CityOfZion / neon-wallet

Light wallet for the NEO blockchain
http://neonwallet.com
MIT License

Several people have lost Neo due to a fluke in the Neon wallet and Ledger Nano S. #524

Closed OrEagle97327 closed 5 years ago

OrEagle97327 commented 6 years ago

I came from - https://discord.cityofzion.io to make this post. ...We need support.

I ask all that experienced this problem, join this thread so we can compare notes.

Hopefully; we can get Neo and Ledger to join the support, instead of claim 3rd party software.


On December 22, I installed Neon Wallet 0.0.7. After connecting to Ledger Nano S, I transferred 108 Neo from the Bittrex exchange, using copy/paste of public key in Neon wallet. ...I kept the wallet open until I saw the transaction complete. It showed my transfer as expected. I closed the wallet and went to bed. (1:00 AM)

The next morning, I opened the Neon wallet to check it out. There was a ZERO balance. After more examination, I realized, the public key was different. That makes two public keys, and only one being addressed by Neon wallet attached to Ledger.

In my search for support, I found my way here on GitHub ... https://github.com/CityOfZion/neon-wallet/issues/416. The person who posted that thread invited me to "discord.cityofzion.io". We are getting referred back here.

Coranos got involved in that discussion, and finally gave up. I quote him here: "Sir, your neo is gone. Finding the defect that caused your car to explode is not the same thing as un-exploding your car. Similarly, imagining ways a car can explode is not helpful, when trying to find why a specific car exploded in a specific way. Best I can do at this point is to warn people that at some point, their car may explode, and they better test their recovery process at least once before putting more than 2 NEO in any address. I've muted this thread." I feel like it is something else that blew up like a car. My "bullion/Neo" in the car/wallet is still lost. Where can we go to find the answer to recover the missing Neo? There is more than just a couple of us.

To add chaos to the problem; On Jan 10, I upgraded to the Neon wallet from 0.0.7 to 0.0.9. Now I have another public key. That makes three, the one that got the Neo, the new one I had the next morning, and the one I have now. I have uninstalled the Neon wallet and reinstalled, still the third public key. Even if I uninstall ver 0.0.9 and reinstall 0.0.7, I get the third key. (I have reinstalled it back to 0.0.9) When I run my 24 Ledger phrase, through https://coranos.github.io/neo/ledger-nano-s/recovery/, it now returns the third public key at the top of the list.

ATTENTION: All who suffered this loss; join this conversation here, Let us all compare notes, so we can get to the bottom of what happened.

Evgeny1986 commented 6 years ago

Hello, 19 of my coins also disappeared today. My topic: https://github.com/CityOfZion/neon-wallet/issues/523

MorganLester commented 6 years ago

This happened to me a few days ago. Set up my wallet connected to the Nano fine. Sent a few tests before sending the rest (only 7 coins). Yesterday reconnected the app and had a zero balance with a 100% new address. Is there anything we can do? I can see my coins sitting in the public address (the original one created). I am guessing these are gone. I have tried recovering from 24 pass etc. and nothing.

OrEagle97327 commented 6 years ago

Looking at the immediate responses; it appears this issue is at least a month old, and still occurring.

What can be done to get the word to new and other users? CAUTION: watch out until we get to the bottom of this!!! Can we ask Neo to post their website, the source of my Neon wallet? Can we get Ledger to post a warning on the Ledger manager? Can we post the Neon wallet with better instructions?


Let me re-post Coranos: I've done my best to raise awareness: https://www.reddit.com/r/RaiBlocks/comments/7mij5j/ledger_nano_s_app_update/drx1566/

I've also created a walkthrough of the steps people usually take to verify the ledger is working correctly: https://www.reddit.com/r/NEO/comments/7l1yil/instructions_on_how_to_test_your_neon_wallet_with/

Also posted about the other bugs I've found: https://www.reddit.com/r/NEO/comments/7i3zcg/bug_in_neo_ledger_app_related_to_nep5_and_change/


I sure wish I had seen these sites about a month before they were even posted. Wild and crazy ride we are on!!

MorganLester commented 6 years ago

Update: I had in fact had a temp passphrase. After recovery > entering old passphrase I got the original address!

OrEagle97327 commented 6 years ago

What is a "temp passphrase" and where did you insert it?

lostis4d commented 6 years ago

This has just happened to me. I had 10 Neo, and someone just sent me 3 NEO, and my wallet balance has changed to 0 with no transaction history. I am using the Ledger Nano S.

OrEagle97327 commented 6 years ago

My experience is minimal. Have you much experience?

My goal here is to get together and share notes.

Have you been in settings or security menus?


Evgeny1986 commented 6 years ago

How can we return your coins? where to turn to? I am willing to write to any authority.

jon85943 commented 6 years ago

Have you tried recovering your private key and public key pairings that are able to be produced from your 24 word phrase? I had issues that were never resolved with no transactions ever confirming and decided to try and get my private key using the BIP-39 Recovery Tool offline. When I used the tool it gave me a bunch of public/private key pairings; you may be able to find the matching keys. My key was first in the list and I just opened it in Neotracker.io.

OrEagle97327 commented 6 years ago

Thanks Morgan for the private response we had on Discord. I have been doing some review. Earlier Coranos commented: "Based on the nature of the problem, it seems to be only a ledger device problem. So as far as I know, wiping your device and resetting it should show the glitch."

I missed it back then, but I am "gun shy" - Should I empty wallet first for safety? (6figures-HotCrypto) When is it "NOT" safe to Un-plug USB connection to Ledger?

OrEagle97327 commented 6 years ago

jon85943 - yes I have run bip-39 recovery tool - and another by someone else - plus I have come across a generic one for many coins. ( iancoleman's version) Mine returns the last address I got (in my case a third public address)

OrEagle97327 commented 6 years ago

Do I dare reset my Nano with lots of asset out there?

OrEagle97327 commented 6 years ago

Evgeny1986 - Are you trying to return coins or recover some? The reason we are into crypto is so no authority needs to be involved. There are forums to go to like this one or reddit or discord, or others.

Evgeny1986 commented 6 years ago

OrEagle97327 - Clear. I'm just very upset. Any experts can help me? as it happened, that my tokens are on a different wallet. For me it is a very large sum.

OrEagle97327 commented 6 years ago

Evgeny1986 - I still do not understand the question. Can you describe the issue?

stevesbrain commented 6 years ago

@OrEagle97327 I have reset my Nano many times and recovered with the mnemonic seed. I did this before being "comfortable" storing my Neo there (i.e. I sent some testnet GAS to it, then reset it, recovered from my passphrase, and verified the testnet GAS was still there - it was). Provided your mnemonic seed is correct, you run zero risk resetting your device. The only time it should change/disappear is if you've set a passphrase on top of this (so 24 word seed + single word for an "extended" seed). Then, if you wipe the device, you'll have to restore your seed and set up the passphrase as well.

Evgeny1986 commented 6 years ago

OrEagle97327 Yes. Now I will describe the problem. I had 19 coins in my Neon wallet. The address of my wallet: AN4FMbGefBGpBYCMJW1dKjEbm9kPjdghao. A couple of days ago I went to the wallet and found I had no coins. I went to https://neotracker.io/tx/8202dc123540d009c20ce3b7eb1b4e6944b39ad7b4a5074cfaf1a026f7ec0c37 and discovered that my coins were transferred to the wallet AKL1VMWPsW9qHWrwh8TYz9NJGU6GC561ca

I never transferred the coins!!! My coins were stolen.

shrwnsan commented 6 years ago

Paranoid about this now. I downgraded from 0.0.9 to 0.0.7. What should I do to prevent this from happening?

I have already signed some transactions earlier today. Am on the latest macOS as well. Greatly appreciate the insights.

Looking forward. Thanks!

seinwave commented 6 years ago

Echoing @stechico's comments. I haven't experienced the issue, but I'm running 0.0.9 on latest macOS.

I've seen that @coranos has tried valiantly to reproduce the bug, without success. That's encouraging to me.

All the same, would love a security blanket here. Has there yet been a successful diagnosis of the problem?

Thanks for all of your input, guys. Obviously a legitimate concern.

ghost commented 6 years ago

So, @stechico this is not the same problem as the problem I've been looking at.

Your coins were stolen. Your ledger address remained the same, but the coins were transferred elsewhere. The problem I was looking at is where your ledger address changed, and the coins were still at the old address.

For anyone that had the address change on them, were you able to claim gas at the first address, before it changed?

The only way I've been able to reproduce the problem is by creating noise on the USB line which flipped a few bits. That shouldn't be considered a "normal" scenario.

OrEagle97327 commented 6 years ago

@seinwave I do not know of a solution yet. Still believing one will be found.

I lost my Neo while using Neon wallet, ver 0.0.7. Wallet ver 0.0.9 has some good upgrades.

@coranos Would unplugging the USB from the Ledger at the wrong time, create the noise you refer to?

I am maintaining this thread to post warnings and support to others who follow. One user who has been in these conversations has lost 1900 Neo or more. Makes my 108 kinda paltry. (still painful)

ghost commented 6 years ago

Unplugging the USB or just having it not fully seated would cause the noise, yes, or a frayed wire.

Claiming gas would test that scenario, as you can only claim gas with a valid key combination.

OrEagle97327 commented 6 years ago

I hate to ask this.... (shuda,kuda,wuda)(undocumented feature)

Is there a possibility, ...one of these "scenario" creates 'paraphrase" wallet without-paraphrase? ...Has the symptoms!!

This comes to me while reading the Ledger page on advanced techniques https://ledger.zendesk.com/hc/en-us/articles/115005214529-Advanced-Passphrase-options


PASSPHRASE ATTACHED TO A PIN

In your Nano S, go to SETTINGS > Security > Passphrase > Attach to a PIN

With this feature, you can create, open and manage a second (and hidden) wallet attached to a specific passphrase, wallet accessible when you connect your Nano S with another PIN code. As long as your session will be open with this PIN code, you will be able to access it. When you disconnect your Nano S or when you quit the standby mode, you will be asked a PIN code, then you can choose to reopen this one or enter the main PIN code.

  1. Open the "Settings" of the Nano S
  2. Select "Security"
  3. Select "Passphrase"
  4. Select "Attach to a PIN"
  5. Enter a second and new PIN code
  6. Confirm this new code
  7. Enter and confirm a secret passphrase (100 characters max)
  8. Enter your first main PIN code to validate

Then during the rest of your session until the Nano S is disconnected, you will run an hidden wallet. Next time you will enter your PIN code, you will choose which PIN code you want to enter, main one or second one. You can't set a third PIN code. If you ever set a new PIN code attached to a passphrase, it would erase the first one. To manage more than 1 hidden wallet you need to use the "temporary passphrase" option.


Got lottsa experience and knowledge over the last several days, guess I paid for an education. (noStudentLoan)

ghost commented 6 years ago

you could definitely have done that, but then to recover you should be able to just use the same pin and it'll use the same hidden wallet. or just use the same passphrase.

I don't know much about the "hidden passphrase" options, but messing with it and forgetting what you did would definitely screw you over.

OrEagle97327 commented 6 years ago

I am theorizing, ...there is a wallet on the Ledger "without" a passphrase. (the first public key) ...Has the symptoms!!

OrEagle97327 commented 6 years ago

Juss thinkin outside the box...

Can bip-39 recovery tool be used to attempt to return the wif on; "...second (and hidden) wallet..." not " ...attached to a specific passphrase..." ??

be a murukal wudeniit

ghost commented 6 years ago

Uh, um, that's quite a box.

By default, the recovery tool does not require a passphrase. So by default it returns the wallet not attached to a passphrase.

There is no second hidden wallet with "no" passphrase, it's a second hidden wallet "with" a passphrase.

The first wallet, the one you see by default, is the one "without" a passphrase.
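The passphrase behaviour discussed in the comments above (a 24-word seed plus an optional passphrase opening a separate wallet, and a recovery tool that defaults to no passphrase), shown as an added example that is not part of the original thread and is not Ledger's or the recovery tool's code. It implements the standard BIP-39 seed derivation; the mnemonic is the published BIP-39 test phrase and the passphrases are hypothetical.

```python
import hashlib
import unicodedata

# Constructed sample input: the all-"abandon" phrase from the public BIP-39
# test vectors. It is a published test phrase, not anyone's wallet.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic, passphrase=""):
    """Derive the 64-byte BIP-39 seed.

    PBKDF2-HMAC-SHA512, 2048 iterations, password = mnemonic,
    salt = "mnemonic" + passphrase, both NFKD-normalised.
    An empty passphrase is the default wallet a recovery tool shows.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def fingerprint(seed):
    """Short one-way label for a seed, so wallets can be compared
    without printing key material."""
    return hashlib.sha256(seed).hexdigest()[:12]


def wallets_for(mnemonic, passphrases):
    """Map each candidate passphrase to the fingerprint of the wallet it opens."""
    return {p: fingerprint(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    # "" is the wallet without a passphrase; the rest are hypothetical
    # passphrases that differ only in case or a trailing space.
    table = wallets_for(TEST_MNEMONIC, ["", "hunter", "Hunter", "hunter "])
    for passphrase, fp in table.items():
        print(f"{passphrase!r:12} -> wallet {fp}")
    # Every variant opens a different wallet.
    assert len(set(table.values())) == len(table)
```

Every passphrase yields a valid seed, so a mistyped or forgotten passphrase does not produce an error; it opens a different, empty wallet with a different address.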

OrEagle97327 commented 6 years ago

I have been conferring with others who have suffered loss due to this fluke.
I did "not" do any of the steps to set up a passphrase. Others say the same.

As I study this; ...the symptoms are just like there is a "passphrase" wallet just waiting for us to access.

Am I too far outside the box, for this to be possible? With my limited experience, I know not, how to test or search this kind of theory.
I would like to hear Ledger has looked into this kind of possibility. Does the CityOfZion community, have specialist in the Ledger security settings, willing to consider this?

Is this a matter of; Who pays for the research?
...I have 108 Neo, to donate to the community, as a reward fund, when the solution is found. Tell me what more I can do to keep the community involved in finding the solution. Others have suffered also. While painful, I will be fine. Just has to be worth someone's time. Neo should be all over this. The others will appreciate it, I am sure. I have read that over 3000 Neo has been lost to this "undocumented feature" That is just the ones we have heard about.

shrwnsan commented 6 years ago

@coranos Yah, what I've mentioned in terms of precaution was in the scenario of this problem, "where your ledger address changed, and the coins were still at the old address."

From what I gather so far from the thread:

  1. Don't set a passphrase on the default, first one that comes "without". Does that mean leaving it alone, its more likely to be recovered with the linked recovery tool?

  2. Make sure to have the USB wire and the Ledger be in a position that's stable when in use with the computer; to avoid freakish bit updates caused by faulty wires, etc.

Anything else for those of us that are in the high-level area of this subject? Thanks

numero41 commented 6 years ago

Hi everyone,

I have EXACTLY the same issue, but with myEtherWallet/Ledger Nano S

You can find my post here : https://github.com/kvhnuke/etherwallet/issues/1528

Do you have any news on this? Did any of you manage to get an answer from Ledger support? They don't even answer me.... No one seems to care, it's so scary...

numero41 commented 6 years ago

Same issue here with Ripple : https://www.reddit.com/r/ledgerwallet/comments/7pwp4h/ledger_ripple_app_changed_receive_address/

numero41 commented 6 years ago

Another thread : https://www.reddit.com/r/ledgerwallet/comments/7r0qxf/xrp_zero_balance_and_wrong_receive_address_on/

numero41 commented 6 years ago

I made a single post on Reddit to try to bring some attention on this issue : https://www.reddit.com/r/ledgerwallet/comments/7rd798/should_we_be_concerned_about_the_ledger/

ghost commented 6 years ago

Always try to send from the new address to a wif address (or to my donation address).

I have an idea on how to detect when this error occurs, but it'll be a month or two before I can implement it. The general idea is to send an encrypted public key along with the plain public key and then decrypt it on the client side. It's basically a checksum that can only fail if the encryption fails.

But to do this I need to know how to encrypt/decrypt rather than just sign, which requires research.

stevesbrain commented 6 years ago

@numero41 Some people have had the issues due to malfunctioning USB cables, but beyond that I'm not sure

numero41 commented 6 years ago

Hi, Could this issue be related to this from last year?? bitpay/bitcore-lib#97 iancoleman/bip39#58

numero41 commented 6 years ago

@coranos

Ledger seemed to have updated the bip39 recovery tool (maybe it's related??) :

https://support.ledgerwallet.com/hc/en-us/articles/115005197905-Restoring-your-Ethers-ETH-or-ETC-without-a-Ledger-Nano-S

The GitHub repo: https://github.com/iancoleman/bip39

The last commit is 3 days old, but the html file is older, should I re-compile it to have the latest offline version?

OrEagle97327 commented 6 years ago

Following the thread above, I notice, through comments, "iancoleman" is the owner of the bip39 repository. Is "iancoleman" available for input here and the other threads listed with similar problems.


Can the Bip39 tool, be updated to do "wild card" searches for "passphrase" ?? i.e. " . " - "???jk?M*" - or other combinations. (novice here, trying to think outside the box) Are the other public/private keys in the list now exposed to security risks? (We all now have a private and public key to someone else's wallet)

OrEagle97327 commented 6 years ago

I saw the below phrase that has me wondering if something like this may be causing this Neo problem. and other post(s) for Ledger issues

I remember running the Ledger apps from Ledger website, until I discovered the shortcut(s) in Chrome apps.

??? - "...potentially had left the Ledger chrome app running background." - ???

numero41 commented 6 years ago

For me, I am quite sure that the app WAS running in the background....

numero41 commented 6 years ago

Ledger CTO just answered in my thread on reddit that they are not aware of our issues. I mentioned my ticket ID and @OrEagle97327's one, but if you are aware of others, feel free to answer here: https://www.reddit.com/r/ledgerwallet/comments/7rd798/should_we_be_concerned_about_the_ledger/dsxls5e/

numero41 commented 6 years ago

If we had a correct contact with the support, we could mention them a lot of details, but since they don't answer, it's very frustrating to try to figure out everything by ourselves :(

numero41 commented 6 years ago

Ok, maybe this app thing is a lead. I saw on several forums and Ledger public forum that when their app didn't show any balance, they were asked to clear their app cache, or even uninstall/reinstall it.

Alexandre's only answer from the support to my ticket was to do so -because they had errors in their API-, and I just answered him that my issue was not related to the chrome app.

BUT that seems to mean that their bug was related to an issue with the address, right?

So my idea is: IF I plugged in my Ledger with a defective version of the app, maybe this one was "initialized" with a defective address. And then when I went to connect to the online wallet, this address was referenced in the Ledger as the default one. After unplugging the Ledger / closing the app / re-plugging the Ledger, the "good" address (which is not the good one for us unfortunately) could have popped up again, in a definitive way...

What do you think?

numero41 commented 6 years ago

I posted the idea here on reddit : https://www.reddit.com/r/ledgerwallet/comments/7rd798/should_we_be_concerned_about_the_ledger/dsxragt/

cosmic-springs commented 6 years ago

I sent 1 NEO with the intention of buying DBC the coins haven’t arrived in my wallet and the transaction is showing an invocation, I’m sure that means a lot more to you than me. Will I ever see my NEO or DBC coin again and if so, either would be great. Hope you can sort this out for me, I love the innovation and am willing to invest but things such as these make me realise how fragile it all is. Hope you can help me out with this.

numero41 commented 6 years ago

@OrEagle97327 Did you make a post on Reddit about your issue? If yes, could you point me to it? If not, would you mind making one, or adding a comment on my common post? Thanks

cosmic-springs commented 6 years ago

Hi.

Thanks for contacting me, I hope you can help, a small problem compared to some but not to me. I attempted to buy DBC coins with 1 Neo on 19/01/2018, 03:45:24

Transaction hash: c3bd44408ed16eace9851f89f35d30e48a2a372a5f5de746e042636664ea8de8

From wallet address: AU6GkGRt4jeESJnM56mz9uJiwacNMTHjzH

To wallet: AahTMWKL2q2ffJcPGVYoZsRcvcE21hjGaQ

If you could help me out I would be indebted.

Keep up the good work, the future looks bright.

Thanks.


OrEagle97327 commented 6 years ago

@numero41 Just posted this to your Reddit post


I have felt Ledger needs to have a larger role in the Neon wallet issue. This helps us distinguish a common issue/solution. Hopefully we can work together to find the solutions needed make this industry work smoothly.


Thanks for all your input - I have been running out of ideas without you.

numero41 commented 6 years ago

Ok, well our issues seem very identical, and the common thing is the Ledger... As I said before, for me it seems related to a wrong derivation path set internally in the Ledger. But we need some feedback from the support!!! I am very motivated to solve my and your issues, because for me it's a lot of money lol... otherwise I would have given up, I feel so stressed, angry and upset these days...

cosmic-springs commented 6 years ago

Mine is a small problem compared to some. I attempted to buy DBC coins with 1 Neo on 19/01/2018, 03:45:24

Transaction hash: c3bd44408ed16eace9851f89f35d30e48a2a372a5f5de746e042636664ea8de8

From wallet address: AU6GkGRt4jeESJnM56mz9uJiwacNMTHjzH

To wallet: AahTMWKL2q2ffJcPGVYoZsRcvcE21hjGaQ

Neither arrived. Does Neo have any customer support or have we just been scammed??