electrum: Coldcard Address Verification via USB Broken for Multisig

I’m attempting a 2-of-3 p2wsh on testnet with 2 Vpubs from other devices as well as one extended private key generated directly from a coldcard that is connected via USB.

I’m getting the following error:

E | plugins.coldcard.coldcard.Coldcard_KeyStore | Error showing address
Traceback (most recent call last):
  File "/home/satoshi/workspace/electrum/electrum/plugins/coldcard/coldcard.py", line 474, in show_p2sh_address
    dev_addr = client.show_p2sh_address(M, xfp_paths, script, addr_fmt=addr_fmt)
  File "/home/satoshi/workspace/electrum/electrum/plugins/coldcard/coldcard.py", line 202, in show_p2sh_address
    return self.dev.send_recv(CCProtocolPacker.show_p2sh_address(*args, **kws), timeout=None)
  File "/home/satoshi/workspace/electrum/.venv3/lib/python3.6/site-packages/ckcc/client.py", line 163, in send_recv
    return CCProtocolUnpacker.decode(resp)
  File "/home/satoshi/workspace/electrum/.venv3/lib/python3.6/site-packages/ckcc/protocol.py", line 182, in decode
    return d(msg)
  File "/home/satoshi/workspace/electrum/.venv3/lib/python3.6/site-packages/ckcc/protocol.py", line 196, in err_
    raise CCProtoError("Remote Error: " + str(msg[4:], 'utf8', 'ignore'), msg[4:])
ckcc.protocol.CCProtoError: Remote Error: pk#1 wrong


I’m running master (7c283f9cd21e372b9a324f370b5376fdfe1a628b) with Coldcard Firmware 2.1.5.

I believe this is the same issue I reported here (I’ve done a lot of tests so it’s hard to keep track of all permutations), but instead of actually using a Trezor & Ledger I just pulled out their Vpubs to eliminate any other variables. Trezor correctly displays this address when I include it in the p2wsh.

In order for you to duplicate this, here is my cc-export for my wallet file (imported via SD card prior to getting the above error): 2of3_2vpubs_1cc-cc-export.txt

And here is my coldcard seed phrase (highly insecure but only used for testnet): rice grief core sauce injury alert alcohol car drum polar fruit horror carry endorse urban asthma pass gentle oval script skate canyon finish license

cc: @peter-conalgo @nvk

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 27 (23 by maintainers)

Most upvoted comments

Update: I believe PR #6517 will resolve this long-outstanding bug!

@nvk (see previous comment) I tried to display a multisig address on a Coldcard connected by USB. It works with P2SH m/45’, and P2WSH-P2SH m/48’/0’/0’/1’ also works fine, but for P2WSH m/48’/0’/0’/2’ I get the error when attempting to display the receive address on the Coldcard display. Coldcard Firmware: 3.1.4 2020-06-12

To clarify, I believe @achow101 is saying the BIP wants the bip32 paths in the PSBT_GLOBAL_XPUB field to be a prefix (substring) of the corresponding bip32 paths in PSBT_IN_BIP32_DERIVATION and PSBT_OUT_BIP32_DERIVATION fields. So the paths are overlapping.

To clarify what I was saying: if signers are smart enough, there would be no need for an overlap. The paths in the global could be the prefix, and the paths in per-inputs(/outputs) could be the suffix. This can be detected by testing the included fingerprints against the xpubs in the globals.

The second approach has the advantage that e.g. in our case there would be no need to change the per-input/output fields back-and-forth between cosigners; but it requires signers to be a tad smarter.

I still maintain that the text of the BIP is not clear enough about mandating the overlap, and could be easily understood as allowing both approaches. However clearly not all people read it as such, and hence implementations are not smart enough to handle it, and hence we cannot rely on it.

@peter-conalgo as far as I understand, the Coldcard firmware requires the full derivation and root fingerprint of all the cosigners. This will not work with Electrum’s current wallet creation workflow.

BIP174 does not require cosigners to reveal their full derivation path; in fact, having to do that is a loss of privacy, according to the creator of the BIP. This is how we want to use the BIP in Electrum: each cosigner will provide an intermediate xpub, and no full derivation.

I think the Coldcard firmware could be slightly modified to accommodate that. Let me suggest the following:

  • the initialization file of the hardware device should contain the intermediate xpubs of all the cosigners.
  • the PSBT will contain, for each input PSBT_IN_BIP32_DERIVATION, the fingerprints of all intermediate xpubs. (this also applies to change outputs)
  • before it is sent to the signer, the PSBT will be updated with a PSBT_GLOBAL_XPUB declaration, that contains the intermediate xpub corresponding to that cosigner (as key), and the full derivation and root fingerprint for that xpub (as value).

That way, a hardware device should be able to check input addresses and detect change addresses, without having to know the full derivation of all the cosigners.

Note that there is no security benefit in knowing the hardened part of the derivation of your cosigners, because you cannot check them, since they are hardened. Therefore using the intermediate xpub is just as good.

I had a brief look at the relevant parts of the coldcard firmware, and I did not see anything preventing you from making that change.

I will investigate.
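
The two readings of the BIP174 path fields debated above (per-input paths that overlap the PSBT_GLOBAL_XPUB path as a prefix, versus per-input paths that are only the suffix) and the intermediate-xpub proposal can be modelled as follows; this is an added Python example, not code from the thread, Electrum or the Coldcard firmware. It shows how a signer could match each derivation entry against the global xpubs under either reading. The names `GlobalXpub`, `parse_path` and `resolve` are hypothetical, and the fingerprints and labels are constructed stand-ins for real xpubs, so no BIP32 math is performed.

```python
from typing import NamedTuple, Tuple

HARDENED = 0x80000000

class GlobalXpub(NamedTuple):
    label: str             # stands in for the serialized intermediate xpub (field key)
    xpub_fp: str           # fingerprint of the intermediate xpub itself
    root_fp: str           # root fingerprint stored in the field value
    path: Tuple[int, ...]  # root -> intermediate xpub, stored in the field value

def parse_path(text: str) -> Tuple[int, ...]:
    """Turn 'm/48h/1h/0h/2h/0/5' into a tuple of BIP32 child indexes."""
    out = []
    for part in text.split("/")[1:]:
        hard = part[-1] in "h'"
        out.append(int(part[:-1]) | HARDENED if hard else int(part))
    return tuple(out)

def resolve(fp, path, global_xpubs):
    """Map one per-input/output derivation entry to (xpub label, suffix, reading)."""
    for g in global_xpubs:
        n = len(g.path)
        if fp == g.root_fp and path[:n] == g.path:
            suffix, reading = path[n:], "overlap"  # full path; global path is its prefix
        elif fp == g.xpub_fp:
            suffix, reading = path, "suffix"       # path starts at the intermediate xpub
        else:
            continue
        # Only unhardened steps can be derived (and so checked) from an xpub.
        if any(i & HARDENED for i in suffix):
            raise ValueError("hardened step below the xpub cannot be verified")
        return g.label, suffix, reading
    return None  # no declared xpub matches: the signer cannot verify this key

# Constructed sample data for a 2-of-3 wallet (not taken from the issue).
ACCOUNT = parse_path("m/48h/1h/0h/2h")
GLOBALS = [
    GlobalXpub("cosigner_A", "aaaa0001", "aaaa0000", ACCOUNT),
    GlobalXpub("cosigner_B", "bbbb0001", "bbbb0000", ACCOUNT),
    GlobalXpub("cosigner_C", "cccc0001", "cccc0000", ACCOUNT),
]

if __name__ == "__main__":
    # Cosigner A is described with root fingerprint + full path (overlap reading).
    print(resolve("aaaa0000", parse_path("m/48h/1h/0h/2h/0/5"), GLOBALS))
    # Cosigner B is described with its xpub fingerprint + suffix only.
    print(resolve("bbbb0001", parse_path("m/0/5"), GLOBALS))
```
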