Attention delegates: Make sure your pass is strong. A trusted delegate was hacked last night and lost his testnet lisk(stealing fake coins yay!) He did not have a secure pass. Seems the coins were transferred to an account named pangu.
This can't happen on the mainnet, because we are enforcing BIP39 passphrases in the UI.
Quote from: Github Source
Code:
//Lines 260-265
private.openAccount = function (secret, cb) {
var hash = crypto.createHash('sha256').update(secret, 'utf8').digest();
var keypair = ed.MakeKeypair(hash);
self.setAccountAndGet({publicKey: keypair.publicKey.toString('hex')}, cb);
}
//Lines 268-280
Accounts.prototype.generateAddressByPublicKey = function (publicKey) {
var publicKeyHash = crypto.createHash('sha256').update(publicKey, 'hex').digest();
var temp = new Buffer(8);
for (var i = 0; i < 8; i++) {
temp[i] = publicKeyHash[7 - i];
}
var address = bignum.fromBuffer(temp).toString() + 'L';
if (!address) {
throw Error("wrong publicKey " + publicKey);
}
return address;
}
EDIT:
Please let me know if I'm understanding this correctly. To get a Lisk address, all I do is take the SHA-256 hash of the secret key, derive the Ed25519 pub/priv-key pair and then convert the first 7 bytes of the pub-key to a long? What is the "cb" parameter? I see it passed around everywhere and I also see that some method is named that. I can't readily find it's definition.
Almost! The public key is hashed again using SHA-256 and then the first 8 bytes of the hash are reversed. The account ID is then the decimal representation of those 8 bytes.
