Musicoin doesn't work with trezor

[karelbilek]

It seems like there was an error added with Musicoin support for Ethereum, so people with Trezor are sending musicoins into a black hole (or maybe to some non-standard path).

Trezor doesn't officially support Musicoin. It might work with correct paths or not, I don't know, but right now, people are losing their musicoins.

See https://github.com/kvhnuke/etherwallet/pull/809 https://github.com/trezor/trezor-mcu/pull/212

For now just please turn off Trezor with Musicoin. (Probably also Ledger.)

[tayvano]

Will do. Thanks for alerting us....

[prusnak]

Musicoin support should not have been merged at all, in a first place.

There are couple of serious problems with the chain. Firstly, it does not use EIP-155 replay protection, so it will sign transactions which are not replay protected. Secondly, it does not have BIP-44 path defined, so people are already losing coins by sending them to addresses they will have big problems withdrawing from.

Please, be more diligent when merging stuff into the production. There is absolutely no indication that this has been tested, yet it was merged without questions: https://github.com/kvhnuke/etherwallet/pull/809

I know you are understaffed, but that does not justify merging things with absolutely no testing. If the thing is untested, it can wait in the merge queue until it is.

Also the title should have read "hardware wallets" instead of "TREZOR" as it does not work with Ledger either. Not sure if it works at all, to be honest.

[prusnak]

Also it is very weird that this commit (https://github.com/kvhnuke/etherwallet/commit/0489500453b67fbbf4635309ccaaacd45c3a8a4d) adds so much unrelated stuff to chrome-extension and dist directories ...

[tayvano]

@prusnak That was merged and removed / re-merged a couple commits later. I was in contact with a number of people from musicoin / users of musicoin and didn't foresee the issues that would occur.

I am going to remove and push now and deal with it when we aren't on the road.

for v4 I'm proposing no networks without eip-155 are added as defaults & that hardware wallets are disabled by default.

That said, any individual will still have the ability to add any network to their dropdown. In the case of musicoin, there is a fork being used and a few tutorials on how to add it as custom.

Would you propose that we remove non-EIP-155 support from the add-custom-node option as well?

[tayvano]

Directly regarding HW Wallets—let's approve nodeTypes instead of remove.

The full list:

ETH: "ETH",
ETC: "ETC",
MUS: "MUSIC",
Ropsten: "ROPSTEN ETH",
Kovan: "KOVAN ETH",
Rinkeby: "RINKEBY ETH",
RSK: "RSK",
EXP: "EXP",
UBQ: "UBQ",
Custom: "CUSTOM ETH"

For now I'm going to just do ETH + ETC + Ropsten + Kovan + Rinkeby + EXP

If we want to do more, let's just be sure we have correct path and whatnot. This will disable HW for usage for custom nodes, which will likely cause problems for some users........but I'm not sure what to do in the shortterm given we're on the road without access to all devices, stable internet, and enough sleep.

For talks about future: https://github.com/MyEtherWallet/MyEtherWallet/issues/128

[tayvano]

@runn1ng Shoot, I just realized this latest change removes TREZOR for RSK, which is a thing I believe you PR'd in a while back.

Can you confirm that it's okay for me to allow people to connect to RSK node with their TREZOR?

[btchip]

First time I'm hearing about MUS. I did push a specific path for Expanse though with the approval of their team (https://github.com/kvhnuke/etherwallet/pull/840). Expanse doesn't support EIP 155 afaik.

[tayvano]

Yeah I read about different EIP-155 supports last night before passing out. I don't quite know what to do. On the one hand, numerous people have been using MEW with these other networks for some time now without issue. these things were being used. The change we made was ensuring they don't have to add as a custom node or trust another domain.

However, the lack of EIP-155 support could clearly result in unexpected replays. I assume the reason we haven't seen issues yet is simply because people keep their funds separate as they were unaware that ETH / EXP were the same. The addition of these nodes means that there may be more cases where the same address has EXP and ETH (either accidentally or on purpose), which means we have a responsibility to the user to do what we can to prevent replays from happening. I also see this as an item that could be exploited socially / maliciously.

I may have to break out my explanations / FAQ / warnings regarding replays and show a warning for chains that are not EIP-155 and hope that is sufficient for the limited subsection users who are in a situation where they need to send EXP without sending ETH.

A longer term solution would be for these chains to add EIP-155, or roadblock users from sending if they have a non-EIP-155 coin and EIP-155 coin in the same wallet.

[prusnak]

Basically it MIGHT be OK, to use coin without EIP-155 replay protection when they have BIP44 path defined (so it is guaratneed they don't share the keys with other chains). But having a coin with no EIP155 and no BIP44 path specified is a problem waiting to happen. Also there is a problem with MEW that user can specify (or quite often has to specify) the BIP44 path, so average user can mess this up badly even in case BIP44 has it's path defined.

[tayvano]

And this is a problem with our place in the ecosystem. A developer friendly interface for a niche crypto community is a different things than "the" ether wallet, which we have somehow become after exponential price rise and growth over past 4 months.

