Incorrect SolFlare & Ledger instruction page

[SMcCandlish]

Problem

Your "SolFlare Web Wallet" page at https://docs.solana.com/wallet-guide/solflare is very outdated and provides completely incorrect instructions. It tells people to create a keystore-file account at SolFlare.com, download and verify this file, and upload it into the Ledger device. It is not possible to follow these instructions or anything like them, because SolFlare no longer uses keystore files at all. Thus there is no clear way to use a Ledger device (Nano X, etc.) to store Solana at present.

Proposed Solution

Figure out how to actually use modern SolFlare wallets (or some other Solana wallet) with Ledger, and update the instructions.

[SMcCandlish]

At some risk (given SOL's minimum transaction size) I've made some progress on this. And the news is not all good.

What I did was:

• I created an account/wallet (actually a derivation path, with several derivable account addresses) as Solflare.com, using their password and 24-word passphrase system. I selected the default derivation path option.
• Inside this account is an option to "import" a Ledger wallet. Is is under Settings > Main Account > Import a Ledger wallet. It has you connect the device, unlock it, and open the Solana app on it (which you have to install through Ledger Live > Manager, beforehand).
• You then click a button on the site to proceed.
• This may take several well-timed tries, because the app on the device will not stay open without active input for more than a few seconds (seems to be a bug/misfeature, since there are configuration options, etc., in such apps, but no way to use them before the app closes).
• When it finally works, if you are on Windows, it is apt to throw up a bunch of rapid-fire warnings about device access; Windows is confused and thinks you're using a thumbprint reader. If it asks you to touch your security device again (and again and again) just keep re-opening the Solana app on the Ledger. It eventually worked for me.
• When asked by SolFlare, I told it to use the same derivation path as I chose for my initial SolFlare account. For the device, this was not the default option, but it seemed sensible to have them match.
• This produced a list of derivable account addresses on the device. I picked the first one. This was then apparently imported as an account/address into SolFlare associated with my original SolFlare ones. SolFlare asked me to give it a name (I picked something like "Ledger Nano X - Solana 1", but it ignored this name and just used "Solana (SOL)". [Semi-correction: The chosen name is actually used in one place, the "Select account" widget at top right in the SolFlare UI.]
• Clicking "Receive" gives the alphanumeric address and a corresponding QR code.
• I then used Coinbase to send SOL to this address, and it did work. SolFlare reflected the transaction in under 1 minute. It is unclear whether anything about this has been saved to the device, and whether the account imported from the device has any 24-word recovery phrase attached to it (seemingly not; see below).
• I switched to another browser (from Chrome to Edge), went to SolFlare.com, put in the 24-worder, and was able to access the same SolFlare deriv path and associated addresses, but the address imported from my Ledger was not among them. So, no permanent link is being made between Ledger deriv path/addresses and the SolFlare ones. It seems to be stored in cookies or something on a per-browser basis.
• In Edge, I attempted again to import the account from the Ledger. Similar spamming of security messages from Win10. But I did eventually get it to work, and the SOL is in there. (Technically, it's on the blockchain, the address stored in the device is valid, and access to any SolFlare account, combined with access to that Ledger device, will permit access to the SOL stored on the blockchain for that address that's on the device and imported [rather temporarily] into SolFlare.)

My conclusion thus far is that if you have a usable SOL wallet at SolFlare, you can recover the SOL address and value from the Ledger, but only if the Ledger is working and in your possession. If you lose the Ledger or it becomes broken, you're s.o.l. in the slang sense, because there is no 24-word recovery phrase, nor a keystore file, for the SOL account/address in the Ledger. [Edit: I don't see any documentation or other evidence anywhere that the Ledger's own 24-worder permits recovery of anything but data added by the official Ledger Live app/driver, and I'm not sure whether/how the deviced may keep track of random data added by third-party applications.]

If my concern is accurate, then this is clearly a problem, and defeats the purpose of the Ledger in the first place, so I'm going to move my SOL out of that account and into the SolFlare address that does have a recovery phrase (or back into Coinbase), unless/until such time as there's a way to back up the SOL account/address/deriv-path in the device with a recovery phrase specific to it. My suspicion is that the SOL app for Ledger dates to when SolFlare provided a keystore file, which served as such a backup [for addresses generated on SolFlare and imported into Ledger - an import direction that no longer appears possible], and has not been updated to do something else, like output a 24-worder for you, in the interim [for addresses generated on Ledger and imported to SolFlare].

[SMcCandlish]

PS: I've notified both the SolFlare Discord and the Ledger bug-bounty address about this issue ticket, so the Solana, SolFlare, and Ledger people should all be aware of it, and between them either be able to come up with a solution to the problem, or come up with complete and accurate instructions for doing things safely if this problem is illusory.

[hesido]

Thanks, I'll be immediately moving my Solana back to the exchange. This is of paramount importance.

[SMcCandlish]

Keep in mind this is an initial issue report, and I may have done something wrong or being wrong about something, and there may be updated instructions to post that will clear everything up. (That said, there's nothing wrong with moving SOL back to another wallet in the interim, other than a minor transaction fee.)

[hesido]

There may be no two ways around it, but the requirement of having to turn on "blind signing" for most operations already is problematic for me. I hope that is mitigated to some extent in the future and is not a problem inherent to the hardware.

