Importing wallet with Mnemonic phrase lets me use any phrase and it still works

[sonnyparlin]

I have created a wallet using bitcoinlib. The wallet is named 'my-awesome-wallet55.' When I try to open my existing wallet with a newly generated mnemonic phrase (a different phrase than the one the wallet was created with), the behavior I expect is an exception or security error, however the wallet opens anyway and even lets me spend bitcoin. See the example below with comments.

from bitcoinlib.wallets import Wallet, wallet_create_or_open
from bitcoinlib.keys import HDKey
from bitcoinlib.mnemonic import Mnemonic

passphrase=Mnemonic().generate(strength=256, add_checksum=True)
#passphrase='lumber romance negative child immense grab icon wasp silver essay enjoy jewel mom demise fit moral device hand capable toilet spirit age enforce deny'
print(passphrase)

key = HDKey.from_passphrase(passphrase, witness_type='segwit', network='testnet')
#wallet_create_or_open('my-awesome-wallet55', keys=passphrase, witness_type='segwit', network='testnet')

# In my opinion this should fail because I provided the wrong key, but it returns the wallet
w = Wallet('my-awesome-wallet55', main_key_object=key)

# Statement showing that our private keys are different
print("key.private_hex: " + key.private_hex + "\nw.main_key.key_private.hex(): " + w.main_key.key_private.hex()) 

if key.private_hex == w.main_key.key_private.hex():
    # We don't make it here because our private keys don't match
    print("Wallet 'my-awesome-wallet55' authenticated")
    w.utxos_update()
    print("Balance: " + str(w.balance()))
    t = w.send_to('tb1qprqnf4dqwuphxs9xqpzkjdgled6eeptn389nec', 4000, fee=1000)
    t.info()
else:
    # Instead we make it here and still have access to the wallet and I'm able to send money
    print("Wallet Authentication failed")
    w.utxos_update()
    print("Balance: " + str(w.balance()))
    t = w.send_to('tb1qprqnf4dqwuphxs9xqpzkjdgled6eeptn389nec', 4000, fee=1000)
    t.info()

Here is the output, as you can see it failed the if/else test because the private keys do not match and then sends bitcoin:

Sonnys-MBP:TelegramBTCWallet sonnyparlin $ python test.py 
unfold royal atom rule electric ice quote spin fiber quality lady just garment nature secret six garden comic carpet mom endless lamp family arctic
key.private_hex: 23ac38dc5293ee53918c8dfe18abc28975c8fa6963c876302aa4473ddca2f14a
w.main_key.key_private.hex(): 8c11283bf21e9344930ab9519742d6f59cd220528e0be17886d27a21c9c127c7
Wallet Authentication failed
Balance: 95000.0
Transaction 5e729021da81a5e6fc3b3d88b5bf136d09c78b0ac9a08be2cf1c90107e7ae27c
Date: None
Network: testnet
Version: 1
Witness type: segwit
Status: unconfirmed
Verified: True
Inputs
- tb1q7dx79l3maq2cqynpjzxqxsk3v6jhhaggzl07c3 0.00095000 tBTC badb9dbe2b4741310137de774e058aaf6cbba28e2f36c11640b241284f780f86 1
  segwit sig_pubkey; sigs: 1 (1-of-1) valid
Outputs
- tb1qprqnf4dqwuphxs9xqpzkjdgled6eeptn389nec 0.00004000 tBTC p2wpkh U
- tb1q9wg0vnqx63ng39s80gwqqffe2z7c5vvh0f4h3g 0.00090000 tBTC p2wpkh U
Size: 139
Vsize: 139
Fee: 1000
Confirmations: 0
Block: None
Pushed to network: True
Wallet: my-awesome-wallet55

Is this the expected behavior? If so, how do I authenticate a wallet using the Mnemonic phrase?

[mccwdev]

You're right, I have added an extra check in commit https://github.com/1200wd/bitcoinlib/commit/1e77bed61507c775791a2f05e89c4bbfe4849041

[sonnyparlin]

Thank you, when do you think I can expect to see these changes make into a production release? Not sure how you guys do your releases...

[mccwdev]

Just released version 0.6.3

[sonnyparlin]

Thanks! You might want to run the same check the function wallet_create_or_open, I believe the issue still exists there, but I've confirmed your fix for opening via Wallet(name, main_key_object).