For the former, the answer is fuckit let them fuckit up, they know what's going on. For the latter, you would never open up a custom path ever. And where we are today, no matter what we do, we screw someone There is no viable alternative for people who want all the paths (or to access their eth that they sent to their etc Jaxx wallet). And there are people who will somehow screw something up no matter what you do.

Our goal is to find the balance between the two. And this situation is the perfect example of how hard and dangerous that can be.

[chrisfranko]

EXP Has a chain ID of 2 for eip155

But also any ETH address with work on EXP backwards compatible.

[jhoenicke]

As I see it all currently supported coins (except Musicoin) already have eip-155 and MEW is always using eip-155 for them. Maybe one should just block coins not supporting eip-155; it puts pressure on the developers to add eip-155 support. Also it is a security risk to sign a non-eip-155 transaction, it may be replayed on the Ethereum chain, for example.

RSK and UBQ didn't use their bip/slip-44 coin id for hardware wallets, but reused the Ethereum coin id. I guess it is better to change this now. It means that early adopters users have to manually switch the path back to Ethereum to find their coins, though.

I wonder if the derivation paths could be hidden by default with a button to open it, in case users want to find their coins used with earlier versions or sent to the wrong wallet. We see similar problems with BCH/BTC now, where users send their coins to the wrong wallet. I guess the same will happen with Expanse sent to Ethereum addresses or vice versa. The average user may not even know that Expanse is not a token.

[tayvano]

@jhoenicke Thank you for your input. I think we are on the same page, although a lot of people are hitting our support box right now requesting Musicoin, so we may bring it back with a fat warning. I'm really busy atm so not tonight. 🤷

You can see discussions on updates we are going to make to the dialog here: https://github.com/MyEtherWallet/MyEtherWallet/issues/129

And wireframes here: https://github.com/MyEtherWallet/MyEtherWallet/files/1240030/select-address.pdf

Still working thru smaller details, but if you have any specific recommendations on UX for this, feel free to drop a note over there. Again, I do believe we are all on the same page though. Yay!

[trustfarm-dev]

@jhoenicke
https://twitter.com/andrebaars100/status/899621758457827328

He said trezor work with MUSIC on MEW. what Is differences?

[jhoenicke]

@trustfarm-dev

1. Musicoin uses Bitcoin private/public keys, because it doesn't set a BIP-44 path. If that is fixed it means that you don't find your address anymore.
2. Without eip-155 the following attack is possible: You send someone 1000 MUSIC to an address where he also has 1000 Ether. You ask him, if you can have the 1000 MUSIC back that you sent in error. If he does that, you replay the transaction on the ethereum chain and get his 1000 Ether.

[trustfarm-dev]

@jhoenicke I think Trezor must support for which trezor not supported coin, by default manner. It means flexible coin private key management features. So, It's Trezor product issues. If I sell product, I assume that customer is very very beginner. they always makes mistakes, So, I must prepare or prevent their mistakes.

You can support any coin for future use by customers it will makes your product more wide-usage.

In case replay attack, Now, Recent eth-related nodes supports EIP-155, I think your assumption will not possible now. I mean that No vice-direction attack.

And your indication of uint8 (char) chainid to uint32 chainid modification is very good approach, Even though ETH https://github.com/ethereum/eips/issues/155 thread shows why did you confusing with forkID and chainid.

I guess you know the wide , you will do well supports for other coin.

[Stcetjo]

@jhoenicke "Musicoin uses Bitcoin private/public keys, because it doesn't set a BIP-44 path. If that is fixed it means that you don't find your address anymore." When Musicoin node was active on MEW, I sent many coins to 0x99d915A7c195918C6F12d5E5be671F40C3D90824 and I can't access the wallet on MEW anymore using Trezor. How do I get back into the wallet now? I put in a custom node but I can't find the address anymore. Thanks.

[trustfarm-dev]

@jhoenicke I would strongly recommend which concern using another HW wallet for store their private keys to my community and my customers.

[jhoenicke]

@Stcetjo I think the path is 44'/0'/0' (a bit hard to enter, but if you ignore the popup it works).

@trustfarm-dev Why is it so difficult to add EIP-155 replay protection in Musicoin? Also make a pull-request to https://github.com/satoshilabs/slips/blob/master/slip-0044.md to get an official bip-44 path. Previously it didn't specify a path at all, so it used whatever the interface returned by default (which happened to be bitcoin addresses).

[Stcetjo]

@jhoenicke Thanks!!!!!! The path worked and your a life saver.... I thought the coins were sent to a black hole. As an FYI, if you add the musicoin custom node in MEW, the option to connect via Trezor goes away. I found a way around this by first clicking on the Trezor connect option in a regular ETH node and when it says "Connect to Trezor" do not connect. At that point add the Musicoin node and connect to it. The option to "Connect to Trezor" will still be available after connecting to Musicoin. Good Luck.

