Seed Phrase Bug Bounty #3127
Comments
This issue now has a funding of 1.0 ETH (1189.64 USD) attached to it.
|
I had the same issue with the MetaMask Chrome extension a month back; I can reproduce what happened with my account. As I have not read MetaMask's code base, my understanding of the seed phrase is limited. But what happened is still an issue. |
If you can reproduce a problem that meets this description reliably, you'll be eligible for this bounty, no need to understand the code. If you'd like to disclose it in secret, please submit your reproduction steps to [email protected] |
On reading the documentation and the concept of loose accounts, what happened with my account was: I had imported a few accounts with the "import account" option, but after reinstalling the MetaMask extension, these imported accounts were gone. Luckily I had private keys for these imported accounts, so I had to import these again. In that sense the "seed phrase" will only create the HD wallet, and will recover only addresses in its derivation path? (Not the previous full state of your account.) |
That's right, the seed phrase is not a password to some server we maintain, it is the secret from which we derive the accounts that you create with MetaMask. It can't help with restoring any other information. Glad you figured it out! |
Why is this closed? |
@danfinlay Is this one still open? cc @owocki |
Sorry, I didn't mean to close this! |
working on some issues with gitcoinbot erroneously commenting on issues... looks like it might have happened here. sorry yall, working on it! |
just put in a fix for the gitcoinbot craziness. gonna monitor for the next few hours to make sure we're all good. |
Hi @danfinlay, METAMASK is really a good wallet. I am a fresh user of METAMASK, and am teaching my girlfriend to use it. Last night we used it to join an ICO campaign, and we got a TERRIBLE problem. DEEP SAD! We lost all our accounts although we had taken down the seed phrase. The reproduction steps are as below:
That's quite terrible! We lost many tokens which cost us a lot. And I didn't find a good way to get back the account. Maybe never. It is really a big BUG, and why don't you alert users to avoid it? Some advice as below:
Good product but with quite a big BUG for fresh users. Wishing others good luck. :( A sad day for me. |
EDIT: @DavidFnck if you press create account it will restore the rest; only account 1 shows but the rest will be there if you create account again. One thing to note: when I clear the cache and use the password, it claims to be wrong (it was copied from a text file for testing), so I had to use the seed phrase to restore. |
@DavidFnck The accounts should be restored one-by-one when you perform "create account" in the fresh MetaMask. EDIT: @DanielMReed edited their comment to say this as well. |
I'm offering up to 20% of my account balance as a bounty if I can gain access to my original address again after being affected by this bug. The bounty I'm offering is worth more than the bounty of this issue no. (#3127) alone. The issue I created is no. #3258; it has been closed but not solved and is the same issue as this one. |
My original address balance can be seen here and is where I'll pay the bounty out from on regaining access: https://etherscan.io/address/0xbc70688f0394d98c6016f670d2e2515d0ef63533 |
If the balance increases in value, so does the bounty I'm offering, i.e. 20% of whatever my address is worth at the time of gaining access. |
Hi @momoftwins
I’m afraid I can’t. I’m not a native English speaker so I don’t think it will make things easier. But we could exchange email if you don’t mind.
From: Elena ***@***.***>
Sent: Thursday, January 13, 2022 6:56:48 AM
To: MetaMask/metamask-extension ***@***.***>
Cc: crz101 ***@***.***>; Mention ***@***.***>
Subject: Re: [MetaMask/metamask-extension] Seed Phrase Bug Bounty (#3127)
Hi @crz101. If you want, we could schedule live chat via Telegram this week-end to go faster!
|
SORRY GUYS, I was wrong, I did mess up with the SPRs. Now I found the original and recovered my account. |
Hello @MomOfTwins1, I was away for work but now I have got some days off. I did try everything but nothing has changed... It seems that @crz101 found a way around with the SPRs; do you know anything about this solution? @crz101, would you kindly explain what SPRs are and how you managed to recover your original wallet address using them? Thanks in advance for your help. |
@Bcrrv
I found the SPR belongs to the right one. It is my fault to mess it up. So I don’t think it’s a bug anymore.
From: Bcrrv ***@***.***>
Sent: Tuesday, January 18, 2022 2:54:15 AM
To: MetaMask/metamask-extension ***@***.***>
Cc: crz101 ***@***.***>; Mention ***@***.***>
Subject: Re: [MetaMask/metamask-extension] Seed Phrase Bug Bounty (#3127)
Hello @MomOfTwins1, I was away for work but now I have got some days off. I did try everything but nothing has changed...
It seems that @crz101 found a way around with the SPRs; do you know anything about this solution?
@crz101, would you kindly explain what SPRs are and how you managed to recover your original wallet address using them?
Thanks in advance for your help.
|
Oh, now I understand what you mean, SPR meaning seed phrase recovery... |
Hi Alejandro @Bcrrv. Sorry to hear that everything you tried didn't work. May I ask what exactly you tried? @crz101, glad you recovered your access. I will delete the messages with all the screenshots I have posted for you, as they make it difficult to read the thread. Anyway, your case was not related to the issue. |
@danfinlay @MomOfTwins1 - Can you help me please? I used my secret seed phrase and restored my MM desktop extension but my main account is not showing correctly. It shows the same public address as my main account but has upper case letters in some of the letters when they should be all lower case. This is making my MM desktop account unrecognizable to my OpenSea account. I double checked the seed phrase on my MM mobile and I am 100% sure I’m putting in the correct seed phrase. Also, my MM mobile has the correct wallets and information; it’s just my desktop extension that is showing incorrect information. Even the total balances are all off in my desktop extension as opposed to my mobile app. Also, my MM desktop extension doesn't show any of my NFTs or my funds correctly. To make matters worse, I'm able to see my account 2 on my MM desktop and it's the same as on my mobile, but the balance on my MM desktop is not correct and hasn't updated at all since I restored my MM desktop extension. |
Hi @hyun305. From what I understand you have the correct seed phrase, just for some reason your account's address was not originally checksummed (only lower case letters). I think it's better to submit a ticket to the MetaMask support team. Here is a link: |
Hi @MomOfTwins1 - thanks for your reply. I tried another session of MetaMask on Firefox and it is still loading the main wallet with uppercase letters, but the balance of funds is correct and my NFTs are still missing in my main wallet. I created a support ticket with MetaMask over 16 days ago and still haven't heard anything, so I was trying to find my answer through these communities. I'm just at a loss. |
Made a MetaMask account yesterday, deposited money and left it to buy an NFT mint. Woke up this morning, used my seed phrase to log in, change password. Whole new public address is used. My old address with my money, poof, gone just like that. Loving life rn |
As already mentioned in post #3127 (comment) I have experienced this issue, meaning after reinstalling the MetaMask extension and importing my wallet with my usual seed phrase a new Account 1 (with 0 balance) showed-up. I was able to recover my Account with funds as the bug happened again on my device under another Chrome session and the usual seed phrase allowed me to connect to the right Account.

