Electron-cash: RNG fail!! URGENT ATTENTION NEEDED

Created on 4 Dec 2018  路  41Comments  路  Source: Electron-Cash/Electron-Cash

Just swept my Ledger Nano S into EC after doing a split of BCH into BAB and BSV, to discover that the address had been used before, in March 2016. I did not use the Split address range (used Main) in the Ledger.

Evidence: https://blockchair.com/bitcoin-cash/address/1E7ouPswtXzXyKcLZJAxjGXrDA4HXLoR8d

This is astronomically unlikely unless the RNG is faulty.

blockchain confusion invalid

Most helpful comment

@cculianu Politics? Fine pal, you asked for it. The only reason that chain retained the BCH moniker on most exchanges was through their collusion with Roger Ver and Jihan Wu, who were crowing "We've won" within an hour of the split, doing backroom deals and stealing hash power from their pools' customers to bolster the coin. I don't believe they deserve the symbol BCH, and since what is now being presented as BCH is not what I signed up for, I'll call it whatever the fuck I like.

You could have just ignored it, you know.

The platform is Win7 with all the latest security updates.

All 41 comments

Thanks for bringing this to our attention... can you provide more details on the wallet, software version, etc?

If you don't mind, I'd suggest you empty out that address qz87xj9wrlgm5z0ry3qandj9z0l0uud9nv5tyacvcv and the rest of the wallet then if possible, pass on the emptied-out wallet seed to us. I can provide an encryption key if you want to keep things private.

This is astronomically unlikely unless the RNG is faulty

Jesus. You are right in how astronomically unlikely it is. We need to investigate this. Thanks.

Also please provide the SHA256 hash of the Electron Cash distributed file you installed, just in case you still have it around. Could be some kind of altered variant...

@haiqu So I am not understanding this fully because I'm not a Ledger guy. I don't know what "Main" means in the context of Ledger, for example.

Am I understanding this correctly?

  • You had some funds in your Ledger addresses
  • You swept those funds from those Ledger addresses into a freshly generated wallet on Electron Cash (software-only wallet, no ledger)
  • You found that the Electron-Cash generated wallet had a history (tx's from 2016).

Is this the situation?

I ask because I have never used a ledger so I don't know what typical uses of it are or how it could be involved. I just know they can sign tx's and contain hidden keys. That's about as far as my knowledge in them goes.

I also don't know what 'Main' means.

(I am trying to figure out if this is definitely an Electron Cash issue or if somehow your Ledger or something else could be involved.)

How come you didn't realise the wallet had history when first creating it?

@haiqu In line with cculianu's comment, I think it is important to lay out explicitly how you swept the keys. Especially, what process did you use to create a new wallet in EC? As kyuupichan mentioned, when you originally created the wallet, it would have shown you the old transactions before performing the sweep, so it seems we are missing some context.

@cculianu Main in this context means the standard BTC derivation path of m/44'/0'/0'
If I had used the Split addresses (unnecessary because of 2-way protection at the BTC/BCH split) it would have been m/44'/145'/0'

That's how I can see the old transactions even on the BCH/BAB explorer.

@MarkBlundeberg Ledger firmware is latest 1.4.2 EC wallet is 3.3.1CS (your splitter)

I'll give serious consideration to dumping to another seed, now that I have finally recovered the coins in hidden Ledger addresses. Will get back to you about that.

SHA256 of 3.3.1CS is b307b23f86aa8ec600d43686e3bf75d41ed423ea54290632d61466f8ab904656
SHA256 of 3.3.2 is 37632f10fc64242a5c8b21b29428b44d1ab3af2dbb78a6bb27e5319a1a501962

Downloaded 3.3.2 from the official site at https://electroncash.org and 3.3.1 from github.

@haiqu can you clarify whether the problem seed in question was generated by Electron Cash (Wallet creation dialog -> Create new seed), or generated by the Ledger? It's still unclear to me which wallet you're seeing this pre-used state on.

The fact that you're talking about Main / Split sounds like it's the Ledger's RNG that is worrisome in this case, but you also said you swept into EC.

Edit: Hashes look good! :+1:

The official Ledger recovery procedure should tell you that. It includes creating a new wallet from scratch then linking to the Nano S. See: https://support.ledgerwallet.com/hc/en-us/articles/360012270054-Safely-claim-Bitcoin-Cash-SV-BSV-

@kyuupichan Note I am u/coinstash at bchchat.slack

@haiqu Right, in that Ledger support procedure they say to create two wallet files in Electron Cash:

  1. A new 'throwaway' wallet, with fresh seed created by EC.
  2. A hardware-linked wallet, with seed generated by the hardware itself.

Are you saying wallet 1 is the one that was used before?

