Feature/Plugin request: Mnemonic recovery UI with derivation path "scanning"

[aantonop]

I see many newbies having trouble with recovery of BIP39 mnemonics when they don't know the mnemonic path, especially if created by a wallet that used a non-standard path. I am motivated to help them, while steering them away from dangerous alternative choices such as web-based seed derivation tools or giving their seeds to strangers in return for promises of help (both of which are often proposed on various forums). While this can be solved with a full node and a rescan, such a solution is not useful for newbies as it is too complex. A GUI-based self-hosted multi-platform solution like Electrum, that already has access to indexed UTXO scripts seems to fit perfectly with the use case and be more secure than alternatives.

I would like to fund a plugin that allows Electrum to import a BIP39 mnemonic such that it "scans" several possible derivation paths to find ones that have UTXO history on at least one address. The plugin would then offer a drop down of "discovered" active derivation paths and allow the user to select the one to import into a wallet file, using that derivation path to follow the normal BIP39 derivation procedure. See https://walletsrecovery.org/ for a good list of how varied the derivation paths in different wallet implementations are.

I am considering funding this with a gitcoin grant, to encourage someone with experience to implement this, as well as attract more funding from others and more developers to Electrum.

At this stage, I'd like to gauge interest in the idea and see if there are any principled objections to doing this. I don't want to start any drama accidentally if this is an undesirable use-case or violates some kind of principle held by Electrum developers. I would like to fund this only if it is likely to succeed and be incorporated into a future release.

[SomberNight]

I agree that BIP39-based recovery is becoming more and more fragile/tedious.
I guess what you describe is a valid usecase, and yes if someone makes a PR it can get merged.

Just as you described, this scan should be a one-time thing at restore time -- once the wallet is created it should be tied to a specific derivation path and script type (as is current behaviour).

Further, the scan should be opt-in; e.g. there should be a button that the user needs to press.

In terms of UI, it should be part of the Wizard, maybe part of (or before) the current "Script type and derivation" dialog -- but in any case it should also work for hardware wallets and not just bip39 software seeds.

---

See https://walletsrecovery.org/ for a good list of how varied the derivation paths in different wallet implementations are.

Note that it is sometimes not just the derivation path but also the script type that needs to be bruteforced. For example, breadwallet derives p2wpkh at m/0h, while multibit HD derives p2pkh at m/0h.

---

If someone volunteers to implement this, they can ask questions here or on IRC (#electrum on freenode).

[ecdsa]

This is exactly the kind of situation I wanted to avoid.
I think we should really take steps to discourage further use of BIP39 in Electrum.

[ecdsa]

If the scan means forever syncing multiple HD accounts, it would introduce quite some complexity in the Electrum code, and it would increase server load in a very wasteful manner. We got rid of multiple account wallets a while ago, and I do not want to see that back.

If OTOH the scan is a one-time thing, then it would be more acceptable. In that case once could sweep the wallet into addresses derived from an Electrum seed, and avoid dealing with BIP39 all over the place.

[aantonop]

@ecdsa I remember that this is the primary objection you had to BIP39 as a standard, and this is why I asked before proceeding. Whether we like it or not, BIP39 is a de-facto standard and not just on Bitcoin. Users will use it whether we make it easy for them or not, as they don't have a choice when all the wallets use it. The question that remains is whether we will make it easy for them. I think making it hard for them just discourages self-custody and pushes people to exchange wallets. But that's just my opinion.

If you do not want this operating as a GUI option in Electrum, I can look to build it as a stand-alone Qt app that leverages Electrum servers. Would that make it more or less agreeable? I'm happy to hardcode my own Electrum server into it, so that it doesn't burden others.

In case it isn't obvious, I'm a huge fan of Electrum and extremely grateful for all the work everyone has done on this wallet. The last thing I want to do is seem ungrateful or annoy the devs!

[aantonop]

If the scan means forever syncing multiple HD accounts, it would introduce quite some complexity in the Electrum code, and it would increase server load in a very wasteful manner. We got rid of multiple account wallets a while ago, and I do not want to see that back.

If OTOH the scan is a one-time thing, then it would be more acceptable. In that case once could sweep the wallet into addresses derived from an Electrum seed, and avoid dealing with BIP39 all over the place.

Absolutely a one-time thing. The point is to "find" the paths, not to support multi-path wallets.

[aantonop]

Also, we could combine this with a BIG warning explaining why an Electrum seed is superior, and suggest a sweep operation. That might be a great way to "heal" some of this problem.

[lukechilds]

FWIW I would like to see this feature in Electrum and would be interested in implementing it if there are no objections to merging.

In that case once could sweep the wallet into addresses derived from an Electrum seed, and avoid dealing with BIP39 all over the place.

Electrum already supports importing a BIP39 seed. If we discover funds in a BIP39 seed, why not just allow them to import it? They can already do that anyway if they know their derivation path. As I understand it the point of this plugin would just be to help discover an unknown derivation path.