It took me 2 months to find on my device a seed phrase which my Account with funds really belongs to. I had never seen/used this seed phrase before. However, the numerous keyring/vault data present on my device and containing this seed phrase has 3 different passwords. 3 passwords means that that seed phrase was imported at least 2 times (1st password = creation; 2nd – first import; 3rd password – second import). To import a wallet, it is a MUST to enter/type that seed phrase. I never did that. And I’m not suffering from amnesia. 🤣 It means this seed phrase was actively used by some processes in the background by MetaMask extension.

What I reproach to the MetaMask extension, is that it doesn’t reproduce on the UI (user interface) what it is actually doing on the blockchain. And people are losing their hard-earned money. 🙁 Their access to it actually, but it is the same.

The guide I provided on November 14th didn’t help people recover their accounts/funds till now. As I have mentioned already in a previous post: Guide 1 is invalid, as the private key in the Web Data is there due to my manipulations on my device, and not due to the issue. So please find below Guide 3 improved. I really hope this new version helps.

From my own experience and other cases there are 2 possible situations when the Account 1 is different while using one's usual seed phrase. First one is “Jump in”, and is very easy to fix. Just make a fresh install of the MetaMask extension (or other wallet, as Trust Wallet or MEW) on another browser, device, phone…. Your usual seed phrase will bring you to your right account. “Jump out” - you need to find a seed phrase which your account really belongs to. This guide is about this second situation. But as a first step, you should try all the seed phrases you know of, even if they belong to other wallets. This will save you time.

