coinbase / multisig-tool Goto Github PK

DEPRECATED — Multisig Vault recovery tool

Home Page: https://blog.coinbase.com/multisig-vaults-on-coinbase-c21f58eed7cb

License: Apache License 2.0

CSS 1.03% HTML 2.21% JavaScript 96.55% Makefile 0.21%

multisig-tool's Introduction

Coinbase Multisig Vault recovery tool

You can use this open source tool to send all the coins from your Coinbase Multisig Vault to any bitcoin address you choose.

In order to do this you will need the data from your vault backup that you either printed out or saved somewhere.

https://coinbase.github.io/multisig-tool

Usage

Required input

To complete this recovery process, you will need the following information:

3 extended public keys (xpubkeys)
User seed
Shared encrypted seed
Your vault password

Online/Offline

Internet connection is only required in Step 1, where you input the public keys, so that we can fetch the unspent outputs from your vault addresses.

Before inputting your keys in Step 2 and signing the transaction you can safely go offline.

In Step 3 you will get a signed transaction in raw hex form.

You can then copy this transaction and verify it with Bitcoin Core and decoderawtransaction or using an online tool like Coinb.in.

After verifying you then broadcast it using Bitcoin Core and sendrawtransaction or any other API or client that supports broadcasting transactions into the Bitcoin network.

Running

You can download this tool and run it locally or use our hosted version at https://coinbase.github.io/multisig-tool.

Running locally

If you wish to run the tool locally, you need to do it through a local web server. The easiest way to do that is by running:

make run

This is because we use Web Workers for decrypting your BIP38 encrypted shared key seed, and Web Workers are not permitted to run through the file:/// protocol.

Another alternative is to run Chrome with the --allow-access-from-files parameter.

Development

This tool was designed to have a minimal code foot print so it could be easily auditable.

All the domain specific crypto is done in the various files in lib/multisig.

These files are compiled using Browserify into multisig.js with:

make compile

Everything else is either UI code or dependency libraries.

Dependencies

BitcoinJS

We use the BitcoinJS library to handle HD wallets, Bitcoin keys, addresses and transactions.

BIP38

We use the BIP38 library to decrypt the encrypted shared key seeds.

To build the multisig/bip38.js we used:

Install packages with npm:

npm install bip38 crypto-browserify --save
Use browserify to resolve dependencies:

browserify -r bip38 -s Bip38 > lib/multisig/bip38.js

Then we amend the lib/multisig/bip38.js to support progress callbacks and Web Worker messages handling.

We need this as a separate file, because we're using it with web workers.

Improvements missing

There is currently no error checking whatsoever. That means the tool won't let you know if something is wrong with your input or with anything else. It will just silently stop working.
There is also currently no support for group vaults.

We plan to tackle those issues soon, but we do accept community contributions as well. So if you have a solution for some of these, please submit a pull request!

multisig-tool's People

Contributors

Stargazers

Watchers

multisig-tool's Issues

Balance display always zero: bitcoin.toshi.io is down

The balance is always displayed as "0.00 BTC," because the backend API at bitcoin.toshi.io appears to be offline.

Keep getting "The user seed does not correspond to a xpubkey."

Steps I took:
Created a multisig vault on coinbase.com.
Chose that I'll manage the details.
Gave it a password.
Printed the keys and seeds info using the print button option.
Put a bit of money in the vault.
Went to https://coinbase.github.io/multisig-tool/.
Filled in the three public keys text boxes.
Clicked 'Continue'.
Filled in the user seed and encrypted shared seed.
Filled in a destination address.
Filled in the vault password.
Clicked 'Continue'.
Received the error: "The user seed does not correspond to a xpubkey."

I've tried creating a vault and going through this process a few times and it failed every time.

The printed output from coinbase.com is quite straightforward, so I don't see how I could have filled in the wrong values. There are five values on the left-hand side of the paper in this order:

user seed
user public key
shared encrypted key
shared public key
coinbase public key

I copied each one of them (without the line breaks) into their corresponding text boxes.

Please include support for Bitcoin Cash

There's currently no way to withdraw Bitcoin Cash from Multisig Vaults using this tool. This could become a huge legal issue for Coinbase because users could get together in a class action lawsuit like it happened before when Coinbase said it wouldn't support it.

Need UI option for compressed keys

Currently, there is no UI option to indicate you're inputting compressed keys. You must enter compressed[]=1 on the URL.

Either a a single checkbox to indicate all the keys are compressed, or individual checkboxes for each textarea.

Uncaught SecurityError

When I enter my information and click the button under step 2, this shows up in the console. I suspect it's because my vault passphrase has a space in it--perhaps this is not handled by the javascript?

