Completely Offline Bitcoin Transactions by grubles ...

Electrum - Simply the best thin Bitcoin client

The best, cutting edge thin Bitcoin wallet.
[link]

03-05 15:02 - 'Stealth addresses are still around and are being supported, but not directly by all of the ~half dozen Bitcoin frameworks (e.g., **[link][ *bitcoin* | *libbitcoin* | *btcsuite* | *bitpay* | *bitcoinj* | *spesmilo*] written in...' by /u/greatskaht removed from /r/Bitcoin within 7-12min

'''
Stealth addresses are still around and are being supported, but not directly by all of the ~half dozen Bitcoin frameworks (e.g., *[link]2 [ *bitcoin | libbitcoin | btcsuite | bitpay | bitcoinj | spesmilo] written in various programming languages. Stealth transactions protect the privacy of transaction recipients while mixing protects the privacy of transaction senders. It is worth noting that a Bitcoin stealth payment effectively requires 2 transactions on "the Blockchain" to complete a handshake so the recipient can later spend the stealth transaction funds sent. This requires the recipient's wallet to scan the Blockchain which is computationally time consuming. See [Stealth Address]1 to quickly learn more.
Speaking unofficially on the behalf of the libbitcoin effort, framework support for stealth addresses is still alive in v3.0. It is however, a whole different matter for wallets to utilize frameworks that support stealth transactions.
On the client side, the bitcoin-explorer (bx) command line interface is production ready (but not not for stealth address multisig support) see the image at [link]3 for framework support.
The libbitcoin server v3.0 ([link]4 ) is being refactored by Eric V. has taken shape, and is approaching completion for an official release. This new server indexes all spends, addresses and stealth payments in a in an operating system's memory-mapped file system - is definitely cutting edge work.
'''
Context Link
Go1dfish undelete link
unreddit undelete link
Author: greatskaht
1: mo*ero.*tackexchange*****qu*s*io*s/1500/*hat**s-*-steal*h-add*ess*150*#*506 2: https://github.com/** 3: https://github.com/libbitcoin/libbitcoin-explorewiki/Stealth-Commands 4: https://github.com/libbitcoin/libbitcoin-server
Unknown links are censored to prevent spreading illicit content.
submitted by removalbot to removalbot [link] [comments]

1400 Bitcoins stolen after a user installed an old Electrum wallet and then updated to a malicious version.

this is not me, im just sharing news....
I had 1,400 BTC in a wallet that I had not accessed since 2017. I foolishly installed the old version of the electrum wallet. My coins propagated. I attempted to transfer about 1 BTC however was unable to proceed. A pop-up displayed stating I was required to update my security prior to being able to transfer funds.
I installed the update which immediately triggered the transfer of my entire balance to a scammers address.
Source - https://github.com/spesmilo/electrum/issues/5072#issuecomment-683356052
The transaction - https://blockchair.com/bitcoin/transaction/ef600c380a239d9b929c6c964deaf7060e309750950a516cee65576232b0c53c
A recap of the issue by u/_benkaufman - https://twitter.com/_benkaufman/status/1299971319430352897
submitted by atrueretard to Bitcoin [link] [comments]

Can PSBTs with unique signed inputs be combined together? How?

I know Bitcoin Core and Electrum will allow my to joinpsbts to create a PSBT with the inputs and outputs of both. They also allow me to combinepsbt to take two PSBTs with the same inputs and outputs and combine signature data.
But is there a way for me to take two PSBTs with SINGLE|ANYONECANPAY signed inputs and combine the inputs and outputs into one PSBT? The SINGLE|ANYONECANPAY sighash would seem to make this possible, I just didn't see this workflow covered anywhere in BIP-174
If Core or Electrum don't support it, is there a python library that might?

