Brute Force Seed Word Sorting Tool

[KeyJockey]

Hey guys... weird problem here, hope someone can help.

I tried to get my niece set up with Copay wallet awhile back, just for her to learn about bitcoin etc and have some fun with it. Sent her about a dollar's worth to play with and she never really did anything with it, but I think was enjoying just watching the value fluctuate up and down at least, LOL.

Anyway, she just got a new iPhone and didn't keep her old phone before installing Copay again on the new one... SEED WORDS were at least saved in a notepad file (yeah, I know) however... so I figured Okay, No Problem and went to just restore the old wallet so she'd see that the BTC value was still safe and sound.

But... uh oh... no go.

12 seed words isn't being accepted. I'm getting an error that says 'invalid' on attempts to restore, tried already on a few different instances of Copay (phone, pc, mac, etc...) but all fail with the same error).

It's only a dollar worth of bitcoin at risk here so no biggie really BUT in all honesty this is fairly frightening anyway as if it can happen with a dollar, could it happen with my PRIMARY STORE of BTC that's entrusted to a Copay multi-sig wallet setup? Yikes....

Seed words that my niece had saved were:

true turn art success morning chapter novel coconut orchard metal basic foam

...anyone who can figure out what's happened here, you can have the dollar LOL

Thanks 😄

[isocolsky]

Hi, I'm trying to generate the extended private key from your 12 words but I get an error. I checked all words individually to make sure they belong to the BIP39 list and they actually do. So I think there is an issue with the checksum. Could it be possible the words were not written in the correct order?

[KeyJockey]

Well, that's why this is so weird... anything's possible of course, BUT I'm 99.9% sure this was just a simple copy and paste of the original seed words, from the Copay backup screen to my niece's notepad entry on her iPhone... it's highly doubtful she'd have manually typed it.

Unfortunately she doesn't have the old phone anymore, so I'm unable to check it... all we have is that notepad entry with the 12 words (which I'd have thought is always enough, but in this case something clearly went wrong... again, fairly alarming that this could happen! :cold_sweat:

[isocolsky]

There is no way to copy-paste the 12 words for a livenet wallet in Copay. Also, we haven't had any other report about this but will keep investigating. Thank you for reporting.

[KeyJockey]

Hmm... okay. Sorry it's been awhile since I created a new Copay wallet. So I'll ask my niece about it, IF maybe somehow the words are out of order, how she typed/saved the notepad text.

Not sure she'll remember and again it's only a dollar LOL so she probably won't care... but in any case I'd like to try and get to the bottom of what happened here if possible anyway.

{Edit} How many ways would it be possible to sort the 12 words, assuming they are just out of order, but still the correct words? Not for a human to try I mean, but maybe some software method to brute-force this and try every possible combination? Or is that still not feasible?

(My math is probably wrong, I'm not good at stuff like this and couldn't code my way out of a paper bag, LOL, but just guessing if it's 12-factorial...? Then, what, like about 480 million tries?)

[gabegattis]

The checksum in "true turn art success morning chapter novel coconut orchard metal basic foam" does not match.

[gabegattis]

And yes there are 12! permutations without repetition of those words. Iterating over those is no big deal. The problem is knowing when you found the right seed. The checksum only includes 4 bits of data, so roughly 1 of every 16 permutations will have a valid checksum. So just validating the checksum doesn't help much.

In order to know you have the correct permutation, you actually have to derive the HD seed, use the seed to derive keys and addresses, and check those addresses on the blockchain. This makes it much slower than simply iterating through all 480 million permutations. If you already knew the HD pub key, you could just check it, bypassing the slow blockchain checking part.

So a brute force search is definitely doable, but not worth it for recovering just $1.

[bitjson]

@gabegattis – that sounds like a fun https://github.com/bitpay/bitcore demo project...

[gabegattis]

It would be, though preferably you would write everything except for checking the blockchain in C so it would be reasonably performant.

[KeyJockey]

Hey guys... yeah, while the $1 worth of bitcoin in this situation is hardly worth the effort, honestly I'd like to see someone develop a tool for this anyway, just because it seems to me that IF this can screw up this way for my niece using Copay -- when as far as I could tell as an expert user assisting her -- with everything done RIGHT -- then it's only a matter of time before it's gonna happen again for someone with some serious funds trapped in the wallet!

Honestly I have NO IDEA how it was possible that the seed words got recorded in a wrong order.

Seems to me that -- for whatever reason it happened -- this IS a fairly trivial thing to have happen, maybe easily overlooked, and if the result here is that the entire wallet backup is compromised???? Yikes.

That's a very frightening scenario when otherwise I think the "seed word system" is a very strong, capable and easy to use and understand system for most people (me included).

Copay having a "recovery tool" for this scenario ready and waiting would be very reassuring, and so maybe this "trivial" test case here with the lost dollar (LOL) can serve as a real-world proof of concept?

[gabegattis]

@KeyJockey I think I might make that a personal project of mine. Yesterday, I made a quick-and-dirty JS script to validate checksums on the permutations. I would like to rewrite it in C during my free time when I get a chance. The blockchain checking part would still be pretty slow and would require an address-indexed bitcoind running locally, but it should still be doable.

[isocolsky]

In many of these cases there is a way to recover at least one address of the wallet in question. In this case, it is possible that @KeyJockey can get the destination address for the transaction transferring the $1. That way, we only have to derive the m/44'/0'/0'/0/i (for 0 < i < 5 or so) path and compare with the known address.

[KeyJockey]

Just BUMP'ing this issue, guys... actually I'd forgotten about it and just came upon it again after looking at current Copay issues sorted by most-comments: surprised to remember one of my OWN topics was there near the top of the list LOL

Anyway no posts since last October? Anyone have anything more to update on this or is it moved to the back burner low priority side project or something...

[fizex0]

I recently faced similar issue, and got it solved, i think you also set a password with this seed, you need that to restore wallet, otherwise recovered wallet will be empty, i have restored mine, i can try yours if you send that password

[tegabitz]

hello guys as the owner of this article said, its only a matter of time before someone with some serious funds enters a similar situation. I'm sad to report that i have such an issue as well with over $700 gone. Its a multisig wallet. A 3-4 wallet(bitpay). as you can probably tell atleast three signatures are needed to work with the funds, but i currently have just two signatures, the other two...well lets just say they are the reason i am seeking your assistance. one of the faulty party atleast has his recovery phrase which isn't working, the rp has a password as well, nothing working and the last person doesnt have her's. really annoying situation. please help, i know you are all technical, i really need help. please find time to help, please.

[banantunder]

Guys, I registered only for this. I'm not a programmer, but I tried to input this 12-word seed into Electrum, assuming that there was a simple mistake. I tried to swap the first two words, enter "arm" instead of "art", "medal" instead of "metal"... and this third one worked. Yep, a single misspellt letter in "metal"... Sadly the funds were gone about a month earlier from now, I just wanted to tell you this.

Also, I'm disappointed in the BIP39 wordlist itself... How can one include similar words differing only 1 letters in an industry-standard seed-generating dictionary??

[BGalliotti]

Hello @RoePipi Thanks for reaching out to us.

So what you are saying is you modified a couple of words, for other valid words, and it worked, right?

Please let us know if you have any additional questions. Kind regards.

[banantunder]

Yes, and it tells an important story: With BIP39, we'd like to lighten user experience, but we're creating another possibilities for errors. We shouldn't have almost identical words in the database (ie. differing only in 1 letter).