
Topic: Mixin Safe: A Convenient and Decentralized Multisig + MPC + Timelock solution - page 5. (Read 1976 times)

member
Activity: 87
Merit: 40
Enabling an unlimited number of attempts is again not a good solution from a security point of view.
Yes, it is. Security that relies on the limit of attempts isn't true security. You have unlimited attempts to break a Bitcoin private key. You have unlimited attempts to break into someone's password-protected wallet. Both are very secure. On the other hand, the PIN in Mixin is not secure, as I have already said in my review, because there are less than a million different combinations.

Here we don't argue about the choice. Just focus on the project itself. No perfect security.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Enabling an unlimited number of attempts is again not a good solution from a security point of view.
Yes, it is. Security that relies on the limit of attempts isn't true security. You have unlimited attempts to break a Bitcoin private key. You have unlimited attempts to break into someone's password-protected wallet. Both are very secure. On the other hand, the PIN in Mixin is not secure, as I have already said in my review, because there are less than a million different combinations.
legendary
Activity: 3472
Merit: 3507
Crypto Swap Exchange
I know there are too many different names involved in using Mixin Safe, but MixPay is a third party app on Mixin Messenger. They issue EPC for you so that you can verify your Mixin Messenger PIN while doing something. So you need to transfer EPC to them to get back the refund. In that procedure you proved that you knew the PIN, otherwise if they just sent back your TRX and you didn't know the PIN at all, then the money is lost.

I haven't tried it, but is there a limited number of PIN attempts and for example what happens after 5 incorrect attempts in a row?
If there is no other recovery method, the app should not lock. Enabling an unlimited number of attempts is again not a good solution from a security point of view.

member
Activity: 87
Merit: 40
So here is my experience. I got my TRX refund instantly. However, I do not understand the role of EPC and how it can be a surety to avoid assets lost through Mixin Wallet?

The whole procedure for a refund is mentioned here. https://help.mixpay.me/en/articles/7063792-how-to-get-a-refund

I know there are too many different names involved in using Mixin Safe, but MixPay is a third party app on Mixin Messenger. They issue EPC for you so that you can verify your Mixin Messenger PIN while doing something. So you need to transfer EPC to them to get back the refund. In that procedure you proved that you knew the PIN, otherwise if they just sent back your TRX and you didn't know the PIN at all, then the money is lost.

And this small amount of TRX can't be transferred out of Mixin Messenger because it doesn't even cover the withdrawal fee. So it's recommended to use it inside Mixin Messenger or MixPay.

MixPay is supported online in many places, like https://www.coinsbee.com/en/
hero member
Activity: 2856
Merit: 618
Leading Crypto Sports Betting & Casino Platform
I reviewed this project recently. At the time of upgrading the plan, I sent the TRX from the exchange and the minimum TRX the exchange allowed was more than the worth of 2$, so some extra TRX were sent. At the time of review, I did not claim my extra TRX back to my Mixin Message wallet but later (after a day or so) I tried to check if this process really works.

So here is my experience. I got my TRX refund instantly. However, I do not understand the role of EPC and how it can be a surety to avoid assets lost through Mixin Wallet?

The whole procedure for a refund is mentioned here. https://help.mixpay.me/en/articles/7063792-how-to-get-a-refund
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
But it makes a good point to let a new user to choose a new PIN though. But for now, you must use the old PIN, even if it's failed.
I don't have a second PIN. The PIN I entered was just one, and nothing interrupted the process. It's curious how no one else experienced this.

Edit: I just downloaded it from another source, and it worked. The properly working apk I just downloaded is mixin-400309.apk.
member
Activity: 87
Merit: 40
I have installed both Mornin key and Mixin messenger, but in the Mixin app I'm incapable of creating a wallet. When I open up the app, I get the following message:


When I'm entering the (correct) PIN, error "PIN incorrect" pops up:


Has anyone experienced this before? I have tried to uninstall, and reinstall it but it still persists.


From the screenshots it looks like you have tried to set up a PIN and interrupted somehow, and now you need to continue that process with the old PIN you have tried to set.

But it makes a good point to let a new user to choose a new PIN though. But for now, you must use the old PIN, even if it's failed.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I have installed both Mornin key and Mixin messenger, but in the Mixin app I'm incapable of creating a wallet. When I open up the app, I get the following message:


When I'm entering the (correct) PIN, error "PIN incorrect" pops up:


Has anyone experienced this before? I have tried to uninstall, and reinstall it but it still persists.
member
Activity: 87
Merit: 40
I thought I would post a few things here that happened after I made a review about a week back

Especially these parts:

I never set the lock time to 4 days, so I have no idea what happened. How one can modify the lock time, if it's even possible? What if I want 10 days or 30 days?
Why does the time lock automatically set to 4 days or is it just a default for testing purposes?


Regarding the timelock, it's by default 4 days for the test purpose. It's possible to set it before creating the safe, but we didn't show the option on the website.

For recovery transactions, the website has improved a lot to show more details. It was not that good a week ago. And as always, you can find all transactions about your Safe address in a Bitcoin explorer.




Can you find a solution to substitute "Mixin Messenger" with a more well known platform? You say you use it to create the wallet... but will Electrum not do the same thing?

It is about time that someone figure out a more user-friendly method to use Multisig and timelock features. In any way, I will monitor and follow this thread... it has potential to be one of the good solutions in the Bitcoin space.

It just needs to be more decentralized and Open-source for transparency.... preferably without revealing your private telephone number.

No other wallets have the support for these bitcoin features yet. And the most important thing is we are trying to provide a decentralized solution to people that are used to traditional financial apps and centralized exchanges. Electrum will never provide the same user experience as Mixin Messenger does.

And all Mixin apps are open source since day one, the first commit is six years ago. https://github.com/MixinNetwork

Mixin Messenger is also pretty known I think
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Can you find a solution to substitute "Mixin Messenger" with a more well known platform? You say you use it to create the wallet... but will Electrum not do the same thing?

It is about time that someone figure out a more user-friendly method to use Multisig and timelock features. In any way, I will monitor and follow this thread... it has potential to be one of the good solutions in the Bitcoin space.

It just needs to be more decentralized and Open-source for transparency.... preferably without revealing your private telephone number.

Ideally you would be able to use any Web3-enabled wallet supporting, I dunno, a protocol like "WalletConnect", but the problem with this approach is that most of these wallets only work with ETH-like coins.

It's just a consequence of using TIP for authentication, but I believe any other identifier would work with the underlying algorithm besides phone numbers. Same goes for PINs - it could actually be any string of characters, but since it's a mobile app, it's easier to show PINs I guess.
copper member
Activity: 2198
Merit: 1837
🌀 Cosmic Casino
I thought I would post a few things here that happened after I made a review about a week back

Especially these parts:

I never set the lock time to 4 days, so I have no idea what happened. How one can modify the lock time, if it's even possible? What if I want 10 days or 30 days?
Why does the time lock automatically set to 4 days or is it just a default for testing purposes?


New Recovery
Anyway, I just did a new recovery by holder keys method and see what happens.
Once I approved, there was not much information about what was happening next. No transaction ID, No record about the receiving address, Not many details about the transaction/activity I had just carried out. No idea whether the Bitcoin is going to appear in my address or not. And if yes, approximately after how long?

In summary, this is how the page looked like


So the Bitcoins finally appeared in the address I had provided during the time when I created a new recovery, but still I went back to my safe dashboard and no details about my recent transaction like transaction ID and address where the bitcoins had been withdrawn to. I think this is really very important for record purposes. Imagine if the locktime is about let's say 100 days, there isn't a way one is going to have the address in mind after that long except if they just copied it somewhere.



legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
Can you find a solution to substitute "Mixin Messenger" with a more well known platform? You say you use it to create the wallet... but will Electrum not do the same thing?

It is about time that someone figure out a more user-friendly method to use Multisig and timelock features. In any way, I will monitor and follow this thread... it has potential to be one of the good solutions in the Bitcoin space.

It just needs to be more decentralized and Open-source for transparency.... preferably without revealing your private telephone number.
member
Activity: 87
Merit: 40
Second, we have been running for 6 years, that's long enough, we have no incentive to go offline.
Don't you think it's hypocritical to call your product decentralized respecting, and requiring your presence at the same time? Neither does Coinbase have incentive of going offline, but shit happens. Shouldn't the average user be able to do this alone, with their family member, when your service shuts down?

Also, I'm sharing the same thoughts with dkbit98 and examplens. What's the phone number for? In your website, it says "Social recovery with phone number and PIN". Is it compulsory? I don't want to give my real phone number, and I neither want to give a temporary that isn't mine, because then the third party can recover the wallet.

I'm preparing the review, so I'm trying to figure out what's wrong.


Here we want to make sure there is no bug of the system. Like for Bitcoin itself, we just discuss the blockchain technology, the implementation, the product itself. We are not trying to raise debate over PoW good or bad for environment.

Everyone has their own argument over any product, let's just focus on the development aspect for now.

But we don't need to discuss this anymore, I think all these questions are already in the previous discussions in this topic.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Second, we have been running for 6 years, that's long enough, we have no incentive to go offline.
Don't you think it's hypocritical to call your product decentralized respecting, and requiring your presence at the same time? Neither does Coinbase have incentive of going offline, but shit happens. Shouldn't the average user be able to do this alone, with their family member, when your service shuts down?

Also, I'm sharing the same thoughts with dkbit98 and examplens. What's the phone number for? In your website, it says "Social recovery with phone number and PIN". Is it compulsory? I don't want to give my real phone number, and I neither want to give a temporary that isn't mine, because then the third party can recover the wallet.

I'm preparing the review, so I'm trying to figure out what's wrong.
member
Activity: 87
Merit: 40

Anyway, I'm having trouble getting $10 worth of bitcoins out of the Safe. I can approve the transaction with the app, but I can't for the life of me get the PSBT to sign on Bitcoin Core so that I can give it the "final approval".

Code:
# The PSBT I'm given to sign:
cHNidP8BAG0CAAAAAUFu84YkNsGPV2cIqxFcO59PXJ8pJY9TMw90ew6qXp+VAAAAAAD/////AkCcAAAAAAAAFgAUH8WFFsDMwDYR8WzeafSpjeMzGXUAAAAAAAAAABJqEGraR8OsQUhlhYdcPQRibgMAAAAAAAEBK0CcAAAAAAAAIgAgaN/B/zX5booLeWET8OQDmgXWR24Fx1wvU4fIw7mWekQBAwSBAAAAAQV4IQLsNyxLbWpvwJZOB91IRIvISSFGn7/cTFItqQ86a5VP6ax8IQPWQXejk5icX/nIYD30IeKJDQORPx4eXnlItj9+E2pX0ayTfIKSYyEC2E82kxxhOPGCWknCn1xNmvlSTKeV4TO4z8ZaAazXfJqtArABspJok1KHAAAA

# I have the following address and public key in the private key wallet:
02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9
16THpFJrhKtiWKtZGZ6BsKCJpeR5Bvpuim

# The script imported into the script wallet is:
wsh(thresh(2,pk(02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9),s:pk(03d64177a393989c5ff9c8603df421e2890d03913f1e1e5e7948b63f7e136a57d1),sj:and_v(v:pk(02d84f36931c6138f1825a49c29f5c4d9af9524ca795e133b8cfc65a01acd77c9a),n:older(432))))#pdtn7kxw

The first key is my public key, the second key I assume belongs to my Mixin Wallet and the third is probably owned by the network, so it seems that the timelock will not help me in any case.

I wish you had set this up with Testnet first...

Sorry to hear this

You lost the private key in your Bitcoin Core? Or any errors that prevent you from using Bitcoin Core to sign the PSBT? And you need both the private key wallet and script wallet to sign the PSBT, and follow the guide in correct order https://support.mixin.one/en/article/how-to-use-bitcoin-core-to-approve-transactions-74l0ro/

Anyway, if you can't do it with Bitcoin Core, go to the Recovery section, and start a recovery with Members Key using Mixin Messenger.

The timelock here means to prevent us from using the Recovery key during the lock time. And that Recovery can only work after the timelock expired as shown in the website.

However, if you have lost both of your Bitcoin Core and Mixin Messenger, then the wallet recovery is impossible in any way, because of the 2-of-3 multisig.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
there's a network fee that is deducted from all outgoing transactions from the wallet/safe
See:
For test, the price is very cheap, starts at $2 per year, and it includes a free transaction to send, so $2 is the minimum cost for a tester.

The network fee apparently only applies to the wallet transactions, not to the safe.



Anyway, I'm having trouble getting $10 worth of bitcoins out of the Safe. I can approve the transaction with the app, but I can't for the life of me get the PSBT to sign on Bitcoin Core so that I can give it the "final approval".

Code:
# The PSBT I'm given to sign:
cHNidP8BAG0CAAAAAUFu84YkNsGPV2cIqxFcO59PXJ8pJY9TMw90ew6qXp+VAAAAAAD/////AkCcAAAAAAAAFgAUH8WFFsDMwDYR8WzeafSpjeMzGXUAAAAAAAAAABJqEGraR8OsQUhlhYdcPQRibgMAAAAAAAEBK0CcAAAAAAAAIgAgaN/B/zX5booLeWET8OQDmgXWR24Fx1wvU4fIw7mWekQBAwSBAAAAAQV4IQLsNyxLbWpvwJZOB91IRIvISSFGn7/cTFItqQ86a5VP6ax8IQPWQXejk5icX/nIYD30IeKJDQORPx4eXnlItj9+E2pX0ayTfIKSYyEC2E82kxxhOPGCWknCn1xNmvlSTKeV4TO4z8ZaAazXfJqtArABspJok1KHAAAA

# I have the following address and public key in the private key wallet:
02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9
16THpFJrhKtiWKtZGZ6BsKCJpeR5Bvpuim

# The script imported into the script wallet is:
wsh(thresh(2,pk(02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9),s:pk(03d64177a393989c5ff9c8603df421e2890d03913f1e1e5e7948b63f7e136a57d1),sj:and_v(v:pk(02d84f36931c6138f1825a49c29f5c4d9af9524ca795e133b8cfc65a01acd77c9a),n:older(432))))#pdtn7kxw

The first key is my public key, the second key I assume belongs to my Mixin Wallet and the third is probably owned by the network, so it seems that the timelock will not help me in any case.

I wish you had set this up with Testnet first...
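
An added example (not code from the thread or from Mixin) that enumerates the spending paths of the descriptor posted above: which key pairs satisfy the 2-of-3 `thresh`, and which of them must first wait out the `older(432)` relative timelock. It handles only the fragments that appear in that descriptor and treats the wrappers (`s:`, `sj:`, `v:`, `n:`) as not changing who must sign; all function names are hypothetical.

```python
import itertools
import re

# Keys and structure copied from the descriptor in the post above (checksum omitted).
K1 = "02ec372c4b6d6a6fc0964e07dd48448bc84921469fbfdc4c522da90f3a6b954fe9"
K2 = "03d64177a393989c5ff9c8603df421e2890d03913f1e1e5e7948b63f7e136a57d1"
K3 = "02d84f36931c6138f1825a49c29f5c4d9af9524ca795e133b8cfc65a01acd77c9a"
DESCRIPTOR = f"wsh(thresh(2,pk({K1}),s:pk({K2}),sj:and_v(v:pk({K3}),n:older(432))))"

def split_args(s):
    """Split a comma-separated argument list, ignoring commas inside parentheses."""
    args, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(s[start:i])
            start = i + 1
    args.append(s[start:])
    return args

def combine(subs):
    """AND several sub-conditions: union of the keys, longest of the relative locks."""
    out = []
    for combo in itertools.product(*subs):
        keys = frozenset().union(*(c[0] for c in combo))
        out.append((keys, max(c[1] for c in combo)))
    return out

def paths(expr):
    """Return every way to satisfy expr as (frozenset of signing keys, relative lock in blocks)."""
    expr = re.sub(r"^[a-z]+:", "", expr)      # drop wrappers such as s:, sj:, v:, n:
    name, inner = expr.split("(", 1)
    args = split_args(inner[:-1])             # inner[:-1] removes the closing ")"
    if name == "wsh":
        return paths(args[0])
    if name == "pk":
        return [(frozenset([args[0]]), 0)]
    if name == "older":                       # relative timelock, counted in blocks here
        return [(frozenset(), int(args[0]))]
    if name == "and_v":
        return combine([paths(a) for a in args])
    if name == "thresh":                      # any k of the listed sub-conditions
        subs = [paths(a) for a in args[1:]]
        return [p for chosen in itertools.combinations(subs, int(args[0]))
                for p in combine(chosen)]
    raise ValueError(f"fragment not handled in this example: {name}")

def spend_paths(descriptor):
    """Strip an optional '#checksum' and return [(sorted key list, blocks to wait)]."""
    found = paths(descriptor.split("#")[0].strip())
    return [(sorted(keys), lock) for keys, lock in found]

def approx_hours(blocks):
    """Estimated wait at the 10-minute block target; real block times vary."""
    return blocks * 10 / 60

if __name__ == "__main__":
    for keys, lock in spend_paths(DESCRIPTOR):
        who = " + ".join(k[:10] + "..." for k in keys)
        print(f"{who}: spendable after {lock} blocks (~{approx_hours(lock):.0f} h)")
```

The output lists three pairs: the first two keys together with no wait, and either of them together with the third key only once the input is 432 blocks old.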
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
there's a network fee that is deducted from all outgoing transactions from the wallet/safe
See:
For test, the price is very cheap, starts at $2 per year, and it includes a free transaction to send, so $2 is the minimum cost for a tester.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Hi, I'm one of the reviewers in your Review Campaign, I have to ask whether you are shouldering the 2 USD payment for creating a safe? I don't mind paying for it myself but I have to make sure that there's an option that you will be able to shoulder the payment. I'm currently checking it right now and that's the only part that I'm stuck.
What do you mean by shouldering the payment of 2 USD? If you are accepted for the review campaign, BTC up to 0.003 or so would be sent to you and that will be enough to shoulder whatever payment and also compensate your efforts.

I agree with you. Initially, I was quite shocked to see a pricing to even use the safe at all (more details are in the review), but perhaps in a few days, once I get over this surprise, I might create a safe and see how it goes.

*The total costs will actually be more than $2 since there's a network fee that is deducted from all outgoing transactions from the wallet/safe, that is significantly larger than $2, but it should not be higher than about $20 or so from my experimenting.
sr. member
Activity: 630
Merit: 277
Thanks o_e_l_e_o, after the extended discussion between you and Op, I have gotten a clear hint of how the project works.

Hi, I'm one of the reviewers in your Review Campaign, I have to ask whether you are shouldering the 2 USD payment for creating a safe? I don't mind paying for it myself but I have to make sure that there's an option that you will be able to shoulder the payment. I'm currently checking it right now and that's the only part that I'm stuck.
What do you mean by shouldering the payment of 2 USD? If you are accepted for the review campaign, BTC up to 0.003 or so would be sent to you and that will be enough to shoulder whatever payment and also compensate your efforts.
full member
Activity: 1540
Merit: 219
Hi, I'm one of the reviewers in your Review Campaign, I have to ask whether you are shouldering the 2 USD payment for creating a safe? I don't mind paying for it myself but I have to make sure that there's an option that you will be able to shoulder the payment. I'm currently checking it right now and that's the only part that I'm stuck.