Update #2

Was able to cobble something together off of electrum with some ugly python. Here's essentially what I have:
``` from electrum.transaction import PartialTransaction
def dont_remove_signatures(): pass
signed_psbt = "cHNid...AAAIAA" unsigned_psbt = "cHNid...AAAAAA"
pj = PartialTransaction.from_raw_psbt(signed_psbt) pj.remove_signatures = dont_remove_signatures pj.join_with_other_psbt(PartialTransaction.from_raw_psbt(unsigned_psbt)) print(pj.serialize()) ```

Update #1

Did some digging and both Core and Electrum drop sig-data on join / combine operations by design, though this is not strictly required from the spec.

Spec:

In general, the result of a Combiner combining two PSBTs from independent participants A and B should be functionally equivalent to a result obtained from processing the original PSBT by A and then B in a sequence. Or, for participants performing fA(psbt) and fB(psbt): Combine(fA(psbt), fB(psbt)) == fA(fB(psbt)) == fB(fA(psbt))
source
Or as I interpret that...
Sign(Combine(pbstA, pbstB)) == Combine(Sign(pbstA), Sign(pbstB))
But this is not the case.

Core:

joinpsbts merges multiple distinct PSBTs into a single PSBT. The multiple PSBTs must have different inputs. The resulting PSBT will contain every input and output from all of the PSBTs. Any signatures provided in any of the PSBTs will be dropped*.
source

Electrum:

def join_with_other_psbt(self, other_tx: 'PartialTransaction') -> None: """Adds inputs and outputs from other_tx into this one.""" ... self.remove_signatures()
source
submitted by brianddk to Bitcoin [link] [comments]

The power of "import electrum" as a python bitcoin scripting engine

I've been a big fan of Electrum as a wallet for a while now. Traditionally, when I wanted to do bitcoin scripting I would use either trezorlib, pycoin, or bitcoinlib. But recently I was digging a bit deeper into the Electrum source and found it to be one of the simpler python libraries to use to craft bitcoin transactions.
One of the nicer things about Electrum as a scripting engine is that you can drop the standalone app or AppImage on a system and run your scripts directly through the console. This makes doing things on Tails or other locked down systems much easier. To run one one of your scripts (without the event loop) simply type (assuming you correct the file path):
with open(r"myscript.py", 'r') as s: exec(s.read())
Obviously only do this with scripts you've personally authored. Never run random code on your machine especially when wallet private keys are in play.
There are already some great scripting examples in the electrum\scripts folder, but most of these use the event loop which brings in a lot of overhead. I found simple TXN processing can easily be done without spawning an full electrum thread. I'd be happy to PR the samples if there is any interest in this style from the maintainers.
Here's two examples I put together that craft a BIP65 spending transaction. It turned out to be much simpler than I imagined. I did it both in bitcoinlib and electrum. The structure is very similar and should hopefully be easier to follow. Feel free to start a PythonRoastMe on it.
Two things of note. I had to disable R-value grinding (nuked while loop) so that I had parity with bitcoinlib, which hasn't rolled it out yet. This is why the TXIDs differ. I also had to override the the PartialTransaction.get_preimage_script method since it makes certain multisig assumptions that don't apply to generic scripting.
Reference: * Electrum script to spend an OP_HODL P2WSH address (txid 3a461e6...78de2b6) * Electrum script to spend an OP_HODL P2SH address (txid a8110bb...3dadc93) * BitcoinLib script to spend an OP_HODL P2WSH address (txid 3a461e6...78de2b6) * BitcoinLib script to spend an OP_HODL P2SH address (txid a8110bb...3dadc93) * TXID 3a461e6...78de2b6 (P2WSH) on the blockchain * TXID a8110bb...3dadc93 (P2SH) on the blockchain * BIP-0065: OP_CHECKLOCKTIMEVERIFY (aka OP_HODL) * BIP-0141: P2WSH symantics * BIP-0016: P2SH symantics
submitted by brianddk to Electrum [link] [comments]

Storing your coins safely while not risking loss of keys

This was originally an answer to a question that was asked here, but OP deleted their post.
This might help some newbies (especially the multisig edit at the end), so I want to make sure it's still accessible here.
The original question was whether the Electrum wallet stores a Trezor's private key when using a passphrase.
OP noticed that their Trezor wouldn't connect to their Electrum wallet when entering a different passphrase than they used when creating the wallet. Thus, OP (likely) assumed that the wallet stored the private key, as it somehow knew that a different private key was now used.
Here is my original answer (with some modifications):
IMPORTANT: I'm assuming here that you connected your Trezor by choosing the "hardware wallet" option in Electrum, rather than giving Electrum your 12/24 seed words.
TL;DR: No, your coins are safe :)
I'm assuming by passphrase) you mean the 25th (or 13th) word. When you have this feature enabled, a private key gets generated every time you enter a passphrase. When you enter the same passphrase you used to create the wallet, the wallet with your funds shows up.
Whenever you enter something different, a different private key is generated on your Trezor. This allows you to have multiple different wallets, for example by choosing the passphrases "First Wallet", "Second Wallet", "Third Wallet", or a secret wallet with a secret passphrase.
So whenever you enter a new passphrase when connecting your Trezor to Electrum, the Trezor will send a new public key to Electrum. Electrum will then derive addresses from this public key and check those for balances. It won't find any, as you used a new passphrase.
EDIT: I just realized that you said your wallet doesn't connect to Electrum when you use a different passphrase. This is simply because Electrum doesn't receive the correct public key from the Trezor and therefore Electrum thinks it's a different wallet (which it is).
When you enter the passphrase you used during creation of your wallet, the Trezor will send your actual public key to Electrum, which will then find addresses with balances, which it will show to you. EDIT (to clarify): Connecting your Trezor after creating the wallet is only necessary to send funds or verify addresses, as the public key is already stored in the wallet.dat.
The only thing Electrum actually stores is the public key, which can only be used to look at your Bitcoin, not to move them. You might want to keep this public key a secret as well though, since it links all your funds to you. This is what Electrum stores in the wallet.dat file, which you can just encrypt by choosing a password for it.
Well done using a passphrase by the way! Should someone get their hands on your Trezor, a sophisticated attacker can get the secret key off the device in 15 minutes. Using a passphrase makes this attack almost useless, as the both secret key AND the passphrase are needed to move your funds, and the passphrase is not stored on the device. A passphrase also allows you to hide funds from potential robbers that force you to unlock your wallet.
You can do this by activating the passphrase feature and sending your funds to a wallet with a secret passphrase (do NOT lose this, as losing your passphrase renders your funds inaccessible). Afterwards, you can safely deactivate the passphrase feature, so the device doesn't even ask for one should you get robbed. Simply reactivate it when you need to access your funds.
EDIT: Should you be worried that you might forget your passphrase, you should look into multisig wallets. Depending on how you set this up, you can make it more secure against theft and less likely for you to lose access to your funds.
Say for example you get four wallets: two hardware wallets, a well-protected (airgapped) laptop with Electrum, and a secure mobile wallet that allows for multisig (like Fully Noded).
You can then create a 2-of-4 multisig wallet that requires you to sign transactions with any two of these four wallets.
The increase in security comes from the fact that an attacker now needs full access to two of your devices (or their stored private keys) at once.
At the same time, the fact that you yourself now also need access to only half of your devices means that in the event of a total loss of one (or even two) of them, you can still move your funds to a new wallet.
As long as you do regular checks (e.g. first day of each month), ensuring that you still have access to all your devices' stored private keys, you can always catch a loss of keys and fix this without losing funds (by creating a new multisig wallet and sending the funds there).
This allows you to use a passphrase on your wallets without storing it anywhere physically or digitally. This would usually be very risky, as forgetting the passphrase would lead to a loss of funds, but this risk is now close to eliminated.
(The following part was not in the original answer)
Some IMPORTANT general secruity tips:
  1. Consider including trusted friends and/or family members as co-signers for a multisig wallet. This ensures that it's not even possible for you alone to hand over funds to an attacker. Depending on your level of trust, you might want to make sure that your co-signers can't collaborate to steal your funds (if you include 3 people, create at least a 4-of-n multisig). You could also deliberately make it possible for all or even just some of your co-signers to move your funds (3 co-signers, 3(or less)-of-n multisig) to make sure your funds aren't lost should pass away unexpectedly.
  2. Consider running your own full node and Electrum server (also check the alternatives), which you connect your Electrum wallet to. This ensures that you don't send your public key to anyone else. If someone knows your public key, they know how much BTC you own, making you a potential target.
  3. Always encrypt your wallet.dat (or whatever you called your wallet file), even if it's a watch-only wallet. This protects your public key (see 1. for why you want that).
  4. Create watch-only wallets: Use an airgapped) device to create a wallet with Electrum (make sure to back up the seed phrase) and export the public key. Then create a new watch-only wallet on another device (like your everyday laptop) with that public key to be able to check your funds. To create the initial wallet, you can also use any other hard- or software wallet that allows you to export the master public key.
  5. Hide, or (when using a hardware wallet with a passphrase) even delete your watch-only wallets. Hiding your funds makes you less of a target. When using a hardware wallet, recreating the watch-only wallet is fast and simple, so you don't need to store it if you don't want to check your funds every day. Note that this approach doesn't help much when you don't use a passphrase, as an attacker will obviously check the passphrase-less wallet no matter what.
  6. Keep some funds on your hardware wallet(s). If an attackers sees funds on the wallet(s), they might not force you to enter a passphrase or ask if you have any multisig wallets (lying under pressure is hard).
  7. Hide all your wallets in different places. If someone sees that you have multiple wallets lying around, they might realize you have a multisig wallet.