[tayvano]

As an FYI—DBIX is another network that just submitted a PR that doesn't support EIP-155. (We will not be adding)

https://github.com/kvhnuke/etherwallet/pull/953

[prusnak]

@tayvano thank you, much appreciated!

[ghost]

Hi I didnt check my wallet for some time and i have this same problem that @Stcetjo have. Now when im changing to music node , website is refresh and trezor option to connect is disappear so i cant connect to my wallet . Please help .

[Stcetjo]

Read my note above, give that a try, see if it works. To make Trezor option available you need to go to MEW and choose a node that has trezor as an option. Click on trezor so it gives you the "connect" option but DO NOT connect yet. When you see the option to connect, change your node using the top right menu. Change it to Musicoin, and the trezor option to connect should still be on the page.

[ghost]

Hi @Stcetjo Thanks for reply . I'm doing exactly like you said. But when im changing to music node , website is changing and trezor option disappearing. I'm using chrome browser.

[tayvano]

Hey guys,

I'm sorry that you're having issues but our priorities are to keep the site safe. Musicoin should have never been added and never been added with TREZOR option enabled. It was my fault to not realize the extent of complications adding a new network would have.

Do you have MUSICOIN on your TREZOR device? What path is it on?

@dternyak FYI ^^ apparently the non-clean state was a "feature" being used by some.

[trustfarm-dev]

Hi all. Now MEW doesn't support musicoin with trezor. So to music trzor users, guide export in eth node export their wallet first and backup their wallet with json format . And next json file import and using musicnode.

It is temporal process until trezor support musicoin.

Now more detailed user guide for this case. I m not know well trezor behavior. So if they give information then i ll also propaget information.

Thnx all.

On 2017년 9월 28일 (목) 오전 5:57 Taylor Monahan notifications@github.com wrote:

Hey guys,

I'm sorry that you're having issues but our priorities are to keep the site safe. Musicoin should have never been added and never been added with TREZOR option enabled. It was my fault to not realize the extent of complications adding a new network would have.

Do you have MUSICOIN on your TREZOR device? What path is it on?

@dternyak https://github.com/dternyak FYI ^^ apparently the non-clean state was a "feature" being used by some.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/kvhnuke/etherwallet/issues/912#issuecomment-332652969, or mute the thread https://github.com/notifications/unsubscribe-auth/ARiiccdhkTAVsid4jR7sHWr4zaj2syKMks5smrbJgaJpZM4O8wQ4 .

[ghost]

Hi @tayvano Thanks for reply Yes i have musicoin there. I dont remember what path it was , it was default set by trezor. I hope you can help will me to withdraw my coins. Thanks

[cristianb84]

I am having exactly same issue as bartgb. Few days ago Stcetjo suggestions worked with MUSICOIN custom node, but now, when you change the node, the website refresh the content so the Connect to TREZOR disappears. How can we can access our wallets ? Thank you,

[Stcetjo]

Sorry that was the best I had... If you can some how get to the trezor connect page with the musicoin node then if you put your coins in the default path 44'/0'/0' then you should be able to get access.

[cristianb84]

There has to be a way to access the coins that you already had. Maybe anyone else have a solution for this :( ....

[Stcetjo]

I just tried again, and you are correct, the page refreshes after connecting to the musicoin custom node. before it did not and I was able to connect using a trezor/ledger and there was no problems.

[trustfarm-dev]

Hi all. Is it can do old version of MEW then can revice trezor access? There still remained old version First patched version of Mew . music is on

Https://Mcdnode.trustfarm.io

And check it can revive and backup wallet. Thnx all.

On 2017년 9월 29일 (금) 오전 9:00 Stcetjo notifications@github.com wrote:

I just tried again, and you are correct, the page refreshes after connecting to the musicoin custom node. before it did not and I was able to connect using a trezor/ledger and there was no problems.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/kvhnuke/etherwallet/issues/912#issuecomment-332995205, or mute the thread https://github.com/notifications/unsubscribe-auth/ARiicTHbM5x5eVb85KtqxJXFO0F_VCtMks5snDMDgaJpZM4O8wQ4 .

[ghost]

@trustfarm-dev It worked , thank you thank you thank you :)

[trustfarm-dev]

@bartgb That's Great Sound!!! Backup your wallet first and store it paper and use hw wallet or anyother way. and refer following links.:: ^^ https://trustcoinmining.com/bbs/board.php?bo_table=blockchain&wr_id=9

[Varunram]

Just updating this thread that Musicoin will be enabling EIP-155 replay protection in its upcoming release and we will be contacting the MEW team to re-enable Musicoin once that's done.

[trustfarm-dev]

@Varunram , It is good. It will be discussed when to fork in musicoin community. Source code has ready to enable anytime. But, I've tested internally, another node must update eip155 enabled node sw. So, It can be enabled in network. just my own node has enabled eip155, it doesn't work on network. Additionally, it will be companion update with EIP 150 (gas fee change, prevent contract ddos).

Anyway, EIP155 will be applied soon. it is clear!!

[gamalielhere]

Closing this issue. Don't hesitate to reopen if needed.