Uncaught SecurityError: Failed to construct 'Worker': Script at 'file://localhost/Users/andrew/Desktop/multisig-tool-master/multisig/bip38.js' cannot be accessed from origin 'null'.multisig.js:49 Multisig.Bip38Workermultisig.js:298 Multisig.App.buildTransactionindex.html:83 (anonymous function)jquery-2.1.1.min.js:3 n.event.dispatchjquery-2.1.1.min.js:3 r.handle

Hitting rate limits in HTTP API

When trying to recover a wallet where I had several transactions I set a limit to 50.
Under the hood page tries to make 150 HTTP API requests to insight.bitpay.com.
One of the returned headers x-ratelimit-limit: 30, which implies that only 30 requests per hour could be made. Most of HTTP API requests fail due to rate limits.
Unfortunately UI does not handle failures well. There is no indication that something has failed. It just shows "0" as a total amount of money in a multisig.

Workaround:
Open JavaScript debug console and track HTTP requests to get visibility into errors.
Do not use more than 10 generated wallets.

Suggested fixes:

Switch to a different API backend
Add clear indication in UI that API request has failed
Add a "retry" button to rerun all the requests so I don't have to retype all the public keys

Withdrawal the vault

Hey there I have totally no idea how I can cash out the vault from me. I have this cryptic code which I became at the first time i logged me in. And a seed from coinbase. So If anyone can help me to cash it out I will regred this person with a part of this btc.

multisig.js not found and Uncaught ReferenceError

I am running the latest version of the tool in OS X 10.10.3 Chrome 42.0.2311.90. The tool broke upon loading the page.

GET http://localhost:8080/multisig.js (failed)
tool.js:13 Uncaught ReferenceError: require is not defined
    (anonymous function) @ tool.js:13
    n.Callbacks.j @ jquery-2.1.3.min.js:2
    n.Callbacks.k.fireWith @ jquery-2.1.3.min.js:2
    n.extend.ready @ jquery-2.1.3.min.js:2
    I @ jquery-2.1.3.min.js:2

I am going to include my terminal if it is of any help

Busybox:multisig-tool-master andrew$ make run
gem install thin && \
    ruby -rrack -e "include Rack; Handler::Thin.run Builder.new { run Directory.new '' }"
Fetching: rack-1.6.0.gem (100%)
ERROR:  While executing gem ... (Gem::FilePermissionError)
    You don't have write permissions for the /Library/Ruby/Gems/2.0.0 directory.
make: *** [run] Error 1
Busybox:multisig-tool-master andrew$ sudo !!
sudo make run
Password:
gem install thin && \
    ruby -rrack -e "include Rack; Handler::Thin.run Builder.new { run Directory.new '' }"
Fetching: rack-1.6.0.gem (100%)
Successfully installed rack-1.6.0
Fetching: eventmachine-1.0.7.gem (100%)
Building native extensions.  This could take a while...
Successfully installed eventmachine-1.0.7
Fetching: daemons-1.2.2.gem (100%)
Successfully installed daemons-1.2.2
Fetching: thin-1.6.3.gem (100%)
Building native extensions.  This could take a while...
Successfully installed thin-1.6.3
Parsing documentation for rack-1.6.0
Installing ri documentation for rack-1.6.0
Parsing documentation for eventmachine-1.0.7
unable to convert "\xCA" from ASCII-8BIT to UTF-8 for lib/fastfilereaderext.bundle, skipping
unable to convert "\xCA" from ASCII-8BIT to UTF-8 for lib/rubyeventmachine.bundle, skipping
Installing ri documentation for eventmachine-1.0.7
Parsing documentation for daemons-1.2.2
Installing ri documentation for daemons-1.2.2
Parsing documentation for thin-1.6.3
unable to convert "\xCA" from ASCII-8BIT to UTF-8 for lib/thin_parser.bundle, skipping
Installing ri documentation for thin-1.6.3
4 gems installed
Thin web server (v1.6.3 codename Protein Powder)
Maximum connections set to 1024
Listening on localhost:8080, CTRL+C to stop

On the bright side, I finally did get this tool to work after 1) Loading the page in Safari with file:/// , 2) having the page fail with the Security exception, and then 3) reloading the page and trying again. I have no idea why it works.

Export Private Keys in BIP32 Format

Is there any way to export the shared key and the user key in BIP32 or "xpriv" format? Or at least get a better explanation than "Use BitcoinJS to recreate the wallet".

It should be pretty simple to just output that to the user with this tool, that way the wallet can be used with another Bitcoin Client so we don't have to use the Vault every time to make a transaction or to withdraw instantly.

Add Coinbase Multisig Vault data sample

Please provide sample data for this tool.

It will be very useful for me, thanks.