  8. Don't risk a robber getting (for example) two keys to your 2-of-4 multisig wallet and then racing them to move your funds with the other two keys when they leave. They're gonna come back and be pissed. If it comes to this, you need protection until the robber is caught. STAY SAFE!
  9. The easiest way to solve a problem is to never have it. Don't make yourself a target. If nobody even suspects that you have a multisig (or any wallet at all), they're probably not gonna look for it.
Please correct any mistakes you find and I will edit my post. I will also gladly add more tips to the list. I will of course credit anyone who helps.
Tip for devs who want something cool and important to work on: Make the creation and usage of multisig wallets as noob-friendly as possible. If someone expresses worries about losing access to their funds by forgetting the seed phrase, wallet pin, etc. (someone in my family actually brought this up to me), multisig wallets are the perfect solution as they add redundancy.
submitted by Fittiboy to Bitcoin [link] [comments]

Cannot create wallet with Trezor

Hi guys, I am stuck trying to create a wallet for my Trezor with Electrum 4.0.4 on Linux:
I get to the point of entering the password twice and then selecting the path. But after that it just says
'Please wait' and then the window hangs. The only way to do something is either kill the process or send a `SIGINT` signal.
Interestingly after sending a SIGINT the window unfreezes and asks me again for the password (also during the whole freeze the Trezor device writes that I should enter my password). After entering the password again I get an empty error window and on closing it everything closes.
I started electrum with `electrum -v` to get some logs:
$ electrum -v I | logging | Electrum version: 4.0.4 - https://electrum.org - https://github.com/spesmilo/electrum I | logging | Python version: 3.8.6 (default, Sep 30 2020, 04:00:38) [GCC 10.2.0]. On platform: Linux-5.8.14-arch1-1-x86_64-with-glibc2.2.5 I | logging | Logging to file: None I | logging | Log filters: verbosity '*', verbosity_shortcuts '' I/p | plugin.Plugins | registering hardware bitbox02: ('hardware', 'bitbox02', 'BitBox02') I/p | plugin.Plugins | registering hardware coldcard: ('hardware', 'coldcard', 'Coldcard Wallet') I/p | plugin.Plugins | registering hardware digitalbitbox: ('hardware', 'digitalbitbox', 'Digital Bitbox wallet') I/p | plugin.Plugins | registering hardware keepkey: ('hardware', 'keepkey', 'KeepKey wallet') I/p | plugin.Plugins | registering hardware ledger: ('hardware', 'ledger', 'Ledger wallet') I/p | plugin.Plugins | registering hardware safe_t: ('hardware', 'safe_t', 'Safe-T mini wallet') I/p | plugin.Plugins | registering hardware trezor: ('hardware', 'trezor', 'Trezor wallet') I/p | plugin.Plugins | registering wallet type ('2fa', 'trustedcoin') D | util.profiler | Plugins.__init__ 0.0044 I/n | network | blockchains [0] I | exchange_rate.FxThread | using exchange CoinGecko D | util.profiler | Daemon.__init__ 0.0023 I/n | network | starting network I | daemon.Daemon | launching GUI: qt I/n | network | setting proxy None I | daemon.Daemon | starting taskgroup. I/n | network | connecting to electrumx.ftp.sh:50002:s as new interface I/n | network | starting taskgroup. I | gui.qt.history_list | could not import electrum.plot. This feature needs matplotlib to be installed. I | gui.qt.ElectrumGui | Qt GUI starting up... Qt=5.15.1, PyQt=5.15.1 I/i | interface.[localhost:50002] | connection established. version: ['ElectrumPersonalServer 0.2.0', '1.4'] D | util.profiler | ElectrumGui.__init__ 0.1374 I/i | interface.[vmd27610.contaboserver.net:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/n | network | couldn't launch iface vmd27610.contaboserver.net:50002:s -- CancelledError() I/i | interface.[electrumx.ftp.sh:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/n | network | couldn't launch iface electrumx.ftp.sh:50002:s -- CancelledError() I/i | interface.[rbx.curalle.ovh:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/i | interface.[2AZZARITA.hopto.org:50006] | connection established. version: ['ElectrumX 1.15.0', '1.4'] I/n | network | couldn't launch iface rbx.curalle.ovh:50002:s -- CancelledError() I/i | interface.[2AZZARITA.hopto.org:50006] | set blockchain with height 653567 I/i | interface.[2AZZARITA.hopto.org:50006] | skipping header 653566 I/n | network | no height for main interface I/n | network | fee_estimates {25: 46526, 10: 48176, 5: 50745, 2: 50750} I/i | interface.[hsmiths4fyqlw5xw.onion:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/n | network | couldn't launch iface hsmiths4fyqlw5xw.onion:50002:s -- CancelledError() I/n | network | switching to 2AZZARITA.hopto.org:50006:s I/i | interface.[electrum3.hodlister.co:50002] | connection established. version: ['ElectrumX 1.10.0', '1.4'] I/n | network | fee_histogram [[99, 100899], [71, 112316], [61, 132563], [59, 156116], [57, 175394], [54, 114050], [51, 219092], [49, 195934], [48, 565137], [47, 781451], [46, 883591], [45, 259824], [44, 450143], [43, 114488], [42, 22100], [41, 49428], [40, 106542], [38, 151315], [33, 547095], [22, 620244], [13, 648588], [9, 822409], [5, 741398], [3, 1799486], [2, 651429]] I/n | network | fee_histogram [[99, 100899], [71, 112316], [61, 132563], [59, 156116], [57, 175394], [54, 114050], [51, 219092], [49, 195934], [48, 565137], [47, 781451], [46, 883591], [45, 259824], [44, 450143], [43, 114488], [42, 22100], [41, 49428], [40, 106542], [38, 151315], [33, 547095], [22, 620244], [13, 648588], [9, 822409], [5, 741398], [3, 1799486], [2, 651429]] I/i | interface.[bitcoin.corgi.party:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-5, 'No address associated with hostname'))) I/n | network | couldn't launch iface bitcoin.corgi.party:50002:s -- CancelledError() I/i | interface.[electrumx-core.1209k.com:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(OSError(101, 'Network is unreachable'))) I/n | network | couldn't launch iface electrumx-core.1209k.com:50002:s -- CancelledError() I/i | interface.[electrum3.hodlister.co:50002] | set blockchain with height 653567 I/i | interface.[electrum3.hodlister.co:50002] | skipping header 653567 I/n | network | fee_estimates {25: 46526, 10: 48176, 5: 50745, 2: 50749} I/i | interface.[hsmiths5mjk6uijs.onion:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/n | network | couldn't launch iface hsmiths5mjk6uijs.onion:50002:s -- CancelledError() I/i | interface.[dxm.no-ip.biz:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(ConnectionRefusedError(111, "Connect call failed ('77.6.34.45', 50002)"))) I/n | network | couldn't launch iface dxm.no-ip.biz:50002:s -- CancelledError() I/i | interface.[electrum2.eff.ro:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/n | network | couldn't launch iface electrum2.eff.ro:50002:s -- CancelledError() I/i | interface.[electrum.hsmiths.com:50002] | disconnecting due to: ConnectError(ConnectionResetError(104, 'Connection reset by peer')) I/n | network | couldn't launch iface electrum.hsmiths.com:50002:s -- CancelledError() I | storage.WalletStorage | wallet path /home/bene/.electrum/wallets/default_wallet I/i | interface.[bitcoin.aranguren.org:50002] | connection established. version: ['ElectrumX 1.15.0', '1.4'] I | storage.WalletStorage | wallet path /home/bene/.electrum/wallets/default_wallet I/i | interface.[bitcoin.aranguren.org:50002] | set blockchain with height 653567 I/i | interface.[bitcoin.aranguren.org:50002] | skipping header 653566 [240/1884] I/n | network | fee_estimates {25: 46526, 10: 48176, 5: 50745, 2: 50749} I/i | interface.[localhost:50002] | set blockchain with height 653567 I/i | interface.[localhost:50002] | skipping header 653567 I/n | network | fee_estimates {25: 46526, 10: 48175, 5: 50745, 2: 50749} I/p | plugin.Plugins | loaded bitbox02 I/p | plugin.Plugins | loaded coldcard I/p | plugin.Plugins | loaded digitalbitbox I/p | plugin.Plugins | loaded keepkey I/p | plugin.Plugins | loaded ledger I/p | plugin.Plugins | loaded safe_t I/p | plugin.Plugins | loaded trezor I | plugin.DeviceMgr | scanning devices... D | util.profiler | DeviceMgr.scan_devices 0.0244 W | gui.qt.installwizard.InstallWizard | error getting device infos for bitbox02: Missing libraries for bitbox02. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for coldcard: Missing libraries for coldcard. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for keepkey: Missing libraries for keepkey. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for ledger: Missing libraries for ledger. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for safe_t: Missing libraries for safe_t. // Make sure you install it with python3 I | plugins.trezor.qt.Plugin | connecting to device at webusb:001:3 I | plugins.trezor.qt.Plugin | connected to device at webusb:001:3 I | plugin.DeviceMgr | Registering My TREZOF3342BDD7C90C7F9FBA58136 I | plugin.DeviceMgr | scanning devices... D | util.profiler | DeviceMgr.scan_devices 0.0388 I/i | interface.[localhost:50002] | skipping header 653567 qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 4028, resource id: 14687032, major code: 40 (TranslateCoords), minor code: 0 I | plugin.DeviceMgr | scanning devices... D | util.profiler | DeviceMgr.scan_devices 0.0407 
This is the point where the window freezes. Then I precc `Ctrl+C` to send a SIGINT signal and then this is the rest of the logs:
I/n | network | couldn't launch iface technetium.network:50002:s -- TimeoutError() I/n | network | couldn't launch iface e2.keff.org:50002:s -- TimeoutError() I/n | network | couldn't launch iface electrum-server.ninja:50002:s -- TimeoutError() I/n | network | couldn't launch iface xray587.startdedicated.de:50002:s -- TimeoutError() I/n | network | couldn't launch iface electrum.mindspot.org:50002:s -- TimeoutError() I/i | interface.[electrum.leblancnet.us:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/n | network | couldn't launch iface electrum.leblancnet.us:50002:s -- CancelledError() I/i | interface.[ex01.axalgo.com:50002] | succeeded in getting cert I/i | interface.[electrumx.schulzemic.net:50002] | succeeded in getting cert ^CE | gui.qt.installwizard.InstallWizard | Traceback (most recent call last): File "/uslib/python3.8/site-packages/electrum/base_wizard.py", line 446, in on_hw_derivation xpub = self.plugin.get_xpub(device_info.device.id_, derivation, xtype, self) File "/uslib/python3.8/site-packages/electrum/plugins/trezotrezor.py", line 315, in get_xpub xpub = client.get_xpub(derivation, xtype) File "/uslib/python3.8/site-packages/electrum/plugin.py", line 362, in wrapper return run_in_hwd_thread(partial(func, *args, **kwargs)) File "/uslib/python3.8/site-packages/electrum/plugin.py", line 355, in run_in_hwd_thread return fut.result() File "/uslib/python3.8/concurrent/futures/_base.py", line 434, in result self._condition.wait(timeout) File "/uslib/python3.8/threading.py", line 302, in wait waiter.acquire() KeyboardInterrupt I/i | interface.[ex01.axalgo.com:50002] | connection established. version: ['ElectrumX 1.14.0', '1.4'] I/i | interface.[electrumx.schulzemic.net:50002] | connection established. version: ['ElectrumX 1.15.0', '1.4'] I/i | interface.[ex01.axalgo.com:50002] | set blockchain with height 653567 I/i | interface.[ex01.axalgo.com:50002] | skipping header 653567 I/n | network | fee_estimates {25: 46526, 10: 48176, 5: 50745, 2: 50749} I/i | interface.