On Tue, Sep 7, 2021 at 3:17 PM S. McCandlish @.***> wrote:

Keep in mind this is an initial issue report, and I may have done something wrong or being wrong about something, and their may be updated instructions to post that will clear everything up. (That said, there's nothing wrong with moving SOL back to another wallet in the interim, other than a minor transaction fee.)

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/solana-labs/solana/issues/19665#issuecomment-914254937, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA4ODUH3GKXFNMXRETN5SW3UAX7GXANCNFSM5DQLWIYA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[tjulien-ledger]

Hello @SMcCandlish, I think there is some confusion regarding how mnemonic phrases and Ledger devices function. I will try to explain as best as I can while answering the points you raised :)

- The "SolFlare Web Wallet" page at https://docs.solana.com/wallet-guide/solflare is very outdated and provides completely incorrect instructions. It tells people to create a keystore-file account at SolFlare.com, download and verify this file, and upload it into the Ledger device.

It appears as though there has been an update of Solflare wallet but instructions actually never stated to create a keystore and upload it to the Ledger device. You should actually use either a keystore file or a Ledger device (more secure) to create accounts: “As a non-custodial wallet, your private keys are not stored by the SolFlare site itself, but rather they are stored in an encrypted Keystore File or on a Ledger Nano S or X hardware wallet.”

- It is not possible to follow these instructions or anything like them, because SolFlare no longer uses keystore files at all.

You are correct in the sense that Solflare appears to have quit using keystore files (for account creation) but if you own a Ledger device, you should not use keystore files at all. In case you already had a keystore file, there is a link in Solflare when you select the option that redirects to instructions on how to easily recover accounts generated using a keystore file: https://blog.solflare.com/how-to-transfer-from-a-keystore-to-a-mnemonic-phrase-with-solflare-x-77b575899fa2 You should follow instructions in the documentation explaining how to use Solflare with a Ledger device and not using the keystore file or Mnemonic.

- I created an account/wallet (actually a derivation path, with several derivable account addresses) as Solflare.com, using their password and 24-word passphrase system. I selected the default derivation path option.

When you create an account using a 24-word passphrase, all the keys and addresses are generated from this 24-word passphrase. As such, it is very important to ensure you never share it as it can be used to restore all of your accounts.

- Inside this account is an option to "import" a Ledger wallet. Is is under Settings > Main Account > Import a Ledger wallet. It has you connect the device, unlock it, and open the Solana app on it (which you have to install through Ledger Live > Manager, beforehand).

Your Ledger device has already been initialised with a different 24-word passphrase so the addresses you will see displayed for it are not the same as the ones that will be displayed if you use the 24-word passphrase generated using Solflare. You actually have two separate accounts each having their own addresses.

- This may take several well-time tries, because the app on the device will not stay open without active input for more than a few seconds (seems to be a bug/misfeature, since there are configuration options, etc., in such apps, but no way to use them before the app closes).

It is not very clear from your explanations but the behavior you are describing seems to correspond to what would happen if you had Ledger Live open on the Manager tab while trying to open the Solana app. The Ledger Live manager will automatically close apps to take you to the dashboard of the device as you must be on this dashboard in order to install new apps. If you exit the manager or close Ledger Live, you would not face this issue. In general, it’s best not to have several wallets open at the same time that are connected to the device as it can cause some communication issues. Please make sure you only have one wallet open at a time.

- I switched to another browser (from Chrome to Edge), went to SolFlare.com, put in the 24-worder, and was able to access the same SolFlare deriv path and associated addresses, but the address imported from my Ledger was not among them. So, no permanent link is being made between Ledger deriv path/addresses and the SolFlare ones. It seems to be stored in cookies or something on a per-browser basis.

As I explained above, the 24-recovery phrase you are using is not associated with your device, it will generate its own keys and addresses. Your device has its own recovery phrase that is inputted when you initialize it for the first time. It must be stored in a secure location as it can be considered as your backup in case you ever break or lose your device and wish to access your accounts. If you wish to access the addresses associated with your Ledger, you must connect it and import it in Solflare.

We will contact Solflare to make sure instructions for keystore files and migration to mnemonic are updated but you may safely use Solflare with your Ledger device, just make sure you always use the “import Ledger” option and not enter a mnemonic or 24-word recovery phrase. In the meantime, I strongly encourage you to visit our help-center for more explanations on how to use Ledger devices and reach out to our success team if you need some clarifications.

Thomas JULIEN, Product owner Nano apps at Ledger.

[t-nelson]

Excellent response @tjulien-ledger !

[SMcCandlish]

Yes, thank you for the detailed reply. I better understand what it's doing now, though the instruction page I opened this report about clearly needs an update. :-) It would probably help to clarify that the 24-word mnemonic used by the Ledger device also covers third-party app data (like that created by the Solana app for Ledger), not just "official" Ledger Live data. It really wasn't clear to me that the 24-worder for the built-in supported cryptos would also be usable to restore add-on ones like Solana, especially since the original instructions were about using a keyfile generated on an external website, and yadda yadda.

[g00nix]

It also says in the docs that SolFlare.com is a community-created web wallet built specifically for Solana.

This is not true, as the SolFlare wallet can not be found anywhere on GitHub. It looks like proprietary software and not like a community-created wallet.