Bitcointalk username: LoyceV
Review
I wanted to start clean, so I didn't read other reviews before I did mine. I'll check (and Merit) them when I'm done.
Initial thoughts
HODL! Not your keys, not your coins! Self-custody! Be your own bank! We, Bitcoin users, all know this.
This isn't a service attractive for Bitcoin hodlers, this is a service that should target the users who keep "their" Bitcoins on an exchange. Imagine that: you deposit dollars, and instantly get self-custody over your Bitcoins.
Now, let's see how much of my initial thoughts are correct.
Test setup
I started with a fresh Linux installation on my spare laptop, using VPN. I copied a pruned blockchain from my server, installed the latest Bitcoin Core version (25.0), and enabled PSBT controls.
I installed a VPN on an old Android tablet, and installed Mixin Crypto Wallet Messenger.
Mixin Privacy Policy and Mixin Terms Of Service
There's one very big problem with both PP and ToS: I have to share all phone numbers in my phone regularly. I also have to confirm I'm authorized to do so. I don't want to do this, and I'm not allowed to do so either. That would (based on privacy laws but also based on the conditions stated by Mixin) mean I have to ask explicit consent from everyone whose number I store in my phone. Can you imagine I have to call hundreds of people, explain to them I want to use an app, and ask all of them for their consent? And if even one of them refuses (and that's what I would do if someone asked me), I can either remove their number from my phone, or I'm not allowed to use the Mixin app. I know apps like Telegram and WhatsApp all do this, but this is a huge no-go for me.
To fix this: sharing phone numbers should be done manually, and only the numbers of the users I want to interact with through your app.
The rest of the Terms look acceptable to me.
SMS verification and first impression of the Mixin app
I used tempsmss.com for SMS verification (+447893932805, Mixin ID: 41189703), and after a double captcha inside the Mixin app, it worked on first try.
Now I have a messenger. The only other combination of "wallet" and messenger I've seen is Byteball (now called Obyte), an altcoin based on a DAG instead of a blockchain. It worked well there.
My first impression on Mixin Messenger is: now what? I get 4 automated messages from "Team Mixin" (the same 2 messages twice), and click "How to use Bots on Mixin Messenger?". It shows a video, which to me is a waste of time. I now need to be in a quiet environment and waste time listening to music for something I could have read in 5 seconds. The voice in the video has a terrible accent, I can barely understand what she's saying. Part of it doesn't even sound like it's English.
Clicking "back" is what I needed to see the normal view, and "Create wallet" looks like what I was looking for.
Security
When creating a PIN, I'm told that the Throttled Identity Protocol makes a 6 digit PIN a strong secret key. I have a hard time believing that, as there are only 1 million possibilities no matter how you encrypt it. Even worse, it's less than a million, because the first PIN I tried was rejected.
This feels very, very weird! I now have a wallet, without seed phrase, and I have no idea how to recover this outside your app. As an experienced Bitcoin user, this is confusing. None of it is what I expected from a wallet.
Deposit
For testing, I deposited a low-fee expendable altcoin (0.001 LTC). It showed up after 2 confirmations, but the balance needed 12 confirmations to update (this is more than usual for Litecoin).
Withdrawal and fees
I tried to withdraw again, which is where it got ridiculous:
Network fee: 0.02 LTC, Minimum withdrawal: 0.0001 LTC. The fee is 10 times higher than what exchange Kraken.com charges. I guess my Litecoin is a donation to Mixin now.
Note that the transaction fee for a normal Litecoin transaction is 0.00000226 LTC, about 8800 times less than what Mixin charges. That's not a "network fee", it's outrageous! It also shows Mixin is not a wallet: a wallet (by my definition) gives me full access to my funds, and only makes me pay the actual transaction fee. At least call it a "service fee", now it's misleading. And it's a stark contrast with this:
What good does it do me if I can send transactions to other Mixin users for free, if I have to pay 8800 times more for on-chain transactions? Even if I'd send many, many transactions through Mixin, it would still be much cheaper to make all my transactions on-chain from my own wallet.
This made me curious how much the Bitcoin withdrawal fee is. It's 0.00037 BTC, almost 50 times what I paid for my last Bitcoin transaction, and 7.4 times what Kraken.com charges.
To send a transaction from Mixin, I have to first add the address, then enter the PIN, then make the transaction, and enter the PIN again. That's one more PIN than I want to use for making a transaction.
So my first impression is ... confusing. I see high fees and a complicated app, while I have no idea how I could recover my funds without Mixin. If I compare this to for instance Coinomi, Coinomi does exactly what I would expect.
After installing and verifying the app, I was hoping to continue on my desktop. Unfortunately, there's only a Microsoft or Apple version, and nothing for Linux users.
safe.mixin.zone
Are those numbers real? The average customer transferred $1M, and the total amount of assets managed are transferred almost daily? When I see claims like this, it instantly raises doubts. Especially when I see this after creating a Mixin safe:
safe.mixin.zone/decentralized-recovery
This page is filled with buzz words, but it doesn't tell me how to recover my funds. That's weird, especially since any other wallet would just give me a seed phrase, and I can get started. The page is filled with stories about people who lost their Bitcoins, but I've also seen many people lose access or have a really hard time recovering their funds after they used a non-standard wallet implementation, some of them with multisig shared by a third party.
It sounds great, but I'm missing the "how". And that's concerning.
Mixin Safe
Creating a Mixin safe on https://safe.mixin.zone/login worked well, after scanning the QR-code. So at least I can continue on my desktop.
This part turned out to be tricky: I first wondered why the Howto defaulted to Bitcoin Core CLI, and not just the console in the GUI. I copied the commands into Bitcoin Core's console, and created a Mixin Safe. I paid $2 in Litecoin (for speed and low fees), which was accepted after 3 confirmations. After this, I got an invite to a Group Chat with Testers, but the users there only post smileys. I already had my own contacts through Bitcointalk, and sent some funds back and forth with OmegaStarScream. At least that works without fees.
At Step 6.2, I realized I should indeed have used bitcoin-cli: "-named" doesn't work in the console, so I started over.
I got it to work, but it wasn't a nice process. Copying text from a browser to a console and back to the browser, and searching the exact right parts on a small laptop screen is not user friendly. I don't think the average Bitcoin buyer (who now keeps his Bitcoin on an exchange) is going to do this.
The result:
Emergency contact
I made OmegaStarScream my emergency contact. This required me to enter a 4-digit pin, which was sent to him. That means I had to leave the "emergency contact tab" to go back to chat to ask for it. When I went back, it sent a new code and the old one expired. This interface should be improved: at least give the possibility to use the last code, instead of instantly sending a new one when I go back to the "emergency contact tab". I had to try a third time, and wait for the code to pop up on top of my screen. Thanks OmegaStarScream!
After this, he made me a safe member. I haven't made more use of this.
Withdrawing from Mixin Safe
After the deposit to my Mixin Safe was confirmed, I made a transaction from my Mixin Safe. I got a notification in the Mixin app: "a transaction need to be approved as a member" and "Please sign in to Mixin Safe dashboard to view the details". The latter is where I created the transaction, the former I knew already.
It's not entirely how I expected it to be: the Approve button is on my dashboard, and gives a QR-code to scan with the app. It would have saved time if it showed the QR-code instantly when I made the transaction. After Approving it, I got another message on the app saying the exact same thing. Going back to the dashboard, I now have to sign from Bitcoin Core. After following the instructions, I get:
error code: -22
error message:
TX decode failed invalid base64
This was caused by a bug in the instructions:
The error disappeared when I removed the "=" at the top arrow. The "=" at the bottom is correct.
After this, the withdrawal completed.
Withdrawing from Mixin Safe (2)
I was especially curious to see how much I can withdraw from my Safe: I'm supposed to get one free withdrawal, but if it's non-custodial withdrawing from my own address, I'm curious to see who pays the transaction fees.
This is my withdrawal transaction:
It started from my deposit address, but Mixin added another input. That one pays for the transaction fee, and adds an OP_RETURN output.
Improve interaction with Bitcoin Core
In the instructions, there's often a field with data to Copy to Bitcoin Core:
Then there's a link to the Guideline, where I find the commands to use on Bitcoin Core. It would be much more convenient as a user if you can combine those 2: add the Bitcoin Core commands to the first copy field, so I can copy everything at once.
Custodial?
The Mixin deposit addresses aren't multisig, so for sure deposits to the Mixin wallet are custodial. I was hoping the wallet would actually have a non-custodial method to recover funds, but I didn't find it. I guess only the Mixin Safe is non-custodial.
Now all I have is a PIN, a username ("Loyce"), a Mixin ID, a phone number, a Dashboard on my laptop and a wallet in Bitcoin Core. I consider data in the app and access to a phone number as something that can be lost at any moment, so that leaves a Mixin ID, username, 6 digit PIN and my Bitcoin Core wallet. I doubt that's enough to recover my funds, and the app doesn't offer to save a backup.
Other thoughts
- I don't understand the inner workings of the multisig Safe, but I do understand my Bitcoin Core holds 1 out of 3 keys. From what I understand, 1 of the keys is held by the Mixin app, but since the app doesn't have private keys and is custodial: does that mean Mixin could get their hands on 2 out of 3 keys (even if that means waiting a year for the timelock to expire)? In other words: if a HODLer doesn't touch his wallet for a year, he is no longer the only owner. Is that correct?
- The withdrawal from my Mixin Safe included another input that wasn't mine. How does that work? I assume this withdrawal was still custodial.
- Generally, I don't like services that require a phone number, or an app. The reason for this is that I don't consider any device I carry with me on a daily basis as being secure, and when it comes to money, I don't use my phone for anything other than small daily expenses.
- The QR-scanning to open a Mixin safe worked well. So it is quite convenient, but linking Bitcoin Core undid all convenience. I really dislike the fact that I have no idea what it's doing "under the hood". I'm not in Bitcoin to trust companies.
- The URLs used by Mixin are inconsistent: I've seen mixing.one, mixin.network and mixin.zone. I'd say: pick one, and stick to it. Now you're making it easy for phishing sites, as I already lost track of all the domain extensions.
- Compared to Obyte, I miss functionality to send funds and payment requests directly from the chat to the person I'm talking to, instead of having to go back to the wallet and then select the Contact to make a payment.
- In general, before funding any wallet, I create a backup and try to recover that backup from scratch. I couldn't do this with Mixin Safe, and I would never send any substantial funds without being able to recover funds on my own.
- All in all setting up a Mixin Safe is much more work than setting up a hardware wallet, and it feels like I'm much less in control, while I pay higher transaction fees.
From all the reviews I've done, this one was by far the furthest out of my comfort zone. I had no idea what I was doing when I started. I can only imagine this is worse for Bitcoin newbies.
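
The "TX decode failed invalid base64" error described in the review can be caught before a string is pasted into bitcoin-cli. The following is an added example, not part of the original post and not code from Mixin or Bitcoin Core; the function name and the sample strings are constructed for illustration, and the position of the stray "=" is an assumption because the screenshot is not on the page.

```python
import base64
import binascii
import string

PSBT_MAGIC = b"psbt\xff"  # magic bytes that open every PSBT (BIP 174)
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")


def check_psbt_base64(text):
    """Return (ok, reason) for a string about to be pasted into bitcoin-cli."""
    s = text.strip()
    if not s:
        return False, "empty string"
    # Report the first character outside the base64 alphabet, with its offset.
    for i, ch in enumerate(s):
        if ch not in B64_CHARS:
            return False, f"character {ch!r} at offset {i} is not base64"
    # '=' is only legal as trailing padding, so none may remain in the body.
    body = s.rstrip("=")
    stray = body.find("=")
    if stray != -1:
        return False, f"'=' at offset {stray} is not part of the trailing padding"
    if len(s) - len(body) > 2:
        return False, "more than two '=' padding characters"
    if len(s) % 4 != 0:
        return False, f"length {len(s)} is not a multiple of 4"
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error as exc:
        return False, f"base64 decode failed: {exc}"
    # Valid base64 is not enough: the payload must also look like a PSBT.
    if not raw.startswith(PSBT_MAGIC):
        return False, "valid base64, but the PSBT magic bytes are missing"
    return True, f"{len(raw)} bytes with PSBT magic"


# Constructed sample: PSBT magic plus filler bytes, not a real transaction.
SAMPLE_GOOD = base64.b64encode(PSBT_MAGIC + bytes(range(20))).decode()
# Assumed copy error: one extra '=' picked up in front of the string.
SAMPLE_STRAY = "=" + SAMPLE_GOOD

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("stray", SAMPLE_STRAY)):
        print(label, check_psbt_base64(sample))
```

The check only covers the encoding layer and the magic bytes; whether the PSBT spends what the dashboard claims still has to be confirmed in Bitcoin Core before signing.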