I have created a wallet using bitcoinlib. The wallet is named 'my-awesome-wallet55.' When I try to open my existing wallet with a newly generated mnemonic phrase, the behavior I expect is an exception or security error, however the wallet opens anyway. I can manually check the private keys to create my own security check, but shouldn't trying to open an existing wallet with the wrong key fail? Seems like a pretty big security issue otherwise.
from bitcoinlib.wallets import Wallet, wallet_create_or_open
from bitcoinlib.keys import HDKey
from bitcoinlib.mnemonic import Mnemonic
# Creating a new Mnemonic phrase to try and open an existing wallet with
passphrase=Mnemonic().generate(strength=256, add_checksum=True)
# Use new phrase to create key
key = HDKey.from_passphrase(passphrase, witness_type='segwit', network='testnet')
# In my opinion this should fail because I provided the wrong key, but it returns the wallet
w = Wallet('my-awesome-wallet55', main_key_object=key)
# Statement showing that our private keys are different
print("key.private_hex: " + key.private_hex + "\nw.main_key.key_private.hex(): " +
w.main_key.key_private.hex())
if key.private_hex == w.main_key.key_private.hex():
# We don't make it here because our private keys don't match
print("Wallet 'my-awesome-wallet55' authenticated")
w.utxos_update()
print("Balance: " + str(w.balance()))
print("Wallet address: " + w.get_key().address)
w.info()
else:
# Instead we make it here and still have access to the wallet
print("Wallet Authentication failed")
w.utxos_update()
print("Balance: " + str(w.balance()))
print("Wallet address: " + w.get_key().address)
w.info()
Is there a standard way for authenticating a wallet using bitcoinlib? Based on what I have here, it seems someone only needs to know the name of a wallet to gain complete access over it.
UPDATE:
After getting Frank's question, I updated the code to try and send a transaction:
from bitcoinlib.wallets import Wallet, wallet_create_or_open
from bitcoinlib.keys import HDKey
from bitcoinlib.mnemonic import Mnemonic
passphrase=Mnemonic().generate(strength=256, add_checksum=True)
#passphrase='lumber romance negative child immense grab icon wasp silver essay enjoy jewel mom demise fit moral device hand capable toilet spirit age enforce deny'
print(passphrase)
key = HDKey.from_passphrase(passphrase, witness_type='segwit', network='testnet')
#wallet_create_or_open('my-awesome-wallet55', keys=passphrase, witness_type='segwit', network='testnet')
w = Wallet('my-awesome-wallet55', main_key_object=key)
print("key.private_hex: " + key.private_hex + "\nw.main_key.key_private.hex(): " + w.main_key.key_private.hex())
if key.private_hex == w.main_key.key_private.hex():
print("Wallet 'my-awesome-wallet55' authenticated")
w.utxos_update()
print("Balance: " + str(w.balance()))
t = w.send_to('tb1qprqnf4dqwuphxs9xqpzkjdgled6eeptn389nec', 4000, fee=1000)
t.info()
else:
print("Wallet Authentication failed")
w.utxos_update()
print("Balance: " + str(w.balance()))
t = w.send_to('tb1qprqnf4dqwuphxs9xqpzkjdgled6eeptn389nec', 4000, fee=1000)
t.info()
Here are the results:
Sonnys-MBP:TelegramBTCWallet sonnyparlin $ python test.py
unfold royal atom rule electric ice quote spin fiber quality lady just garment nature secret six garden comic carpet mom endless lamp family arctic
key.private_hex: 23ac38dc5293ee53918c8dfe18abc28975c8fa6963c876302aa4473ddca2f14a
w.main_key.key_private.hex(): 8c11283bf21e9344930ab9519742d6f59cd220528e0be17886d27a21c9c127c7
Wallet Authentication failed
Balance: 95000.0
Transaction 5e729021da81a5e6fc3b3d88b5bf136d09c78b0ac9a08be2cf1c90107e7ae27c
Date: None
Network: testnet
Version: 1
Witness type: segwit
Status: unconfirmed
Verified: True
Inputs
- tb1q7dx79l3maq2cqynpjzxqxsk3v6jhhaggzl07c3 0.00095000 tBTC badb9dbe2b4741310137de774e058aaf6cbba28e2f36c11640b241284f780f86 1
segwit sig_pubkey; sigs: 1 (1-of-1) valid
Outputs
- tb1qprqnf4dqwuphxs9xqpzkjdgled6eeptn389nec 0.00004000 tBTC p2wpkh U
- tb1q9wg0vnqx63ng39s80gwqqffe2z7c5vvh0f4h3g 0.00090000 tBTC p2wpkh U
Size: 139
Vsize: 139
Fee: 1000
Confirmations: 0
Block: None
Pushed to network: True
Wallet: my-awesome-wallet55
I published this to the bitcoinlib developers as a bug, which they confirmed, you can follow it here:
https://github.com/1200wd/bitcoinlib/issues/206#issuecomment-991265402