aboutsummaryrefslogtreecommitdiff
path: root/src/wallet/wallet_errors.h (follow)
AgeCommit message (Collapse)AuthorFilesLines
2017-12-20wallet: support for multisig seedsmoneromooo-monero1-0/+11
They are hex rather than words, because they are a lot longer than "normal" seeds, as they have to embed a lot more information
2017-12-17Add N/N multisig tx generation and signingmoneromooo-monero1-1/+18
Scheme by luigi1111: Multisig for RingCT on Monero 2 of 2 User A (coordinator): Spendkey b,B Viewkey a,A (shared) User B: Spendkey c,C Viewkey a,A (shared) Public Address: C+B, A Both have their own watch only wallet via C+B, a A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants) A and B watch for incoming outputs B creates "half" key images for discovered output D: I2_D = (Hs(aR)+c) * Hp(D) B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D), and sending the pubkeys with I2_D. A also creates "half" key images: I1_D = (Hs(aR)+b) * Hp(D) Then I_D = I1_D + I2_D Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction). A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D to his own generated ones where they are needed (secret row L, R). At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r, which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo). B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well). B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D to his cache, allowing him to verify spent status as well. NOTE: A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively. Otherwise, trickery like the following becomes possible: A creates viewkey a,A, spendkey b,B, and sends a,A,B to B. B creates a fake key C = zG - B. B sends C back to A. The combined spendkey C+B then equals zG, allowing B to spend funds at any time! The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature). 2 of 3 User A (coordinator) Shared viewkey a,A "spendkey" j,J User B "spendkey" k,K User C "spendkey" m,M A collects K and M from B and C B collects J and M from A and C C collects J and K from A and B A computes N = nG, n = Hs(jK) A computes O = oG, o = Hs(jM) B anc C compute P = pG, p = Hs(kM) || Hs(mK) B and C can also compute N and O respectively if they wish to be able to coordinate Address: N+O+P, A The rest follows as above. The coordinator possesses 2 of 3 needed keys; he can get the other needed part of the signature/key images from either of the other two. Alternatively, if secure communication exists between parties: A gives j to B B gives k to C C gives m to A Address: J+K+M, A 3 of 3 Identical to 2 of 2, except the coordinator must collect the key images from both of the others. The transaction must also be passed an additional hop: A -> B -> C (or A -> C -> B), who can then broadcast it or send it back to A. N-1 of N Generally the same as 2 of 3, except participants need to be arranged in a ring to pass their keys around (using either the secure or insecure method). For example (ignoring viewkey so letters line up): [4 of 5] User: spendkey A: a B: b C: c D: d E: e a -> B, b -> C, c -> D, d -> E, e -> A Order of signing does not matter, it just must reach n-1 users. A "remaining keys" list must be passed around with the transaction so the signers know if they should use 1 or both keys. Collecting key image parts becomes a little messy, but basically every wallet sends over both of their parts with a tag for each. Thia way the coordinating wallet can keep track of which images have been added and which wallet they come from. Reasoning: 1. The key images must be added only once (coordinator will get key images for key a from both A and B, he must add only one to get the proper key actual key image) 2. The coordinator must keep track of which helper pubkeys came from which wallet (discussed in 2 of 2 section). The coordinator must choose only one set to use, then include his choice in the "remaining keys" list so the other wallets know which of their keys to use. You can generalize it further to N-2 of N or even M of N, but I'm not sure there's legitimate demand to justify the complexity. It might also be straightforward enough to support with minimal changes from N-1 format. You basically just give each user additional keys for each additional "-1" you desire. N-2 would be 3 keys per user, N-3 4 keys, etc. The process is somewhat cumbersome: To create a N/N multisig wallet: - each participant creates a normal wallet - each participant runs "prepare_multisig", and sends the resulting string to every other participant - each participant runs "make_multisig N A B C D...", with N being the threshold and A B C D... being the strings received from other participants (the threshold must currently equal N) As txes are received, participants' wallets will need to synchronize so that those new outputs may be spent: - each participant runs "export_multisig FILENAME", and sends the FILENAME file to every other participant - each participant runs "import_multisig A B C D...", with A B C D... being the filenames received from other participants Then, a transaction may be initiated: - one of the participants runs "transfer ADDRESS AMOUNT" - this partly signed transaction will be written to the "multisig_monero_tx" file - the initiator sends this file to another participant - that other participant runs "sign_multisig multisig_monero_tx" - the resulting transaction is written to the "multisig_monero_tx" file again - if the threshold was not reached, the file must be sent to another participant, until enough have signed - the last participant to sign runs "submit_multisig multisig_monero_tx" to relay the transaction to the Monero network
2017-11-15Add out-of-bound exceptions and handle them in RPCMichał Sałaban1-0/+22
2017-11-14wallet: move some scoped_message_writer calls from the libsmoneromooo-monero1-0/+6
2017-10-16Distinguish "not enough money" and "not enough unlocked money"binaryFate1-4/+31
Fix #1530
2017-10-07Subaddresseskenshi841-2/+2
2017-08-07change mixin to ring size in user visible placesmoneromooo-monero1-2/+2
2017-06-03Prevent crash if performing certain actions before wallet is initializedRobby Weinberg1-0/+10
2017-02-21update copyright year, fix occasional lack of newline at line endRiccardo Spagni1-1/+1
2017-02-08extract some basic code from libcryptonote_core into libcryptonote_basickenshi841-1/+1
2017-01-16wallet: add a node RPC cache layer for simple RPC callsmoneromooo-monero1-0/+12
Mostly getinfo and get_hard_fork_info, which are called pretty often. This speeds up transfers as a bonus.
