Topic: recover coinbase multisig wallet to electrum? (Read 471 times)

you need these three things for recovery User key- Seed and Public key. Shared key- Seed (encrypted) and Public key. Coinbase key- Public key.

Then either that decryption passphrase does not match that encrypted key (most likely), or Coinbase have done something weird and non-standard with their implementation of BIP38 (although that is highly unlikely to be the case). I suppose you could try installing the BIP38 library from https://github.com/bitcoinjs/bip38 and trying again to decrypt your encrypted key, but I doubt very much that you would have a different result.

Yes, the encrypted shared seed starts with 6P.

The encrypted shared seed is 58 characters in length.

the "cold key" that I found in an old version of my password manager is 30 random characters, not words like a "seed phrase".

regardless, I am getting a pop-up message stating: "Incorrect passphrase for this encrypted private key."

As we discussed on the previous page, your encrypted seed starts with "6P", correct?

If it does, then it should be a BIP38 encrypted key, although these are supposed to be 58 characters long, not 30, so I'm not entirely sure what you have. The easiest way to decrypt a BIP38 key is going to be to download bitaddress.org from its GitHub (https://github.com/pointbiz/bitaddress.org), run it on an offline computer, click on "Wallet Details", enter your encrypted key beginning with "6P", click on "View Details", and then enter your decryption key in the new box which appears. I would try this first and see what happens.

I'm not sure if this thread can be revived but I may have located what I need but have no idea how to use it.   

Long story short, I found an old dead android phone, ordered a battery for it, got it unlocked and while the device was disconnected from the internet, opened my password manager on this device and found an old entry for Coinbase labeled "cold key used to encrypt other keys"

I would like to test decryption of the encrypted shared seed with this key but the only decryption tools I am finding need the "encrypted seed"  and a "seed phrase"...  I don't have a seed phrase... I have an actual 30 character key.   no words, no spaces...   

Any suggestions for this situation would be appreciated.

The user in that post does not reveal either his master public key nor the address he is trying to access, so I can't be sure, but it seems like he has used his user seed and user master public key on their own (i.e. as a single-sig wallet and without the multi-sig requirements of the shared seed or the Coinbase seed) to generate some addresses. Certainly the code provided by achow101 in response takes his user seed, uses it to derive a single master private key, a single master public key, and then a single address at a specific index, with no mention of the multi-sig requirements.

If you wanted, you could take your user public key and check the addresses it derives on its own, as has been done in the Stack Exchange post you linked to. There is no need to use python to do this. You can simply go to https://iancoleman.io/bip39/, paste your user public key in to the box named "BIP32 Root Key", select "BIP32" under the heading "Derivation Path", and then change the BIP32 Derivation Path to m from m/0. If any of those addresses hold a balance then you can access them only using your user seed, but it also means that Coinbase made a critical flaw that no one noticed when implementing their multi-sig vaults, which would be highly unlikely.

Thanks for saving me the couple hundred $$ trying to brute force it.   
 
I would, however, like to understand this post a little better
https://bitcoin.stackexchange.com/questions/57207/how-to-derive-the-private-key-associated-with-a-coinbase-multi-sig-vault-address

That seems pretty close to my situation, but I actually have more information than that user did.   I certainly don't have the comprehension of the problem that user does, unfortunately....   
This probably isn't the best place to ask but wanted to toss it out here.
He seemed to be able to obtain everything he needed from getting access to the master private key and the extended private key using ONLY the user seed.  Sorry, not trying to be dense, but I am not understanding the difference

I am attempting to contact the OP for that post as well
thanks

The risk of having your coins stolen is near zero. Even if the cloud computing is successful at decrypting your shared seed, then they only have access to one of the necessary seeds. As long as you don't mistakenly share or leak your user seed as well, then there is no chance of them being able to steal your coins.

I don't know how much power you could reasonable rent with vast.ai, but as pointed out above, BIP38 is specifically designed to be more difficult to brute force than, say, a seed phrase. Even if your password generator generated a weak password with only 60 bits of entropy, and even if you managed to rent enough computing power to give you 1 billion guesses a second (which is likely a gross overestimation and would be hugely expensive), then you are still looking at over 36 years of rented power to exhaust the search space. Most password generators today would generate a minimum of around 80 bits of entropy, which already takes us in to the area of millions of years.

