[Deprecated] Warning: Funds on spent addresses! How to unblock your funds

Getting back control over Iotas blocked by the Trinity wallet

HBMY 289
15 min read · Oct 19, 2018

The guide will stay online for educational purposes only.

In certain cases, the official Iota Trinity wallet will display the warning above and effectively block you from transferring your full balance. This article will explain what’s happening and help you to get access to your iotas again.

Trinity already guides you a lot and tries to stop you from doing anything that would result in funds on spent addresses, but it is still possible to end up in this situation.

If you see the warning above, Trinity is actually protecting your funds, because sending from the same address again poses a certain risk. Depending on the reason and other circumstances, there might be better options than what is described in this article. Check with experienced users in the Iota Discord #help channel whether a risk-free solution is possible in your case. If no other option is applicable, you will probably need to move your funds using the official Iota Command-Line-Interface wallet (CLI wallet), which does not have the key-reuse protection mechanism built in.

Contents

1. What does the warning mean and why does Trinity block my funds?
2. How could this happen?
3. Move funds

I will first explain the reason for the warning and how this all could happen. If you do not care about the background and alternative solutions, just head over to Move funds directly.

1. What does the warning mean and why does Trinity block my funds?

When you send an iota transaction, you prove that you are the true owner of the funds by adding a signature to the transaction. The signature is generated using the quantum-proof Winternitz one-time signature algorithm. One side effect of this signing strategy is that it exposes 50% of the private key of an address. This is no reason to worry: even with 50% of the key exposed, it is still virtually impossible for anyone other than the true owner to get access to the funds. However, every time another transaction from the same address is signed, another 50% of the key is made public. Depending on the random overlap of the published parts, it becomes easier to brute-force a valid signature with every additional signing. With this, an attacker could move the funds on such a multiply-used address. It is important to note that only the funds on the affected address become vulnerable. Your seed is never compromised.

Due to this behavior addresses in iota are used only once for sending. Any remaining funds on an address are automatically moved by the wallet to a new and fresh address of your seed. The spending address will never be used again.

The picture shows the process of a simple iota transaction. Bob has 100 iotas on the first address of his seed. When he sends 10i to Alice, the wallet automatically sends the remaining 90 iotas to a new address of his own seed in the same transaction bundle. The first address of his seed is cleared from any funds this way and is viewed as used as soon as the transaction hits the tangle. It will never be used again by the wallet.

So, if the used addresses are always cleared of any residual funds, how is it possible you are seeing this warning in your wallet?

2. How could this happen?

Trinity is a well-designed wallet software and gets even better with each new release. It protects you in many ways the previous wallet did not. However, there are still several ways to end up in a situation with blocked funds.

2.1 Receiving funds on a used address

The most common and also the simplest way to get funds on an already spent address is to actually just receive them. But shouldn’t that be prohibited? Well, the Iota protocol allows it, and therefore it is up to the wallet software of the sender to block such a transaction. Using the Trinity wallet, sending to a spent address is not possible, as you will see a warning and the transaction will not be sent.

Trinity does not allow sending to addresses that have already been used for spending

However, if the sender uses different ways of transferring iotas, it is still possible. If you, for example, withdraw funds from an exchange and use an address of your seed that has already been used for spending, they might still just send the iotas. We have also seen multiple occasions where someone who thought himself funny sent 1 iota to used addresses of other users to effectively block them from accessing their funds. As it is not possible to prohibit incoming transactions, even Trinity cannot prevent this.

2.2 Previous transaction(s) on an improperly synchronized node

Another way to end up in this situation could be an unhealthy node. When sending a transaction to the tangle you should always make sure your node is completely synced. Trinity takes care of this for you, but the check might not work properly in all possible cases.

If a node is not fully synced it means that the node is not aware of all recent transactions on the tangle, i.e. it is not up to date. When you send a transaction now the wallet might try to send from an address that has already been used in the meantime, or from an address that has received further funds. The first scenario might result in a transaction that will never confirm, the second in residual funds on the sending address. In both cases, you can end up with funds on spent addresses. This is a more complex and less common reason for blocked funds.

2.3 Pending transactions during a snapshot (Manual Sync)

If a transaction is pending, then the address holding the funds is already signed. This also blocks the funds in Trinity until the transaction is confirmed.

Funds on addresses of pending outgoing transactions cannot be used for other transactions

Generally, this is no issue and Trinity takes care of everything. The transaction bundle will be reattached to the tangle if necessary until it is confirmed and the funds are accessible again. Even if a global snapshot is happening and all transactions are removed from the tangle, Trinity will keep all relevant information. This will enable reattaching and finally confirmation of such a bundle.

However, it is possible to block your funds in this situation using the Manual Sync feature. This command is sometimes necessary to synchronize all the locally stored transaction information with what is stored on the tangle.

If you run the Manual Sync after a global snapshot, Trinity will not find the pending transaction on the tangle any more and delete it from its local storage to be in sync with the tangle again. Unfortunately, this will then leave you in a situation with funds on a used address. You will not see this transaction in Trinity anymore and will not be able to reattach it to get it confirmed. While moving your funds with the CLI wallet is still possible you should first contact me (HBMY289) or somebody else in the Iota Discord #help channel, as there are less risky ways to solve this case.

Trinity already covers most bases, and most scenarios in which you end up with funds on spent addresses are edge cases.

3. Move funds

3.1 Identify the affected address with blocked funds

First, it is helpful to find the address that is actually blocking you. Using Trinity, this is a fairly simple task as there is a nice overview showing your addresses and their balances. You can find this list by clicking on Account → Account Management → View addresses.

Access to the list of addresses

Scroll through your list and find a used address with funds on it. Used addresses are highlighted in red with crossed-out characters.

Find funds on a spent address

In the example above there is 1Ki on the used address CDJYFI…

Copy the affected address somewhere by clicking on it and also write down the respective amount in your case.

If you have considerable amounts of iotas on your affected address(es), then this is the time where you should take a break and head back to the #help channel on the Iota Discord server. Post your address(es) there and ask for possible risk-free alternatives to move your funds. If there are none or the funds have a negligible value, you can proceed here.

3.2 Create fresh seed/account in Trinity

Although it might seem this way at this point, your current seed is not broken. If you want to you can still use it later on. However, to make things easier and to have a fresh start we will transfer all your funds to a new seed first.

Create a new account

For that, just create a new account as shown in the picture above. Click “Yes, I need a seed” if you do not already have another one available. Follow the wizard and finalize by backing up your seed.

NEVER use an online seed generator on any website!!!

Once you have created the new account, click Receive and then copy the receive-address somewhere to have it at hand. We will call this address target address from now on.

3.3 Move unblocked funds first with Trinity

The way the Trinity wallet works, you will find that not all your funds are blocked. Only the amount on the affected address(es) actually needs to be transferred using the CLI wallet. The remaining funds can be moved using Trinity the normal way. These unblocked funds would never be at risk of being stolen, but in case something goes wrong during the CLI wallet transfer, it is possible to end up in a situation where these previously unaffected funds become blocked, too. This is only an edge case with a very low probability, but it is still recommended to move unblocked funds first, especially if you have substantial amounts of funds on your seed.

In order to transfer the unaffected balance first, you need to know how much it actually is. Trinity makes this easy again, as it ignores blocked funds when calculating the maximum balance for sending.

Use MAX feature to send all unblocked funds

In the shown example the total balance is 11 Ki with 1 Ki on a used address, but activating the MAX button yields a maximum available unblocked amount of 10 Ki.

Edit: It seems that starting from the release version of Trinity (1.0) the MAX button also includes the blocked balance. This means you will have to subtract the blocked funds on your own.

Copy the target address of your newly created seed in the Recipient Address field, activate the MAX button and hit Send. Now, make sure to wait until the transaction is confirmed and your total balance equals the amount you found on the used address earlier.

3.4 Use the CLI wallet to move blocked funds

At this point only blocked funds should remain in your wallet. The Iota Command Line Wallet (CLI wallet) is a minimal wallet software published by the Iota Foundation, without a graphical user interface. It is completely controlled via the command line. We will use it here because, in contrast to most other wallets (GUI wallet, Trinity), it does not prevent you from reusing the private key of an address.

It is important to understand that the key reuse warning in the wallet (Funds on spent address) is there for a reason. Using an address for sending multiple times poses a certain risk that these funds will get stolen. As already mentioned above, each outgoing transaction from an address publishes a random 50% of the private key of this specific address. The risk of theft increases with every additional outgoing transaction. If the address was only used once previously, the risk is fairly low. But if it was used 3 times or even more, then it becomes easy for malicious parties to access your funds on this address. Please keep all this in mind, as I cannot be held accountable for any losses that may occur. If you feel unsure or uncomfortable in any way following this procedure, join the Iota Discord and explain the details of your case in the #help channel to look for another solution.
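
The exposure described in section 1 and in the warning above can be put into numbers with a toy model of a Winternitz-style hash-chain signature. This is an added example, not code from the original article or from the Iota Foundation; it assumes SHA-256 as a stand-in hash, only 4 key fragments, and constructed digit values in place of a real message hash.

```python
import hashlib

CHAIN_LEN = 26   # hash steps from a private fragment to its public value
FRAGMENTS = 4    # toy size (assumption); real keys have many more fragments

def chain(data: bytes, times: int) -> bytes:
    """Apply the hash `times` times (SHA-256 is a stand-in, an assumption)."""
    for _ in range(times):
        data = hashlib.sha256(data).digest()
    return data

def keygen(seed: bytes):
    """Derive toy private fragments and the matching public values."""
    priv = [hashlib.sha256(seed + bytes([i])).digest() for i in range(FRAGMENTS)]
    pub = [chain(p, CHAIN_LEN) for p in priv]
    return priv, pub

def sign(priv, digits):
    """Each digit d in -13..13 publishes the fragment hashed (13 - d) times."""
    return [chain(p, 13 - d) for p, d in zip(priv, digits)]

def verify(pub, digits, sig):
    """The verifier hashes (13 + d) more times and must reach the public value."""
    return all(chain(s, 13 + d) == q for s, d, q in zip(sig, digits, pub))

def exposed_fraction(signed):
    """Share of all chain steps anyone can recompute from published signatures."""
    steps = sum(13 + max(frag) for frag in zip(*signed))
    return steps / (CHAIN_LEN * FRAGMENTS)

def signable_without_key(digits, signed):
    """True if every chain value needed is derivable from published ones."""
    return all(d <= max(frag) for d, frag in zip(digits, zip(*signed)))

# Constructed digit sets; each sums to zero like a normalized message hash.
D1, D2, D3 = [3, -7, 10, -6], [-4, 9, -8, 3], [6, 2, -1, -7]
OTHER = [2, 8, -9, -1]   # constructed digits of a message the owner never signed

if __name__ == "__main__":
    priv, pub = keygen(b"constructed demo seed")
    print("valid signature:", verify(pub, D1, sign(priv, D1)))
    for n in (1, 2, 3):
        print(n, "signature(s):", round(exposed_fraction([D1, D2, D3][:n]), 3))
    print("OTHER at risk after 1:", signable_without_key(OTHER, [D1]))
    print("OTHER at risk after 2:", signable_without_key(OTHER, [D1, D2]))
```

In this model a single signature exposes exactly half of the chain steps, and because the digits sum to zero no other message is covered by it; each further signature from the same key raises the exposed share and lets more unsigned messages fall inside it.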

3.5 Installing CLI wallet

In order to install and run the Iota CLI wallet, we will first have to install Node.js. Although the name is similar, this has nothing to do with running an Iota node. Node.js is an open-source run-time environment for running JavaScript code.

Navigate to the official Node.js website (https://nodejs.org/) and download the installer appropriate to your operating system. It is recommended to choose the long-term support version (LTS). Download and run the installer. Once it is finished, it is time to open the command line interface of your operating system. For Windows, go to the start menu, type cmd and hit Enter. On Mac OS X use the Spotlight search to look for terminal and start it.

Once at the command line interface, we can use npm, the package installer that is part of Node.js, to directly download and install the Iota CLI wallet by entering this line:

npm install -g iota-cli-app

Hit Enter and wait until the installation is finished.

3.6 Sending blocked funds

You will need to have a target address from a fresh seed and the CLI wallet installed to proceed. Start the CLI wallet with this command:

iota-cli

After starting it will look like this:

By default, the wallet will try to connect to a node running locally on your computer. If you do not run a local node, you can enter a trusted public node. Here we will use a node run by the same team that brought us what is probably the most used tangle explorer, theTangle.org.
You can choose the same node or pick a different one that you trust. A list of nodes is available, for example, at https://iota.dance/

Connect the wallet to the node by typing

node https://nodes.theTangle.org:443

After a few seconds, the wallet will be connected, visible by the green checkmark after the node name.

A few general parameters need to be set first. Type

depth 3

and then

mwm 14

These two settings make sure that the transaction you will send later is compliant with the default parameters on the current tangle.

Now enter your seed:

seed YOURSEED

Replace YOURSEED with your own seed and press Enter. If you paste your seed from the clipboard you can use right-mouse-click and Paste on Windows and Shift-Command-V on OS X.

Choose No when asked to save the seed locally for auto-completion (type N and hit Enter).

After entering your seed the wallet will automatically retrieve the full account data in the background. Depending on the number of addresses you have already used it can take the wallet up to a couple of minutes to check all addresses. Once finished it will notify you and also display the available balance (1Ki or 1000i in this case).

If the balance is not displayed you can specifically request receiving it with the balance command.

balance

If, even after waiting some time, your balance is still shown as 0 although you see your correct balance in Trinity, this is probably due to a global snapshot. There are two ways to help the CLI wallet show the correct balance in this case.

1. Use a node that still holds all pre-snapshot transactions

Change the node in the CLI wallet by typing

node https://perma.iota.partners:443

or

2. Perform a snapshot transition in Trinity

Press No until your correct balance is shown and then Yes to start the process.

After either 1. or 2. refresh the balance in the CLI wallet by entering the balance command again.

balance

When sending funds with the CLI wallet you need to give the amount as a number of iotas, not Ki, Mi, or Gi. This means if you see a unit like K, M or G behind the balance you need to convert it into the amount in iota. The 1 Ki in the shown example equals 1000 iotas. Use this chart for reference if you are unsure about the units.

Now you have everything to issue the final transfer command. Remember that from the moment the transaction is published, your funds are at risk until the transaction is confirmed. Even if this is only a small risk, you want to have the new transaction confirmed as fast as possible.

To finally send the funds from the blocked address(es) enter the command like this and double-check it before hitting Enter:

transfer ADDRESS amount

Replace ADDRESS with the target address you want to send your funds to and replace amount with the number of iotas you want to transfer. Do not include any unit when defining the amount. With my wallet the command could look like this:

transfer HBMYPAZXKHMGUVHZGEATCWCVUXLMSGZQFVLGJNYJMBWEFAUAHMHDXWKBANJDSDZHPVOOVFZVWSHAKFJODRJWNMPPXW 1000

The wallet checks the validity of the address, so if you include a typo somewhere it will be detected due to the invalid checksum. You would see this error message in that case:

If you see this message

it means that you probably entered a unit (i, Ki, etc) after the amount. Make sure to only give the number of iotas to transfer.

After hitting Enter on the correct transfer command the wallet will start creating the transfer bundle and sending it to the tangle. This can take up to a few minutes. When finished it will look like this:

Disclaimer:

It has to be mentioned again that the funds on the blocked address become more vulnerable each time you initiate a transfer. If your address has already been used 2–3 times or even more, you should NOT send again. Your funds will probably get stolen minutes after you submit the new transfer. Do NOT send another transfer until the first one you sent is confirmed!

3.7 Get transaction confirmed

Now is the time to promote the new transaction to help to get it confirmed faster. Go back to the original account in Trinity and hit the refresh button in the transaction history.

Refreshing the transaction history

After that, your outgoing transaction matching the amount of the blocked funds should be visible. Click on the transaction and hit the Retry button to promote your transaction.

Using Retry to get transaction confirmed faster
Promotion was successful

You can push the Retry button as often as you like to promote multiple times. As soon as the transaction is confirmed your funds have safely arrived on the new seed.

That’s it. Everything is safe and usable again. You can transfer the funds back to your original seed if you like or just leave them on the new one.

Official Iota Discord server

Discord is software that provides multiple chat channels on separate servers. A Discord server was set up by the Iota Foundation (IF) to work as a medium for information exchange. Along with a vast number of helpful community members, you will also find IF members there on a daily basis. If you are not already part of the Discord community, you will need an invitation link. This link can be found on the official Iota website (www.iota.org).

If you have any questions, comments or would like to see things changed in this article, get to the Iota Discord server and find me (HBMY289).