2016-10-15wallet: improve error messages when not enough money for transfermoneromooo-monero1-0/+27
2016-09-16wallet: change priority/fee to ArticMine's recommendationmoneromooo-monero1-4/+4
We keep 1, 2, 3 multipliers till the fee decrase from 0.01/kB to 0.002/kB, where we start using 1, 20, 166 multipliers. This ensures the higher multiplier will compensate for the block reward penalty when pushing past 100% of the past median. The fee-multiplier wallet setting is now rename to priority, since it keeps its [0..3] range, but maps to different multiplier values.
2016-08-11Fake outs set is now decided by the walletmoneromooo-monero1-3/+3
This plugs a privacy leak from the wallet to the daemon, as the daemon could previously see what input is included as a transaction input, which the daemon hadn't previously supplied. Now, the wallet requests a particular set of outputs, including the real one. This can result in transactions that can't be accepted if the wallet happens to select too many outputs with non standard unlock times. The daemon could know this and select another output, but the wallet is blind to it. It's currently very unlikely since I don't think anything uses non default unlock times. The wallet requests more outputs than necessary so it can use spares if any of the returns outputs are still locked. If there are not enough spares to reach the desired mixin, the transaction will fail.
2016-06-22wallet: add a fee multipliermoneromooo-monero1-0/+10
Fee can now be multiplied by 2 or 3, if users want to give priority to their transactions. There are only three levels to avoid too much fingerprinting. Default is 1 (minimum fee). The default multiplier can be set by "set fee-multiplier X".
2016-04-17Add GET_HASHES_FAST rpc, use it in walletHoward Chu1-0/+5
When m_refresh_from_block_height has been set, only hashes will be retrieved up to that height, instead of full blocks. The same will be done for "refresh <height>" when the specified height is beyond the current local blockchain.
2016-04-02Merge pull request #767Riccardo Spagni1-1/+8
24b3e90 Convey tx verification failure reasons to the RPC client (moneromooo-monero)
2016-03-27Convey tx verification failure reasons to the RPC clientmoneromooo-monero1-1/+8
This allows appropriate action to be taken, like displaying the reason to the user. Do just that in simplewallet, which should help a lot in determining why users fail to send. Also make it so a tx which is accepted but not relayed is seen as a success rather than a failure.
2016-03-26wallet: change sweep_dust to sweep_unmixablemoneromooo-monero1-0/+9
With the change in mixin rules for v2, the "annoying" outputs are slightly changed. There is high correlation between dust and unmixable, but no equivalence.
2016-03-16Wallet::store_to(path, password) implemented;Ilya Kitaev1-1/+0
2016-03-11Use boost::thread instead of std::threadHoward Chu1-0/+1
and all other associated IPC
2016-01-29wallet: detect and handle failed outgoing transfersmoneromooo-monero1-0/+11
When a transaction is not found in the pool anymore, it is marked as failed, and displayed as such in show_transfers.
2015-12-31updated copyright yearRiccardo Spagni1-1/+1
2015-12-17wallet: save to a temporary file, then renamemoneromooo-monero1-0/+6
This should avoid most of wallet cache corruption cases
2015-08-11wallet: new rescan_spent command to update outputs' spent statusmoneromooo-monero1-0/+9
This obsoletes the need for a lengthy blockchain rescan when a transaction doesn't end up in the chain after being accepted by the daemon, or any other reason why the wallet's idea of spent and unspent outputs gets out of sync from the blockchain's.
2015-01-02year updated in licenseRiccardo Spagni1-1/+1
2014-09-15Give up on brace initializers in initializer lists (MSVC bug)Zachary Michaels1-9/+9
2014-09-15Separate testnet address prefixZachary Michaels1-11/+26
2014-07-23License updated to BSD 3-clausefluffypony1-3/+29
2014-07-01Explicit error constructorsZachary Michaels1-5/+5
2014-06-12most functions prototyped/modified for wallet recoveryThomas Winget1-0/+11
2014-05-03initial [broken] updatemydesktop1-23/+0
2014-04-07Improvements in JSON RPCAntonio Juarez1-1/+1
2014-04-02json rpc for wallet and bugfixAntonio Juarez1-0/+611