MetaMask / metamask-extension

The MetaMask browser extension enables browsing Ethereum blockchain enabled websites

Home Page: https://metamask.io

Seed Phrase Bug Bounty

danfinlay opened this issue

As part of our commitment to the best security we can offer, the MetaMask team is planning to continuously offer a bug bounty on our seed phrase functionality. We are starting the bounty at 1 ether, but anyone is free to add to the bounty as they like.

As we have written about before (#2577), and have awarded a bounty for in the past, sometimes users have reported that the seed phrase they were originally given does not restore their original accounts.

We have continued to receive rare but concerning accounts of similar experiences: #2904 #3042 #4756 #4697

The bounty will be paid to anyone who can demonstrate a condition in MetaMask's code base, either through automated tests or manual reproduction, where MetaMask would show a user a seed phrase on first setup that would not work for later restoring their accounts.

Thanks for your interest and participation, we're available to answer any questions about our key management here.

This issue now has a funding of 1.0 ETH (1189.64 USD) attached to it.

I had the same issue with the MetaMask Chrome extension a month back, and I can reproduce what happened with my account. As I have not read MetaMask's code base, my understanding of the seed phrase is limited. But what happened is still an issue.

> I can reproduce what happened with my account

If you can reproduce a problem that meets this description reliably, you'll be eligible for this bounty, no need to understand the code.

If you'd like to disclose it in secret, please submit your reproduction steps to support@metamask.io

On reading the documentation and the concept of loose accounts, what happened with my account was this: I had imported a few accounts with the "import account" option, but after reinstalling the MetaMask extension, these imported accounts were gone. Luckily I had the private keys for these imported accounts, so I had to import them again. In that sense the "seed phrase" will only create the HD wallet, and will recover only addresses in its derivation path? (Not the previous full state of your account.)

That's right, the seed phrase is not a password to some server we maintain, it is the secret from which we derive the accounts that you create with MetaMask. It can't help with restoring any other information.

Glad you figured it out!

Why is this closed?

@danfinlay Is this one still open? cc @owocki

Sorry, I didn't mean to close this!

working on some issues with gitcoinbot erroneously commenting on issues... looks like it might have happened here. sorry yall, working on it!

just put in a fix for the gitcoinbot craziness. gonna monitor for the next few hours to make sure we're all good.

Hi @danfinlay

METAMASK is really a good wallet. I am a fresh user of METAMASK, and taught my girlfriend to use it. Last night, when we used it to join an ICO campaign, we got a TERRIBLE problem. DEEP SAD! We lost all our accounts although we took down the seed phrase.

The reproduction process is as below:

  1. We created an account, set a password and took down the seed phrase; this is Account 1.

  2. Then we created Account 2, 3, 4, 5…… it was very easy and there was no seed phrase or password (I think this is the important reason).

  3. Then we used the address to join the ICO, but we cleared all the cache of the browser (this is why my accounts were lost).

  4. When we logged in to MetaMask using the seed phrase and reset the password, we only found Account 1. The other accounts were lost.

That's quite terrible! We lost many tokens which cost us a lot. And I didn't find a good way to get back the accounts. Maybe never. It is really a big BUG, and why don't you alert users to avoid it? Some advice as below:

  1. Alert all users that one seed phrase can only recover the first Account.
  2. If you clear the cache of the browser, you will lose all the accounts.
  3. You should download or take down every account's private key.

Good product but with quite a big BUG for fresh users. Hope others good luck. :( a sad day for me.

EDIT: @DavidFnck if you press create account it will restore the rest, only account 1 shows but the rest will be there if you create account again

One thing to note, when I clear cache and use the password, it claims to be wrong (it was copied from a text file for testing) so I had to use the seed phrase to restore

@DavidFnck The accounts should be restored one-by-one when you perform "create account" in the fresh MetaMask.

EDIT: @DanielMReed edited their comment to say this as well.

I'm offering up to 20% of my account balance as a bounty if I can gain access to my original address again after being affected by this bug. The bounty I'm offering is worth more than the bounty of this issue (#3127) alone. The issue I created is #3258; it has been closed but not solved and is the same issue as this one.

My original address balance can be seen here and is where I'll pay the bounty out from on regaining access:

https://etherscan.io/address/0xbc70688f0394d98c6016f670d2e2515d0ef63533

If the balance increases in value so does the bounty I'm offering i.e 20% of whatever my address is worth at the time of gaining access.

Hi @BGzetro, can you check if your seed phrase is in correct format?

  • 12 words
  • only one space between words
  • no extra spaces/characters at the beginning of the seed phrase or at the end
  • no capital letters

You can use Notepad++ to check. Copy-paste your seed phrase into a new file. Open the View menu, open "Show Symbols", and select "Show all characters". You should not see CR, LF, array, two consecutive dots, dots at the beginning and the end.

Even the smallest difference can restore/create a completely different account.
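The format checklist in the comment above can be automated. The following is an added example, not code from MetaMask or from anyone in this thread: the function name `inspectSeedPhrase` and the sample phrase are constructed for illustration, and it checks formatting only, not whether the words belong to a word list.

```javascript
// Added example (not MetaMask code): report formatting problems in a pasted
// seed phrase. It does not check words against a word list or any checksum.

const EXPECTED_WORDS = 12; // word count from the checklist above

// Characters that render like a space (or like nothing) but are not U+0020.
const ODD_SPACES = /[\u00a0\u1680\u2000-\u200b\u202f\u205f\u3000\ufeff]/g;

function inspectSeedPhrase(raw) {
  const problems = [];
  if (raw.includes('\r')) problems.push('contains CR');
  if (raw.includes('\n')) problems.push('contains LF');
  if (raw.includes('\t')) problems.push('contains a tab');
  if (raw.search(ODD_SPACES) !== -1) problems.push('contains a non-ASCII space');
  if (/^\s/.test(raw)) problems.push('leading whitespace');
  if (/\s$/.test(raw)) problems.push('trailing whitespace');
  if (/ {2,}/.test(raw)) problems.push('more than one space between words');
  if (/[A-Z]/.test(raw)) problems.push('contains capital letters');

  // Candidate repair: map every kind of whitespace to one space, trim, lowercase.
  const normalized = raw
    .replace(ODD_SPACES, ' ')
    .replace(/\s+/g, ' ')
    .trim()
    .toLowerCase();
  const words = normalized === '' ? [] : normalized.split(' ');

  if (words.length !== EXPECTED_WORDS) {
    problems.push(`expected ${EXPECTED_WORDS} words, found ${words.length}`);
  }
  // Report the position only, never the word itself.
  words.forEach((w, i) => {
    if (!/^[a-z]+$/.test(w)) problems.push(`word ${i + 1} has a non-letter character`);
  });

  return { ok: problems.length === 0, problems, normalized };
}

// Constructed sample: placeholder words, not a real seed phrase.
const SAMPLE =
  ' Alpha  bravo charlie delta echo foxtrot golf hotel india juliet kilo lima\r\n';
console.log(inspectSeedPhrase(SAMPLE).problems);
```

The function runs entirely locally and prints only the list of problems, so the phrase itself never has to leave the machine or appear in a log.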

@scsaba Thanks for that summary, I've opened a new issue to automate what you suggested here, we may add a bounty to it:
#3440

@scsaba

Thanks for the help. I followed your procedure and I can confirm there are no capital letters or double spaces, only a single dot was showing between words.

@lazaridiscom As far as I'm aware, in Notepad++, when you go to "Show Symbols", spaces are shown as a single dot. As a single dot is shown, it indicates a single space between words, as it should be, so nothing is wrong with my seed. The issue is something else.

@danfinlay Could this bug be related to #2577?

  • When an account was first created a user would click on 'create vault' but it was selected multiple times.

  • Multiple vaults are then created but only the seed for the first vault is shown immediately and generation of the other vaults are stalled for some reason.

  • The seed phase continues to show the first vault seed phrase despite the subsequent vaults generation completing.

  • The last vault to finish the generation process overwrites the first vault.

  • The seed recorded is for the first vault, which had been overwritten; this is unknown to the user. The user sends tokens to their vault, which their seed doesn't relate to, and on account restore the seed they recorded instead restores the 1st vault, the one which had been overwritten and didn't have any tokens stored on it. The user loses access to the correct vault as they were never shown the correct seed phrase on account creation.

You and @seesemichaelj originally mentioned something about this occurring back in November last year.

@lazaridiscom I tried what you said with MetaMask and generated 15 additional accounts and none matched my original address. I also tried doing the same through myetherwallet, so I could view 5 addresses related to my seed phrase in order at the time and their balances related to my seed. I checked over 200 addresses and none showed any balance, as none of the addresses matched my original. I feel like I was given an incorrect seed phrase by MetaMask to copy down in relation to my original generated address, i.e. the one I was given was for another string of Ethereum addresses.

I'm not sure what the correct term is, but what I feel has happened on account creation is that 2 different accounts were created sort of in parallel somehow at the same time (this should not happen). I was shown a seed phrase for one account related to a string of Ethereum addresses, but only one account could link to my password upon account creation; the one that linked was for a different seed phrase which had a different string of Ethereum addresses.

Not knowing a bug had occurred, I saved the seed I was shown and made note of the Ethereum address tied to account 1. I did not go to settings in MetaMask to reveal my seed words to check they were the same as I was originally shown. If I had, I believe I would have been shown a completely different seed phrase to what I had recorded. After a week of successful logins and my Ethereum address showing the same every time I checked, I sent tokens to my Ethereum address for account 1. A couple of days later it would not let me log on with the correct password. I restored my account from the seed phrase I recorded and account 1 then showed a different Ethereum address. I believe this is because this is actually a completely different account, the one I assumed was created in parallel on initial creation.

Anyone think this is a plausible theory?

I managed to get back into my account again and transfer all my tokens and Ethereum out of my account into another address I own which I don't use with MetaMask :D

Basically, last year I installed MetaMask on Mozilla Firefox, created an account and recorded that seed. I never used that account and uninstalled MetaMask.

Then this year I decided to Metamask and completely forgot I had created an account I never used. Anyway, I installed the latest version of MetaMask on Firefox again and this time Google Chrome also. I created a brand new account using the Firefox installation, and a brand new seed was shown and an address which I recorded down.
It turns out the new account's address for account 1 does not relate to the new seed I was given but actually relates to the seed from my account I never used last year.

Whilst cleaning up the files on an old memory stick I found a seed phrase to the account I never used. I thought I had nothing to lose, as I had already lost it all, and tried to recover my account with my seed phrase from the account I never used last year. I then created a new password, but one which was exactly the same as the new account I recently created, and it worked! I went to settings and reveal seed phrase, but the new most recent seed phrase was still showing, not the one I managed to recover my account with. I logged back out and back in and revealed the seed phrase again, and this time the correct one was showing. I then as quickly as possible transferred everything out of my address lol.

I believe this is still a big problem for many.

I think the initial issue of being locked out of your account even if you enter the correct password has something to do with a conflict between MetaMask being used on 2 different browsers for 1 account and how the MetaMask data is stored.
I don't understand it in depth at all, but if MetaMask is used with Firefox then those files are perhaps updated and the Google Chrome data is not until you use it. If you delete your Firefox history and have not used the Google Chrome browser version of MetaMask after first creating an account with the Firefox browser version, then when you enter the correct password perhaps it doesn't recognise it and it locks you out until you restore.

The second issue of being shown a different seed for the Ethereum address attached to the MetaMask account may be to do with previous MetaMask data being saved in your browser from a long time ago. I don't understand why, but it seems that re-installing MetaMask and creating a new account with the same password as another from a long time ago actually restores your previous account, but on account creation shows you a seed not relating to your account. If you go to reveal seed words it will show the seed which does not relate to your account. If you get locked out and you restore with the seed phrase most recently shown, it will restore an account with a different Ethereum address. To get your original Ethereum address back you have to use a previous seed, so hopefully you have not deleted it even if you never used that account.

I'm waffling a bit now, but please someone try to make sense of this. Many people are losing access to their original Ethereum address because of this. Hope this helps someone.

Well @BGzetro , your luck is back, I guess. If the steps you've given can lead to a reproduction, then your luck is even more back!

@BGzetro the current bug bounty is on issue #3127.

Could this be a multiple vault creation issue?

This is what the previous seed phrase bounty was awarded for. We added a few extra locks to ensure that only a single vault is created when the "Create vault" button is clicked.

Could this be a string formatting issue?

The only way to tell if this issue is that issue is to talk to those users, and have them analyze the seed phrases they were trying to use. This would probably require providing a client-side tool they could use to sanitize their seed phrases. I've made tools like this before:

If you could provide a tool that fixes other formatting errors that these don't catch, or could PR against seed-phrase-guesser, and we verified this fixed outstanding issues that we're aware of, we would award this bounty.

What happened?

> I'm not sure what the correct term is but what I feel has happened on account creation is 2 different accounts were created sort of in parallel somehow at the same time (this should not happen)

I agree this should not happen, and this is why we have the standing bug bounty for finding anything that would cause something like this (#3127).

> I did not go to settings in Metamask to reveal my seed word to check it was the same as I was originally shown I had, If I did I believe I would have been shown a completely different seed phrase to what I had recorded.

This is why we showed a notice to all MetaMask users notifying them to check their settings and back up their seed phrases:
https://github.com/MetaMask/metamask-extension/blob/master/notices/archive/notice_3.md

> Anyone think this is a plausible theory?

I think it is plausible, and it's a very concerning theory, and I've personally dedicated weeks to looking for possible causes to this, and we've posted a bug bounty. Ultimately, I've come to believe this is basically all we can do. We still have to live our lives, and we can't chase phantoms forever. At a certain point we have to just keep adding to the bounty, and let that serve as our best guarantee that this bug doesn't live.

What a Twist!

> I managed to get back into my account again and transfer all my tokens and Ethereum out of my account into another address I own which I don't use with MetaMask :D

> Basically, last year I installed MetaMask on Mozilla Firefox, created an account and recorded that seed. I never used that account and uninstalled MetaMask.

> It turns out the new account's address for account 1 does not relate to the new seed I was given but actually relates to the seed from my account I never used last year.

Now that's something very specific that we can investigate. In my experience, removing an extension also removes all of its data, including your vault, and there should be no way for it to persist, but I've created a new issue for us to investigate this further (#3452).

> I think the initial issue of being locked out of your account even if you enter the correct password has something to do with a conflict between MetaMask being used on 2 different browsers for 1 account and how the MetaMask data is stored.

MetaMask data is entirely local, so there should be no way for MetaMask on one computer to interfere with MetaMask on another computer. They have their own passwords, encrypting their own local vaults. It seems more likely to me that you forgot which password you used on which computer.

We'll investigate the possibility that a computer keeps a deleted vault around, that's very spooky, but for the most part, I'm just glad you were able to recover yours!

@lazaridiscom
Thank you, it is :). I'll give it a go 👍

@danfinlay

I was using 2 metamask installations for 1 account, both on the same computer but on different browsers. I'm quite confident I used the same password but what you explain makes sense.

I don't quite have enough knowledge to create a seed phrase tool that fixes other formatting errors, or to PR against seed-phrase-guesser, but it is possible that I may be able to reproduce the fault I had.
I'll try and see if I can reproduce the fault this week.

Thank you, it's a huge relief! I hope other people with the same issue will do too.

@owocki This one could be 'always-open' through expiration, FYI!

Testing GitCoin app

I have investigated for a few hours, and while I could not produce a scenario where the wrong seed is being shown, I have found some odd things in the code which are a bit wonky and could potentially be a puzzle piece to why a wrong seed is shown.

So although not the solution, I have filed issues / PRs anyway:

  1. Under the hood, two different keys are created initially
  2. Keyrings are duplicated in the code unintentionally
  3. Bug which can cause UI to be updated with old state.

@gitcointestuser Hello from Gitcoin Core - are you still working on this issue? Please submit a WIP PR or comment back within the next 3 days or you will be removed from this ticket and it will be returned to an ‘Open’ status. Please let us know if you have questions!

  • warning (3 days)
  • auto removal (6 days)

Metamask: 3.13.8
Browser: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0"

I found a dangerous situation in which the incorrect seed phrase was shown to the user. If this seed phrase was backed up, it could not be used to restore the accounts being generated & subsequently used.

To reproduce:

  1. install a fresh MetaMask from https://addons.mozilla.org/en-US/firefox/addon/ether-metamask/?src=search

  2. Accept privacy notice and terms & conditions

  3. Click "import new den"

  4. We have prior access to seed words. Maybe a friend generated them and is reciting them to us over the phone. We enter the words as they say them.

  5. Click out of metamask, open password manager and copy our super-strong password to the clipboard.

  6. Open metamask, paste password into the "create a new den" fields and click create

  7. Oops, this isn't what we wanted. We see randomly generated seed words (we'll call these seed words #2) but we're trying to restore an existing seed phrase (#1). Open top-right settings and click logout.

  8. Click "restore from seed phrase" and we see our original seed phrase #1 is still here, how convenient!

  9. Paste our password into these fields and click OK

  10. Here, we see the randomly generated seed words #2. We are told to "Save them somewhere safe and secret." to restore our account. (Warning: these seed words (#2) will not restore the account that we're trying to load into Metamask via seed words #1). Being a naive & forgetful end-user, we don't realize these are different so we save them somewhere safe to ensure we can restore our accounts if the worst happens.

  11. Click "I've saved them somewhere safe" and we see the accounts loaded from seed words #1.

  12. We send funds to these accounts. We transact with these accounts. We develop reputation tied to these accounts. If only we'd revealed our seed words at some point, we'd have seen seed phrase #1 is correctly tied to these accounts & maybe we would have noticed that the phrase we originally backed up (#2) was wrong.

  13. The worst happens! We spill coffee on our laptop or accidentally drill a hole through our hard drive. Good thing we wrote down the seed words that were shown to us!

  14. We enter the seed phrase shown immediately after we restored our account (phrase #2). This phrase does not restore the accounts we've been using, our heart is broken.

If this reproduction satisfies the conditions of the bounty, then send funds to account: 0xada083a3c06ee526F827b43695F2DcFf5C8C892B

Thanks & I hope this helps make a great project even better!

Sometimes when I have some imported PKs in my MetaMask and have also modified the names of the accounts, then after some browser restarts MetaMask re-arranges the accounts based on the name of the account. So if this sorting is creating the problem, then this might also be the case when importing a new seed.
I have also sometimes observed that the names are not stored in MetaMask even after multiple attempts, and sometimes it fetched the old stored names even though I had removed the old seed and restored a new seed; and when I restore the old seed, the names of the old seed come back again. So somewhere it keeps storing the names of the accounts even if a different seed is configured.

Hi @thjnhcolag unfortunately we have to remove you from this issue and return it to the crowd as we haven't seen any progress. Please let us know if you think we've made a mistake!

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work has been started.

These users each claimed they can complete the work by 3 weeks, 4 days from now. Please review their questions below:

  1. iC0rraxX has started work (1st dibs).

  2. iC0rraxX has started work (2nd dibs).

cancelling this bounty now

this bounty is off Gitcoin but still stands - if you're able to identify an issue, please let the team know

This issue now has a funding of 10.0 ETH (2180.79 USD @ $218.08/ETH) attached to it.

Describe the bug

Metamask doesn't stop the seed phrase generation even though the user interrupted it and imported an account with an existing seed phrase.

This leads to metamask showing a new, generated seed phrase while using the imported one.

To reproduce

Video demonstrating the behaviour:

https://youtu.be/31VamT5CxTY

Steps to reproduce

  1. Get a fresh metamask install
    1.1 Click try it now to use the new ui
  2. Create a password
    2.1 Take note of the account image
    2.2 Accept the terms
  3. Quit firefox
  4. Open firefox again
  5. Open metamask
  6. Import using account seed phrase
    6.1 Paste a valid seed phrase as wallet seed
    6.2 enter a new password (I used the same as in step 2)
    6.3 click on restore
  7. Continue with secret backup phrase steps
    7.1 Notice that the account image is different than in step 2.1 even though the same backup phrase is shown (this account image actually belongs to the imported seed phrase)
    7.2 Notice that even though we just imported a seed phrase metamask still continues with the seed generation process
    7.3 The user is led to believe that this seed phrase is the one being used by metamask even though it isn't
  8. Reveal the seed phrase
    8.1 Notice that the seed phrase is actually the imported one and not the one metamask just made us copy down

Expected behaviour

option 1

When a user imports an account using a seed phrase while metamask is in the seed phrase generation state, the seed phrase generation should stop.

option 2

Another solution could also be to not allow the user to import using an account seed phrase when meta mask is in the seed phrase generation state.

Actual behaviour

Metamask doesn't stop the seed phrase generation process even though the user imported an existing account using an account seed phrase. This leads to metamask showing a wrong seed phrase to the user.

Browser details

  • OS: macOS 10.13
  • Browser: Firefox
  • MetaMask: 4.9.2 (latest Firefox version)
  • Beta UI
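The report above describes two pieces of state drifting apart: the seed queued for the backup screen and the seed the vault actually uses. The following toy model is an added example, not MetaMask's code and not the fix merged in the project; `OnboardingModel`, its methods, the policy names and the seed labels are all hypothetical. It replays the reported steps under the buggy behaviour and under the two "expected behaviour" options.

```javascript
// Added example: a toy model of the onboarding state described in the report.
// It is NOT MetaMask's code; class, method and policy names are hypothetical
// and the seeds are constructed labels, not key material.

class OnboardingModel {
  // policy: 'buggy' | 'clear-on-import' (option 1) | 'block-import' (option 2)
  constructor(policy) {
    this.policy = policy;
    this.vaultSeed = null;     // seed the accounts are actually derived from
    this.pendingBackup = null; // seed queued for the "write this down" screen
  }

  // Step 2: a password is created and a fresh seed is generated.
  // The backup screen is now pending, and stays pending across a restart.
  createNewVault(generatedSeed) {
    this.vaultSeed = generatedSeed;
    this.pendingBackup = generatedSeed;
  }

  // Step 6: "Import using account seed phrase".
  importFromSeed(importedSeed) {
    if (this.policy === 'block-import' && this.pendingBackup !== null) {
      return false; // option 2: refuse while generation is unfinished
    }
    this.vaultSeed = importedSeed;
    if (this.policy === 'clear-on-import') {
      this.pendingBackup = null; // option 1: stop the generation flow
    }
    return true;
  }

  // Step 7: what the backup screen displays (null = no backup step shown).
  backupScreenSeed() {
    return this.pendingBackup;
  }

  // Step 8: "Reveal seed phrase" reads the vault itself.
  revealSeed() {
    return this.vaultSeed;
  }
}

// Replays the reported steps and checks the property the bounty is about:
// any seed shown for backup must be the seed that restores the accounts.
function replayReport(policy) {
  const m = new OnboardingModel(policy);
  m.createNewVault('GENERATED-SEED');
  const imported = m.importFromSeed('IMPORTED-SEED');
  const shown = m.backupScreenSeed();
  const actual = m.revealSeed();
  return {
    imported,
    shown,
    actual,
    wrongSeedShown: shown !== null && shown !== actual,
  };
}

for (const policy of ['buggy', 'clear-on-import', 'block-import']) {
  console.log(policy, replayReport(policy));
}
```

The `wrongSeedShown` property is the kind of invariant a regression test for seed phrase logic can assert after every onboarding path, whichever fix is chosen.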

Hey @EmanuelKuhn - thanks for reporting, and thanks for the thorough writeup and repro steps.

This appears to be a very small edge case. A user would have to pause after completing a substantial portion of onboarding, close the browser, then choose to import a different pre-existing seed. It's also worth noting that the user must have the correct seed saved somewhere, which makes the wrong seed marginally less harmful.

Still, it's definitely a bug, and we will continue to treat any issue in seed phrase logic with gravity. It very nearly fits the description of this bounty by "show[ing] a user a seed phrase on first setup that would not work for later restoring their accounts." Unsure if this counts as "first setup," but the team appreciates your report and will pay out the bounty. Expect a payment via Gitcoin from @danfinlay shortly.

A fix for this issue has been merged in #5229. This bounty will remain open for anyone who can find an issue in production with first-time seed phrase generation logic.

Hey @EmanuelKuhn to pay you, you'll need to click "Start work" on the attached bounty via GitCoin.

Sorry @adipurnama83 for removing you, if you do find another instance of this issue, you will be paid out, but I had to remove you so I could pay out Emmanuel for now.

Do I also need to formally submit work through gitcoin?

Yeah you do, sorry!

Hi @danfinlay just FYI - you're able to pay out @EmanuelKuhn without a submit work action now by using the 'Advanced Payout' feature... this sends a tip to @EmanuelKuhn via his Github username.

Even better in this case might be just simply sending a tip, because it seems like you guys want to keep this open for future hunters.

Thanks for the tips!

It will be another bit before I can send, but I will send soon.

Aha @vs77bb : This tip is over the per-transaction limit of $500.00. Please try again later or contact support..

Will have to do a normal payout.

So that means I do need @EmanuelKuhn to click "submit work" before I can payout.

@danfinlay i just increased your payout amount limit to $5000 if that helps!

⚡️ A tip worth 10.00000 ETH (1735.47 USD @ $173.55/ETH) has been granted to @EmanuelKuhn for this issue from @danfinlay. ⚡️

Nice work @EmanuelKuhn! Your tip has automatically been deposited in the ETH address we have on file.

Thanks @danfinlay -- do you want to close the issue on Gitcoin ?

Work has been started.

These users each claimed they can complete the work by 313 years, 2 months from now.
Please review their action plans below:

1) dunncreativess has started work.

I've noted that the MetaMask team endeavours to make the seed recovery process as smooth as possible. While I don't have a specific way to recreate a failure in recovering seed phrases (I have tried ethereum-js code I found on Reddit but couldn't recreate their failure) through manual or automated means, I do have some suggestions on how to improve the experience for people facing issues. I've noted that the vast majority of people complaining about their seed phrases are facing issues with properly remembering or inputting their seed phrase, and it's no particular issue with MetaMask at all. I think I have a contribution that I thought of while trolling these errors, and would like to submit it even for a fraction of the bounty.
2) wazdevelopment has started work.

web phishers bugs detection have experience as a advanced malware detector and security analysis data mining and data recovery
3) andriytyurnikov has started work.

CAUTION

This is a bounty to fix a bug which does not exist.
It already consumed time worth thousands of dollars.

STAY AWAY
4) perpat84316 has started work.

Get job done whatever it takes
5) darkwingduckies has started work.

I will try to replicate this rare but worrisome seed phrase bug using metamask and my previous cryptography experience.
6) esurk99 has started work.

create various test conditions to generate and check seed phrases
7) coderrick has started work.

Will do my best using the information provided to replicate this bug.
8) olumonday has started work.

My Components of an action plan include

A well-defined description of the goal to be achieved
Tasks/ steps that need to be carried out to reach the goal
People who will be in charge of carrying out each task
When will these tasks be completed (deadlines and milestones)
Resources needed to complete the tasks
Measures to evaluate progress
9) bermolin02 has started work.

ig uunnulkjjj fhiioij yeti ii gjikjh
10) sonightrus has started work.

I will install the app on 10 different smartphones and on 3 computers (including 1 laptop), save the seed phrases, and then reinstall the apps.
11) naxsun has started work.

I have found an issue where a user can access their original wallet by the seed phrase, but it does not restore any additional accounts that were created in metamask.

So the original Metamask account was created by importing a wallet created on MEW, a seed phrase was created by Metamask.

Additional wallets were created in Metamask, and from what I understand these are tied to the original seed phrase. However, when restoring the account by the seed phrase only the original wallet is restored, but the additional created wallets are no longer there. So would the user lose access to the funds in the newly created wallets?

To be sure: I did not lose any funds, as I just created these additional wallets for test net stuff. I'm not looking for any compensation. I'm a satisfied user from Metamask and no complaints.

Would this be of interest for you? I am able to reproduce it.
12) angara79 has started work.

I will study hard... try writing, fixing, and writing again....
13) vivekbirana has started work.

i will run automated tests read the code and try trial and error methods if necessary
14) cdmullins69 has started work.

I already found a bug on coinbase seed phrase
15) zackilo26 has started work.

I'm going to look into this and help as much as possible.
16) cjsaveas has started work.

I'd like to give it a try, hope I can finish this job.
17) benkz91 has started work.

Try most websites capable with MetaMask and see which ones link up
18) kukank9 has started work.

I will try to reproduce this bug
19) cmalfesi has started work.

I will try to reproduce using different environments and setting up different parameters and configurations. Also trying to force some code changes on the fly.
20) developer-piyush has started work.

fixing bugs that don't exist
21) adipurnama83 has started work.

any bug in passcarse
I found there are many bugs in the security of MetaMask
22) ballistic541 has started work.

i will create multiple wallet address, transact betwixt them, and examine code functionality of seed phrase recovery in order to exploit any bugs within source and means of repairing or upgrading functionality.
23) graomelo has started work.

I want to work on this project. I have the requirements and I've found a bug.
24) dausady has started work.

I have had problems restoring the addresses, and besides that it does not let me connect on Etherscan in its browser or in WalletConnect's
25) mehdi559914 has started work.

tanks for you 😘and a saport for me is a good
26) mrpleerson has started work.

of course I promise to publish in the content
27) fisalayoubi has started work.

I will write out a full report on proof there is a glitch
28) hugos has started work.

I'm a software engineer but I will not be touching any code, as mentioned on the description I'll be showing a manual reproduction that happened to me when trying to restore my Phone account to my browser one, using the same seed phrase, the one phone account was not restored, but rather a completely different one.
29) jochy1873 has started work.

Good morning. Work more on and improve wallet recovery in MetaMask. It is very complicated for new people; for example, it happened to me and it took me days to get the hang of it. There are even people who still have not been able to recover theirs.
30) reynosog has started work.

Good afternoon, I have this problem (sometimes users have reported that the seed phrase they were originally given does not restore their original accounts).
I switched browsers, since the page where I need to connect with MetaMask does not work in my Brave browser, but it does in Chrome!!
31) imyioda has started work.

Personally, my account has not been restored with the secret phrase; either someone solves the problem for me or I win the prize 😂
32) momoftwins1 has started work.

I have experienced the issue myself. I’m able to reproduce manually the case: connecting with the same seed phrase under 2 different Chrome profiles shows 2 different wallets under Account 1.
33) ddoubledd84 has started work.

Try it again and check all addresses
34) caunhox001 has started work.

Where is the destination of this plane ticket?
35) andrel2s has started work.

if it really work, you will help me, i will help others. I like people have something who they need have it
36) llm18888333287 has started work.

Ddedddd virgin xdh Zedd birthday x adds Sweden CCS w BBC adds cxx
37) chenggiant has started work.

Will have an automated stress test to reproduce it.
38) chuoils01 has started work.

I will start doing the work, thank you very much
39) xiaoliuhu886 has started work.

Error details
Message: Incorrect locale information provided
Code: RangeError
RangeError: Incorrect locale information provided
at new DateTimeFormat ()
at r.getTranslatedUINoficiations (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui.js:152:88369)
at chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui.js:152:413397
at Array.map ()
at T (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui.js:152:413339)
at ca (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:59367)
at jl (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:104449)
at bu (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:90053)
at pu (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:89978)
at iu (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:87326)
at chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:45768
at r.unstable_runWithPriority (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:172:3472)
at Vo (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:45477)
at Yo (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:45713)
at Ko (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:45648)
at eu (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:84115)
at Object.enqueueSetState (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:75:50429)
at t.x.setState (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:136:1461)
at chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:93:48080
at n (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:19:98310)
at chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:19:98540
at Array.forEach ()
at Object.notifyListeners (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:19:98510)
at S (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:19:102095)
at chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:19:103236
at Object.confirmTransitionTo (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:19:98249)
at Object.push (chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui-libs.js:19:103045)
at chrome-extension://nkbihfbeogaeaoehlefnkodbefgpgknn/ui.js:152:878661
40) agcaliva has started work.

Hi people, I have found that most of the bugs here can be explained by an unnoticed change in the BIP implementation in the wallet. I don't know if this was the case, but here is probably the answer. The BIP implementation just changed, so even if you have the correct mnemonic phrase you will recover another address, because BIP makes address indexation different for each implementation.
So you just need to try previous versions of the wallet for recovery.

The explanation is that each BIP says how to index the addresses, so even if you have the same keys, it depends on the BIP implementation which wallet you will retrieve.

Please confirm if you have your issue solved.
Talk to me to pay the bounty, at ramielneitor@yahoo.com.

Each time a new BIP is implemented, previous accounts using the previous BIP will not be able to recover using that version. You can't migrate without doing transactions, so the fix will probably add an option to set the BIP method to be used, and let the user try all of them.
So to reproduce you just need to install a version that has a different BIP implementation from the one that is available in the latest version.
41) prasniv has started work.

I will using GitHub and vs code
42) luangkhot1 has started work.

I do not have a plan, planed out yet
43) zwitea has started work.

nabil babel wellcomme to my bonis
44) recep9227 has started work.

I want to figure out how to make money on the site

Learn more on the Gitcoin Issue Details page.

@danfinlay

https://goo.gl/44G1Rc

To reproduce:

  1. install a /dist or /builds app to a browser
  2. click MetaMask in browser, use Beta (unsure how to change legacy behavior - willing to learn how)
  3. Accept all EULA etc
  4. 'Import Existing DEN'
  5. Give it a password, and import 'shoudl hat few pupil letter program soon rude ski exhaust brain bleu'
  6. Note that the interface returns "The following provided words are not valid seed words: shoudl,bleu"

We need additional translations for other supported languages other than EN.

https://drive.google.com/file/d/1RwyHcuCvQJPWPIQHws7taXXkpflEXhdL/view?usp=sharing

@dunncreativess are you suggesting localizing the "the following seed words are not valid seed words" into different languages?

Yes @kumavis so long as it's accepted as a viable solution to help streamline the seed recovery process and make it more user-friendly.

For lurkers: I'd written @danfinlay on Twitter and as he's away this week and next he'd asked me to contact the team via support@ email address, which I did yesterday.

I'm looking forward to seeing if this will help the user experience as I'd noted MM folks say they're always looking to help make this process easier, but no response from the team as-yet. This solution helps 1. people that obfuscate a word or all the words realize which ones so they can hopefully deobfuscate 2. people that misspelled words they were copying down 3. other chair-->keyboard errors, which I found most of the outstanding Github issues surrounding these issues to involve.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work for 10.0 ETH (3892.98 USD @ $389.3/ETH) has been submitted by:

  1. @wazdevelopment
  2. @pacamara
  3. @kris30pl
  4. @angara79

@danfinlay please take a look at the submitted work:


Popup of connect request appears every time the browser is restarted, even if the website has been accepted before. During payment on MetaMask, must refresh to Rinkeby and then main eth network to confirm payment.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

Work for 10.0 ETH (2166.02 USD @ $216.6/ETH) has been submitted by:

  1. @wazdevelopment

@danfinlay please take a look at the submitted work:

Popup of connect request appears every time the browser is restarted, even if the website has been accepted before. During payment on MetaMask, must refresh to Rinkeby and then main eth network to confirm payment.

how do i find out if i get bounty paid for the work ? thanks

@wazdevelopment this bounty is specifically for issues related to MetaMask's seed phrase logic, so your bug report does not qualify.

Thanks for pointing this out, though! Please file as a separate issue with additional details (browser, MM version, etc) so we can address it.

@bdresser was there any word whether my submission was worth part of the bounty? It doesn't point out an issue with the seed phrase logic or code, however it addresses some of the most common issues faced with seed phrase recovery.

Thanks,

hey @DunnCreativeSS, thanks for opening your issue and pointing out a reasonable UX improvement. But as the original bounty states, we're looking for

a condition in MetaMask's code base, either through automated tests or manual reproduction, where MetaMask would show a user a seed phrase on first setup that would not work for later restoring their accounts.

This issue does not reproduce. Tested on Windows Firefox and Chrome with version 5.0.3

I noticed 12 dependencies with the word "stream" in https://github.com/MetaMask/metamask-extension/blob/develop/package.json and sharing this out of caution in case MetaMask isn't already aware in case it applies, with regard to the exploits found in the event-stream NPM package (which I just saw headlines that bitpay/copay wallets were affected): dominictarr/event-stream#116

@hatgit as FallingSnow has mentioned, reverting/updating/pinning to event-stream@3.3.4.

metamask-extension [develop] :> npm ls event-stream flatmap-stream
metamask-crx@0.0.0 /Users/Desktop/metamask-extension
├─┬ gulp-livereload@4.0.0
│ └── event-stream@3.3.4
└─┬ shell-parallel@1.0.3
  └─┬ ps-tree@1.1.0
    └── event-stream@3.3.4  deduped

Thanks for the report and we are continuing to monitor these packages that have the dependency.
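The `npm ls` check above can be automated against the lockfile, so a version drift in either package fails a build. This is an added example, not MetaMask tooling: the pin `event-stream@3.3.4` is taken from the comment above, treating any copy of `flatmap-stream` as a finding is an assumption, and both sample lockfiles (including the `0.0.0-constructed` versions) are constructed.

```javascript
// Added example (not MetaMask tooling): audit a parsed package-lock.json for
// the two packages discussed in the thread.
const PINNED = new Map([['event-stream', '3.3.4']]); // pin quoted in the thread
const MUST_BE_ABSENT = new Set(['flatmap-stream']);  // assumption: any copy is a finding

// Return every installed package as { name, version, where }.
function listPackages(lock) {
  const out = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1) continue; // root project ("") or a workspace folder
    const name = path.slice(i + 'node_modules/'.length); // keeps "@scope/name" intact
    out.push({ name, version: meta.version, where: path });
  }
  if (out.length > 0) return out;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      out.push({ name, version: meta.version, where: [...trail, name].join(' > ') });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return out;
}

// Return a list of human-readable findings; an empty list means the policy holds.
function auditLockfile(lock) {
  const findings = [];
  for (const { name, version, where } of listPackages(lock)) {
    if (MUST_BE_ABSENT.has(name)) {
      findings.push(`${name}@${version} must not be installed (${where})`);
    } else if (PINNED.has(name) && version !== PINNED.get(name)) {
      findings.push(`${name}@${version} is not the pinned ${PINNED.get(name)} (${where})`);
    }
  }
  return findings;
}

// Constructed lockfile (v1 layout) mirroring the tree printed by `npm ls` above.
const CLEAN_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'gulp-livereload': { version: '4.0.0', dependencies: { 'event-stream': { version: '3.3.4' } } },
    'shell-parallel': { version: '1.0.3' },
    'ps-tree': { version: '1.1.0', dependencies: { 'event-stream': { version: '3.3.4' } } },
  },
};

// Constructed lockfile (v3 layout) where the pin has drifted and the second
// package has appeared. The version strings are placeholders, not real releases.
const DRIFTED_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/event-stream': { version: '0.0.0-constructed' },
    'node_modules/event-stream/node_modules/flatmap-stream': { version: '0.0.0-constructed' },
    'node_modules/ps-tree': { version: '1.1.0' },
  },
};

console.log('clean:', auditLockfile(CLEAN_V1));
console.log('drifted:', auditLockfile(DRIFTED_V3));
```

In CI, pass the function `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fail the job when the returned list is not empty.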

Great! Just saw this: 486f993

💰 A crowdfund contribution worth 0.00500 ETH (0.54 USD @ $107.31/ETH) has been attached to this funded issue from @treebeard.💰

Want to chip in also? Add your own contribution here.

Guys this is just a hoax - while bug reporters tell all kinds of stories - mentioned accounts are empty these days. So you place a bounty on a bug which does not exist and more and more people waste more and more time in this blackhole, as there is no evidence on blockchain to support existence of the bug - please consider closing the issue, and consider not having bounties of such nature.

Like, check out the final comments of #3258. Sure, humans are humans and we all make mistakes, but as it costs nothing to create a ticket - people do it for all sorts of reasons.
Another example - dude in comments offering 20% of his balance as a bounty - guess what the balance is these days - correct - zero.

@andriytyurnikov

My address shows 0 funds as I discovered what the bug caused to happen so was able to retrieve my funds by myself that is why I did not give away the 20%.

If my funds were freed by someone discovering how I could then I would have.

I gained nothing from raising a ticket other than I got my funds back during the process on my own.

So please tell why It is a hoax if I gained nothing from it?

I believe the bug has not been fixed but am aware of what is needed to be done to get funds back if it occurs again.

There have been reports of people having had the same issue as me.

They gained nothing from comments and raising tickets if they did not recover their funds, so are they a hoax too?

@andriytyurnikov

You got funds back because you used wrong 12 words, dude!
And other reports are coming from dudes as [censored]... wrong as you @BGzetro

Where is the palm face emoji when you need one??

@andriytyurnikov
Yes, in my case technically the seed phrase I was shown upon new account creation was the wrong seed phrase to recover the funds of the addresses originally shown tied to that account, although that should not have been the case! That is why I entered it to try to recover my funds, as it was supposed to be the correct one.

The 12 word seed phrase I entered to recover the funds of my new account addresses was the 12 word seed phrase shown upon account creation from an old account, which I had not used in a long long time.

If anyone else has had the same issue as I had, I recommend trying to enter the 12 word seed phrase of your previous metamask account to recover your funds, if the seed phrase you were shown on new account creation did not recover the correct addresses supposedly tied to your new seed phrase.

@BGzetro in this thread you are OFF TOPIC as this particular ticket is about bounty program, and i've highlighted moral issues with topics of such nature:

The bounty will be paid to anyone who can demonstrate a condition in MetaMask's code base, either through automated tests or manual reproduction, where MetaMask would show a user a seed phrase on first setup that would not work for later restoring their accounts.

@andriytyurnikov
I'm only off topic because you were referring to my comment in another ticket.

I've never looked at MetaMask's code base, and only have little skill with programming, so have not attempted to look into the code base. I have not been able to reproduce the bug either on one attempt I've made.

I don't plan on trying to reproduce it either. I'm not looking for no bounty payment. Life is too busy for me. I'm just happy I have my funds now.
I have not used meta mask since withdrawing my funds and don't plan to use it again in the near future.

@danfinlay: Hi!

TLDR: Slow/unresponsive browser may skip key onboarding screens, in earlier versions of Metamask

Some versions of Metamask can be induced to skip the "Your unique account image", "Secret Backup Phrase" and "Confirm Your Secret Backup Phrase" screens during apparently successful account setup. Reproduce steps:

  • Platform: Google Chrome, Linux or Windows. For Windows, need --process-per-site option.
  • Metamask version:
    ** 5.1.0 -- skips all 3 screens
    ** 5.2.2-6.1.0 -- skips just Account Image screen
  • Install metamask; Click past welcome screen; Fill in password fields
  • Open new tab and load misbehaving page, for example a bookmarklet which spams console.warn:
    javascript: var end=new Date().getTime()+60000; do {console.warn("foo");} while (new Date().getTime()<end); alert("DONE")
  • Switch back to Metamask page
  • Click "Create"
  • After 60 seconds, close non-responding metamask page
  • Switch back to bookmarklet page and observe it's finished ("DONE" alert)
  • Open new tab
  • Open Metamask in popup mode
  • 5.1.0: Metamask will show "Terms of use", "Privacy notice", "Phishing warning", then main account screen, i.e. Account Image and seed-word related onboarding screens never shown
  • 5.2.2-6.1.0: Metamask will show "Secret Backup Phrase" screen, i.e. Account Image screen never shown.
  • User can use Metamask normally from here on, load funds, send funds, etc. Everything works normally.

Spamming console.warn is the easiest repro. But have also repro'd by spamming document.write, and just with a pure maths calculation. I.e. this issue is to do with timing and CPU load, not some pathological artifact of the console log.

It's not clear if the root cause of the issue has been fixed in the latest version 6.3.1, or whether the design changes to remove the Account Image screen from onboarding, and always displaying the full page login screen even when opened in popup mode are just masking the underlying issue.

Filed above report as separate issue #6496 for better visibility/tracking.

possibly related #7246

I'm having this problem here:
#7866

is it still open issue?

So I am pretty sure that I also have fallen victim to this bug, even if I'm on Metamask Version 7.7.2. and first Version this was reported was 4.x.x if I remember right?

Pretty much the same story as BGzetro...
I installed Metamask, transferred about 100 Euros of ERC20 tokens to Account 1 (never created any additional accounts). Next time trying to use Metamask, it shows me an empty acc. Tried to restore from my written down seed phrase, again leading to an empty account (probably the same one), with a different Address than where i have sent my tokens to.
MM Version: 7.7.2
Chrome Version: 79.0.3945.130 (Official Build) (64-Bit)
Address I sent the tokens to: https://etherscan.io/address/0x8de8c5612ae5390800e923bb0b7328ffbaf4e4fe#tokentxns

Address (Account 1) I currently have access to (but is empty): 0xa8D9b7C345A7431ed9420B2790e1B77BD71D0418

Is there a way to determine cryptographically whether these 2 addresses are derived from different seeds?

And do you see any way for me to get my tokens back (Vault hacking, even If the Vault probably would be overwritten by me restoring from the seed phrase, or something else)?

Haven't really been warned that your software is in such an "experimental" state, after all. (pls excuse my bitterness, but spoiling € 100 is not really good news for me)

I don't really know where the best place to post this issue is, so feel free to move this post or tell me where I should rather post it.

Is there a way to determine cryptographically whether these 2 addresses are derived from different seeds?

No, there's no way to correlate accounts just from the address.

And do you see any way for me to get my tokens back (Vault hacking, even If the Vault probably would be overwritten by me restoring from the seed phrase, or something else)?

No, if you don't have a copy of your vault in a previous state where you had this account, there is no hacking that can be done on one vault to generate another vault's accounts.

Haven't really been warned that your software is in such an "experimental" state, after all.

We have no concrete evidence that this bug ever occurred. No one has been able to produce a new hypothetical scenario where this bug would occur in two years.

I don't really know where the best place to post this issue is, so feel free to move this post or tell me where I should rather post it.

Since you aren't submitting a new possible solution to the bug bounty, you could just email support@metamask.io for any other ideas of how to try to derive the account you think you should have, but I think it's very likely that you're out of luck, sorry.

Better sanitation of user input would go a long way to reducing reported issues and confusion surrounding them.

#8171

sure humans are humans and we all make mistakes,

When presented with poor validation and sanitation of user input, resulting in poor UX.


I have found an issue where a user can access their original wallet by the seed phrase, but it does not restore any additional accounts that were created in metamask.

So the original Metamask account was created by importing a wallet created on MEW, a seed phrase was created by Metamask.

Additional wallets were created in Metamask, and from what I understand these are tied to the original seed phrase. However, when restoring the account by the seed phrase only the original wallet is restored, but the additional created wallets are no longer there. So would the user lose access to the funds in the newly created wallets?

To be sure: I did not lose any funds, as I just created these additional wallets for test net stuff. I'm not looking for any compensation. I'm a satisfied user from Metamask and no complaints.

Would this be of interest for you? I am able to reproduce it.


referencing customer: https://consensys.zendesk.com/agent/tickets/64454

Example: my seed phrase is 1 to 12 words, in that order opens my wallet. Now if I was to switch words 1 & 7 round, I can open another wallet up.
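Why a reordered or misspelled phrase opens a different, unrelated wallet, and why the earlier question about correlating two addresses has no shortcut: an added example (not MetaMask's code) of BIP-39 seed stretching followed by BIP-32 key derivation, using only Node's built-in crypto. The path `m/44'/60'/0'/0`, the corrected spelling of the phrase from the reproduction steps earlier in the thread, and the word 1 and 7 swap are assumptions for illustration; the BIP-39 wordlist checksum is not checked, and public keys are compared because Node has no built-in Keccak-256 for addresses.

```javascript
// Added example, not MetaMask's code. Uses only Node's built-in crypto module.
const crypto = require('crypto');

const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n; // secp256k1 order
const HARDENED = 0x80000000;

// BIP-39: stretch the mnemonic sentence into a 64-byte seed. The words are used
// as one plain string, so order, spelling and spacing all change the result.
function mnemonicToSeed(mnemonic, passphrase = '') {
  const nfkd = (s) => s.normalize('NFKD');
  return crypto.pbkdf2Sync(nfkd(mnemonic), 'mnemonic' + nfkd(passphrase), 2048, 64, 'sha512');
}

// Compressed secp256k1 public key (33 bytes) for a 32-byte private key.
function publicKey(priv) {
  const ecdh = crypto.createECDH('secp256k1');
  ecdh.setPrivateKey(priv);
  return ecdh.getPublicKey(null, 'compressed');
}

// BIP-32 private child derivation (CKDpriv).
function deriveChild(node, index) {
  const data = Buffer.alloc(37);
  if (index >= HARDENED) node.key.copy(data, 1); // 0x00 || parent private key
  else publicKey(node.key).copy(data, 0);        // parent public key
  data.writeUInt32BE(index, 33);
  const I = crypto.createHmac('sha512', node.chainCode).update(data).digest();
  const toInt = (buf) => BigInt('0x' + buf.toString('hex'));
  const child = (toInt(I.subarray(0, 32)) + toInt(node.key)) % N;
  // BIP-32 also rejects IL >= n and child == 0; both are vanishingly unlikely.
  return {
    key: Buffer.from(child.toString(16).padStart(64, '0'), 'hex'),
    chainCode: I.subarray(32),
  };
}

// Walk a path such as m/44'/60'/0'/0/0 starting from the seed.
function derivePath(seed, path) {
  const I = crypto.createHmac('sha512', 'Bitcoin seed').update(seed).digest();
  let node = { key: I.subarray(0, 32), chainCode: I.subarray(32) };
  for (const part of path.split('/').slice(1)) {
    const index = parseInt(part, 10) + (part.endsWith("'") ? HARDENED : 0);
    node = deriveChild(node, index);
  }
  return node;
}

// Public keys (hex) of the first `count` accounts under `base`.
function accountKeys(mnemonic, count, base = "m/44'/60'/0'/0") {
  const seed = mnemonicToSeed(mnemonic);
  return Array.from({ length: count }, (_, i) =>
    publicKey(derivePath(seed, `${base}/${i}`).key).toString('hex'));
}

// Inputs: the phrase from the thread with its two typos corrected (assumption),
// the same words with positions 1 and 7 swapped, and the phrase as typed there.
const WORDS = 'should hat few pupil letter program soon rude ski exhaust brain blue'.split(' ');
const PHRASE = WORDS.join(' ');
const swappedWords = [...WORDS];
[swappedWords[0], swappedWords[6]] = [swappedWords[6], swappedWords[0]];
const SWAPPED = swappedWords.join(' ');
const MISSPELLED = 'shoudl hat few pupil letter program soon rude ski exhaust brain bleu';

console.log('phrase     ', accountKeys(PHRASE, 2));
console.log('swapped    ', accountKeys(SWAPPED, 2));
console.log('misspelled ', accountKeys(MISSPELLED, 2));
console.log('other path ', accountKeys(PHRASE, 2, "m/44'/60'/0'"));
```

A wallet that validates the BIP-39 checksum rejects most reorderings before this step, but for a 12-word phrase roughly one arrangement in 16 still passes and restores a valid, empty wallet.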


I lost my wallet and my seed phrase restores an empty one as well:

Original wallet: 0x00050EDCb938379016a7CF194b0917e0Fc74ce2C

Restored one: 0xBAb288D7563fC3c91D01cD706794f2E818Eb05bB

It happened after I created a wallet on the RSK Mainnet. I used that wallet so I could buy SOV on the Sovryn dapp (https://live.sovryn.app/), and everything worked just fine. A couple of days later, I forgot the password, tried to restore, and now I have that empty wallet.

As part of our commitment to the best security we can offer, the MetaMask team is planning to continuously offer a bug bounty on our seed phrase functionality, we are starting the bounty at 1 ether, but anyone is free to add to the bounty as they like.

As we have written about before #2577, and have awarded a bounty for in the past, sometimes users have reported that the seed phrase they were originally given does not restore their original accounts.

We have continued to receive rare but concerning accounts of similar experiences: #2904 #3042 #4756 #4697

The bounty will be paid to anyone who can demonstrate a condition in MetaMask's code base, either through automated tests or manual reproduction, where MetaMask would show a user a seed phrase on first setup that would not work for later restoring their accounts.

Thanks for your interest and participation, we're available to answer any questions about our key management here.

Hey, I’ve had the same issue where my seed phrase seems to be invalid, and I’m sure I have the same phrase you guys provided me with. Is there any way you guys could help me with this?

@luisotravez I encountered the exact same issue while trying to use Sovryn. Were you able to resolve it? Would really appreciate your insight.