Account Demolisher

Multisig

Coordinating a closure across multiple signers using Refractor or partial XDR.

Accounts with more than one signer at non-trivial weight cannot close in a single signing pass. The demolisher detects this during the audit and routes the closure through a multisig coordination view at /plan/[id].

Two coordination methods are supported.

Refractor

Refractor is a third-party signature collection service for Stellar transactions. The demolisher uploads the canonical (unsigned) envelope to Refractor and gives you a shareable URL.

Share the URL with every co-signer. Each one opens it, connects their own wallet (or pastes the XDR into their wallet of choice), signs, and pushes the signed envelope back to Refractor. Refractor merges the signatures. The coordination page polls Refractor every two seconds and updates the progress bar as each signature lands. When the required threshold is met, the demolisher submits the merged envelope to the network.

The whole flow stays non-custodial. Refractor only holds the envelope. The secret keys never leave their respective wallets.

What the coordination page shows

  • The truncated transaction hash and a Copy link button.
  • A "signatures still outstanding" counter sourced from Refractor's desiredSigners minus the collected signatures.
  • The list of signers Refractor expects (each rendered as Pending until threshold is met).
  • The canonical XDR so you can verify it independently in a tool like Stellar Lab.
  • A button linking back to /demolish for whoever is opening the page.

If Refractor has not yet inspected the envelope for required signers (this can happen briefly after a fresh upload), the page surfaces the "Refractor has not reported a signer set for this transaction yet" placeholder. It will populate once Refractor runs its inspector.

Partial XDR

If you don't want to use a third-party service, the demolisher also supports a fully local signing path through partial XDR exchange.

  1. The demolisher exports the canonical envelope as a base64 XDR.
  2. Each signer imports the XDR into their wallet, signs, and sends the partially-signed envelope back.
  3. The demolisher imports each partial envelope through the Drop signed envelope files here or Or paste base64 XDR controls on the coordination page.
  4. The signatures are merged into the canonical envelope after three checks:
    • The hash of every partial must equal the canonical hash (no cross-transaction signatures get merged).
    • The signature must verify against a candidate signer (derived from the canonical envelope's required signer set).
    • Signatures are deduplicated by their wire-format bytes.
  5. Once the threshold is met, the merged envelope is submitted to Horizon.

This path requires no third-party service, only an out-of-band channel between signers for exchanging the partial XDR files (encrypted email, Signal, whatever you use).

Which to use

Refractor is faster if every signer is online and has access to the URL. Partial XDR is the right choice if any signer prefers not to involve a third party, or if you are coordinating with a hardware wallet that signs offline.

Both paths produce the same merged envelope and submit the same closure to Stellar. The demolisher does not require one or the other.

Allowance viewer

Audit and revoke SEP-41 token allowances on any Stellar account.

Security

What the demolisher signs, what it never signs, and the threat model.

On this page

RefractorWhat the coordination page showsPartial XDRWhich to use