j4y_naKomodo



Re: [ANN] [888] [SCRYPT] OctoCoin ◦ The Power of Eight ◦ Don't Blink
December 13, 2017, 09:36:11 PM #4304

_________________________________________________



*** ALERT * WATCHONLY-GUI BUG * ALERT ***

____________________________________________

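Greetings, friends at OctoCoin! As Komodo Platform has been working around the clock to fine-tune the multiple GUIs that are the face of our Agama multiwallet and BarterDEX atomic swap protocols, there have obviously been many bugs found and many debugged. However, one bug in particular was found not only in our Agama GUI wallet, but also in the zcash4mac GUI swing wallet. It is a simple bug, but it warrants your attention. This is a potential money cost bug.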



OctoCoin (888) - As a Bitcoin-protocol cryptocurrency, your GUI wallet(s) may be susceptible to this bug.



ISSUE: 'watchonly' addresses appearing as your own in GUI wallet; users could potentially send funds to the address, unaware it is not theirs or available for withdrawal. You can import <any address> and it becomes a 'watchonly' address. The GUI will display the address as yours, add its funds to your balance, and accept deposits, but the funds cannot be withdrawn. This could be a normal address, my address, a p2sh address, Satoshi's address, etc. This can be confusing to an end-user and will lead to many headaches for the developer, as is always the case with misplaced funds.



FOUND: in Komodo Platform's Agama multiwallet (fixed) and zcash4mac GUI swing wallet (@jl777b: "newest QT wallet seems ok about watch only, but not sure of older and when it was fixed")



ex. @grewalsatinder found the bug in his zcash swing wallet: https://i.imgur.com/sVd0QTL.png



Quote from: jl777B "satinder used zcash4mac, ie. the zcash osx GUI, not ours... the assumption is no GUI out there properly handles watch only addresses, until proven that they do... agama also had this bug, which we found and fixed, so it seems a very common bug to have"

SOLUTION: For the 'watchonly' address or any address not yours, the value 'ismine' returns false. Any such address gets filtered out.



QUESTIONS:

How does your recommended GUI deal with watchonly addresses?

Does your GUI display watchonly addresses as different than actual addresses in the wallet?

We need to experiment a bit to see which approach gets a better response triggering the bug. People WILL lose money if they send funds to a watchonly address.



Quote from: jl777B "the t3 addresses in the 'Own Addresses' column! and they absolutely can't be as they are p2sh addresses. it is clear proof that the bug is very real and anybody that understands a p2sh address will understand it can't be something in your wallet. it is usually a multisig address, so only if it is a 1of1 multisig (possible but very silly) can you have a p2sh address that is spendable, but the wallet won't even know it... normal addresses can also be watchonly, which makes this even worse. in that case it would appear in the list of addresses just like all the others. even if you are able to spot p2sh addresses visually, it won't be enough"

I've been tasked with spreading awareness and facilitating discussion of this bug, so please let me know if you have any questions. I'll get you some answers and we can minimize the impact. We wanted to reach out directly to the developers of the 60+ coins featured on Agama and BarterDEX as the bug may have a direct impact on you (via your own GUI wallet).



- Jay
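The 'ismine' filter described under SOLUTION, as an added example that is not part of the original post and is not Agama's or any wallet's own code. It assumes the GUI gets, per address, a result shaped like the daemon's `validateaddress` reply (`ismine`, `iswatchonly`); the function names, addresses and amounts are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data. Keys mirror fields reported by `validateaddress`
# on Bitcoin-protocol daemons; the addresses are placeholders, not real ones.
SAMPLE_VALIDATE = {
    "addr_own_1":   {"isvalid": True, "ismine": True,  "iswatchonly": False},
    "addr_watch_1": {"isvalid": True, "ismine": False, "iswatchonly": True},
    "addr_p2sh_1":  {"isvalid": True, "ismine": False, "iswatchonly": True,
                     "isscript": True},
    "addr_unknown": {"isvalid": True},  # daemon reply without an 'ismine' field
}
SAMPLE_BALANCES = [
    ("addr_own_1", Decimal("1.5")),
    ("addr_watch_1", Decimal("20")),
    ("addr_p2sh_1", Decimal("3.25")),
    ("addr_unknown", Decimal("0.1")),
]


def split_wallet_view(balances, validate):
    """Partition addresses into 'own' and 'watch_only' using 'ismine'.

    `validate` is any callable returning the validateaddress-style dict for
    an address (hypothetical interface). A missing or non-True 'ismine'
    is treated as not ours, so an incomplete reply never becomes spendable.
    """
    own, watch_only = [], []
    for address, amount in balances:
        info = validate(address) or {}
        if info.get("ismine") is True:
            own.append((address, amount))
        else:
            watch_only.append((address, amount))
    return {
        "own": own,
        "watch_only": watch_only,
        # Only keys the wallet holds count toward the displayed balance.
        "spendable": sum((amt for _, amt in own), Decimal("0")),
        "watched": sum((amt for _, amt in watch_only), Decimal("0")),
    }


def receive_addresses(view):
    """Addresses the GUI may offer for deposits: own addresses only."""
    return [address for address, _ in view["own"]]


VIEW = split_wallet_view(SAMPLE_BALANCES, SAMPLE_VALIDATE.get)
```

A GUI built this way can still show the `watch_only` list, but under its own heading and outside the balance and deposit-address pickers.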