Chia heist 250 XCH stolen from "cold" wallet

What about internet connection? Do I need to be online or can I use the chia client to generate a new key offline?

Honestly, I don’t know for sure. Hopefully someone else will chime in. Or, just try it for yourself and let us know.

My guess: you can install chia and create the keys/phrase without internet connection. But I would think it would need to see the blockchain to create the receive address to avoid duplicates. But I’m not sure.

Good point about the receive address. It is this long though xch196vls5uwz872xffcm9******02kh3dhdt3mlkvc8thl4g4has0yscnn4pw (62 characters)
which this site:
http://www.csgnetwork.com/optionspossiblecalc.html
suggests means there are:
2.0820565038911377e+66 permutations.

So maybe they just generate one and take a chance on never producing the same one again. You only need to move to powers of 78-82 to be at atoms in the known universe scale.

Yeah, I knew it would be a very very slim chance of getting a duplicate. But it happening even once would be very bad. I would think they would have measures to make sure it never happens.

Now that I think about it a little further, the receive addresses are probably some encryption result of the wallet’s keys. So they should be unique to that wallet. If this is the case, then no internet connection would be needed to get one.

1 Like

Ok, if I’m getting this correct, I should be creating a “cold wallet” that never has any connection to the internet, or my plotting/farming/harvesting machine other than to receive the XCH rewards I earn?

Would I just hold the XCH indefinitely in the cold wallet?
How the heck do I cash out/exchange it then?

One strategy is to use virtual machines. VMware Player is free and Windows offers 90-day trial OSes free. I boot one up, sync the cold wallet, transfer what I need, then make a new wallet, transfer the balance to it, record the keys on paper or whatever, then nuke the entire VM.

1 Like

The most secure method would be how it works with, say, BTC.
Sign the transaction on an offline PC, then broadcast the transaction through a live node.
If this is possible with chia I’m unsure, but it’s tried and tested secure, it’s just if we can do it or not with chia.

1 Like

I’m hoping for Ledger integration at some point

1 Like

I hope Chia will make these functions more accessible, like having a way to do it with its CLI API

PS: was referring to signing offline

1 Like

The best way is Windows? omg…(stopped reading). No need for any VM, just create a new wallet and keep it offline. No need to synchronize anything…

If you don’t have the option to make a key on a (permanently) offline machine, a VM is a good alternative though.

Whether you create the key on Windows, Ubuntu or whatever doesn’t matter one bit.

While this is a better way (also the way I use), it might still be compromised by a key logger on the host.

Are we sure that no internet connection is needed? I haven’t been able to find solid information anywhere else.

I actually did a test from a live Ubuntu USB (on a spare PC with no other discs) that I only connected to the internet to download the chia client. I then disconnected, generated and printed the keys and address and then formatted the USB.

To test I made a transfer to the address and it came through in chia explorer. I’m now contemplating whether that’s proof enough or if I should input the mnemonic seed in my regular machine and transfer the amount back just to see that everything works perfectly. But I would then have to run through the process again to generate a new cold wallet.

Yes, I know how you feel, it’s weird that you can’t see like your actual wallet and still have faith that your seed phrase will do the trick :sweat_smile:

But in general, yes offline is possible. Any possible valid address becomes “active” on chain as soon as a transfer is made to that address. A private key gives access to a certain range of addresses.
There is no creation process on the chain that registers your private key to a certain address. The private key and address connection exists by the rules of cryptography, not by a registration process.

You might ask, is it possible to generate the same key twice? Yes it is. But that is about as likely as being hit by lightning every second for a week.

2 Likes

Not heard that one before, do you know what encryption algo chia actually uses?

Tell that to Roy Sullivan :face_with_raised_eyebrow:

2 Likes

BIP-39 with 256 bits of entropy. More info:

1 Like
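To illustrate the BIP-39 answer above and the earlier question about whether key generation needs a connection, here is an added example (not part of the thread and not Chia's own code) of the BIP-39 encoding step: local entropy plus a SHA-256 checksum, split into 11-bit word indices, with a reverse check for a written-down backup. The function names are hypothetical, and the lookup of each index in the 2048-word BIP-39 list is left out.

```python
import hashlib
import secrets

def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP-39 encoding: append checksum bits, split into 11-bit word indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                 # 8 checksum bits for 256-bit entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11     # 24 words for 256-bit entropy
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_to_entropy(indices: list[int]) -> bytes:
    """Reverse the encoding and verify the checksum of a transcribed phrase."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("BIP-39 phrases have 12, 15, 18, 21 or 24 words")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range")
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    cs_bits = len(indices) * 11 // 33
    ent_bytes = (len(indices) * 11 - cs_bits) // 8
    entropy = (combined >> cs_bits).to_bytes(ent_bytes, "big")
    # Recompute the checksum from the recovered entropy; a random wrong
    # word slips through only about 1 time in 256 for a 24-word phrase.
    if entropy_to_indices(entropy) != list(indices):
        raise ValueError("checksum mismatch: phrase was mistyped or miscopied")
    return entropy

if __name__ == "__main__":
    # Constructed sample: fresh 256-bit entropy from the OS RNG, no network involved.
    sample = secrets.token_bytes(32)
    words = entropy_to_indices(sample)
    assert indices_to_entropy(words) == sample
    print(len(words), "word indices:", words)
```

Nothing here touches a network or a blockchain: the phrase is a function of local randomness only, so the quality of the offline machine's random number generator is what matters.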

Found the math on it.

https://www.reddit.com/r/ledgerwallet/comments/6cjvam/probability_of_seed_phrase_collisionbrute_forcing/

1 Like