Yes. The keys it generated were secondhand.

@kyuupichan I didn't realize it until I sent some coins to that address and checked the BCH/BAB explorer.

Also note well that I didn't own any Bitcoin in Mar 2016 so this couldn't possibly be an old address of mine.

OK so it seems to be not relevant about the Ledger and the whole 'main' / 'split' thing since the secondhand wallet was generated in EC. I.e., the secondhand wallet is just standard the Electron Cash derivation path m/0' or whatever. I think all those extra details were what was confusing us all.

To interested parties: for reference, the code that generates seeds in EC appears to be here: https://github.com/Electron-Cash/Electron-Cash/blob/baa2d69f47e4136600fb73e231107f7449dd8759/lib/mnemonic.py#L164-L188
I am going to dig into the ecdsa module's rng just to see what is going on there... edit: I examined the deterministic Windows build files leftover on my computer. It has ecdsa 0.13 which uses os.urandom which in turn calls CryptGenRandom on windows. Seems kosher, though paranoid people worry about this function apparently.

I mentioned Main/Split to explain why I could see the old transactions at all. Sorry, should have been more explicit about why that was important.

Hmm now I'm more confused. If the problematic wallet was generated in EC then there is no main/split. How does that affect visibility of transactions?

Shit, you're right. It's irrelevant.

If you want to send me something sensitive like the Electron Cash-generated seed here's a pubkey you can use for the Electron Cash Tools | Encrypt / Decrypt message function: 02c9bb9b5a79f6d810eb52e6ca1ab114a9b8a6a9f60aff24595567051a04e74b2f

(no rush though, make sure your coins are secure first) :-)

Thanks. Just sending the BAB to exchanges to sell now. I can't really set up another wallet until that's done.

BTW while I have you here ... some clown was telling me today that all that's necessary to split BCH is to use EC and select a BAB node, send to a new address, then select a BSV node and send to a new address. Technically I don't know enough to negate this but he's intent on spreading this message at my expense.

It requires a splitting contract, right? Surely you didn't create 3.3.1CS for nothing.

Actually that approach can indeed work due to locktime. Calin did a quick writeup here. I know of several cases where this was even done accidentally (people split their coins but didn't mean to do it). Whatever method you can think of that results in successfully getting two conflicting transactions on the two chains, is a valid splitting method.

My splitting tool is technically more secure if you're worried about deep block reorganizations. But this seems now to be a distant threat.

Cool, thanks. I'm a bit relieved actually because that's how I had to move the hidden Ledger addresses (see report about Coin Splitter not working in these.)

Please stop calling it BAB. BAB is like the new bcash. It's BCH and BSV.

Please don't be political in this thread.

Thank you.

@markblundeberg It looks like the ecdsa library in use for the seed words uses platform-specific calls (os.urandom()) to get random bytes. I wonder if this is a potential platform issue for @haiqu .

@haiqu -- what platform (OS) and version are you on? Eg Windows 7, Windows 10, Ubuntu 18.10, macOS Sierra, etc.

@cculianu Politics? Fine pal, you asked for it. The only reason that chain retained the BCH moniker on most exchanges was through their collusion with Roger Ver and Jihan Wu, who were crowing "We've won" within an hour of the split, doing backroom deals and stealing hash power from their pools' customers to bolster the coin. I don't believe they deserve the symbol BCH, and since what is now being presented as BCH is not what I signed up for, I'll call it whatever the fuck I like.

You could have just ignored it, you know.

The platform is Win7 with all the latest security updates.

That escalated quickly.

Ok, well I'm closing this comment thread, sorry. You got "issues" alright, @haiqu ... and they aren't related to EC's RNG.

I'm still interested in this, if any evidence can be produced that the mnemonic generated by Electron Cash had prior history.

@markblundeberg Here's the seed encoded with your pub key. Appreciate the efforts here, despite the BABoons who like to censor.

QklFMQIrUVPCZSXCpLDnuK5I3IgwaEcEWZ6BELqqJO8mhT5EjIoKrDybxU4ZygBfCIKXxY1ztMCS08lhCmuXRVV/tGZdeYTGqSKamYmY0cpLQek+x/tTDFV5xuco2Wsnokbcj0mkQsT48OQAtdZJRjQhAT8B/nNVZhXBGAGX2boAG1+sElCFvFHK2wChRNjkwa9n/wI=

Nobody censored you, you chimpanzee.

@cculianu why was this closed? Was it found to not be EC? Looking through the thread, it sounds possible it was.

Relax everyone :-) OK looking into it now.