Find the lost account
|
@danfinlay |
@danfinlay I see someone is reading my comments: |
Please, greetings. I have this same problem on an Android mobile, which is where I have always used MetaMask. Then, trying to use MetaMask on the PC, I use the seed phrase and it opens a new empty account. I only have one wallet; I do not have multiple accounts or anything like that. I tried on 2 PCs and an iPad and it does not open my wallet. Everything I have read here works for PC but nothing for Android. |
Maybe not a bug? I think the extension and mobile are different types of wallets, meaning that you should be able anyway to import your wallet by using the private key, which as far as I know is agnostic to implementations. If that doesn't work then maybe it's a bug. |
Hi @Maikeloneate, do you still have access to your account on Android? |
Hi, @MomOfTwins1 Very clear explanation. Hope it can save me. |
Hi @WalaVita. AstroGrep should work, try it again. Hope your problem will be solved. Kindly please keep me updated whether it worked out for you or not. |
@herufer, issue: https://community.metamask.io/t/the-seed-phrase-has-not-been-restored-to-my-original-account/22447/16 as my message doesn't get through on the MM community. Sadly, I do not know what is wrong either… 🙁 Do not worry, it’s an empty wallet 🤣 That is where all the problems started for me. Actually, the Account 1 that was displayed on MM never was one from that seed phrase, but from my test wallet! I learned it much later… it is not mentioned on GitHub and I had no time to update it there. Also, some other experiences, https://community.metamask.io/t/mom-of-twins-lost-metamask-account-pdf-helper-please/13906/66 seem to match the same scenario. |
Hello everyone. First, to all of the people who tried to solve it and shared the problem: thank you, it helped a lot of people like me. I have the same problem as you.
I made a mistake by sending from Binance to the wrong network (BSC), but even with the wrong network we can retrieve the funds. My problem is that to retrieve them I need to add the Binance network to the original address. What I know:
I tried to:
Something strange:
Thank you for reading |
I’m having the same issue when trying to retrieve my Reddit Vault in the MM iOS app. The address in MM doesn’t match my Reddit address. I triple checked! Edit: tried the seed phrase in the MyEtherWallet iOS app. Same address as the MEW address.. but NOT my Reddit Vault address. Now what.. |
I tried to work on this issue on Apr 28, 2022. @danfinlay never answered anything; it seems there is no bug bounty for mobile. I had seen the code at that time and it was probably buggy, that's why I asked if the bug bounty includes mobile. Then the team started to correct the code, and I never received an answer. |
The other thing I noticed, as I am also affected by this, is that the old address is indicated in my MM state-log in a list designating ignored addresses. I am not sure what this means, but that the seed phrase I currently use to restore addresses was at one time related to the address that I originally sent my coins to. Wondering if anyone else can verify if they see the address with their coins also listed in a similar state-log list? @Starish971 @danfinlay Any thoughts on why the lost address would show up in the allignoredtokens list? |
I have the same issue whereby my seed phrase does not restore my wallets. My initial accounts were made on firefox metamask extension. |
@jcalv13 The above dialogue seems to suggest we were given seed phrases for an alternate wallet when we first generated our wallet. When logging in with this seed phrase we get redirected to an alternate wallet, with the original seed phrase never communicated visually. I agree, hoping someone at MetaMask is working on this. |
@danfinlay never responded to my initial request for info from March. |
Oh wow this is even worse than I had thought. I hope you have access to your wallet & have stored all your private keys somewhere safe? This is my course of action now. |
@jcalv13 Except, if the above is true, the seed phrase you have will never get you access to your original wallet. |
I can help people with problems in PC, for those with mobile problems in my opinion nothing can be done. If i recover your wallet i expect donations. ty |
As part of our commitment to the best security we can offer, the MetaMask team is planning to continuously offer a bug bounty on our seed phrase functionality. We are starting the bounty at 1 ether, but anyone is free to add to the bounty as they like.
As we have written about before #2577, and have awarded a bounty for in the past, sometimes users have reported that the seed phrase they were originally given does not restore their original accounts.
We have continued to receive rare but concerning accounts of similar experiences: #2904 #3042 #4756 #4697
The bounty will be paid to anyone who can demonstrate a condition in MetaMask's code base, either through automated tests or manual reproduction, where MetaMask would show a user a seed phrase on first setup that would not work for later restoring their accounts.
Thanks for your interest and participation, we're available to answer any questions about our key management here.