[electrumx.schulzemic.net:50002] | set blockchain with height 653567 I/i | interface.[electrumx.schulzemic.net:50002] | skipping header 653567 I/n | network | fee_estimates {25: 46526, 10: 48176, 5: 50745, 2: 50749} I/n | network | couldn't launch iface dragon085.startdedicated.de:50002:s -- TimeoutError() I/i | interface.[btc.electroncash.dk:60002] | succeeded in getting cert I/i | interface.[mxhwmwa3nt2si4ufszm24whlpkruu74jle27ys2fyjuiifbbrub6thyd.onion:50006] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-2, 'Name or service not known'))) I/n | network | couldn't launch iface mxhwmwa3nt2si4ufszm24whlpkruu74jle27ys2fyjuiifbbrub6thyd.onion:50006:s -- CancelledError() I/i | interface.[electrum2.villocq.com:50002] | disconnecting due to: ErrorGettingSSLCertFromServer(ConnectError(gaierror(-5, 'No address associated with hostname'))) I/n | network | couldn't launch iface electrum2.villocq.com:50002:s -- CancelledError() I/i | interface.[btc.electroncash.dk:60002] | connection established. version: ['ElectrumX 1.15.0', '1.4'] I/i | interface.[btc.electroncash.dk:60002] | set blockchain with height 653567 I/i | interface.[btc.electroncash.dk:60002] | skipping header 653567 I/n | network | fee_estimates {25: 46526, 10: 48176, 5: 50745, 2: 50749} I/i | interface.[btc.electrum.bitbitnet.net:50002] | connection established. version: ['ElectrumX 1.15.0', '1.4'] I/i | interface.[btc.electrum.bitbitnet.net:50002] | set blockchain with height 653567 [169/1884] I/i | interface.[btc.electrum.bitbitnet.net:50002] | skipping header 653567 I/n | network | fee_estimates {25: 46526, 10: 48176, 5: 50745, 2: 50749} I | plugin.DeviceMgr | scanning devices... D | util.profiler | DeviceMgr.scan_devices 0.0394 W | gui.qt.installwizard.InstallWizard | error getting device infos for bitbox02: Missing libraries for bitbox02. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for coldcard: Missing libraries for coldcard. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for keepkey: Missing libraries for keepkey. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for ledger: Missing libraries for ledger. // Make sure you install it with python3 W | gui.qt.installwizard.InstallWizard | error getting device infos for safe_t: Missing libraries for safe_t. // Make sure you install it with python3 I/i | interface.[bitcoin.aranguren.org:50002] | skipping header 653567 E | daemon.Daemon | GUI raised exception: ReRunDialog(). shutting down. I | gui.qt.ElectrumGui | closing GUI I | daemon.Daemon | shutting down network I/n | network | stopping network I/n | network | couldn't launch iface electrum.hodlister.co:50002:s -- CancelledError() I/n | network | couldn't launch iface orannis.com:50002:s -- CancelledError() I/i | interface.[localhost:50002] | disconnecting due to: CancelledError() I/i | interface.[electrumx.schulzemic.net:50002] | disconnecting due to: CancelledError() I/i | interface.[ex01.axalgo.com:50002] | disconnecting due to: CancelledError() I/i | interface.[2AZZARITA.hopto.org:50006] | disconnecting due to: CancelledError() I/i | interface.[btc.electroncash.dk:60002] | disconnecting due to: CancelledError() I/i | interface.[electrum3.hodlister.co:50002] | disconnecting due to: CancelledError() I/i | interface.[btc.electrum.bitbitnet.net:50002] | disconnecting due to: CancelledError() I/i | interface.[bitcoin.aranguren.org:50002] | disconnecting due to: CancelledError() I/n | network | taskgroup stopped. I | daemon.Daemon | stopping taskgroup I | daemon.Daemon | taskgroup stopped. I | daemon.Daemon | removing lockfile I | daemon.Daemon | stopped E | __main__ | daemon.run_gui errored Traceback (most recent call last): File "/uslib/python3.8/site-packages/electrum/gui/qt/installwizard.py", line 118, in func_wrapper run_next(*out) File "/uslib/python3.8/site-packages/electrum/base_wizard.py", line 193, in on_wallet_type self.run(action) File "/uslib/python3.8/site-packages/electrum/base_wizard.py", line 115, in run f(*args, **kwargs) File "/uslib/python3.8/site-packages/electrum/base_wizard.py", line 225, in choose_keystore self.choice_dialog(title=title, message=message, choices=choices, run_next=self.run) File "/uslib/python3.8/site-packages/electrum/gui/qt/installwizard.py", line 106, in func_wrapper out = func(*args, **kwargs) File "/uslib/python3.8/site-packages/electrum/gui/qt/installwizard.py", line 594, in choice_dialog self.exec_layout(vbox, title) File "/uslib/python3.8/site-packages/electrum/gui/qt/installwizard.py", line 429, in exec_layout raise GoBack from None electrum.base_wizard.GoBack The above exception was the direct cause of the following exception: Traceback (most recent call last): File "/usbin/electrum", line 380, in  d.run_gui(config, plugins) File "/uslib/python3.8/site-packages/electrum/daemon.py", line 566, in run_gui self.gui_object.main() File "/uslib/python3.8/site-packages/electrum/gui/qt/__init__.py", line 363, in main if not self.start_new_window(path, self.config.get('url'), app_is_starting=True): File "/uslib/python3.8/site-packages/electrum/gui/qt/__init__.py", line 247, in wrapper return func(self, *args, **kwargs) File "/uslib/python3.8/site-packages/electrum/gui/qt/__init__.py", line 271, in start_new_window wallet = self._start_wizard_to_select_or_create_wallet(path) File "/uslib/python3.8/site-packages/electrum/gui/qt/__init__.py", line 313, in _start_wizard_to_select_or_create_wallet wizard.run('new') File "/uslib/python3.8/site-packages/electrum/base_wizard.py", line 115, in run f(*args, **kwargs) File "/uslib/python3.8/site-packages/electrum/base_wizard.py", line 153, in new self.choice_dialog(title=title, message=message, choices=choices, run_next=self.on_wallet_type) File "/uslib/python3.8/site-packages/electrum/gui/qt/installwizard.py", line 131, in func_wrapper raise ReRunDialog() from e electrum.base_wizard.ReRunDialog I/p | plugin.Plugins | stopped 
submitted by bIacktemplar to Electrum [link] [comments]

Weird behavior when scripting electrum's ECPrivkey(...).sign_transaction(...)

Update

Nevermind... Electrum is performing low-value R-grinding and bitcoinlib and CoinBin are not. For anyone interested, the grinding code his here. Nuking the while look makes the sigs the same.
A few days ago I used bitcoinlib to create a OP_CLTV transaction. Tonight I did the same with Electrum 4.0.4 via python and my sigs don't match.
The TXN I'm trying to match is:
The TXN has the following characteristics:
When I try signing the sighash (pre-image hash) using both bitcoinlib and Electrum 4.0.4, I get different results. I coded the TXN through another wallet as well (CoinBin), and bitcoinlib seems to be producing the proper signature, but Electrum's seems off.
I'm sure there is something simple I'm missing, but I can't figure it out.
Here's a test script to illustrate the differences:
``` from bitcoin.core.key import use_libsecp256k1_for_signing from bitcoin.core import x, b2x from bitcoin.wallet import CBitcoinSecret from electrum.ecc import ECPrivkey from electrum.bitcoin import EncodeBase58Check
use_libsecp256k1_for_signing(True) sechex = '535b755a4c265772c4f6c7e0316bfd21e24c9e47441989e14e8133c7cb2f41a3' hashhex = '9039c54c1c34aa12b69b4dda962f501bb6c9cdb6745014ef326f5d4d0472aa99' seckey = CBitcoinSecret.from_secret_bytes(x(sechex)) sig = seckey.sign(x(hashhex)) b_wif = str(seckey) b_pub = b2x(seckey.pub) b_sig = b2x(sig) seckey = ECPrivkey(x(sechex)) sig = seckey.sign_transaction(x(hashhex)) e_wif = EncodeBase58Check(b'\x80' + seckey.get_secret_bytes() + b'\x01') e_pub = seckey.get_public_key_hex(compressed=True) e_sig = b2x(sig) assert b_wif == e_wif assert b_pub == e_pub print("wif:", b_wif) print("pub:", b_pub) print("sighash:", hashhex) print("bitcoinlib sig:", b_sig) print("electrum sig: ", e_sig) 
```
The resultant sigs are:
Thoughts?
submitted by brianddk to Electrum [link] [comments]

[PSA] Electrum and Eclair both support Testnet-LN to learn about LN

Update

I rewrote this post to clean it up a bit and add more context.
With the last few drops of Electrum it's been much easier to use LN. I've played around with Electrum-desktop on testnet. Everything worked great, and it is a great way to learn about channel capacity and invoices without having to put real money at risk. Electrum has a "swap" button to adjust capacity but I think it may be broken on testnet presently. There are a few ways to adjust capacity / liquidity that I'll discuss below.

Get Electrum running

  1. Install Electrum 4.0.2 and run it on testnet enabling LN.
  2. Get testnet BTC and send it to Electrum
  3. Open a channel in Electrum with either a known entity, or use their channel suggestion
  4. Wait an hour or so for the channel to open.
  5. Perform a submarine-swap operation to give you a 50/50 capacity
  6. Wait for the swap to complete

Balance capacity

LN channels have a (local) sending capacity and a (remote) receiving capacity. To verify your local/remote capacity click on the channel and view "Details". New channels default to 100%/0% local/remote capacity, meaning you can send, but not receive. There is also some rule that requires you to be below 90% local before you can receive anything. So if you need to receive payments on LN before you spend 10% of your local capacity you will need to find a way to balance local/remote. As mentioned before, the easiest is just to spend (try starblocks), but if you don't have anything to spend on there are some other options

Test Node Visibility

Once you free up some receive capacity, you also need to ensure that your node is reachable. In the default config your node will not be publicly visible. Electrum will handle the last hop for you, but your sender still need to at least be able to route to one of the nodes you have receive capacity on. This may occationally fail causing "Path not found" errots when sending, or when others send to you. In the Electrum preferences there are some options to run local watchtowers and keep the app resident. This will help since your wallet needs to be running for it to receive payments. But even if you enable all options sometimes you will just end up on an isolated node. If this happens, take care to ensure you connect to nodes that are highly connected to others (view 1ml highly connect list).
If you want to test your visibility, just paste an invoice in this thread and hopefully someone can try to send you some tBTC-LN.
submitted by brianddk to Bitcoin [link] [comments]

BuilderException when running Electrum in Kivy mode from source on desktop

Update:

There is a themeing makefile that I missed in the FAQ which is the cause of the issue.
Electrum is a fairly major Android open-source bitcoin wallet written in Kivy. In theory, the same source should render on desktop as well, but I can't seem to get it to work. I'm getting the following error:
``` kivy.lang.builder.BuilderException: Parser: File "/src/electrum.git/electrum/gui/kivy/main.kv", line 214: ... 212: rgba: 0.192, .498, 0.745, 1 213: BorderImage:
214: source: 'atlas://electrum/gui/kivy/theming/light/card_bottom' 215: size: self.size 216: pos: self.pos ... Exception: Unable to found None atlas ```
The referenced path electrum/gui/kivy/theming/light only contains PNG files.
The full Kivy log and python traceback are included in the Github issue linked above.
Anyone familiar with the Electrum source? Any clues as to what is happening other than File Not Found
submitted by brianddk to kivy [link] [comments]