I appreciate there are objections against BIP39 and you want to encourage Electrum seed usage to Electrum users, but if the funds are already in a BIP39 seed, sweeping the entire wallet over seems a bit invasive. It's also subjecting the user to privacy risks.

[SomberNight]

I think if this code will be well written it should not impose a noticeable maintenance burden on the project, and then it can be merged.

Whether we like it or not, BIP39 is a de-facto standard and not just on Bitcoin. Users will use it whether we make it easy for them or not, as they don't have a choice when all the wallets use it. The question that remains is whether we will make it easy for them. I think making it hard for them just discourages self-custody and pushes people to exchange wallets. But that's just my opinion.

Also, if we don't provide this auto-scanning tool you propose, as BIP39 gets even more fragmented in the future, I foresee websites appearing that do this type of scanning. (maybe there are already some? I recall seeing something similar)
It would be better to provide safe tools to users.

If you do not want this operating as a GUI option in Electrum, I can look to build it as a stand-alone Qt app that leverages Electrum servers. Would that make it more or less agreeable? I'm happy to hardcode my own Electrum server into it, so that it doesn't burden others.

Of course you can build any tool you want :)
Or do you mean there could be a separate binary that we build/distribute for this purpose? In that case, no, we will most definitely not do that as that would have significant maintenance burden. It would be much easier for us to integrate it into the main application.

---

Also, we could combine this with a BIG warning explaining why an Electrum seed is superior, and suggest a sweep operation. That might be a great way to "heal" some of this problem.

I believe this is orthogonal to/independent from the main proposal here.
Although yes it might be worth considering that e.g. if the user restores a bip39 seed we offer an automated creation of a new electrum seed + sweeping. (but note complications with hw wallets; privacy implications, tx fee...)

[tiagotrs]

I see many newbies having trouble with recovery of BIP39 mnemonics when they don't know the mnemonic path, especially if created by a wallet that used a non-standard path. I am motivated to help them

@aantonop Independently of this path scanning tool, please help them by helping the industry move away from BIP39.

Whether we like it or not, BIP39 is a de-facto standard and not just on Bitcoin.

Being de-facto standard is not a reason to perpetuate a flawed system ;)

Intuitively, the seedphrase is all one needs to recover funds - BIP39 is deceptive in this regard. The word-list dependency is another major limitation, with direct impact in portability and localization/usability.

besides electrum, @Roasbeef and @jonasschnelli have also proposed different seed formats.

Maybe a standardization effort is fruitless as wallets are free to derive their keys in arbitrary ways. In the other hand, with a superior format, there might be a chance for a new standard to emerge.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 1000.0 DAI (1000.0 USD @ $1.0/DAI) attached to it as part of the aantonop fund.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $136,202.87 more funded OSS Work available on the Gitcoin Issue Explorer

[ecdsa]

@aantonop sorry to answer late. as I wrote above, I will not accept a pull request that re-introduces multi-chain support in the wallet, because that's way too complex and it would waste our time. I just wanted to restate that in case someone decides to go for that bounty.

I see two options:

• sweep all detected chains into an Electrum seed. (bad for short-term privacy, but this would be a one-time thing). Note that utxos could be mapped to a range of new addresses in order to improve privacy.
• create one bip39 wallet per detected chain (short-term privacy is preserved, but bad for the blockchain, because wallets will keep using deprecated address formats). more challenging in terms of interacting with the existing wizard flow.

I wrote "short-term privacy" because in the long term it is also bad for your privacy to keep using old address formats, when the rest of the ecosystem has moved on.

Multi-chain wallets may implement slow transitions to new address formats (eg send the change of each transaction to a new address format), but this is the kind of complexity that I want to avoid in Electrum.

[ecdsa]

PS: thank you for that bounty, that's a good thing if it can attract developers to Electrum

[lukechilds]

@ecdsa I think there may be some misunderstanding here, I don't think @aantonop was suggesting multi-chain support at the wallet level.

At least my understanding is:

1. User goes to create a new wallet.
2. User selects an option along the lines of "Recover from BIP39 mnemonic seed".
3. Electrum scans all common derivation paths from that seed e.g: m/44', m/49', m/84' etc.
4. Electrum display a list of derivation paths that contain funds to the user.
5. The user selects one of these to import.
6. Electrum inits a new wallet with chosen xpriv/derivation path combo.

So Electrum doesn't have to change anything at the wallet level or support multiple derivation paths in a single wallet if that's your concern.

In fact the last step works exactly the same as how BIP39 seed import currently works in Electrum. The only difference being currently the user is required to already know their derivation path. This feature is just an automated way to discover the relevant derivation path(s) for the user.

If they import a seed that has wallets on multiple derivation paths, they would repeat the import process multiple times, and choosing a different derivation path each time, resulting in multiple Electrum wallets.

Does this resolve your concern?

Also @aantonop please correct me if I've misunderstood your proposal.