Electron-cash: deserialization protection impeding split on v3.3.2

Created on 26 Dec 2018  路  7Comments  路  Source: Electron-Cash/Electron-Cash

trying to split an address containing 10 unspent outputs I received the following error:

"Security update required (2018-002 v3.4.1). This important security provides a fix for transaction deserialization vulnerability and is recommended for all users. Transactions can only be sent after applying the update. Please visit the link for instructions on how to update to Electron-Cash 3.4.1"

Fortunately nothing was signed so the 10 outputs are intact but my understanding is Electron-Cash v3.3.2 is the last version with SV Support. Am I out of luck in splitting the 10 output address using Electron-Cash? I noticed v3.3.2 supports dropping outputs from the Send so I'm wondering if narrowing down the split operations to single unspent outputs would work and be safe (I read it's not advised).

Security & Privacy

Most helpful comment

Thanks @imaginaryusername for the reassurance on splitting indvidual outputs and while I was preparing to dust as per the Tsankov read on Medium I ended up going with the NilacTheGrim read on Reddit backed-up by @markblundeberg Coin splitting troubleshooting read which has been super useful and a major influence in preventing me from getting duped (Thanks Mark!)

Btw in my case the rogue server displayed the valid electroncash download destination (without the hyphen) which thankfully I re-typed in another window instead of clicking the link before taking pause at the suggestion to install 3.4.1. Thanks all for the great coverage of this insidious scam targeting the iconic and trusted Electrum platform.

All 7 comments

That is a scam; and if you already installed it, then hurry up and move your coins now.

See https://github.com/spesmilo/electrum/issues/4968

@cculianu @fyookball @markblundeberg @kyuupichan

Thanks! Fortunately having read the procedure several times I had the presence of mind not to consider downloading v3.4.1 so I'll be sure to select a different server and try again, viewing the list of attacker servers indeed the one I had selected from that list was 'wlseuser12.bitcoinplug.website:50002:s',

I'm still on the fence on whether to split individual outputs or all together. Any downside to splitting the outputs separately or is "Max" covering all outputs the way to go?

Also received this today. Assuming this is why the malicious servers were spun up recently.

https://file.globalupload.io/6w6dMdg1GQ.png

Jesus, this is quite the attack. :-( Image mirrored here for posterity:

image

@robdee splitting individual outputs (I assume you're using one dust each, or using locktime, either works) gives you more privacy, but is otherwise not different from using max. Using max has the advantage of simplicity and saving fees.

For the curious, the fraudulent client you download from the fake site (real site has no hyphen) steals your privkey and uploads to their server at gbdfcppl dot site. Do not download the fake client!

More info here: https://www.reddit.com/r/btc/comments/a9wrkl/electron_cash_users_beware_the_error_message/ecn8gtl/

Thanks @imaginaryusername for the reassurance on splitting indvidual outputs and while I was preparing to dust as per the Tsankov read on Medium I ended up going with the NilacTheGrim read on Reddit backed-up by @markblundeberg Coin splitting troubleshooting read which has been super useful and a major influence in preventing me from getting duped (Thanks Mark!)

Btw in my case the rogue server displayed the valid electroncash download destination (without the hyphen) which thankfully I re-typed in another window instead of clicking the link before taking pause at the suggestion to install 3.4.1. Thanks all for the great coverage of this insidious scam targeting the iconic and trusted Electrum platform.

Was this page helpful?
0 / 5 - 0 ratings