Beginner guide to Electrum on Testnet-LN allowing you to learn without cost.

Update

I rewrote this post to clean it up a bit and add more context. The original can still be found here
With the last few drops of Electrum it's been much easier to use LN. I've played around with Electrum-desktop on testnet. Everything worked great, and it is a great way to learn about channel capacity and invoices without having to put real money at risk. Electrum has a "swap" button to adjust capacity but I think it may be broken on testnet presently. There are a few ways to adjust capacity / liquidity that I'll discuss below.

Get Electrum running

  1. Install Electrum 4.0.2 and run it on testnet enabling LN.
  2. Get testnet BTC and send it to Electrum
  3. Open a channel in Electrum with either a known entity, or use their channel suggestion
  4. Wait an hour or so for the channel to open.
  5. Perform a submarine-swap operation to give you a 50/50 capacity
  6. Wait for the swap to complete

Balance capacity

LN channels have a (local) sending capacity and a (remote) receiving capacity. To verify your local/remote capacity click on the channel and view "Details". New channels default to 100%/0% local/remote capacity, meaning you can send, but not receive. There is also some rule that requires you to be below 90% local before you can receive anything. So if you need to receive payments on LN before you spend 10% of your local capacity you will need to find a way to balance local/remote. As mentioned before, the easiest is just to spend, but if you don't have anything to spend on there are some other options

Test Node Visibility

Once you free up some receive capacity, you also need to ensure that your node is reachable. In the default config your node will not be publicly visible. Electrum will handle the last hop for you, but your sender still need to at least be able to route to one of the nodes you have receive capacity on. This may occationally fail causing "Path not found" errots when sending, or when others send to you. In the Electrum preferences there are some options to run local watchtowers and keep the app resident. This will help since your wallet needs to be running for it to receive payments. But even if you enable all options sometimes you will just end up on an isolated node. If this happens, take care to ensure you connect to nodes that are highly connected to others.
If you want to test your visibility, just paste an invoice in this thread and hopefully someone can try to send you some tBTC-LN.
submitted by brianddk to brianddk [link] [comments]

Calculate txn_id from raw txn_hex

I'm trying to calculate a txn_id from raw txn_hex. The procedure works fine for legacy TXNs but gets non-expected results on Segwit TXNs. I compared this snippet of code to what txn_id was produced by Electrum and the blockchain.com TXN decoder:
  1. Take in TXN in hex
  2. Convert the hex to binarray
  3. Double hash binarray
  4. Reverse the resultant digest because of endianness
  5. Display in hex.
t0 is my legacy testnet TXN and t1 is my segwit testnet TXN.
Thoughts?

UPDATE

Found the relevant source in Electrum transaction.py:1036
Basically you strip the flags and tx_witnesses listed in the wiki spec
```python

!/usbin/env python3

[repo] https://github.com/brianddk/reddit ... python/txn_hash.py

[ref] https://www.reddit.com/g4hvyf

from hashlib import sha256
def txid(tx): bin = bytes.fromhex(tx) txid = sha256(sha256(bin).digest()).digest()[::-1].hex() return txid

Raw Legacy

t0 = ('0200000001cd3b93f5b24ae190ce5141235091cd93fbb2908e24e5b9ff6776ae' 'c11b0e04e5000000006b4830450221009f156db3585c19fe8e294578edbf5b5e' '4159a7afc3a7a00ebaab080dc25ecb9702202581f8ae41d7ade2f06c9bb9869e' '42e9091bafe39290820438b97931dab61e140121030e669acac1f280d1ddf441' 'cd2ba5e97417bf2689e4bbec86df4f831bf9f7ffd0fdffffff010005d9010000' '00001976a91485eb47fe98f349065d6f044e27a4ac541af79ee288ac00000000')

Raw Segwit

t1 = ('0200000000010100ff121dd31ead0f06e3014d9192be8485afd6459e36b09179' 'd8c372c1c494e20000000000fdffffff013ba3bf070000000017a914051877a0' 'cc43165e48975c1e62bdef3b6c942a38870247304402205644234fa352d1ddbe' 'c754c863638d2c26abb9381966358ace8ad7c52dda4250022074d8501460f4e4' 'f5ca9788e60afafa1e1bcbf93e51529defa48317ad83e069dd012103adc58245' 'cf28406af0ef5cc24b8afba7f1be6c72f279b642d85c48798685f86200000000')

UPDATE Raw Segwit with flags and tx_witnesses stripped

t2 = ('02000000' '0100ff121dd31ead0f06e3014d9192be8485afd6459e36b09179' 'd8c372c1c494e20000000000fdffffff013ba3bf070000000017a914051877a0' 'cc43165e48975c1e62bdef3b6c942a3887' '00000000')
print(f"t0: {txid(t0)}\nt1: {txid(t1)}\nt2: {txid(t2)}")

TXN_IDs from the above python

t0: cb33472bcaed59c66fae30d7802b6ea2ca97dc33c6aad76ce2e553b1b4a4e017

t1: b11fdde7e3e635c7f15863a9399cca42d46b5a42d87f4e779dfd4806af2401ce

t2: d360581ee248be29da9636b3d2e9470d8852de1afcf3c3644770c1005d415b30

TXN_IDs from Electrum

t0: cb33472bcaed59c66fae30d7802b6ea2ca97dc33c6aad76ce2e553b1b4a4e017

t1: d360581ee248be29da9636b3d2e9470d8852de1afcf3c3644770c1005d415b30

