Overtorment
commented
5 years ago Hi! Can you provide onchain tx id pls..? Also, reach me on t.me/overtorment
Closed btcsessions closed 5 years ago
Overtorment
commented
5 years ago Hi! Can you provide onchain tx id pls..? Also, reach me on t.me/overtorment
btcsessions
commented
5 years ago TX id to fund the LN wallet was 12f1d350340c5b83ee9bc13ec7c829d94a0fef271cbc092e69f1a1aa1e175596
Overtorment
commented
5 years ago And txid to fund the lightning wallet?
On Mon, 21 Jan 2019 at 18:42, btcsessions notifications@github.com wrote:
TX id to fund the segwit wallet was 12f1d350340c5b83ee9bc13ec7c829d94a0fef271cbc092e69f1a1aa1e175596
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/BlueWallet/BlueWallet/issues/267#issuecomment-456166823, or mute the thread https://github.com/notifications/unsubscribe-auth/AB0x-WpEgmrtFSGkujrIr1jnLONVUV9Eks5vFgoUgaJpZM4aLUdv .
btcsessions
commented
5 years ago Sorry that's what I meant, my bad.
btcsessions
commented
5 years ago Hey guys, this came up as I was filming a how-to video on Blue. I want to be honest and transparent with everything I experience, but I also don't want to have people jumping in to exploit this (though I'm unsure how they would given that it happened through regular use).
Basically is there anything I should blur/omit or be otherwise careful about when I edit my video?
btcsessions
commented
5 years ago I've decided to wait until tomorrow before putting anything up - roughly 24 hrs from now (I'm typically supposed to post every Monday). Please let me know if there is any sensitive information that should be omitted and I will be sure to respect your wishes.
ncoelho
commented
5 years ago Hi there. This is an ongoing open bug that we are actively working on and it is sensitive. It is a race condition that happen 5 times out of thousands. Doesn’t seem a very responsible situation to openly discluse this kind of bugs.
Let me know if we can help somehow.
Overtorment
commented
5 years ago Fixed with commits I referenced. If anything - just email me directly i@bluewallet.io I'd be happy to help.
FrancisPouliot
commented
5 years ago It is impossible to spend a balance that he didn't own if he has control of the keys.
The only way to explain this is that bluewallet actually controls the private keys of the LN chanel (e.g. own's the user's funds) and that somehow there was a bug in the wallet accounting for a double balance, and the blue wallet servers managing the keys and the channels on behalf of users considered those funds as belong to the bluewallet and accepted the outgoing payment request, spending someone else's funds.
This seems to be consistent with the LNDhub documentation here. https://github.com/BlueWallet/LndHub/blob/master/doc/Send-requirements.md
If would be good to add this important info to the homepage where it says twice that "users control the private keys" (on homepage and on features page)
FrancisPouliot
commented
5 years ago ncoelho
commented
5 years ago Hi Francis, thanks for reaching out.
The users do control their private keys. it's not a full custodial solution...
Our Lightning wallets are custodial though. We are not hiding that anywhere, if it seems shady, that's definitely not the intention. We invested the time to write an article explaining all the details, that is linked on the homepage on the lightning wallets section. https://medium.com/bluewallet/bluewallet-brings-zero-configuration-lightning-payments-to-ios-and-android-30137a69f071
He also invested the time to make it an opt-out custodial. Which means that the user can choose to use their own node if he wants to do it.
Related to the bug, yes we had a race condition. Yes we probably are going to have more bugs...
Let me know where you see we are failing. No problem on fixing it.
FrancisPouliot
commented
5 years ago It's not shady, it's just not clear that it's custodial and that's confusing. I think this should be made more obvious
Hey guys, I previously had an issue with being able to withdraw funds via lightning twice via your platform. This time I encountered something a little different.
I funded my lightning wallet via the Blue Wallet segwit HD account. Sent over 200,000 sats and received double - 400,000 sats. The receive transaction showed 200,000 but the total balance showed 400,000. I was able to successfully withdraw said funds to another lightning wallet as well - I sent 395,000 out with no problems.
It's a tad worrying and I hope this isn't happening across the platform. I wasn't trying to do anything malicious and stumbled across additional funds with no effort at all via regular usage - twice. If you need further information, please let me know.