If the password was randomly generated and you have absolutely no idea what it is, then you are wasting your time. The only other possible option I can think of is to contact Coinbase and see if they still have the Coinbase seed linked to your account stored somewhere and if they will provide it to you. Seems like a long shot though, given how terrible Coinbase support is and how little they care about their customers.

In the event anyone else in the same boat is following this thread my post on stack exchange covers how to test decryption of shared seed for a multisig vault https://bitcoin.stackexchange.com/questions/111851/how-to-test-decryption-of-shared-seed-for-a-multisig-vault

Unfortunately, all my attempts at a password failed.   In addition to that, researching my email leads me to believe I was using a password manager that supports strong password creation at the time of the vault creation so I didn't pick a password.   That is what rubs me the wrong way in this situation since I stored (what I thought to be) all the essential information for the vault (user seed, shared seed, all three public keys, etc).  I was (and still am) a noob and didn't understand any of the working parts.  

Continuing down the rabbit hole...
On the topic of brute forcing, This YouTube video covers running BTCRecover with Vast.ai (rented servers) https://www.youtube.com/watch?v=8Zqc-2Te3zQ and in the first 10 seconds, he states that "In one 24 hour period, with $50 worth of hash power, this could knock over about as much as my CPU could do if it was running for 3 years straight"

I fully understand attempting BIP38 wallet recovery on rented servers is not secure, as there is no ability to do any kind of "Wallet Extract" or anything like that. The server owner would possess the key if decryption succeeds.  
My two questions are this:
As my wallet is multisig, does that decrease the risk dramatically?  
Assuming the answer to the above question is "yes", I'd be willing to throw a few hundred $$ at this which would get me over a decade of hashing power.  
Besides, it will make a funny story if nothing else.  
Assuming my password generator did a great job and produced a really awesome completely random password is a decade going to even come close or are we talking over 100 years to crack?
It is not easy to find answers on BIP38, everything seems to be focused on BIP39.

Users picked their own passphrase, so it depends on how good OP's password picking abilities at the time were. Also, there is hopefully a higher chance he remembers some of a password or passphrase he picked himself rather than one he was given.

Not ideal, but it doesn't look like he has any other options.

In that case, just use a program such as https://btcrecover.readthedocs.io/ to try to brute force your unknown decryption key.

As per the stack exchange answer from achow101 you linked to before, Coinbase turns the seeds in to BIP32 master keys and then uses them to create an HD wallet, which can therefore generate as many addresses as you want.

Yes, the encrypted shared seed starts with "6P".

but I am thoroughly confused, there is a single vault password and single encrypted shared seed...    how does that correspond to two different public addresses? 

No, I didn't. I meant what I said.

The Coinbase seed is protected by the password and 2FA to his Coinbase account.

Let me try explaining it another way. There are three seeds:

Coinbase seed - stored by Coinbase. The user accesses this seed by logging in to their Coinbase account.
Shared seed - stored by both parties, but encrypted. The user holds the decryption key.
User seed - stored by the user.

Ordinarily the user would log in to the Coinbase account with their email, password, and 2FA, which gives them access to their vault with 1 of the 3 seeds. They would then provide the decryption key for the shared seed, giving them access to 2 of the 3 seeds (Coinbase and shared) and therefore the ability to make a transaction.

If the user had forgotten their decryption key, then instead they could log in to the Coinbase account to access the Coinbase seed, and then provide the user seed, giving them access to 2 of the 3 seeds (Coinbase and user).

Now, as Coinbase have discontinued support for these vaults and removed the Coinbase seed from OP's account, his only solution is to decrypt the shared seed and combine it with his user seed.

You seem to missing the fact that you couldn't just log in to a vault by providing either the decryption key or the user seed - you had to first log in to the associated Coinbase account. This is really no different than, say, TrustedCoin providing a second signature when you provide the necessary 2FA code.

It would seem so. Is it indeed BIP38 encrypted? It should start with "6P" if it is.

