep up with the latest on cybersecurity in Web3.
Secure everything you build, run and own in Web3 with Hypernative.
Website | X (Twitter) | LinkedIn
.jpg)