```
submitted by brianddk to Bitcoin [link] [comments]

Electrum Wallet hacked. 200 BTC stolen so far (nearly $800,000). Details inside...

The hacker setup a whole bunch of malicious servers.
If someone's Electrum Wallet connected to one of those servers, and tried to send a BTC transaction, they would see an official-looking message telling them to update their Electrum Wallet, along with a scam URL.
The hacker has already stolen 200 BTC (nearly $800,000), at this one address (he has multiple receiving addresses).
UPDATE: The hacker seems to be consolidating his stolen BTC here (243.6 BTC; nearly $1 million):
UPDATE: Now I'm being quoted in news articles.
ADVICE: Ignore any "update" notifications in Electrum. I'm not 100% certain, but if you never downloaded the "update", your wallet & funds should be ok. As for usage, I'd personally avoid using Electrum wallet for a few days, until the devs figure everything out (the vulnerability hasn't been fully plugged yet).
submitted by normal_rc to CryptoCurrency [link] [comments]

If you use Electrum, in case you get a error message that tells you to update please ignore (ongoing phishing attack).

Details here: https://github.com/spesmilo/electrum/issues/4968
copy paste from SomberNight in the github issue:
TL;DR: There is an ongoing attack against users where servers raise exceptions when a client broadcasts a transaction; in this case the error text is displayed as is in the client GUI. The attacker has spawned lots of servers on different /16 IPv4s to increase his chances of being connected to. The error messages are trying to get the user to download and install malware (disguised as updated versions of electrum).` 
apparently previous Electrum versions allow richtext in error messages sent by the server, so the upgrade warning might look legit to people...
Always remember to verify pgp / gpg signatures of bitcoin software you install.
submitted by fmlnoidea420 to Bitcoin [link] [comments]

Maybe /r/Bitcoin should pin the Electrum phishing warning for a longer period?

Maybe /Bitcoin should pin the Electrum phishing warning for a longer period?
Just had a look at electrum's github issue tracker... Another wave of phishing attack just happened. :-(
https://github.com/spesmilo/electrum/issues/5056

Till now, Electrum servers are not controlled by the developers, anyone may set up their own server & join the network.

If the user is still running vulnerable versions (<=3.3.2) of Electrum, the attacker could send him/her a phishing message:

Phishing message

Above "update required" message is fake. Though, an update is in deed necessary. Remember the real official site of Electrum:

https://electrum.org
https://github.com/spesmilo/electrum
It's always good to verify digital signatures, instruction for Windows users is here.
BTW, The real Electrum 3.3.3 actually implemented "update notification" feature😂, which requires digital signature to keep safe.

The previous issue thread discussing this kind of phishing attack: https://github.com/spesmilo/electrum/issues/4968
submitted by KiFastCallEntry to Bitcoin [link] [comments]

Electrum Version 4.xx | GOT SCAMMED |

I lost $250!
Still unsure how they pulled it off...
I used 100% the official version of Electrum back in december (last transaction)
Thank god i purposely moved funds back into the wallet i was going to use, instead of using it as a main wallet.

https://imgur.com/a/kHDOjyT
seen on a different thread

this was the message...

Please for the sake of god, use a hardware wallet you guys, it'll be less convenient, but much safer.
I normally browse this subreddit, i wish i seen this :(

upvote to spread awareness
https://prnt.sc/orws8p

1MGeSQ1YYxuQGXFkeXcNbZwZsW2rKuNa8K
this is one of their addresses, showing my $250 along with $22,000 USD more :(

Hello,
We have reviewed the transaction details provided and this transaction does not belong to a BitPay invoice (X).
If you have sent your bitcoin to any address not associated to BitPay or a BitPay merchant, there is nothing that BitPay can do to recover your payment for you.
We noticed that you said you were using Electrum wallet, are you using a version 4.x? If so, we regret to inform you that your funds have likely been stolen.
The official source of the Electrum wallet is https://electrum.org/#download
Per the above website, the Latest release is Electrum-3.3.8.
There has been reports of a phishing attack against the Electrum wallet which you can read more about at https://github.com/spesmilo/electrum/issues/4968.
It looks like this was an attack that gave an update notification from within the app, telling you to upgrade the app. If you followed these instructions, it downloaded a malicious version of the Electrum wallet to your device, and stole your funds.
To follow a recommendation from Electrum's website, you should not download Electrum from another source than electrum.org, and need to learn learn to verify GPG signatures if you are trusting open source software with your money.
You can read more in depth about this exploit at https://blog.coinbase.com/electrohunt-part-1-hunting-for-the-phishing-campaigns-on-the-electrum-network-b10529162e63.
If you have any funds left in that wallet, it is highly recommended to move them to another wallet immediately (do not transfer from the compromised version, use your 12 word seed phrase to import the wallet to another wallet app, then transfer the funds to a new wallet with a different 12 word seed phrase)
Please let us know if you have any questions.
Check out our How To Library on YouTube!
submitted by JeffBezos3 to Bitcoin [link] [comments]

KYC-Tezos wallets vulnerable to "blind sig" attack

KYC-Tezos wallets vulnerable to
Summary
Most KYC-Tezos wallets we tested are vulnerable to a simple yet catastrophic attack that can lead to loss of all funds on wallet (blind signature vulnerability). These wallets connect to a server (the RPC node) but they do not build the raw tx like normal cryptocurrency wallets, nor do they check the binary provided by the RPC before signing it. Should the RPC get hacked (or turn malicious) it will provide clients a malicious tx to sign: with no way to parse the binary, the unsuspecting user will sign a tx which sends 100% of their funds to the attacker's address. (Update: since publishing this post some wallets have fixed the issue, see table below)

Ledger
Ledger users are not safe. This video shows how funds can be stolen from a Ledger device.

Demo
To demonstrate the vulnerability we also expose a malicious RPC to test your wallet against it (warning: funds could be lost).


Vulnerable wallets

RPC address WHOIS record Can set custom RPC? Vulnerable?
Atomic n/a n/a No Yes
Galleon tezos-prod.cryptonomic-infra.tech Anonymous (Panama) Yes No (fixed in 0.7.0b+)
Guarda mainnet.tezrpc.me Anonymous (US) No Yes
Kukai mainnet.tezrpc.me Anonymous (US) No No
Librebox mainnet.tezrpc.me Anonymous (US) Yes No
Magnum tezos.mgnm.rocks (updated) Anonymous (Russia) No No (fixed in v137+)
T3Wallet n/a n/a No Yes
Tezbox Web mainnet.tezrpc.me Anonymous (US) Yes No (fixed)
Tezbox Chrome mainnet.tezrpc.me Anonymous (US) Yes No (fixed in 13.0.0)
Tezbox MacOs mainnet.tezrpc.me Anonymous (US) Yes No (fixed in 4.0.0+)
Tezbox Windows mainnet.tezrpc.me Anonymous (US) Yes No (fixed in 4.0.0+)
Tezos Blue n/a n/a No No (fixed in v0.4.3+)
TezBridge mainnet.tezbridge.com Anonymous (Panama) Yes Yes
WeTez n/a n/a No Yes

Why it matters
Cryptocurrency wallets were meant to be trustless, but most KYC-Tezos wallets are not. When you're signing any tx with these wallets you're trusting the server (RPC) to send your money where you actually want it to go. Even if you trust the sourcecode of your wallet and are not using a web wallet, you're still vulnerable. The RPC you rely upon could turn malicious (e.g. be hacked) at any moment in time, with no way for you to detect it.

