I almost lost a Bitcoin wallet due to Blockchain.com

Fortunately, it ended well

Posted by Giulio Magnifico on Monday, November 18, 2024

The other day, I found the credentials for an old Bitcoin wallet on blockchain.com, so I installed their app and tried to log in. Everything was fine, and the passwords were correct until I saw a warning that said:

Second Password Detected We’re moving away from 2nd passwords. To use the mobile app, login on web to disable 2nd password. After logging on Web, tap on the User icon > Security > Advanced and tap the button named “Remove Second Password”. You will then be able to login on the mobile app.
2FA iPhone

Well, I thought, it's normal: at least 5 or 6 years had passed since my last access to that wallet, and they had changed the authentication method.

So I went to the website blockchain.com from a desktop browser and…

🖐️
Stop, wait, I have to explain what blockchain.com is first

Blockchain.com is (was) a site that lets you open a “semi-cold” or “non-custodial” wallet. Basically, the private keys of your wallet are generated on your side and encrypted with your password; they are not managed by Blockchain.com (unlike on the exchanges, which hold the keys for you). They also give you a wallet ID, a password, an optional second password and a recovery phrase that let you access and recover the wallet. However, to use the wallet you must either log in through their site or app, or import the recovery phrase into another wallet to move/recover the funds.

Let's get back to the story. So, I was trying to unlock my wallet with their website credentials: I go to the blockchain.com website from the desktop, enter my wallet ID and password, the login validation email arrives, I open it and validate my login, the 2FA prompt appears, I enter the code, and the process goes on with the message “Decrypting wallet…”, but immediately afterwards it returns to the login page with this error:

AxiosError: Request failed with status code 409

Uhm, not knowing what it was, I tried to log in again and … same error!

At that point I tried to use the recovery phrase; I entered it and another error appeared:

There was an error resetting your KYC

I had no idea what it meant, but the recovery phrase was correct because when I entered it, it gave me a green checkmark ✅ and allowed me to continue:

Recovery Phrase

At that point, I try to do the same thing from the phone and yet another error appears:

Wallet initialization failed due to being double encrypted
Double Encrypted

Quite surprised, I contacted the support service, which couldn't tell me anything useful except that the second password had been deactivated and that I needed to log in to deactivate it; but if I didn't have the correct credentials, they couldn't help me with the login process.

But my credentials were correct!

So I sent them some screenshots of the errors and even a screen recording.

Here’s the video I sent him:

Login Error

In the meantime, I noticed that the login page URL contained “beta” in the address. So I tried to find a button or a link to attempt logging in on the old page (v4) but couldn't find one.

I asked him if he could provide me with the URL of the old login page, trying to make him understand that it was an error on their side, server-side, not with my credentials.

But the guy seemed to be a bit dull and asked me for the screenshots again so he could report the issue to the developers, saying that they had now upgraded the login page for all users and that if I had lost the recovery phrase, I had lost everything.

But my recovery phrase was correct, you can see it clearly in the screenshots! And the fact that they had changed the login page I had noticed on my own, thanks; I want the old one, I said!

His reply again:

Dear Giulio,

I hope this message finds you well.

I regret to learn about the issue you are experiencing.

Could you kindly attempt to use the computer and inform us if the issue persists? If you continue to encounter the problem, please provide a complete screenshot of the error so that our team may conduct a thorough investigation.

Best regards

…I wanted to insult him, but he could still have been useful to me, so I avoided bad words and sent him back the screenshots and videos, pointing out that my recovery phrase was correct and that I was already trying from a desktop web browser and not from mobile, and asking whether he had even looked at the screenshots.

…waiting…

No response for 2/3 days. I understood that this was an [insult] and I had to solve the problem myself.

So I started trying a few URLs without “beta” in the address (using v4 or old/legacy instead), but I never managed to find the right one: there was always a redirect to the new/beta page.

So I was “wandering” around their site looking for something useful, and I noticed that they had also opened an exchange service for trading. Nice, I try to see what it is, I go to its login page (basically the tab next to the wallet login page), and to my big surprise I finally see a nice button with the phrase:

“If you experience issues during the login, try using the old login page: url”

Damn! I click it immediately, see the old login page, enter the credentials, and boom, I'm inside my wallet.

Login v4
🎉

P.S. This button to log in on the old version of the website was available only from the login page for the blockchain.com Exchange, and the customer support guy neither told me to go to the Exchange page, nor linked me directly to the old login page. And now it has also disappeared. Absurd and unbelievable!

After solving it, and in my spirit of helping and sharing on the web, I also tried to alert this guy about the problem, so he could report it to the developers and they could fix it.

…well, I had no response for 4/5 days, until a few days ago he replied to me with this:

Thank you for reaching out to us and sharing your thoughts.

We understand that adjusting to a new design can take time, and we appreciate your feedback on this transition. To provide a more streamlined and enhanced experience, we have now fully transitioned to the latest version of our web wallet. While an option to revert to the previous design was temporarily available, this feature is no longer accessible as the new design has been rolled out to all users.

Our goal is to offer you an improved experience with updated features and easier navigation. That said, we understand it can take some time to get accustomed to the changes, and we’re here to support you with any questions you may have as you explore the new layout.

Thank you for your understanding, and if there's anything specific we can assist you with, please feel free to reach out - we're here to help.

…now, tell me if this guy isn’t a [insert insult]?!

I initially let it go, but after reading the response a week later I decided “That’s enough. I’ll write a blog post to warn others against using this service and how to solve this problem if they encounter it.” So, here it is.

But the story doesn’t end here

Obviously, as soon as I had access to my wallet, I didn’t want to trust them even a second longer, so I wanted to immediately send the contents of the wallet to my Ledger.

Okay, I was about to send everything, but I thought for a moment, “Wait, before I encounter more surprises, perhaps it’s better to try sending $0.50 before sending the whole amount”

Okay, I went to send it, everything was perfect… but suddenly I saw my wallet halved in value and only $0.50 arrived at my other address.

I realized that this is how Bitcoin transactions work: they spend whole UTXOs (Unspent Transaction Outputs), pay the requested amount to the destination, and send the remainder back to you as a change output at a new address of your own wallet. So I knew the rest had to return to my wallet. Since the transaction took 20/30 minutes to confirm, I thought the network was congested, so I went to sleep in the meantime.

In the morning, I wake up, but my wallet is still halved in value. How is that possible?

Quite scared, I wrote again to the support service of blockchain.com [insert insults here] in chat, but this time someone definitely more intelligent and prepared responded and explained what might have happened:

In this case, the amount did not reflect due to what is called a gap limit. An HD wallet allows for billions of public and private key wallets to be generated from your seed phrase. However, our DeFi wallet only scans the first 20 unused addresses to comply with the BIP44 spec, which states that addresses of an xPub beyond this limit should not be checked for funds.

This means you have different addresses under your seed phrase where the change could be sent. Unfortunately, in this instance, when you sent the funds, the change was sent to the 22nd unused address in your Segwit xPub.

To address the gap limit, kindly send “dust funds” to the wallet address below. Please be assured that the dust funds you send will also appear in your wallet: bc1qr83j43ycpddgnrghl….

Okay, I didn’t know this, it had never happened to me before. I tried to do as he said and sent 0.0000088 BTC to that address (the minimum transferable), and indeed after a few minutes, I saw my wallet return to its original value! Finally.

All is well… but if someone doesn’t know this, what do they do? I mean, it’s quite a big issue.
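To make the two mechanisms in this part of the story concrete (the change output of a UTXO spend, and the BIP44 gap limit that hid it), here is an added Python simulation. It is not code from this post or from Blockchain.com. The address derivation is a SHA-256 stand-in for real BIP32/BIP84 derivation, the ledger and amounts are constructed, the change is pinned to change index 21 so that indices 0..20 are unused (the “22nd unused address”), and the dust address support gave is assumed to sit at change index 2, since the post does not say which index it had.

```python
"""
Added simulation of a UTXO spend with change and of the BIP44 gap-limit scan.
Derivation is a SHA-256 stand-in (not real BIP32/BIP84); all data is constructed.
"""
import hashlib
from typing import Dict, List, Set, Tuple

GAP_LIMIT = 20       # BIP44: stop scanning after 20 unused addresses in a row
RECEIVE_CHAIN = 0    # BIP44 external chain: the addresses the wallet shows you
CHANGE_CHAIN = 1     # BIP44 internal chain: where change outputs are sent
DUST_SATS = 880      # the 0.0000088 BTC the post mentions, in satoshis


def derive_address(account: str, chain: int, index: int) -> str:
    """Stand-in for deriving m/84'/0'/0'/chain/index from an xpub (assumption, not real BIP32)."""
    digest = hashlib.sha256(f"{account}/{chain}/{index}".encode()).hexdigest()
    return "bc1q" + digest[:38]


class Ledger:
    """Constructed stand-in for the Bitcoin ledger: spendable sats per address plus history."""

    def __init__(self) -> None:
        self.utxos: Dict[str, int] = {}
        self.history: Set[str] = set()   # every address that ever received an output

    def credit(self, addr: str, sats: int) -> None:
        self.utxos[addr] = self.utxos.get(addr, 0) + sats
        self.history.add(addr)

    def spend(self, from_addr: str, to_addr: str, amount: int, fee: int, change_addr: str) -> int:
        """UTXO model: the input is consumed whole; the payment goes to to_addr and
        the remainder (minus fee) comes back as a separate change output."""
        value = self.utxos.pop(from_addr)
        if value < amount + fee:
            raise ValueError("insufficient funds in the selected UTXO")
        self.credit(to_addr, amount)
        change = value - amount - fee
        if change > 0:
            self.credit(change_addr, change)
        return change


def scan_chain(account: str, chain: int, ledger: Ledger,
               gap_limit: int = GAP_LIMIT) -> Tuple[int, int, List[int]]:
    """Walk one address chain the way a BIP44 wallet does and return
    (spendable_sats, last_index_checked, used_indices).
    'Used' means the address has any history, not that it still holds funds."""
    balance, unused_run, index, used = 0, 0, 0, []
    while unused_run < gap_limit:
        addr = derive_address(account, chain, index)
        if addr in ledger.history:
            balance += ledger.utxos.get(addr, 0)
            used.append(index)
            unused_run = 0
        else:
            unused_run += 1
        index += 1
    return balance, index - 1, used


def wallet_balance(account: str, ledger: Ledger) -> int:
    """What the wallet UI shows: the sum over both chains, bounded by the gap limit."""
    return sum(scan_chain(account, chain, ledger)[0] for chain in (RECEIVE_CHAIN, CHANGE_CHAIN))


def build_scenario() -> Tuple[str, Ledger]:
    """Reproduce the story: a small test payment whose change lands past the gap limit.
    The change index is fixed to 21 so that change indices 0..20 are unused."""
    account = "xpub-segwit-demo"              # label standing in for the wallet's xpub
    ledger = Ledger()
    ledger.credit(derive_address(account, RECEIVE_CHAIN, 0), 5_000_000)
    ledger.spend(
        from_addr=derive_address(account, RECEIVE_CHAIN, 0),
        to_addr="bc1q-hardware-wallet-demo",  # constructed destination (the Ledger device)
        amount=500, fee=500,
        change_addr=derive_address(account, CHANGE_CHAIN, 21),
    )
    return account, ledger


def demo() -> Tuple[int, int, int]:
    """Returns (balance_before_fix, last_change_index_scanned, balance_after_fix)."""
    account, ledger = build_scenario()
    before = wallet_balance(account, ledger)              # the change is invisible
    _, last_scanned, _ = scan_chain(account, CHANGE_CHAIN, ledger)
    # Support's fix: a dust payment to an address inside the gap (index 2 is an assumption)
    ledger.credit(derive_address(account, CHANGE_CHAIN, 2), DUST_SATS)
    after = wallet_balance(account, ledger)               # the scan now reaches index 21
    return before, last_scanned, after


if __name__ == "__main__":
    print(demo())
```

Before the dust payment the change chain scan stops at index 19 (twenty unused addresses in a row) and the wallet shows zero, even though the change sits safely at index 21 on the chain; after a dust output at index 2 the unused run is reset and the scan reaches the stranded output. Note the caveat this model makes visible: the dust address has to lie within 20 indices of the stranded output. A dust payment to change index 0 would still leave indices 1..20 unused and index 21 hidden, so the support agent had to pick the address deliberately, not just hand over the wallet's next receive address.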

Anyway, I didn’t even want to know. Now I’ve transferred everything to my Ledger, and I’m safe and relaxed.

ledger

If you want to use or open a wallet on blockchain.com, keep this weird experience of mine in mind; I hope it can help you.