To the Nervos community and imToken users

On May 10, 2022, Nervos successfully implemented the Mirana hard fork. Under the coordination of the Nervos community, imToken, as a wallet service provider in the Nervos ecosystem, immediately released the 2.10.0 series version to support upgrades.

After the release of the new version, imToken received feedback from users in the Nervos community and identified irregularities when using imToken to transfer funds to Nervos long addresses.

Troubleshooting

After receiving feedback, imToken established communication with the Nervos team, and then located the cause of the issue:

  • The new long address type Bech32m was introduced in the Mirana upgrade of Nervos, and the ckb-sdk-js commonly used by the Nervos community also supports this type of address format;
  • Edge case scenarios are not covered during the address format processing of ckb-sdk-js, which will cause the new long address type to be recognized as the old long address type;
  • While imToken recognizes both old and new address formats, calling ckb-sdk-js failed to correctly process the edge case, which eventually led to locking of funds transferred to the new long address.

Affected users

  • By screening and checking the node logs for transaction data with above criteria and since version 2.10.0, we found that very few users are affected by the issue above. Furthermore, all funds have been safely returned to the wallets of the affected users;
  • After finding the issue, imToken shut down the NervosCKB service for maintenance and stopped the transfer function, so as to control the impact.

Issue handling

  • imToken will release version 2.10.2 to fix the issue above;
  • The CKB transfer function of imToken versions lower than 2.10.2 stays disabled on the client side. The payment function and balance query function will not be affected;
  • We advise users to update their imToken app to 2.10.2 which features the fix and thus allows for normally CKB transfer functionality.

What we learned

  • The correctness of signatures is extremely important for decentralized wallets. Every change requires a complete code review of the entire process, not only the wallet code itself, but also related dependencies. Code robustness is directly related to the security of user assets. This responsibility is the minimum principle that everyone in our teams and the industry has to keep in mind. imToken will also provide ecosystem partners with more space for testing in future updates, to cover various scenarios and cases;
  • The development of the blockchain ecosystem is changing with each passing day. Being at the forefront of this space, Nervos CKB develops improvements such as updates in the wallet address format. This requires community-related products to stay up-to-date and cooperate closely.

 

imToken & Nervos Network

2022-05-19