Closed catch-21 closed 2 months ago
Thanks, yeah, this was also picked up in the audit: the lightning seed was not using the bip39 passphrase to derive its seed, and that was being used as the wallet's backup account.
I have a fix for this but to avoid migrating this node for all existing users it will be patched in the fresh start app we're doing. Will update here when that app is ready to be tested.
Tested on 898a58a42979ef8bee906b10182c8a12399e1d16. Restore appears to correctly use the passphrase now for LN and profile. Closing.
Describe the bug
The lightning and contacts backups do not consider the BIP-39 passphrase. They are always restored regardless of the passphrase used. Therefore, if your wallet uses a passphrase and you either forget to enter it or enter the wrong passphrase when restoring, although your on-chain transactions and balance will not show, your lightning-related activities and contacts will restore. This could also be a problem for those who want to use multiple accounts derived using different passphrases for the same 12 words, e.g. a fake dummy account.
Reproduce
Screenshots / Recording
https://github.com/synonymdev/bitkit/assets/74595920/cc257642-ef43-4e88-9de4-080f3f0847cf
Operating system
Android 13 TKQ1.220829.002
Bitkit version
v1.0.0-beta.113
Log output
No response
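
The failure mode reported in this issue, as an added example that is not part of the original thread and not Bitkit's code: it derives the BIP-39 seed per the standard (PBKDF2-HMAC-SHA512, 2048 rounds, salt `"mnemonic" + passphrase`) and checks whether backup keys stay separate across passphrases. The `backup_key` scheme, the labels and the passphrases are assumptions made for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the public BIP-39 test-vector mnemonic (never fund it).
MNEMONIC = ("abandon " * 11) + "about"
# Assumed labels for the two backups named in the report; not Bitkit's real scheme.
LABELS = (b"lightning", b"contacts")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic"+passphrase."""
    norm = lambda s: unicodedata.normalize("NFKD", s)
    salt = ("mnemonic" + norm(passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic).encode("utf-8"), salt, 2048)


def backup_key(seed: bytes, label: bytes) -> bytes:
    """Hypothetical per-backup key: HMAC-SHA256 of a label under the wallet seed."""
    return hmac.new(seed, label, hashlib.sha256).digest()


def derive_ignoring_passphrase(mnemonic, passphrase, label):
    # Behaviour described in the report: the passphrase never reaches the KDF.
    return backup_key(bip39_seed(mnemonic), label)


def derive_with_passphrase(mnemonic, passphrase, label):
    # Corrected behaviour: backups hang off the same seed as the on-chain wallet.
    return backup_key(bip39_seed(mnemonic, passphrase), label)


def backups_isolated(derive, mnemonic, passphrases) -> bool:
    """True if no backup key is shared between any two passphrases."""
    seen = set()
    for p in passphrases:
        for label in LABELS:
            key = derive(mnemonic, p, label)
            if key in seen:
                return False
            seen.add(key)
    return True


if __name__ == "__main__":
    accounts = ["", "real-account", "decoy-account"]  # constructed passphrases
    print("ignoring passphrase:", backups_isolated(derive_ignoring_passphrase, MNEMONIC, accounts))
    print("using passphrase:   ", backups_isolated(derive_with_passphrase, MNEMONIC, accounts))
```

A check like `backups_isolated` fits a restore regression test: it fails as soon as any backup key is reachable under more than one passphrase.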