@haiqu I loaded up your seed and it shows 0 transaction history on any addresses therein (no balance on either BCH or BSV chains). I also loaded up the coinsplitter software's "Tools | Coin Splitter (CDS)" menu which reveals the split contract address, prcavpvn9443atmclqgqendfr6g2yal50slrj9elej which is identical to the address indicated in your first comment (transaction here ). So it looks like I've correctly reconstructed the Electron Cash 'throwaway' wallet that you used for splitting, however it does not have any prior history on any of the P2PKH addresses.

Conclusion: There is no flaw in Electron Cash RNG, you just misinterpreted what you were seeing in Electron Cash.

Here's what I suspect happened:

The prior balance that you saw was on your Ledger's 'Main' wallet derivation path(path m/44'/0'/0'), which you had never viewed before. You connected your Ledger to Electron Cash, and viewed that derivation path for the first time in Electron Cash, and you were shocked to see prior history. Previously you would have just been using the 'Split' wallet derivation path which is what Ledger uses by default for BCH, from what I understand. (m/44'/145'/0').

So, why would you have a prior history if you never used BTC before? The most likely explanation is if you bought your Ledger from a reseller and did not manage to reset it to use a fresh, high-entropy seed. Good thing your coins never got stolen! Either the seller did not plan to steal, or you got lucky because they were focussed on stealing BTC and thus did not check the BCH coin type derivation path. Does this sound like it could be what happened?

@JustinTArthur It was closed because I don't believe it to be an Electron Cash issue after investigating the RNG for 4 hours yesterday. The RNG is cryptographically secure. Also see Mark's comment above ^^

Thanks!

@markblundeberg The Ledger was bought direct from Ledger in France and was initialized correctly. While your reseller theory is convenient, MITM attacks on Ledger devices were not known in Mar 2016 and the Nano S hadn't even reached the market yet.

Once you set up a wallet with the provided seed you would have seen zero balance on both chains because I emptied that wallet. However the transaction history on the address generated showed four transactions which didn't belong. These were visible on both the EC wallet and the blockchain explorer. If I understand it correctly you should have been able to view the full history even without the Ledger wallet attached, and also should be able to find all previously used addresses by selecting the Addresses tab and clicking Receiving/Used. The top address 1E7ouPswtXzXyKcLZJAxjGXrDA4HXLoR8d was the one with the collision.

Previously on the Ledger I was using the main m/44'/0'/0' derivation path for BCH, since the Split path was an unnecessary complexity added by Ledger and was not needed due to two-way replay protection for the first split (BTC->BCH). Since the above address was generated by EC any history would not have been visible on the Ledger wallet, which uses an entirely different 24 word seed.

There's definitely more to this, even if that "more" is that I won the biggest lottery on earth and actually did get a collision with a working RNG. If you're happy that it's safe I'll leave it at that. Meanwhile a bchchat.slack user u/maxdifficulty tells me he's found at least one error with the RNG but that it would only cause 1 or 2 bits of error. His investigation continues.

Looking at what you've said again (about not being able to see the transactions) it seems that I've made an error. These addresses must have come from the Ledger device.

That's even more of a concern, since it indicates some procedural error in their initialization. Might need to talk to their tech support.

Yes, that address (1E7ouPswtXzXyKcLZJAxjGXrDA4HXLoR8d) does not appear in the wallet generated by the EC seed you sent me ... first address there is 124w2Vy8dBjZLnircEfWev8UUdxtqNAe3R.

You could be onto something with Ledger initialization. That's a possibility I was considering but sounds crazy -- that the Ledger RNG has issues.

Yeah Mark.. There are also hacked/pwned ledgers out there with intentionally bad RNGs or worse.

It would be really sad if even the legit Ledgers had an RNG vulnerability actually... I hope not.

OK, I just loaded up the Ledger using their Chrome app and did find those dodgy transactions. I think the reason I never noticed them before is that the screen only shows the last 20 transactions or so.

Definitely contacting Ledger now. This is an original Ledger from the factory so no chance of pwnage here.

Thanks gents.

the reason I never noticed them before is that the screen only shows the last 20 transactions or so

How come you did not notice them when you bought the device?

Got to the bottom of this at last. The four transactions (2 in, 2 out) were in fact my first BTC transactions ever. They were done on a Ledger Nano (early version, not the Nano S) and I re-used the 24-word key when I purchased the Nano S. I didn't purchase any more BTC for another 6 months, by which time I had completely forgotten about these earlier purchases.

It took a lot of digging through old accounting records but I finally found them.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

KarolTrzeszczkowski picture KarolTrzeszczkowski  路  6Comments

ProfessorVenkman picture ProfessorVenkman  路  5Comments

markblundeberg picture markblundeberg  路  4Comments

uncleschaeflit picture uncleschaeflit  路  6Comments

EchterAgo picture EchterAgo  路  6Comments