Seed is not validated from GRPC

Question

Seed is not validated from GRPC

Opened this issue 4 years ago · 1 comments

The mnemonic seed provided for the creation of a new wallet is not validated.

It is created with the method NewSeed from github.com/tyler-smith/go-bip39
The same library provides tools for validating the seed that could be used.
This issue could lead to the creation of insecure wallets from unaware developers.

Also unrelated: for using a SPV wallet with --noinitialload something like this could be implemented,

if cfg.NoInitialLoad {
	// Ensure the data directory for the network exists.
	if err := checkCreateDir(netDir); err != nil {
		fmt.Fprintln(os.Stderr, err)
		return nil, nil, err
	}
}

Thank you for this project!

Answer 1 · 2020-07-03T23:45:56.000Z

Thanks for pointing it out. I think it's a question of how much flexibility do we want to allow.

Technically the bip39 spec allows for using any string as a mnemonic as the string is just hashed to create the seed. So validating the mnemonic against the word list, while possible, does reduce that functionality. But maybe it's something we should do for safety.