Open gmart7t2 opened 4 weeks ago
I didn't provide a seed phrase that triggers the bug. So here's one:
$ cat wallet.json
{
"accountPath": "m/86'/0'/0'/0/0",
"name": "cat",
"mnemonic": "scale scale scale scale scale scale scale scale scale scale scale scale"
}
Bad address:
$ yarn cli wallet address
yarn run v1.22.22
$ node dist/main wallet address
Your address is bc1pg50hvw3nu9vhkavugm7sjktv6zn7l09zheq3dujkh7nvxc845y7q9nedp2
Done in 1.76s.
Good address:
$ yarn cli wallet address
yarn run v1.22.22
$ node dist/main wallet address
Your address is bc1pttc5kl78vuhhknkp99ersd8r275nwsjf977qdf58s5e28494e4jq596mnp
Done in 1.74s.
$
There's a bug that causes the wrong address to be generated if the wallet's public key starts with a zero byte. This is the case for 1 in 256 wallets.
This can lead the user to send funds to an address for which he doesn't have the private key, causing loss of funds. I was lucky and used a different program to generate the address from the seed phrase so my funds were recoverable.
Here's a demonstration. I cloned the repository and built it:
I copied in a wallet that has a public key that starts with a zero byte, displayed its address and balance. The address is wrong, and the balance appears to be empty:
I replaced one of the module files with a modified version, and now a different address is generated, and the balances are displayed correctly:
Here's the change in the modified module file:
BN.toBuffer() is being called with {size:32} as its only parameter, but the length is meant to be in the 2nd parameter.
There is a different BN.toBuffer() in
node_modules/bitcore-lib-inquisition/lib/crypto/bn.js
which is likely what is meant to be being called.