trezor / community Goto Github PK

Looking through the JS console log on beta-wallet.trezor.io, it appears that the sequence number for inputs on TXNs are still listed as 4294967295 or 0xFFFFFFFF. RBF (BIP 125) suggests decrementing the sequence for inputs to 4294967294 (0xFFFFFFFE) or lower to explicitly opt-in to RBF protocols. Ideally this would be a checkbox on the Send interface that would allow RBF (off/on) for the particular TXN.

These assessments could be incorrect since I was hesitant to spend the amount of money required to put an actual TXN on the network. I simply tried to see what trezor.js was sending over the wire to the FW for signing and deduced that RBF appeared to be off (not opt-in).

Please add support sign/verify support for P2SH-segwit and bech32-segwit address. This would allow a Trezor HW Wallet owner to sign messages and direct non-Trezor wallet owners to https://btc-bitcore1.trezor.io/messages/verify, or perhaps a beta site like https://btc-bitcore1.trezor.io/messages/beta-verify

Today I wanted to use the built-in Exchange feature in Trezor Suite converting BTC for ETH using Change Hero. My transaction has been flagged as "suspicious" by their KYC department. Then you have two choices, either you go through the KYC procedure or you accept a refund minus 10% (see https://changehero.io/faq at the end).
It's not an easy choice but I decided to KYC. I provide my ID card plus a photo of me holding it as they ask. However they still refused to process the transaction and asked for an additional Source of Funds statement.

We would kindly ask you to provide us with the Source of Funds. It is the document that represents the origin of the funds that were sent to ChangeHero for the exchange (e.g. your trade history where it is clear that the account belongs to you, your purchase of sent crypto for fiat, bank statement or other documents that demonstrate the fact of you obtaining the amount of crypto in question).

You have to understand that those coins I sent were kept in cold storage for years. I genuinely have no idea of the exact source of funds. It is like asking where this bank note you have in your pocket comes from?
I was then forced to accept a partial refund with a 10% cut.

So as you can see it is a clever scam. First the terms are totally abusive. But second you are screwed whatever you do. Nobody keep tracks of all payments, knowing where each utxo comes from, especially a cold storage that you don't touch often.

Change Hero should be removed from the Exchange providers on Trezor Suite!

In the Ordering and Shipping FAQ on wiki.trezor.io there is a link to Amazon that does not filter by merchant. Amazon will (seemingly) randomly determine which merchant that particular link will arrive at. This would lead a customer from a trezor.io site directly do a malicious Amazon merchant.

I'd suggest you link directly the the Trezor Offical Amazon store instead

Please change the links of docs to:
https://wiki.trezor.io/User_manual
https://wiki.trezor.io/Developers_guide
https://wiki.trezor.io/Security
https://wiki.trezor.io/FAQ

I just upgraded to FW version 1.8.0 and python-trezor v0.11.2. Running Python 3.7 on Windows. Tried the following:

1. Put trezor-one in bootloader and plugged into PC.
2. Issued command trezorctl self-test
3. Let run for about 10 minutes with no console output seen.
4. Canceled self-test.

I have no real need to run the self test, I was just curious about how it worked and how long it took to run. Don't mind leaving it running overnight as long as it doesn't have any unintended consequences.

Would be cool to see that in password manager, like in 1password where I can make several fields, name them and add content. useful for mnemonic seeds, credit cards data.

Eg The app when deployed on vercel will not find trezor devices

When the app is running on localhost: https://github.com/ta32/tpm/tree/logging
The trezor connect popup appears and I can see device events being sent.

export async function initTrezor(
  appUrl: string,
  deviceEventCallback: (event: DeviceEventMessage) => void
) {
  console.log("initTrezor for appUrl: ", appUrl);
  await TrezorConnect.init({
    transportReconnect: true,
    debug: true,
    popup: true,
    lazyLoad: false,
    manifest: {
      email: "[email protected]",
      appUrl: appUrl,
    },
  })
  .catch((error) => {
    console.log("TrezorConnect init error");
    return error;
  });
  TrezorConnect.on(DEVICE_EVENT, deviceEventCallback);
}

The deviceEventCallback is only triggered when the app is running from localhost
When its working the log will look like this

When deployed on vercel (same branch)

I am currently working on porting the slip--39 to javascript. I plan to host it as a npm library an expose the gen-mnemonic interface. I am just to the point of working on the c code interface, but I wanted to reach out about having the code reviewed when it is completed. I will have a testing suite but I wanted to reach out ahead of time and see if there was a process to go through to get code like this reviewed by anyone at trezor or in the community before its released into the wild.

Tried the password manager on about 20 sites, most work, even ones requiring additional PINs or additional 2-factor authentication. Here are a 3 sites that I'm having authentication failures: 1) bitcoin.stackexchange.com, 2) gyft.com, 3) adp.com. Obviously, the login URLs can be chased down from the URLs above.

Hi team,

Not sure if this should be addressed by Support ticket, but here it goes.

I'm unable to use Trezor with Edge(latest) browser running on Android. I find it weird since it's running on Chromium base.

The page tells the browser is not supported and directs me to Chrome or FireFox.

Indeed it works on Chrome for mobile.

Could it have to do with simple User-agent identification?

Thanks

There was recently a paper (Low-Level Attacks in BitcoinWallets) published that outlines HID transport attack vector on other HW wallets. One attack (page 12, sec b.1-b.2) that seemed the most dangerous was the modification of destination and "change" addresses in TXNs as they are sent to a HW wallet for signing. Obviously, the destination address that is signed is displayed on the Trezor before the user ACKs the TXN that would neuter such attacks, but is modification of the "change" address using this attack vector possible.

Or to state differently...

• Does Trezor FW ensure that "change" addresses are part of the same derivation path as the UTXOs that are signed.

Keep in mind this an attack at the transport layer so safeguards in the application layer may not suffice.

Ravencoin (RVN) is listed as a supported coin on the Trezor website. https://trezor.io/coins/

Our web wallet (Mango Farm) now supports Trezor with RVN. https://www.mangofarmassets.com

The Trezor site currently states “No wallet yet.” May we get listed on the Trezor site as a RVN wallet?

In addition, it is known to us that Trezor is supported by the RVN electrum fork. We did not develop this but are passing it along in case you were not aware. Perhaps this could be added as well. https://github.com/traysi/electrum-raven/releases/

Thank you.