I have found a way to test decrypting the shared user seed and none of the passwords that I have work.
As I see it, my only option is to attempt to brute force the password used to (BIP38) encrypt the shared seed since coinbase is no longer signing tx, does that sound correct?  

Looking into BIP38 brute forcing...  the encrypted seed and public address (and dictionaries) are used for the process.   
Another point of confusion for me...   which address?   Allow me to explain...   
I have two transactions going into "My Vault" and each transaction went into a separate bitcoin address. 

Instead of the bolded part, I assume you wanted to say 'shared seed'.
I guess we have to agree to disagree. The way I see it is that the security level here is onefold. With the one element he has (the user seed), he is able to unlock and gain access to all the other elements necessary for the recovery. More precisely, he was when the vault was still functional.

The Coinbase 'user seed' is nothing but a master password allowing you complete access to a vault that is supposed to be protected by two factors. It essentially is protected by different keys and multiple factors, but you can use the one key you have to find the other keys in order to have the 2/3 necessary seeds .

Would you be comfortable with the following "secure solution"?
The two of us set up a multisginature wallet. For simplicity, let's forget about the third key and public keys. We will have a 2/2 system. Let's call our keys user seeds. You have one user seed and I have the other. I don't know your key, and you don't know mine. Without the two keys, none of us can spend the coins in that address. Even though I don't know your key, I can just enter my user seed in the system and the wallet will reveal your user seed as well. Thanks to this incredibly secure setup, I now have 2/2 keys. How would you rate this scheme to store Bitcoin?

Unfortunately, the coinbase multisig github tool is no longer functional (these two threads detail my attempts with it)
https://bitcointalksearch.org/topic/--5316286

https://bitcointalksearch.org/topic/--5316286

The second key he would use in a such a scenario is the Coinbase seed. This is available to him since he can access his Coinbase account. Usually he would provide the decryption key for the shared seed so he would have the Coinbase seed and the shared seed, but in this alternative situation instead of providing the decryption key he provides the user seed, giving him the Coinbase seed and the user seed. In both scenarios, he has 2 out of the 3 necessary seeds.

If seems, however, that since Coinbase have completely discontinued support for their multisig vaults, he can no longer access the Coinbase seed, so this method is not available to him. He has the user seed, and is going to have to brute force the decryption key for the shared seed to give him the necessary 2 out of 3 seeds.

I understand that. However, OP doesn't have the shared seed or the decryption key that gets him the shared seed. He only has the user seed. He owns 1 element to make a successful recovery. The 2nd element to get the shared seed is the decryption password. He doesn't have it. Therefore, he doesn't possess 2/3 necessary requirements for recovery. If there is a way around all that by inserting the user seed in place where the decryption key goes, it defeats the whole security model of the vault. I would be glad for the user's sake if that works because it would give him access to his coins. But I am criticizing the set up and find it pointless.

Imagine having a passphrase-protected wallet and losing the passphrase. But instead of the passphrase, you can just insert your seed a 2nd time and get the same result? What's the point of the passphrase then? In both cases you only have 1 element that gives you access to coins that are supposed to be protected by two different layers of security. The seed + passphrase in the second example. The user seed and the decryption key in the first.  

That's not what is happening. Coinbase have the Coinbase seed and the encrypted shared seed. Usually the user would enter the decryption key (the "vault password"), allowing their browser to decrypt the shared seed giving them the necessary two out of three seeds in which to sign a transaction. Should the user have forgotten the decryption key, then they can instead just enter the user seed. At this point, they have access to the Coinbase seed and the user seed, again meeting the two out of three requirement.

I believe that the current vaults on Coinbase are completely different to the old multi-sig vaults, which is what you are dealing with here.

Have you tried entering your information in to their multisig vault recovery tool? Best to download this and go offline after it has scanned for balances for safety reasons. You should also be able to test your decryption key using it. https://github.com/coinbase/multisig-tool/blob/master/README.md

So essentially what I need is to find someone that understands the decryption process discussed in the ReadMe on the coinbase multisig github https://github.com/coinbase/multisig-tool#bip38 since that is how coinbase decided to do it. and once I verify the password or verify I do not know the password, I could determine next steps...   does that sound accurate?