How the attack works
  1. RPC turns malicious (e.g. gets hacked)
  2. Wallet securely connects to malicious RPC via HTTPS
  3. Wallet provides JSON of tx to build
  4. RPC provides malicious binary sending funds to attacker's address
  5. Wallet blindly signs binary
  6. RPC broadcasts tx: funds are now lost

In a variant of the attack, the unsuspecting user will set a malicious RPC as custom RPC in their wallet. There are multiple ways someone could be tricked to do that (see Electrum hack below).

Causes
More than wallet developers themselves, we deem KYC-Tezos developers inadequacy and lack of understanding of an adversarial environment as the culprit for this simple yet potentially catastrophic vulnerability.
1.Wrong design
The RPC exposes a JSON API to build the tx, which is then provided to the client for signing, and returned to the RPC for broadcast. This is not how a blockchain wallet should work: txs should be built and signed locally, and only then pushed to a server.
2.OCaml binary with no serialization specs
In the KYC-Tezos APIs there is no spec for the transaction binary format. tezos-data-encoding is the library responsible for encoding a tx, so the tx format is tightly coupled with the the serialization of OCaml objects. An OCaml binary with no spec is what led GUI wallet developers, who are not using OCaml, to just trust the binary provided by the RPC instead of parsing and checking it.

A secure channel with your attacker
SSL security between client and server won't help: if the RPC turns malicious, it will first establish a secure connection as usual and then provide a malicious tx to sign. Hiding in plain sight, KYC-Tezos APIs actually hint [1] to the vulnerability. The "solution" they suggest is securing the connection, which as already explained does not solve the issue at all while providing users a false sense of security.

Hiding in plain sight: a hint from KYC-Tezos APIs

What happened to Electrum
Recently more than $750,000 were stolen by an attacker spawning malicious Electrum servers and stealing BTC from Electrum users. [2][3]
The attack succeeded despite Electrum being way more secure than KYC-Tezos wallets: with Electrum the tx is generated by the client and not by the server.

Malicious RPC demo
Set this custom RPC in your wallet to test the vulnerability:
https://demo.tzlibre.io/malicious/ 
WARNING: IF YOUR WALLET IS VULNERABLE FUNDS WILL BE LOST AND SENT TO FOUNDATION BAKER 1 (tz3RDC3Jdn4j15J7bBHZd29EUee9gVB1CxD9)
As safety measure this demo RPC only manipulates recpient's address, and not the transaction amount as well.
If your wallet is vulnerable and not listed above yet, please let us know.

How we fixed it
We fixed the vulnerability in LibreBox by checking portions of the tx (such as destination address, amount, etc) after a reverse-engineering of the tx format itself.

Suggested next steps
  • KYC-Tezos users: do not sign any tx with a vulnerable wallet until the vulnerability is addressed.
  • Wallet developers: immediately start warning your users of the danger, until binary txs are parsed and checked. If you resolved the issue or if your wallet is not listed, feel free to contact us to update this post.
  • Tezos Foundation: immediately release specs for the binary tx format, and improve documentation to a more decent standard.

Update (1/14/2019): in a previous version of this post Kukai was wrongly listed as vulnerable. Kukai has never been vulnerable to the attack. Tezbox Web has fixed the vulnerability, while Tezbox Chrome, Tezbox MacOs, Tezbox Windows remain vulnerable.
Update (1/15/2019): Magnum has fixed the vulnerability in v137 and changed the RPC from mainnet.tezrpc.me to tezos.mgnm.rocks
Update (1/16/2019): Tezos Blue has fixed the vulnerability on Github [4], but their 3 apps remain vulnerable to date.
Update (1/17/2019): TezBox has fixed the vulnerability on Chrome, MacOs, Windows. Tezos Blue has fixed the vulnerability on all 3 apps with v0.4.3
Update (1/18/19); Galleon has fixed the vulnerability in version 0.7.0b

References
[1] https://tezos.gitlab.io/alphanet/introduction/various.html#signer
[2] https://github.com/spesmilo/electrum/issues/4968
[3] https://www.zdnet.com/article/users-report-losing-bitcoin-in-clever-hack-of-electrum-wallets/
[4] https://github.com/tezos-blue/client/commit/7eb335df64f4b72706fa2252dd369edca903ee93
submitted by tzlibre to tzlibre [link] [comments]

Trezor Troubleshooting Guide

I've noticed some redundancy in some of the issues raised on this subreddit, thought I'd start a generic troubleshooting thread of what I've found useful. I'd appreciate any suggestions mods or other experts might have.

I - Prerequisite

  1. Read the FAQ
  2. Read the Users manual
  3. Read the Developers guide
  4. Search the Wiki
  5. Try the trezor Troubleshooter

II - Trezor connectivity / stuck spinning circle

  1. Try different cable / USB port / computer
  2. Try without crappy Antivirus software.
  3. Manually add the bootloader registry value just to be paranoid.
  4. Install WinUSB driver with Zadig.
  5. Try disabling browser extensions / ad-blockers.
  6. Try Chrome Guest Mode (easiest way to disable extensions)
  7. Try different browser (Chrome / Chromium / Firefox / Brave)
  8. Try WebUSB
  9. Try Android
  10. Try VirtualBox
  11. Try old-wallet.trezor.io
  12. Try beta-wallet.trezor.io
  13. Try beta-wallet.trezor.io/next

III - Updated FW, coins are gone

  1. Try Legacy Account section.
  2. Did you use the right seed?
  3. Did you use the right passphrase?
  4. Did you enter the recover seed words in the order the Trezor asked you to (hint: not first to last)?
  5. Did you verify that your recovery seed words are in the word list?
  6. Did you check all accounts (click add account) for transactions, or check all MEW ETH accounts (next page) as well?
  7. Did you check your transaction history (Legacy and Segwit) to see if anyone moved coins while you were dormant?
  8. Did you regularly do a dry-run recover to verify that you actually possess the recovery seed that the Trezor is operating with?
  9. Check to see if your brother-in-law found your seed and stole your coins.
  10. Check to see if the digital copy of your seed was hacked.

IV - Can't / Don't want to update FW.

  1. Try performing a dry-run to ensure you have the right seed.
  2. Say a prayer and hope you have the right passphrase.
  3. Use an old version of Electrum / MyCrypto / MEW to see if you can find TXN history.
  4. Use an old version of Electrum / MyCrypto / MEW to move most funds.
  5. Use an old version of trezorctl to move the other funds.
  6. Buy a second Trezor and update that.

V - I'm new to this, How should I backup my seed / passphrase.

  1. Make it simple, your kids / kin may be the ones doing the recovery.
  2. Make it secure in a lockbox or safe or something reasonable.
  3. Make it accessible in case there is market volatility.
  4. Make it resilient and redundant in case there is a fire / zombie apocalypse.
  5. Don't make it digital, hackers are smarter than you are.

VI - I forgot my PIN now I can't access my device

  1. Say a prayer and hope you have the right seed.
  2. Say a prayer and hope you have the right passphrase.
  3. Wipe your device then recover with the seed / passphrase to reset PIN.
  4. Don't forget again.

VII - I forgot my seed / passphrase, what now

  1. Nothing, you effectively put physical currency in an incinerator, no getting it back.
  2. Realize that you've learned a valuable lesson that will serve you well in the future.
  3. Advocate to others the importance of following section [V] above.

VIII - I want support for CrappyForkCoin and I want it now!

  1. Figure out what the fork_id is for CrappyForkCoin and write your own coin JSON file.
  2. Use your JSON file to compile your own CrappyForkCoin trezor FW.
  3. Flash your CrappyForkCoin trezor FW to your personal trezor.
  4. Use trezorctl to make CrappyForkCoin transactions.
  5. Read the wiki on how to add coins just to make sure.
submitted by brianddk to TREZOR [link] [comments]

200BTC Already Hacked. Electrum users beware of the ongoing Phishing/Hack.

Hello fellow Binance users, although this does not relate to Binance in anyway directly, I know there are a lot of us using bitcoin software wallet - Electrum to store/transact BTC. I have learned there is an ongoing Phishing attempt where when sending out a transaction you might see a page asking you to perform a "Security Update" This leads to a phishing site where you will be asked to download a malicious program which once installed somehow steals the seed & password from Electrum wallet and wipes it clean. Please be safe and share this everywhere possible to keep your fellow crypto users safe.
Links to Related articles below: https://www.reddit.com/Electrum/comments/a9x374/my_electrum_just_got_hacked/?ref=share&ref_source=link
https://github.com/spesmilo/electrum/issues/4968
submitted by SamZFury to BinanceExchange [link] [comments]

Can DDoS attacks harm your server and how to prevent them?

DDoS (distributed denial-of-service) attack is one of the most common forms of cyber-attacks these days. Their scale already exceeds one terabit per second and over 2000 of such attacks are being observed daily by Arbor Networks. So, should you care? Surely! It’s important to secure your network to stay calm and ensure uninterrupted services to your customers.
Possible Harm
DDoS attacks disturb regular tasks of a targeted computer system by flooding it with bogus traffic from numerous compromised machines. As a simple example, if your e-commerce site is under DDoS attack, your customers are withheld from placing new orders. If it’s a call center, your clients cannot make or receive calls. If it’s a booking engine, your clients are not able to make new reservations. In other terms, your service is being denied. Still, can these service disruptions make a lasting impact on your system and harm your customer base? Let’s try to answer this point by point.
How to avoid DDoS?
As DDoS attacks keep growing in volume and frequency, we should prevent them from making harm to your projects. You should plan ahead to secure your network and minimize the impact of such intrusion. So how to prevent ddos attacks?
Conclusion
Hackers are getting better each day with more and more methods available for finding vulnerable systems on the Internet. Nevertheless, there are now a lot of ways to protect your business and avoid DDoS attacks whatsoever. Do not hesitate to take preventative actions in advance and you will sleep well at night.

Originally posted at https://blog.cherryservers.com/ddos-attacks-and-their-prevention
submitted by diablom1980 to devops [link] [comments]

Differences in segwit text message (not txn) signing between Trezor FW and Electrum SW

SOLVED

Trezor seems complaint with BIP-0137, electrum is not. Created a feature request on github
I noticed that when signing TEXT messages with Trezor there seems to be a difference in the first byte of the signature between Electrum and Trezor.
Does anyone recall if this was ever put to a BIP or are the standards simply diverged at this point? I do recall some discussion on the bitcoin mailing list last year about this, but honestly I didn't follow it much.
submitted by brianddk to Electrum [link] [comments]

Electrum compromissed node/server spreading phishing

Something weird happened to me today when I was sending a small amount of bitcoin to another wallet. I am using electrum (and I use electrum and bitcoin for a long time) and when I hit "send" a weird pop up appeared asking me to "update my electrum to the version 3.4" and it's showed a link for a github repo. I'm not the smartest guy in the world but I'm here time enough to see a lot of different scams so what I did was, I went to electrum official site and didn't saw anything there about any update and the current version on the official site is 3.3.3 (the popup asked me to update to 3.4). So come to my mind something about "fake wallet repo on github", somebody posted here and was already discussed, so, I went to the electrum github direct from electrum site, their github was "spesmilo" and the one on the popup was "electrum-wallet", something like this. At this point I knew that something was wrong.

After all this journey I tried to send the transaction again and the same popup appeared (I know, it wasn't smart keep trying to send the transaction after this) and then I remembered about a similar attack on monero (https://www.reddit.com/Monero/comments/8cyi32/getting_error_message_sending_tx_with_new_gui/) and I thought, "maybe the server is compromissed". I opened my electrum server configuration and instead of let the software select a random server I picked up any server, I saved and tried to send the transaction again. Success and the transaction arrived on destination wallet.

Well, let's go to the bad thing, yes, I was an idiot and didn't took screenshot or even saved the server that I was using when the message appeared, it's would be helpfull here, I know, sorry for this but I was kind of scared so my brain didn't worked very well.

I don't know if this is an old attack or not but anyway guys, stay alert.

And sorry for bad english, english is not my first language.


tl;dr: Beware with popup asking to update your electrum when you try to move your coins, some compromised servers are spreadin "phishing".

submitted by JustinB1ber to Bitcoin [link] [comments]

200BTC Already Hacked. Electrum users beware of the ongoing Phishing/Hack.

Hello fellow Binance users, although this does not relate to Binance in anyway directly, I know there are a lot of us using bitcoin software wallet - Electrum to store/transact BTC. I have learned there is an ongoing Phishing attempt where when sending out a transaction you might see a page asking you to perform a "Security Update" This leads to a phishing site where you will be asked to download a malicious program which once installed somehow steals the seed & password from Electrum wallet and wipes it clean. Please be safe and share this everywhere possible to keep your fellow crypto users safe.
Links to Related articles below: https://www.reddit.com/Electrum/comments/a9x374/my_electrum_just_got_hacked/?ref=share&ref_source=link
https://github.com/spesmilo/electrum/issues/4968
https://user-images.githubusercontent.com/29142493/50359293-8780b500-055c-11e9-8cfd-83b342edeffb.png
submitted by SamZFury to binance [link] [comments]

How to get ElectrumG quickly. Bitcoin Brief - Electrum Attacked, Lightning in Browser, Litecoin at UFC 3rd Jan BTC Chart Update / Visual Map Of The Current Lightning Network / List Of Segwit Wallets Hardware Wallet vs Malware. Demo of Electrum Phishing & Clipboard Malware (Trezor, Ledger, Keepkey) EB69 – Thomas Voegtlin - Electrum, SPV Wallets And Bitcoin Aliases

Electrum; Bitcoin thin client. Contribute to spesmilo/electrum development by creating an account on GitHub. github.com. Initializing a Hardware Wallet. If you want to use a hardware wallet ... use the following search parameters to narrow your results: subreddit:subreddit find submissions in "subreddit" author:username find submissions by "username" site:example.com find submissions from "example.com" Spesmilo is a Python-based RPC front-end for bitcoind/Bitcoin-Qt, which is no longer maintained or active. Reported to be broken as-of bitcoind version 0.6. Principal authors: genjix and Luke-Jr Talk:Spesmilo. From Bitcoin Wiki. Jump to: navigation, search. Contents. 1 Dead? 2 Core; 3 First time startup; 4 Python API; 5 Cloud backup; Dead? According to the forums thread, this project no longer works as of bitcoind version 0.6. The last edit in the gitorious repository was Saturday July 16 2011. I vote that this wiki page either be deleted or the text changed to accurately reflect the ... Spesmilo Symbol Proposed by u/randbtcacct I propose ₷ or the "Spesmilo" as the satoshi unit symbol from r/Bitcoin ___ Posted by u/iamziyou. ___ Posted by u/Samsung_Galaxy_S9 Card ___ Einige Reddit-Nutzer waren skeptisch, ob Satoshi überhaupt ein separates Symbol braucht. This is the satoshi symbol, remember satoshi is still bitcoin. from r ...

[index] [41302] [42271] [20668] [38504] [34259] [19170] [34876] [4734] [17] [6619]

How to get ElectrumG quickly.

Richard briefly demonstrates how to download ElectrumG - BTG's in-house developed fork of the original Electrum SPV wallet ( https://github.com/spesmilo/elec... Gource visualization of electrum-server (https://github.com/spesmilo/electrum-server). Electrum server Coinbase: Brian Armstrong, Bitcoin, Cryptocurrency and More, BTC Price Prediction stay home BLABLATOYS - ΠΑΠΑΔΟΠΟΥΛΟΣ ΣΩΤΗΡΗΣ 3,133 watching Live now Powering an estimated 5-10% of all Bitcoin transactions, Electrum is one of the leaders of the Bitcoin wallet space. The open-source walled was started in 2011 and played a key role in the ... If you are new to Crypto, my suggestion is that you start with buying ~$150 worth of Bitcoin, Ethereum, Litecoin @ Coinbase and get familiar with storing it, moving it around, etc.

#